CIPortAuthority asked:

Cisco VLAN Routing

We are using a Cisco wireless LAN controller (WLC) and APs to give our company 2 WiFi networks.  The first is for our use and it has access to our network and the second is for guest use and should only have access to the Internet via our firewall.  I am trying to figure out how to properly route the traffic from the clients on the guest WiFi to our firewall.

The WLC uses VLANs to segregate the various networks.  VLAN 5 is for WiFi management and is used by the WLC to talk to the APs (172.16.150.0/24).  VLAN 6 is used for the guest WiFi network (172.16.160.0/24).  VLAN 7 is used for the internal WiFi network (172.16.170.0/24).  The WLC has 2 ports that connect to the closest Cisco switch.  Both ports on the switch that the WLC connects to are set up for 802.1Q trunking.  There are 2 more switches that traffic has to hop through to get to our ISA Server firewall.  The firewall has 1 physical port for the internal traffic that is VLANed into 2 virtual ports for VLAN 1 and VLAN 6.

I have attached a network diagram to show the details.

How do I get data from a guest WiFi client to the firewall without allowing them access to our internal network (i.e. route VLAN 6 through to the firewall)?
network-diagram.jpg
BigPapaGotti:

You forgot to attach the diagram. :-)

You can use an ACL to deny the traffic from your guest network to access your internal network. Once that is done the flow of the traffic will go out the default route/internet. That way if a sophisticated user tried to get to your internal network the ACL would deny them access and they would only be able to get out to the internet. Once the ACL is created you will need to apply it to the inbound direction of the VLAN for which the inter-VLAN routing is occurring on.

I see the diagram now. Not sure why I didn't see it before.
CIPortAuthority (asker):

I thought I had attached the diagram but it didn't for some reason so I had to go back and edit the question to attach it a second time. :)

Do I really need to configure inter-vlan routing and ACLs to do this?  Surely there is a way to just have the traffic isolated to VLAN6 and carried across the network that way?
From the looks of your diagram and having routing enabled you already have inter-VLAN routing enabled. The ACLs are the only way that I can think of in order to accomplish what you are after.

Since you are only concerned with the wifi guest access accessing your internal lan you would only need to create a single ACL (with multiple permit/deny statements) and then apply that to the default gateway (interface vlan on your Wireless controller) so that the traffic would be dropped there.
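BigPapaGotti's suggestion written out as Cisco IOS configuration. This is an added example, not configuration from the thread or from any of its participants. It assumes the addressing the asker gave (guest VLAN 6 is 172.16.160.0/24, the SVI on switch 1 is 172.16.160.254, every internal subnet sits under 172.16.0.0/16), that guest clients use the SVI as their default gateway, and that the switch's default route points at the firewall; the ACL name and the remarks are invented for the example.

```cisco
! Added example: routed ACL that keeps guest clients off the internal 172.16.x.x
! subnets while letting everything else follow the default route to the firewall.
ip access-list extended GUEST-WIFI-IN
 remark DHCP requests arrive from 0.0.0.0, so they must be permitted explicitly
 permit udp any eq bootpc any eq bootps
 remark Block guest clients from every internal subnet (VLAN 1/2/3/5/7 and the SVIs)
 deny   ip 172.16.160.0 0.0.0.255 172.16.0.0 0.0.255.255 log
 remark Anything else is Internet-bound and goes out the default route
 permit ip 172.16.160.0 0.0.0.255 any
!
interface Vlan6
 description Guest WiFi gateway (assumed to be the clients' default gateway)
 ip address 172.16.160.254 255.255.255.0
 ip access-group GUEST-WIFI-IN in
!
! Verification: the deny counter should climb when a guest tries an internal address,
! and the permit counter when they browse the Internet.
! show ip access-lists GUEST-WIFI-IN
```

The deny line comes before the broad permit because IOS evaluates ACL entries top down and stops at the first match; a guest packet for 8.8.8.8 skips the deny and hits the final permit, while one for 172.16.116.2 is dropped on the SVI before the switch forwards it. The `log` keyword sends matches to the switch CPU and syslog, which gives you a record of guests probing the internal range; on busy access layers keep it on the deny only, as here, or rate limit it.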
ASKER CERTIFIED SOLUTION
pgstephan

This solution is only available to members.
I am trying to get back to this shortly but I'm the only one in my department in right now and other more pressing issues are constantly coming up.  Give me a day or two to try out the suggestions above.  Thanks.
Ok... I am thinking that maybe I have a different problem.  I started to play around with what BigPapaGotti suggested and so I added the IP address 172.16.160.254 for VLAN 6 to the first switch.  With an IP address in place, I should be able to ping that address from the WLC but it doesn't work.  I can ping 172.16.150.254 and 172.16.170.254 just fine but they share port 1.  From switch 1, I can ping 150.254 and 170.254 but not 160.254.  Everything is set up the same except for the native VLANs on the two ports and which physical port on the WLC is being used:

interface FastEthernet0/32
 description WLC Port 2 (VL06)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 6
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/40
 description WLC Port 1 (VL05)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport mode trunk
 spanning-tree portfast
!

Any ideas?
On the first switch that you created a new SVI (interface vlan 6) with an IP address of 172.16.160.254, run the command "show ip interface brief" and let us know what the status of the interface is. You can also do a "show interface vlan 6". Is it up/up or is it down? I know that in order for a VLAN interface to be in the up status a port needs to be assigned to that VLAN and it needs to be active.

Here is a link describing this issue in more detail if the line protocol of the interface is down:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080160b14.shtml

If the interface vlan 6 does happen to be down because of the above you can exclude it from requiring a port in that vlan by using the "Autostate" command. Here is a link on doing this. You will basically go under that interface and type the command "switchport auto-state exclude"
Switch#config t
Switch(config)#interface vlan 6
Switch(config-if)#switchport auto-state exclude

http://www.ciscopress.com/articles/article.asp?p=1574301&seqNum=3
http://dhucaby.wordpress.com/2010/06/07/ccnp-switch-svi-autostate/

Let me know the results
Nope... Everything is up:
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.16.116.2    YES NVRAM  up                    up
Vlan2                  172.16.129.4    YES NVRAM  up                    up
Vlan3                  172.16.130.4    YES NVRAM  up                    up
Vlan5                  172.16.150.254  YES NVRAM  up                    up
Vlan6                  172.16.160.254  YES manual up                    up
Vlan7                  172.16.170.254  YES NVRAM  up                    up
FastEthernet0/32       unassigned      YES unset  up                    up
FastEthernet0/40       unassigned      YES unset  up                    up

I thought the manual vs NVRAM method might mean something but that just indicates the interface was created from the CLI since the last boot.
I think that this is probably an issue with the WLC.  I created a new interface on it for VLAN8 with the same basic info: 172.16.180.10/255.255.255.0 gw 172.16.180.254.  I created a new SVI for VLAN8 with the IP address 172.16.180.254.  Everything worked fine!  I could ping both ways.  I thought maybe the 160 interface was screwed up in some way so I deleted it and recreated it but it is still doing the same thing.

So, let me get this figured out and I will get back to this issue... hopefully shortly.
Well, this all turned out to be an issue between the WLC and the Cisco switch 1.  There was some sort of incompatibility when I used port 2 tagged with VLAN 6 and had the FA0/32 port on the switch set to native VLAN 6.  Once I removed the "switchport trunk native vlan 6" (which isn't really necessary as the packets are all tagged anyway) everything worked.  I think it should have worked, albeit redundantly, so I will chalk this up to a bug.
Once I figured out the WLC/switch issue, this solution worked perfectly without the need to setup ACLs.
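The accepted solution is not visible on the page, so what follows is an added example, not the thread's configuration. It shows switch 1's two WLC-facing ports as the asker ended up with them (VLAN 6 tagged, no native-VLAN override on FastEthernet0/32) plus the pieces needed to carry VLAN 6 at layer 2 all the way to the firewall, which matches the asker's stated goal of keeping guest traffic isolated to VLAN 6 without ACLs. Assumptions: the trunks are pruned to the VLANs each link needs, the uplink port name GigabitEthernet0/1 is invented, and the firewall's VLAN 6 virtual port (address not given in the thread) is the guests' default gateway.

```cisco
! Added example: WLC-facing trunks on switch 1 after the native-VLAN fix.
! A tag of 6 on the wire and "native vlan 6" on the port both describe VLAN 6 frames,
! but the native-VLAN setting expects them untagged; the asker found this combination
! broke connectivity, so the port carries VLAN 6 tagged only.
interface FastEthernet0/32
 description WLC Port 2 (VL06)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 6
 switchport mode trunk
 spanning-tree portfast trunk
!
! Port 1 is left as the asker had it: VLAN 5 untagged (native) for WLC management,
! VLAN 7 tagged for the internal WiFi clients. Pruning the trunk is an assumed addition.
interface FastEthernet0/40
 description WLC Port 1 (VL05)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport trunk allowed vlan 5,7
 switchport mode trunk
 spanning-tree portfast trunk
!
! Inter-switch trunk toward switch 2 and the firewall (interface name assumed).
! VLAN 6 is allowed so guest frames reach the firewall's VLAN 6 virtual port as
! plain layer-2 traffic; the same allowed list is needed on every hop in between.
interface GigabitEthernet0/1
 description Uplink toward switch 2 / ISA firewall
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,3,5,6,7
 switchport mode trunk
!
! Keep the guest subnet out of the switch's routing table entirely: with no SVI in
! VLAN 6, the only router guests can reach is the firewall's VLAN 6 port, so no
! inter-VLAN path to 172.16.116.0/24 or the other internal subnets exists.
no interface Vlan6
!
! Checks worth running on both ends of every trunk after a change like this:
! show interfaces trunk                       (native VLAN and allowed VLANs must agree)
! show interfaces FastEthernet0/32 switchport (operational mode, native VLAN, pruning)
```

With this layout the isolation comes from topology rather than filtering: the guest subnet has no gateway inside the switches, so a guest client can only talk to other VLAN 6 hosts and to the firewall. If an SVI for VLAN 6 is ever added back (for instance for DHCP relay), the routed ACL approach from earlier in the thread becomes necessary again, because the switch would then route between VLAN 6 and the internal VLANs by default.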