543 Views | 3 Helpful | 7 Replies

Give VLAN internet but not LAN access via SFP

magesalexander (Level 1)

Hundreds of new, unfamiliar devices connect to our network each day, and I'm tasked with creating a VLAN that accesses the internet, but nothing else. I just started learning about VLANs a week ago, but I'm confident all I need is a nudge; I just don't know what I don't know.

I have the VLAN configured, but I don't know how to give it ONLY internet access. I configured ports 1-24 on my Catalyst 9300 to belong to VLAN 10, and I gave VLAN 1 along with VLAN 10 SVIs, for the web UI on the management port and for a gateway on the VLAN side respectively. I considered configuring port 48 as a trunk (allowed VLANs all, native VLAN 10) to a neighboring switch, but I decided against it, as I realized this would require use of my main network's gateway, allowing LAN access (I think). I put a dedicated DHCP server inside of the isolated VLAN, so currently devices can connect to the VLAN and talk to each other and the switch, but nothing else, and I want this to remain the case, except for the addition of internet access. I hope to use the SFP/fiber module, but I don't know how to figure out where my available fiber connection leads (to a router/gateway in the LAN or to the ISP), nor how to route it once it leaves the switch; if it leads to a gateway/router, how can I route this while securely isolating VLAN traffic from the rest of the LAN, and if it leads to the ISP, do I need additional hardware to handle routing to the internet? The main LAN uses a firewall as a gateway, and the subnets are vastly different (192.168. vs 10.10.).

There is unfortunately an exception: I need one or two access points to be able to talk to a wireless LAN controller shared by the APs on my main LAN. It's trivial to physically connect a separate interface of the wireless LAN controller to the VLAN ports on the switch, and presumably the WLC can correctly handle VLAN tagging (set native VLAN 10 on this port OR set the VLAN ID to 10 in the WLC on the relevant interface; as I understand it, either of these works), but I'm not a network engineer, so I want to make sure this is a sensible configuration given my objective of network isolation. If relevant, this will eventually service up to ~100 clients simultaneously.

I just don't know what I'm looking for. Suggestions are welcome, no matter how critical.

Thanks!


7 Replies

chrihussey (VIP Alumni)

It sounds like you only have two VLANs. If that's the case you could simply put in and out access lists on the internet only VLAN SVI interface denying access to and from the other VLAN(s) networks and then permitting all else...the internet. As far as the WAPs and communication to the WLC, you could also permit those instances.

If you care to share some basic configs or network information an example config could be provided.

Regards
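As an added example (mine, not configuration from either poster), this is what the in/out access-list approach suggested above looks like on the Catalyst 9300 if it stays the routed gateway for VLAN 10. Everything not visible in the thread is an assumption: the WLC is placed at 192.168.1.10 (hypothetical), AP-to-WLC traffic is CAPWAP on UDP 5246/5247, all inside networks fall within the RFC 1918 ranges, and the uplink to the main LAN (Gi1/0/48) is a plain VLAN 1 access port rather than the trunk with native VLAN 10 in the posted config; with that native VLAN setting, untagged frames from the main LAN are placed straight into VLAN 10 at layer 2, and no ACL on an SVI can undo that. Only this one switch needs to understand VLANs; the rest of the LAN never sees a tag.

```ios
! Added example, not the thread's running-config: ACL-based isolation with the
! Catalyst 9300 staying the routed gateway for VLAN 10.
! Assumed, not from the thread: WLC at 192.168.1.10, CAPWAP on UDP 5246/5247,
! inside networks all within RFC 1918 space, uplink Gi1/0/48 is a VLAN 1 access port.
ip routing
! With routing enabled "ip default-gateway" is ignored; a static default route replaces it.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip access-list extended VLAN10-IN
 remark APs in VLAN 10 may reach the WLC (CAPWAP control 5246, data 5247); nothing else inside
 permit udp 10.10.0.0 0.0.255.255 host 192.168.1.10 range 5246 5247
 remark Deny all private space: the 192.168.1.0/24 LAN, any other inside network, and the
 remark switch's own SVIs, so the web UI and SSH on 10.10.1.1 / 192.168.1.252 are unreachable
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark What is left is the Internet; matching the source range also drops spoofed sources
 permit ip 10.10.0.0 0.0.255.255 any
!
ip access-list extended VLAN10-OUT
 remark WLC replies to the APs
 permit udp host 192.168.1.10 range 5246 5247 10.10.0.0 0.0.255.255
 remark Let the LAN gateway report path-MTU problems so large transfers do not hang
 permit icmp host 192.168.1.254 10.10.0.0 0.0.255.255 packet-too-big
 remark Inside hosts may not initiate anything into VLAN 10
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Return traffic from the Internet
 permit ip any 10.10.0.0 0.0.255.255
!
interface Vlan10
 description Isolated VLAN (Internet only)
 ip address 10.10.1.1 255.255.0.0
 ! The DHCP server sits inside VLAN 10, so no helper-address is needed.
 ip access-group VLAN10-IN in
 ip access-group VLAN10-OUT out
 ! The posted "show ip interface" reported Proxy ARP and ICMP redirects enabled;
 ! neither is wanted on an untrusted segment.
 no ip proxy-arp
 no ip redirects
!
! Still required outside this switch: the firewall needs a route for 10.10.0.0/16
! via 192.168.1.252 and must NAT that range to the WAN (or the upstream Internet
! router needs a route back), otherwise nothing returns.
```

The inbound list is evaluated for packets addressed to the switch itself as well, which is why the blanket deny on 10.0.0.0/8 also keeps VLAN 10 hosts away from the gateway's own management plane (the posted config has `ip http server` enabled). Hosts in VLAN 10 will therefore not be able to ping 10.10.1.1; for an Internet-only segment that is the intended behaviour.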

This is definitely the simplest (and presumably the intended) way of doing this, but unfortunately, the network is almost entirely untagged. The only switch configured with VLANs is the one I just added, and I created VLAN 1 merely to access the management interface in band.

Am I correct in thinking that this would require all traffic in the network to be tagged to a VLAN? Would an untagged frame be visible to devices in the isolated VLAN? I fear this isn't very practical in my case; we don't have a core switch/router (a single, eventual gateway for all traffic), I don't have access to the configs/credentials of most of the switches, and I'm a temporary employee, so despite wanting to overhaul the network, the changes I make can't affect the configuration used for newly added switches, if for no other reason than because I'm not certain I'd have sufficient time to fix it if I break everything.

My assumptions could be painfully wrong, so please correct me if this is the case. I've attached the censored and truncated output of "show running-config", followed by similar output from "show ip interface". Notably, the trunk port's "Operational Mode" is "access"; that is, it's configured as a trunk, but the connected interface on the neighboring switch isn't. I understand the DHCP server pretty well, and the current configuration assigns addresses that would allow access to both internet and LAN, if the switch were actually trunking, that is.

Thank you for your help!

!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.1.252 255.255.255.0
 speed 1000
 negotiation auto
!
interface GigabitEthernet1/0/1-12
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/13
!
...
...
...
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/5
!
interface TenGigabitEthernet1/1/6
!
interface TenGigabitEthernet1/1/7
!
interface TenGigabitEthernet1/1/8
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface Vlan1
 ip address 192.168.1.252 255.255.255.0
!
interface Vlan10
 description Isolated VLAN
 ip address 10.10.1.1 255.255.0.0
 ip helper-address 10.10.1.2
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
Vlan1 is up, line protocol is up
  Internet address is 192.168.1.252/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set 
  Outgoing access list is not set
  Inbound Common access list is not set 
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
Vlan10 is up, line protocol is up
  Internet address is 10.10.1.1/16
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is 10.10.1.2
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set 
  Outgoing access list is not set
  Inbound Common access list is not set 
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
GigabitEthernet0/0 is down, line protocol is down
  Internet address is 192.168.1.252/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set 
  Outgoing access list is not set
  Inbound Common access list is not set 
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  VPN Routing/Forwarding "Mgmt-vrf"
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
GigabitEthernet1/0/1 is up, line protocol is up
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/2 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/3 is up, line protocol is up
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/4 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/5 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/6 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/7 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/8 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/9 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/10 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/11 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/12 is up, line protocol is up
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/13 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
...
...
...
  Internet protocol processing disabled
GigabitEthernet1/0/43 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/44 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/45 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/46 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/47 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/0/48 is up, line protocol is up
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/1/1 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/1/2 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/1/3 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
GigabitEthernet1/1/4 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
TenGigabitEthernet1/1/1 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
...
...
...
TenGigabitEthernet1/1/8 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
FortyGigabitEthernet1/1/1 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled
FortyGigabitEthernet1/1/2 is down, line protocol is down
  Inbound  access list is not set
  Outgoing access list is not set
  Internet protocol processing disabled

Accepted Solution

Honestly, I don’t think a proper solution can be provided without knowing the configuration and operation of the existing network. If the existing network is not using VLANs, it sounds like it is either a single flat network or perhaps isolated groups of switches for each network with a dedicated gateway port on a router or firewall. Once you add a new subnet for the Internet-only VLAN there needs to be some sort of provision made to route and control the access via whatever is in place.

That being said, if VLAN 1 is strictly for management and VLAN 10 for the isolated Internet only network:

1. Keep the VLAN 1 interface for management but connect via a VLAN 1 access port, not a trunk.
2. If the WAPs are to provide wifi for the Internet only subnet then trunk them to the switch and allow VLANs 1 & 10.
a. VLAN 1 will be for connectivity between the WAP and WLC and will use the same port that the VLAN 1 interface uses to connect
b. VLAN 10 will not go back to the WLC but instead exit locally into that network on the switch.
3. Remove the VLAN 10 interface. Without it the VLAN 1 and 10 networks will not know of each other. If the DHCP server is local to the switch in VLAN 10 it should still work.
4. Connect a VLAN 10 port (copper or SFP) to an available port on the firewall or router which will be VLAN 10’s gateway IP where the proper policies and rules can be applied.

In this scenario the VLAN 10 network is strictly layer 2 with no IP connectivity to the other network via this switch, and its gateway is on the existing network. I understand that #4 is a variable out of your control, but without it I don’t see how you can just add a switch in this manner and be expected to make it work.

Even if you were to enable “ip routing” on the switch and control the access that way, there would still need to be some sort of provisions made on the current network to route to this new subnet.

Hope this helps.
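An added example (mine, not the thread's configuration) putting the four steps above into Catalyst 9300 syntax. Port roles are assumptions: Gi1/0/48 is the copper uplink to the existing untagged LAN, Gi1/0/47 is the new cable to the firewall, Gi1/0/13 is the AP, Gi1/0/1-12 stay client ports (the DHCP server among them), and the firewall's new interface takes over 10.10.1.1/16 so the DHCP scope's router option need not change. The security-relevant fix is the uplink: the posted config has it as a trunk with native VLAN 10 while the far end is in access mode, which means every untagged frame from the main LAN was being placed into VLAN 10, merging the "isolated" segment with the main LAN at layer 2.

```ios
! Added example, not the thread's running-config. Port roles are assumed (see lead-in).
no ip routing
!
vlan 10
 name ISOLATED-INTERNET-ONLY
!
! Step 3: no SVI in VLAN 10. The switch has no IP presence in the isolated
! network, so there is nothing on it that could route between VLAN 1 and VLAN 10.
no interface Vlan10
!
! Step 1: management stays in VLAN 1 over an access port. The original
! "switchport trunk native vlan 10" on this uplink mapped the untagged main LAN
! into VLAN 10.
interface GigabitEthernet1/0/48
 description Uplink to existing LAN, management only
 no switchport trunk native vlan
 switchport mode access
 switchport access vlan 1
!
! Step 4: VLAN 10 leaves the switch on a dedicated access port to the firewall's
! new interface, which carries the gateway address (10.10.1.1/16 assumed) and
! the Internet-only policy.
interface GigabitEthernet1/0/47
 description To firewall interface for 10.10.0.0/16
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Client ports and the local DHCP server: VLAN 10 only. BPDU guard err-disables
! a port if an unknown device starts speaking spanning tree into the segment.
interface range GigabitEthernet1/0/1-12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Step 2: the AP port is the only trunk. CAPWAP to the WLC rides untagged in
! VLAN 1 (step 2a); the guest SSID is tagged 10 and stays on this switch (2b).
interface GigabitEthernet1/0/13
 description Access point: CAPWAP on VLAN 1, clients on VLAN 10
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
!
interface Vlan1
 ip address 192.168.1.252 255.255.255.0
!
ip default-gateway 192.168.1.254
! The posted config enables both plain and secure HTTP for the web UI; keep only HTTPS.
no ip http server
ip http secure-server
```

Because 10.10.0.0/16 is now directly connected to the firewall, the firewall needs no static route for it; what it does need is a NAT rule for that range toward the WAN and a policy that allows 10.10.0.0/16 only to the Internet zone. After applying the uplink change, `show interfaces GigabitEthernet1/0/48 switchport` should report Operational Mode: static access with access VLAN 1.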

magesalexander (Level 1)

This is awesome. Thank you so much.

I have most of this working; the AP can ping the WLC over VLAN 1 even if it can't join (it doesn't seem to like the trunk port, but I don't know how to allow two VLANs on an access port yet), the DHCP server is only accessible from within VLAN 10, and the devices on the VLAN 10 access ports cannot ping the WLC nor the main LAN.

But I have one final problem: the firewall appliance (I am certain now that this is the network's core router, modem feeds into it) is several hundred meters of dense warehouse away from where the AP will be, and running cables just isn't feasible. The firewall plugs into a switch, which connects over fiber to the switch I hope to plug the AP into. Allegedly, there's a router in between, but I don't think there is, and I can't figure out how to check (traceroute just yielded a bunch of asterisks).

If there isn't a router in between, I was hoping to move the switch to the server closet containing the firewall, connect a VLAN 10 port to the firewall as suggested, and connect the fiber link (which I hope to locate the other end of using LLDP) to a VLAN 10-dedicated switch across the warehouse, which the AP will connect to. Would this work? Would the port on the new switch that the WAP plugs into need configuration to allow VLANs 1 and 10?

I'm almost certain that there isn't, but if there is a router... I'm having some trouble conceptualizing how I could maintain strict isolation over a single connection, and I don't know if it'd be preferable to have the router midspan on the switch-AP link or the switch-firewall link; that is, should I still directly connect the switch to the router? I feel like tunnelling would be plenty secure, but it might perform worse than a lower-level solution.

Lastly, any chance you could hint towards what routing would look like on the firewall? Do I just add a static route pointing any request for 10.10.*.* to the relevant switch? Do I need to do so even if the configured switch is directly connected to the firewall? My confusion arises from the deletion of the VLAN 10 interface, as it's my understanding that this switch is still the subnet gateway, but my intuition falls apart once it doesn't have an IP address; do I give the firewall an IP in the new subnet and use that as a gateway instead?

I greatly appreciate your help. You and all the other heroes of Cisco community.

Happy to hear this is helping.

You need to set up the WAP's access port as a trunk and with VLANs 1 and 10. Unfortunately, I don’t know how to set up the WAP for that but know it can be done.

The optimal scenario would be that your switch is connected to another switch with the fiber and that far switch can connect to a dedicated port on the firewall or router. Since it’s not a Cisco, LLDP may work. Good idea. Then, if you could create a VLAN 10 on that switch, you could trunk VLANs 1 and 10 between the two across the fiber and then configure a VLAN 10 access port to connect directly to the firewall or router. The IP on the interface on the firewall or router would be the default gateway for your 10.10.x.x network. (May need to update the DHCP server.)

Generally, if it was a firewall, the interface would be its own security zone or DMZ and the proper security and access policies could be applied; if a router, it could still be managed and controlled with access lists. In either case, if it is an interface on either, then they would know how to route to it. However, the provider’s Internet router (if separate) may need to know about the 10.10.x.x network and how to route to it.

So to your last question, the VLAN 10 network would be 100% layer 2 on the switches and would extend all the way to the firewall or router, which would have the IP interface and be the only way to get packets off the local subnet: to the Internet, but not to any of the other inside network(s).

I know you have limited access and options, but this is by far the simplest and to me that works best. Hopefully it’s a viable option and there isn’t a router in the middle.
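The two-switch layout just described, as an added example that is not the thread's configuration: the closet switch (cabled to the firewall) and the warehouse switch (cabled to the AP) are joined by a single fiber trunk carrying only VLANs 1 and 10. Assumptions: the fiber is on TenGigabitEthernet1/1/1 at both ends, the closet switch keeps a VLAN 1 access uplink to the main LAN on copper (not shown), the warehouse switch's management address is 192.168.1.251 (hypothetical), the firewall port is Gi1/0/47 and the AP port is Gi1/0/13, and VLAN 999 is an otherwise unused VLAN chosen as the trunk's native VLAN so that any untagged frame arriving on the fiber is discarded instead of landing in VLAN 1 or VLAN 10. The show commands at the end are the check for the "Operational Mode: access" symptom reported earlier in the thread.

```ios
! Added example, not the thread's configuration. Both switches get the same
! VLAN database and the same trunk settings on the fiber port.
!
! ---- both switches ----
lldp run
!
vlan 10
 name ISOLATED-INTERNET-ONLY
vlan 999
 name NATIVE-UNUSED
!
interface TenGigabitEthernet1/1/1
 description Fiber trunk between closet and warehouse switches
 switchport mode trunk
 switchport nonegotiate
 ! Native VLAN 999 is deliberately absent from the allowed list: untagged frames
 ! on the fiber are dropped rather than silently joining VLAN 1 or VLAN 10.
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,10
!
! ---- closet switch only ----
interface GigabitEthernet1/0/47
 description To firewall interface for 10.10.0.0/16 (VLAN 10 gateway lives there)
 switchport mode access
 switchport access vlan 10
!
! ---- warehouse switch only ----
! Yes, the AP port needs both VLANs: CAPWAP untagged in VLAN 1 back across the
! fiber to the WLC, the guest SSID tagged 10 toward the firewall.
interface GigabitEthernet1/0/13
 description Access point: CAPWAP on VLAN 1, clients on VLAN 10
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
!
interface Vlan1
 ip address 192.168.1.251 255.255.255.0
!
ip default-gateway 192.168.1.254
!
! ---- verification (exec mode, run on either switch) ----
! show lldp neighbors detail
!     identifies what is really at the far end of the fiber before trusting it
! show interfaces TenGigabitEthernet1/1/1 switchport
!     must report "Operational Mode: trunk" at both ends; the posted Gi1/0/48
!     output showed "access", so nothing was actually trunking
! show interfaces trunk
!     VLANs 1,10 must be listed as allowed and active on Te1/1/1
! show mac address-table vlan 10
!     every VLAN 10 MAC should sit on Gi1/0/47, Te1/1/1 or an expected client/AP port
```

Neither switch holds an IP address in 10.10.0.0/16; the only layer 3 hop for that network is the firewall interface, which is where the Internet-only rule set belongs.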

magesalexander (Level 1)

Just got it working!!!!

Not a single L3 interface on the switches (ended up using older switches as I had better transceivers available; badly installed fiber SUCKS), all L2 into the firewall where I set authoritarian access rules to permit only outbound WAN access. It works flawlessly; from the subnet, Nmap is oblivious to the existence of the main LAN, and when I connect "AD-configured" Windows devices and watch in Wireshark, they flail about but not a single packet makes it into the LAN. VLAN 11 stays local as intended.

The issue with the APs is a limitation of my admittedly-old WLC, totally unrelated.

I'd worked with Cisco wireless, but I honestly didn't know what a VLAN was a few weeks ago, and this was precisely the guidance I needed. You're the best.

Thanks for the update, glad I was able to help and congrats to you for getting it to work in what seemed to be a challenging situation to say the least.

Best regards
