Techrunner
Network Design for Guest Internet Access

Hello Experts

We are planning to deploy Wireless Internet Access throughout the campus. The campus consists of three buildings (B1, B2 and B3). All three buildings are networked together.
The campus cores are located in the B1 Data Center and each building has its own Distribution Switches connected to the Cores on L3 links. Access Switches are terminated on the Distribution Switches.

The Cores and Distribution Switches are configured with several VLANs.

We have already bought Cisco WAPs and a Controller ready for deployment. Each WAP will be configured with 2 SSIDs.
In this question, we are just concerned about Guest Internet Access.


We have got a new Internet connection of 50 Mbps and a Cisco router dedicated to Guests; the line is terminated in our DC and will be connected to a Core Switch.

Now my concern is what is the best possible way to design a secure network for Guests. The Guest traffic should not be able to talk to the Staff and Server networks.

Many thanks in advance.
John

A VLAN that is isolated from the main network will do precisely that - prevent guests on the VLAN from using / seeing the main network.

If you have any Wi-Fi on the main network, secure it very well so normal guests cannot crack it.
Techrunner (Asker)

VLAN with L3 SVI or only a Layer 2 VLAN?
Either will suffice for most uses.
I never liked the idea of just using a Layer 2 VLAN or L3 with ACLs alone on the guest network. I'm not sure whether there are other options.
You can set up a guest router on a different DHCP network. That, too, will isolate and for most purposes is OK. It is not as secure as VLAN.
I've heard about using VRF, but I am not aware of its deployment and configuration.
I have not used that.
No problem, let's hear from other experts about their opinion.
hypercube
Here are some simple diagrams which you may find useful.

The first page shows how you can cascade routers (which entails double or triple NAT but I find no particular disadvantage to that - in contrast to opinions of some).  When you cascade routers, the guest router should be at the "top" nearest the internet gateway.  In some cases, the computers at the "bottom" can "see" the computers higher up but not the reverse.  It is true that packets destined for the internet from the "private" LAN will traverse the upper LAN but without physical access I don't know how those packets could be sniffed.

The second page shows how you can run routers in parallel in which case there are no computers on common LANs.  There is still double NAT but not triple.  There are no computers on a LAN that shares traffic (even if on a separate subnet - as "LAN" and "subnet" aren't the same thing).

With this sort of thing in mind then, if you have VLAN-capable hardware you might effectively do the parallel method with a single router and two VLANs - a VLAN replacing a router each.
But, if you don't, then commodity routers will do just as shown.
Multiple-Subnets.pdf
Samir, the right way to do this with a Cisco WLC is to use a dedicated WLC as an "anchor". It sits in a DMZ and terminates a secure tunnel between the dedicated guest internet circuit and your corporate WLC.

If you don't have an anchor WLC you can connect the guest internet circuit directly to the corporate WLC using a dedicated port and send guest wireless traffic straight out of the internet router. That sounds like the way forward here.
VRF is an option but less favourable if you can connect a circuit directly to the WLC.
Hi,
If I have multiple internet connections, dedicated to each provider in the buildings, how is that possible then?
Because we have guests and different third-party contracted providers that require only Internet access and an L2L VPN between us and them.

What is the best way to design such network ?
I'll need a diagram of what you currently have, Samir. It sounds like it'll need an anchor or VRF. Separate interfaces are probably out of the question.
Sure, I will post a diagram shortly.
Hi
Please find the attached diagram; it is just the main layout, without showing any redundant links.
screenshot.png
Thanks, Samir. That would fit VRF perfectly. Each building is a separate "customer", right?
Samir, actually it is simple. The WLC can do what you need easily with what you already have. You can group APs and separate their traffic per group, pushing guests over the guest VLAN from the core (which is where the WLC would be connected).
Sir
These internet connections will not be limited to Wireless only; many of the users will be on Wired connections also.

Thanks
Ok so VRF is still ok. You can put each building in its own VRF and still connect each to the internet, and do guest. I'm guessing you have ACLs at the moment?
I've never worked with VRF; can you please help with deployment and configuration?
Yes we have ACLs to prevent VLANs talking to each other.

Thanks
Sure can. I'm not able to do anything until tomorrow now but I can show you what's needed.
No problem, I can wait :) Highly appreciating your usual help and support.
Ok, so we need to ask some questions before we VRF the network to get us started, to work out where we can and can't separate traffic.

1] Does each site need to see any other's traffic?
2] Are the Internet connections specific to particular sites, or does each site use P1 and P2?
3] What control do you have over the Internet routers?
Thank you Sir.

1. Sites should be able to see each other's traffic; only Guests and Providers shouldn't be able to see each other or our production network.
2. Currently the internet connections are dedicated for each provider and for guests.
3. Actually we control them, to be honest, but I'm really interested in limiting the traffic from a bandwidth point of view.
This should be relatively easy then.  Last question... do you have wired connections that need to be on the guest network?
Yes Sir, there will be wired connections for Guests and Providers' employees.
SOLUTION
Craig Beck
This solution is only available to members.
Ok Sir, if I understood correctly, the idea here is to first convert the link between the Cores and the Distribution Switches to L2 instead of L3?
Yes, if they're pure L3 they need to be L2, with an SVI to route the 'corporate' traffic and another SVI to route 'guest' traffic. You'll still be doing L3, just over a L2 link.
Is it possible to have a simple diagram to understand the scenario?

Currently the SVIs for the VLANs are on the distribution switches, so do I need to move all SVIs to the Cores?
No, you don't need to move all SVIs to the cores. All we're going to be doing is using a new SVI for the L3 link at the distribution switches instead of putting the IP on a physical interface. If you send me your L3 interface config from each end I'll show you how to convert.
If you send me your L3 interface config from each end I'll show you how to convert.

As Craig knows he means publishing the configuration here in the Q&A forum.
Core Switch 1

int gi2/10
 description < Link to gi1/1/1 to Distribution SW1 B1
 ip address 10.41.23.1 255.255.255.252

Core Switch 2

int gi2/10
 description < Link to Gi2/1/1 Distribution SW2 B1
 ip address 10.41.24.1 255.255.255.252

DSW1

int gi1/1/1
 ip address 10.41.23.2 255.255.255.252

DSW1

int gi2/1/1
 ip address 10.41.24.2 255.255.255.252
Thanks, Samir.

So you have 2 cores, not 1?
How does each core see each other?  Do you have L2 or L3 links between?
Does the Guest internet circuit connect to both cores?
Hi,
Yes, we have 2 Cores at the Core Layer. They are connected at Layer 2. But after 2-3 months we are planning to add VSS.


The Internet circuit is connected to a router, and the router is connected to Core 1 only as of now, without any L2 or L3 configuration between the router and the core.
I'd wait for the VSS at the core before you do this. It'll be a lot cleaner and a lot easier.

You can do the wireless bit easily but wired guest will be a little harder as VRF will be required to securely route traffic (as you have L3 links between core and dists).

What dist switches do you have, Samir?
Sir
VSS might take some time to implement and we need Guest and Providers Internet.

We have 3750X at Dist.

I have no issue going with VSS with your kind support.
Do you already have providers internet?
Yes
We have already got the internet circuit
Just need to design and implement the solution
Ok so of all the diagram you gave, how much of it is actually working already?
The Core,DSW and Access Switches
Ok do you have IP Services on the 3750X?
Yes Sir
Cool so we can VRF all the way to the 3750X.

I'll send a config tomorrow :-)
Thanks a lot
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks Sir
The config is complicated but I will try to work it out.
Just to clarify, why do we have loopback interfaces; is it just for OSPF Router ID purposes?
Yes loopbacks are for OSPF. If you don't use dynamic routing you don't necessarily need loopbacks.

Basically, all interfaces in the GUEST VRF are in a separate routing domain to the CORP interfaces. The GUEST interfaces are tagged in the GUEST VRF using the ip vrf forwarding GUEST command. This keeps them separate from the 'global' routing table where CORP interfaces live.
Thank you Sir
We have another site which has a separate Guest Internet Circuit. This site has a collapsed core network, so how will the configuration look if the Guest Internet Router is connected to the Collapsed Core Switch?

I'm going to office tomorrow to test all the config

Thanks
All you need to do is create a VRF at the core and put any interfaces related to the Guest service into the VRF. That will separate the Guest from everything else.

Have a look at each section of the config I gave you to see how it fits. The static default route is tagged in a VRF too.
If you have an IP Services image for a 3625 or similar you can use GNS3 to lab it.
Sure, I will lab them in GNS3 and will post here if anything goes wrong.
I'm actually out of office and will return tomorrow; I will lab them in GNS3 and will update you.
No rush, Samir. I'm away until Saturday too.
Hello
Sorry for the delay in reply.
This is the topology I have set up in GNS3, but I haven't configured anything yet.
screenshot.png
I've configured the VRFs.

How can I inject VRF routes into the global routing table and vice versa?

As I have a monitoring station and I need to monitor the routers placed in the Guest and Providers VRFs.
SOLUTION
This solution is only available to members.
Hi,

Thanks for the link

Just confused with some of the above configuration: why have you created two separate VLANs, i.e. Corp Transit and Guest Transit?

Is it not possible with just 1 transit VLAN?

Thanks
No - you have to route traffic for each VRF over its own link.  That requires a transit link in each VRF.

They're two separate routing domains, so if you pushed all traffic over one single L3 interface how would the next hop know which VRF to put the traffic on?
Thanks sir for the clarification.
It may sound like a similar question: is this scenario not possible using L3 links?
Absolutely, if you have enough physical interfaces.  Instead of using trunks and SVIs you could do...

interface GigabitEthernet1/1/1
 description CORP TRANSIT
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/1/2
 description GUEST TRANSIT
 no switchport
 ip vrf forwarding GUEST
 ip address 192.168.0.1 255.255.255.252
!


Hi Sir

I see you have different configuration for HSRP on Core 1 and Core 2. The default route for the GUEST VRF is pointing to the Standby IP; however, the route should point to the GUEST internet Router interface.

I am a bit puzzled.

Another thing: the Guest Subnet is /29, so here what will be the subnet for Guest Users? I want to make the routers DHCP servers for the clients also.

Thanks
Yes, I put the wrong IP as the GUEST default route. You're right.

The guest subnet is a /29 for the guest internet router VLAN at the core but guest users will be at DSWs so you can make them as big as you need. I used VLAN 666 with a /24 in my example.
Thanks Sir
Just another couple of points:
- Why have you added network statements for the loopback interfaces?
- Why is the default route pointing to the loopback (10.0.0.1) on the Core Switch?
- Also, I noted you have not advertised VLANs 215, 216 and 217 from the Cores to the DSW?
Network statements for loopbacks is habit, but the default information originate command injects a default route into the stub areas (each DSW) so really we don't need to advertise VLANs 215-217 as the DSWs route everything via the core anyway.
Default route should point to your internet routers - that was a mistake on my part :-)
Thank you sir.

The switch port on the Core Switch connecting the guest and providers routers should not have the "ip vrf forwarding" command? Right Sir?
However, SVIs are part of their own VRFs.
The switch port on the Core Switch connecting the guest and providers routers should not have the "ip vrf forwarding" command? Right Sir?

The Guest router should be in its own VRF. It needs the ip vrf forwarding command. If you don't use that command, the GUEST VRF can't use the router to route traffic. Similarly, the corporate side of the network shouldn't be able to get to the guest router. Only GUEST traffic should be able to get to the router.
Because, Sir, what happens here is that I configured the GUEST SVI as follows, and the switchport on which the GUEST router is connected:

interface Vlan215
 description Link to GUEST Internet
 ip address 192.168.0.2 255.255.255.248
 standby 255 ip 192.168.0.1
 standby 255 priority 110
 standby 255 preempt

int gi0/2
 switchport access vlan 215
 switchport mode access

GUEST Router

int gi0/0
 ip address 192.168.0.3 255.255.255.248

With the above configuration I was able to ping the SVI IP from the Router but not vice versa. Actually I was puzzled how the traffic was returned from the Core to the Router if I didn't put the router into the GUEST VRF.
SOLUTION
This solution is only available to members.
Thanks Sir, it's clear now.
When I am trying to add "no interface-default for Vlan2002" under the VRF OSPF process I receive the error "Interface %Interface specified does not belong to this process".
Any idea what could be the issue ?
You don't have this...

interface Vlan2002
 ip vrf forwarding GUEST


Thanks Sir
Everything is configured; however, the VRF Guest default route is not advertised to DSW1.
Below is the configuration and the routing tables.

Core 1

vlan 215
!
interface Vlan215
 description Link to GUEST Internet
 ip vrf forwarding GUEST
 ip address 192.168.0.2 255.255.255.248
 standby 255 ip 192.168.0.1
 standby 255 priority 110
 standby 255 preempt

vlan 2002
!
interface Vlan2002
 ip vrf forwarding GUEST
 ip address 172.17.1.1 255.255.255.252

router ospf 2 vrf GUEST
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate always

interface Ethernet0/1
 description **Link to DSW1**
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2001,2002
 switchport mode trunk



DSW1

vlan 666

interface Vlan666
 description GUEST VLAN
 ip vrf forwarding GUEST
 ip address 192.168.101.1 255.255.255.0

vlan 2002

interface Vlan2002
 ip vrf forwarding GUEST
 ip address 172.17.1.2 255.255.255.252

router ospf 2 vrf GUEST
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 network 192.168.101.1 0.0.0.0 area 0

interface Ethernet0/0
 description **Link to Core**
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2001,2002
 switchport mode trunk
 duplex auto



Routing Tables


Core 1
CSW1#sh ip route 
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.1.0/29 is directly connected, Vlan216
L        10.0.1.2/32 is directly connected, Vlan216
C        10.0.2.0/29 is directly connected, Vlan217
L        10.0.2.2/32 is directly connected, Vlan217
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/30 is directly connected, Vlan2001
L        172.16.1.1/32 is directly connected, Vlan2001

CSW1#sh ip route vrf GUEST

Routing Table: GUEST

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.3
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/30 is directly connected, Vlan2002
L        172.17.1.1/32 is directly connected, Vlan2002
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/29 is directly connected, Vlan215
L        192.168.0.2/32 is directly connected, Vlan215
O     192.168.101.0/24 [110/2] via 172.17.1.2, 00:08:42, Vlan2002

CSW1#sh ip route vrf GUEST ospf

Routing Table: GUEST

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

O     192.168.101.0/24 [110/2] via 172.17.1.2, 00:09:13, Vlan2002



DSW1

DSW1#sh ip route
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan100
L        10.1.1.1/32 is directly connected, Vlan100
C        10.1.2.0/24 is directly connected, Vlan110
L        10.1.2.1/32 is directly connected, Vlan110
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.16.1.0/30 is directly connected, Vlan2001
L        172.16.1.2/32 is directly connected, Vlan2001
C        172.16.2.0/30 is directly connected, Vlan2003
L        172.16.2.2/32 is directly connected, Vlan2003
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.2.0/30 is directly connected, Vlan2004
L        172.17.2.2/32 is directly connected, Vlan2004

DSW1#sh ip route vrf GUEST

Routing Table: GUEST
Gateway of last resort is not set

      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/30 is directly connected, Vlan2002
L        172.17.1.2/32 is directly connected, Vlan2002
      192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.101.0/24 is directly connected, Vlan666
L        192.168.101.1/32 is directly connected, Vlan666


SOLUTION
This solution is only available to members.
Hi Sir
But the problem is the DSW is not receiving the default VRF route from the Core, while the Core did receive the VRF subnet.
Agreed, but tidying up OSPF won't hurt :-)
Sure Sir
I tried the above command but I still don't see any route on DSW1 for the Guest VRF.


DSW1

DSW1#show ip route vrf GUEST ospf

Routing Table: GUEST
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set



CSW- Core

CSW1#sh ip route vrf GUEST ospf

Routing Table: GUEST
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

O E2  192.168.101.0/24 [110/20] via 172.17.1.2, 00:00:17, Vlan2002


And you 100% have default-information originate in the OSPF config at the core? That should be all you need.
Yes Sir this is the OSPF config on Core

router ospf 2 vrf GUEST
 router-id 192.168.0.3
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate


Sir, The issue is resolved.

I removed default-information originate from the DSW1 switch, but I have no clue why it was causing this issue.

router ospf 2 vrf GUEST
 redistribute connected subnets
 passive-interface default
 no passive-interface Vlan2002
 network 172.17.1.0 0.0.0.3 area 0
 no default-information originate
Very last question in this thread: I need to have routes on the Guest Router for the Guest VLANs using OSPF, hence what will be the best approach?
Ok so if it was on DSW1 it thought itself was the default route. The default-information originate command tells other routers that it is the default router.

You can configure OSPF on the guest router to learn routes from the core and put default-information originate always there then the core will use the guest router as its default route.
I configured the router as follows but no routes were learned from the Core:

router ospf 1
 network 192.168.0.3 0.0.0.0 area 0
You should advertise the network at the core too. That actually runs the routing process on the interface. You'll need to use no passive-interface Vlan215 at the core too.
I configured the below on the Core and the Router but no adjacency took place:

Core
router ospf 2 vrf GUEST
 router-id 192.168.0.3
 passive-interface default
 no passive-interface Vlan2002
 no passive-interface Vlan215
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate

Router

router ospf 2
 network 192.168.0.3 0.0.0.0 area 0
As I said, you need to advertise the network at the router and the core.

network 192.168.0.0 0.0.0.3 area 0
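As an added example (not from this thread, from Cisco, or from any of the participants), a small Python lint for the two VRF-lite mistakes worked through above: an interface that an OSPF process for a VRF activates with "no passive-interface" while the interface itself lacks "ip vrf forwarding" for that VRF (the Vlan2002 error), and an interface whose address no "network" statement matches, so OSPF never runs on it (the missing Vlan215 statement). The sample config is constructed, modelled on the core-switch snippets posted in the thread, and the parser only understands the handful of IOS commands used here.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample modelled on the core-switch config posted in this thread (not a real device).
# Vlan2002 lacks "ip vrf forwarding GUEST", and no network statement covers Vlan215's address.
SAMPLE_CONFIG = """
interface Vlan215
 ip vrf forwarding GUEST
 ip address 192.168.0.2 255.255.255.248
!
interface Vlan2002
 ip address 172.17.1.1 255.255.255.252
!
router ospf 2 vrf GUEST
 passive-interface default
 no passive-interface Vlan2002
 no passive-interface Vlan215
 network 172.17.1.0 0.0.0.3 area 0
 default-information originate
!
"""

def wildcard_to_network(addr, wildcard):
    """IOS 'network A W' uses an inverse mask: 0.0.0.3 -> /30, 0.0.0.0 -> /32 (one host)."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_ios(text):
    """Collect each interface's VRF and address, and each 'router ospf' process's details."""
    interfaces, processes = {}, []
    ctx = None  # dict for the section currently being read
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):  # a top-level command (or "!") starts a new section
            ctx = None
            if words[0] == "interface":
                ctx = interfaces.setdefault(words[1], {"vrf": None, "ip": None})
            elif words[:2] == ["router", "ospf"]:
                vrf = words[4] if len(words) > 4 and words[3] == "vrf" else None
                ctx = {"vrf": vrf, "active": [], "networks": []}
                processes.append(ctx)
        elif ctx is not None and "ip" in ctx:  # inside an interface section
            if words[:3] == ["ip", "vrf", "forwarding"]:
                ctx["vrf"] = words[3]
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                ctx["ip"] = ip_interface(f"{words[2]}/{words[3]}")
        elif ctx is not None:  # inside a router ospf section
            if words[:2] == ["no", "passive-interface"]:
                ctx["active"].append(words[2])
            elif words[0] == "network" and len(words) >= 3:
                ctx["networks"].append(wildcard_to_network(words[1], words[2]))
    return interfaces, processes

def audit_config(text):
    """Flag interfaces an OSPF process activates that are not in its VRF, and interfaces
    whose address no 'network' statement matches (OSPF will stay silent on them)."""
    interfaces, processes = parse_ios(text)
    findings = []
    for proc in processes:
        for name in proc["active"]:
            intf = interfaces.get(name)
            if intf is None or intf["vrf"] != proc["vrf"]:
                findings.append(f"{name}: not in VRF {proc['vrf']} (interface VRF: {(intf or {}).get('vrf')})")
            elif intf["ip"] and not any(intf["ip"].ip in net for net in proc["networks"]):
                findings.append(f"{name}: no 'network' statement matches {intf['ip'].ip}")
    return findings
```

Run audit_config() on a "show running-config" dump to get the findings list; an empty list means every interface the VRF's OSPF process touches is in that VRF and has a matching network statement.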
Excellent Sir
Everything is working fine, as desired.

Thanks a lot for your usual excellent support and precious time.
That's good to hear, Samir.  As always, glad to help :-)