Guest VLAN - Restriction

anthony.dyne
Level 1

Hello

What is the best way to implement a Guest VLAN and ensure it cannot communicate with the other VLANs?

vlan 2
 name User_VLAN
!
interface Vlan2
 ip address 10.10.5.1 255.255.254.0
!
vlan 3
 name Server_VLAN
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
!
vlan 4
 name Management_VLAN
!
interface Vlan4
 ip address 10.10.7.1 255.255.255.0
!
vlan 5
 name Uplink_to_ASA
!
interface Vlan5
 ip address 10.1.1.1 255.255.255.252
!
vlan 10
 name guest_VLAN
!
interface Vlan10
 ip address 172.16.17.1 255.255.255.0
 shut
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2

4 Replies

Richard Burts
Hall of Fame

Anthony

You have not told us much about your environment and there may be things that we do not know about yet which might change our advice. But based on what you have given us so far I would suggest that the solution would be to configure an inbound access list on the vlan 10 interface. The access list would deny any traffic originating within the guest vlan that has destinations in the other VLANs on that router/switch and permit traffic to the Internet.

The access list might look something like this:

access-list 150 deny ip 172.16.17.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 deny ip 172.16.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 172.16.17.0 0.0.0.255 any

HTH

Rick

Hi Rick

Thanks for your input. In our environment the Internet router connects to the ASA 5510 and back to the Cisco 3560:

Internet-rtr___ASA_______3560_____LAN

For now we have a Guest area, so configuring the guest VLAN on those nodes is not an issue; we do plan to implement a Cisco AP dedicated to Guest users.

I didn't add these to the initial post:

  • OSPF area 0 is configured on the 3560
  • 4 branch offices are connected to HQ
  • between the ASA and the 3560 there is static routing

On the ACL I need to add the branch office subnets to deny, apply the ACL to the guest VLAN, and on the ASA I need to add a static route for the guest VLAN.

thanks

Anthony

The most secure and simple thing you can do is to get a 5505, set it up towards the internet, and set up switches and APs for the Guest VLAN behind that.

Why is this the best solution in most cases?

There is nothing to gain for the "guests" to try to attack your systems over the guest system rather than over the internet, with one exception: the speed towards your 5510 will most likely be faster than over the internet.

It is easy to control and monitor.

An aggressor cannot exhaust any resources in your production switching environment.

An aggressor cannot capitalise on any software bugs in your production environment.

An aggressor cannot see what equipment you are using for your production environment.

An aggressor cannot capitalise on configuration errors in the production equipment/environment.

The negative side is that it will cost a little money for hardware for you to set this up.

The positive side is that it is basically impossible to mess up this setup to make a security concern out of it.

Good luck

HTH

Message was edited by: hobbe

Anthony

If there are multiple branch offices then you do need to add their addresses to the deny statements in the access list. You may notice that in my example access list I used two approaches: I denied a specific network/subnet (192.168.10.0) and I used summarization to deny a group of network/subnet (10.0.0.0). To get your 4 branch offices into the access list you could add 4 specific deny statements, or you might be able to use some summarization and get all of them included with fewer statements.

HTH

Rick

[edit] And if re-designing the network and deploying additional equipment is an option, then the suggestion of having a separate firewall that connects all the guest access points and allows them to have Internet access but not access to your network might be a good idea.

HTH

Rick
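Added example, not code from the thread: a small Python checker that applies Cisco extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end) to Rick's three lines, plus one constructed line that summarizes four hypothetical branch subnets 172.20.0.0/24 to 172.20.3.0/24 with a single wildcard, so the guest isolation and the summarization boundary can be verified before the ACL is applied inbound on Vlan10. The branch subnets and the test hosts are assumptions.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard semantics: a 1 bit means "don't care" (the inverse of a netmask)
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)

def _take_address(tokens, i):
    # Returns (network, wildcard, next index) for "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line):
    # Numbered extended entry: access-list <n> <permit|deny> ip <src> <dst>
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError("only 'access-list <n> permit|deny ip ...' is supported")
    src, src_wc, i = _take_address(t, 4)
    dst, dst_wc, _ = _take_address(t, i)
    return (t[2], src, src_wc, dst, dst_wc)

def evaluate(acl_lines, src, dst):
    # First matching entry wins; every IOS ACL ends with an implicit "deny ip any any"
    for action, s, s_wc, d, d_wc in map(parse_ace, acl_lines):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

# Rick's lines, plus one constructed deny covering the four hypothetical branch
# subnets 172.20.0.0/24 .. 172.20.3.0/24 via the wildcard 0.0.3.255 (a /22 summary).
GUEST_ACL = [
    "access-list 150 deny ip 172.16.17.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 150 deny ip 172.16.17.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 150 deny ip 172.16.17.0 0.0.0.255 172.20.0.0 0.0.3.255",
    "access-list 150 permit ip 172.16.17.0 0.0.0.255 any",
]

def check_guest_isolation(acl_lines, guest_host, internal_dsts):
    # Returns the internal destinations a guest host could still reach (should be empty)
    return [d for d in internal_dsts if evaluate(acl_lines, guest_host, d) == "permit"]
```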