08-26-2013 09:55 AM - edited 03-07-2019 03:07 PM
I presently have a network wherein the WLAN and LAN are based on the same network, utilizing the same DHCP server.
However, I feel that this puts my network at risk and would like to separate my network using different IP subnets, each having its own DHCP server. The separation would have to make the WLAN network look something like an external network and the clients on the LAN part of the internal network.
The requirement being that in no way would there be any contact between the external and internal network. Both networks connect to a UTM device on different ports, where both ports are designated as LAN ports. However, there is a static route in the core, ip route 0.0.0.0 0.0.0.0 UTM, so that clients on the LAN have access to the Internet.
Could anyone suggest solutions that can be useful for me in this setup?
Thanks
08-28-2013 01:08 AM
No one ?
08-28-2013 08:17 AM
Why don't you just put the WLAN behind the firewall as a different interface and as a completely separate network? Then the users on the WLAN won't be able to access anything on the LAN unless you specify it. You can also not even create an SVI for the WLAN on your core and send the traffic straight to the firewall, so for the WLAN clients the default gateway would be the interface on the firewall instead of the SVI on the core.
I'm assuming you are looking to accomplish something like this?
08-28-2013 11:58 PM
I am not able to understand what putting the WLAN behind the firewall means. Each switch in the organization is connected to the core. I would be required to place access points in different locations. In such a case how would I be able to route back without an SVI?
The requirement is for a hospital which plans to provide open access for patients, and I need to make sure that the LAN is safe from possible attacks. The other requirement is that the core, edge switches, firewall and Internet connectivity all have to be shared, with no additional hardware other than access points.
08-29-2013 12:24 AM
Hey John,
I would like to know some more about the options we have for that setup; we can simply go for multiple VLANs and forward specific DHCP broadcasts to a dedicated DHCP server/scope.
Second, your static routes can be defined accordingly, i.e. your VLAN 1 carries wired computers whereas VLAN 2 carries wireless computers.
Vlan 1 - wired - 10.x.x.x /8, 10.1.1.1 (gateway)
Vlan 2 - wireless - 11.x.x.x /8, 11.1.1.1 (gateway)
The gateway is the VLAN IP address, and the same can be configured on a layer 3 device; the VLAN interface (SVI) will forward the DHCP request to a particular server IP address.
As far as the firewall is concerned, you can have that, but that is not what your exact query is all about.
Thanks and have a nice time !!
Parvesh
Note: Do not forget to rate the post helpful if so.
08-29-2013 03:23 PM
Parvesh Paliwal wrote:
Hey John,
I would like to know some more about the options we have over that setup, we can simply go for multiple vlans and forward specific dhcp broadcast to a dedicated dhcp server /scope.
Parvesh, my configuration is just like you have mentioned. But I do not want any sort of communication from the wired network to the wireless or vice versa.
Application of an access-list has not done any good either. The internal applications are also available over the Internet. The wireless clients, however, continue to hunt for possible routes via the core switch, that being trying to access the firewall.
Here are parts of my present configuration which does not do the job as required:
vlan internal allocation policy ascending
!
vlan 14
 name Tower_3rd_floor
!
vlan 100
 name MANAGEMENT
!
vlan 200
 name WIFI_VLAN
!
interface GigabitEthernet4/1 #The port to which the DHCP server for the WLAN is connected
 switchport access vlan 200
 switchport mode access
!
interface Vlan1 #Primary VLAN
 ip address 128.1.x.200 255.x.x.0
 ip helper-address 172.18.x.21 #DHCP server for LAN clients
 ip helper-address 172.18.x.75 #DHCP server for LAN clients
!
interface Vlan14 #SVI for a floor in the building
 ip address 172.18.4.254 255.x.x.0 #acting as the default gateway for the edge VLAN
 ip helper-address 172.18.x.21
 ip helper-address 172.18.x.75
!
interface Vlan200 #WLAN VLAN
 description WIFI_VLAN
 ip address 10.0.0.254 255.255.255.0
 ip access-group wireless in #access-list to separate WLAN and LAN
 ip helper-address 10.0.0.1 #DHCP server for wireless clients
!
ip route 0.0.0.0 0.0.0.0 128.1.x.15 #static route to the UTM (firewall)
ip http server
!
!
!
ip access-list extended wireless
 permit ip host 10.0.0.1 host 172.18.x.23 #access for my workstation to the WLAN DHCP server
 permit ip 10.0.0.0 0.255.255.255 host 172.18.x.23 #access for my workstation to the wireless network
 permit ip 10.0.0.0 0.255.255.255 host 128.1.x.15 #access for wireless clients to the firewall
 permit ip 10.0.0.0 0.255.255.255 host 128.1.x.200 #access to the core switch
 deny ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.x.255
 deny ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.x.255
 permit ip any any
 deny icmp any 172.18.0.0 0.0.x.255
I also planned on assigning port 4/2 to VLAN 200 as well and connecting it to a port on the UTM, but in this case I cannot specify a static route, say
ip route 0.0.0.0 0.0.0.0 10.0.0.15, for the wireless clients either. This would mean that I have a separate switch as the core for the WLAN, which doesn't seem logical. Moreover, with the edge switches, to which the access points are attached, connecting to the C4507, I have no idea how a switch just for doing static routing for the WLAN would work out.
08-30-2013 09:07 PM
Help :(
Sent from Cisco Technical Support iPad App
09-01-2013 10:08 PM
So, what is the current situation ?
Your wireless and wired systems are on different subnets ?
All the clients are able to get to the gateway ?
What is the tracert from the different VLANs?
09-04-2013 12:08 AM
Parvesh Paliwal wrote:
So, what is the current situation ?
The current configuration is as below:
vlan 100
 name MANAGEMENT
!
vlan 101
 name CORE_VLAN
!
vlan 113
 name WLAN_Corp
!
vlan 200
 name WLAN_Management
!
interface GigabitEthernet4/1 #Port where the WLAN DHCP server is connected
 switchport access vlan 200
!
interface GigabitEthernet4/5 #Port if needed to be configured to connect with the UTM for the WLAN
 shutdown
!
interface Vlan1
 ip address 128.x.x.200 255.255.x.0
 ip helper-address 172.18.x.x5
!
interface Vlan101
 description CORE_VLAN
 ip address 172.18.x.254 255.255.x.0
 ip helper-address 172.18.x.x5
!
interface Vlan113
 description WLAN_Corp
 ip address 10.3.1.254 255.255.254.0
 ip helper-address 10.0.0.1
!
interface Vlan200
 description WLAN_Management
 ip address 10.0.0.254 255.255.255.0
 ip access-group wlan in
 ip helper-address 10.0.0.1
!
ip route 0.0.0.0 0.0.0.0 128.1.x.x5 #Static route to forward all Internet traffic to the UTM
ip http server
!
!
!
ip access-list extended wlan
 permit ip 10.0.0.0 0.255.255.255 host 172.19.x.x3
 deny ip 10.0.0.0 0.255.255.255 172.18.0.0 0.0.x.255
 deny ip 10.0.0.0 0.255.255.255 172.19.0.0 0.0.x.255
 deny ip 10.0.0.0 0.255.255.255 128.1.0.0 0.0.x.255
 permit udp any eq bootpc any eq bootps
 permit ip any any
!
!
end
This is the IP and ping from a workstation on the external network.
The following is from an internal workstation.
What in the access-list is wrong, such that the external client cannot show similar results to the internal workstation?
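An added example, not from this thread or from Cisco: a small Python evaluator for IOS-style extended ACL entries, modelled on the shape of the "wlan" list above with the masked octets replaced by constructed sample values, so the first-match behaviour (which entry each flow hits, and whether an entry placed after `permit ip any any` can ever match) can be checked before the list goes on the SVI.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One extended-ACL entry: action, protocol, source spec, destination spec."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise "icmp", "udp", "tcp"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str

def match_addr(spec: str, addr: str) -> bool:
    """IOS address matching: a wildcard bit of 0 must match, a bit of 1 is a don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace.proto in ("ip", proto) and match_addr(ace.src, src) and match_addr(ace.dst, dst):
            return ace.action, i
    return "deny", None

def unreachable_entries(acl):
    """Indices of entries placed after a 'permit/deny ip any any'; they can never match."""
    for i, ace in enumerate(acl):
        if ace.proto == "ip" and ace.src == "any" and ace.dst == "any":
            return list(range(i + 1, len(acl)))
    return []

# Constructed list shaped like the thread's "wlan" ACL (masked octets replaced
# with sample values; the bootpc/bootps port qualifiers are not modelled).
WLAN_ACL = [
    Ace("permit", "ip",  "10.0.0.0 0.255.255.255", "host 172.19.1.3"),         # admin workstation
    Ace("deny",   "ip",  "10.0.0.0 0.255.255.255", "172.18.0.0 0.0.255.255"),  # wired LAN
    Ace("deny",   "ip",  "10.0.0.0 0.255.255.255", "172.19.0.0 0.0.255.255"),
    Ace("deny",   "ip",  "10.0.0.0 0.255.255.255", "128.1.0.0 0.0.255.255"),   # core / UTM range
    Ace("permit", "udp", "any", "any"),                                        # DHCP
    Ace("permit", "ip",  "any", "any"),
]
```

Evaluating a wireless client's flow to the sample UTM address 128.1.1.15 against this constructed list returns a deny from the fourth entry, which is the kind of check worth running on the real list before blaming the SVI or routing.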
09-06-2013 06:15 AM
How should my access-list be modified so that from an external source I receive a timeout for the internal network?
Would ip route 10.0.0.0 0.0.0.255 10.0.0.15 route all traffic from the scope to 10.0.0.15?
Sent from Cisco Technical Support iPad App