Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2868
Views
15
Helpful
13
Replies

Assigning a seperate internet connection to a certain vlan .

Go to solution
BilalNass
Level 1
Level 1

‎04-19-2015 08:53 AM - edited ‎03-07-2019 11:37 PM

 I wanted to ask if its possible if we get a seperate internet connection from our main one to use it for Access Points only , so that users on the access point could use only this specific connection without affecting our main one . Equipment are : Catalyst 4506 Core Switch , 2911 Router , ASA 5510 , Cisco 5500 Series Wireless Controller .

Thanks in Advance.

 

I'm new here and i hope it will be a good long stay :) .

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to BilalNass

‎04-20-2015 02:18 PM

No problem.

Okay if you want to keep the traffic totally separate and it is one vlan what you could do on the switch is create the vlan but don't create an SVI (int vlan <num>) for it.

Then use a spare interface on the ASA and set the default gateway of wireless clients to the IP address of the ASA interface.

In effect you have created a DMZ for your wireless clients and they are routed on the ASA so they cannot get to the rest of your internal subnets.

This would mean though DHCP would need to be done on the ASA for that subnet.

The alternative is to create an SVI on the switch and have them routed on there and then you can use the DHCP server you currently use for the rest of your network. 

You would then need to use an acl on the wireless vlan SVI to only allow it access to the internet only.

If you do the second option you  could use the existing inside interface on the ASA for traffic which you may as well do as you are using the same outside interface of the ASA for all traffic to get to the router.

Up to you really and it depends on how you want to allocate the IP addresses with DHCP and what is easier for you to manage.

In terms of the internet connection you will need PBR and NAT on the router.

Use this link to get you started -

https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla

Jon

 

View solution in original post

0 Helpful
13 Replies 13

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎04-19-2015 11:19 AM

I'm new here and i hope it will be a good long stay :) .

Hope so too :-)

Where would the separate internet connection be terminated ie. on your 2911 or on your ASA ?

And what connects to the inside interface of ASA, it is the 4500 switch ?

If so are you happy for all traffic ie. both non wireless and wireless to use the same link and you just want to use a different internet connection or do you want complete separation all the way ?

Finally do your wireless clients need to talk to the other internal subnets or each other (if using multiple vlans/IP subnets) or is it just internet connectivity they need ?

Depending on the above there are quite a few options.

Jon

Go to solution
BilalNass
Level 1
Level 1
In response to Jon Marshall

‎04-19-2015 03:19 PM

Im getting a new seperate internet connection from our supplier , but the cisco controller and ap's are our network . And yes they only need internet . I dont want the traffic to affect our local connection . I didnt decide yet but i guess its gonna be on the 4500 switch . Do u use skype bro maybe i can tell u more about it ? 

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni
In response to BilalNass

‎04-19-2015 09:57 PM

even simpler, create a VLAN and SSID for the guests only, run a DHCP scope on that VLAN with the default gateway IP being that of the separate internet supplier. for the rest dont put any other interfaces into that VLAN.

Please remember to rate useful posts, by clicking on the stars below.

Go to solution
BilalNass
Level 1
Level 1
In response to Dennis Mink

‎04-19-2015 10:22 PM

Is there any way i can contact you man on man ? Skype ? Viber ? Anything ....

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni
In response to BilalNass

‎04-19-2015 10:32 PM

Bilal, 

 

I stick to the forum if thats OK,  go and try out, and if you get stuck, add to this post.

 

cheers

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
BilalNass
Level 1
Level 1
In response to Dennis Mink

‎04-19-2015 10:38 PM

I have already created a vlan for guests wifi only , but what im asking is how can i be able to connect the other connection to our switch and make this vlan only use the interface of the new connection . I have more than 43 Access points that i need to install and im stuck at this ...  Anw thanks bro .

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to BilalNass

‎04-20-2015 04:04 AM

There are a number of ways of doing it but you didn't answer all of my questions so it's difficult to suggest anything.

Where does the new internet connection terminate ie. on what equipment.

How does your topology looks ie. is it -

4500 -> ASA > 2911 -> internet

if you are terminating the second connection on the 2911 then as Dennis says you are going to need PBR on there.

Do you have spare interfaces on your ASA ? 

The easy part is the internal bit, the harder part is the public IP addressing and NAT ie. where do you do your NAT now, is it on the ASA or the router etc.

We can help but only if you provide us with the details we need.

By the way please don't try and take discussions off the forum with Skype requests because the answers provided may benefit other users in future so we try and keep all information within the thread if we can.

Jon

0 Helpful

Go to solution
BilalNass
Level 1
Level 1
In response to Jon Marshall

‎04-20-2015 06:39 AM

it is internet->2911 -> ASA -> 4506-E -> Catalyst 2960 Poe Switches.

Yes i am terminating the connection on the 2911 , and yes i have spare ports on the ASA , but im getting an extra port to the 2911 since the 3 ports are full . PBR ? and NAT is most likely on the router . and sorry about the skype thingy im new here you know ... and i understand bro , thank you for trying to help .

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to BilalNass

‎04-20-2015 02:18 PM

No problem.

Okay if you want to keep the traffic totally separate and it is one vlan what you could do on the switch is create the vlan but don't create an SVI (int vlan <num>) for it.

Then use a spare interface on the ASA and set the default gateway of wireless clients to the IP address of the ASA interface.

In effect you have created a DMZ for your wireless clients and they are routed on the ASA so they cannot get to the rest of your internal subnets.

This would mean though DHCP would need to be done on the ASA for that subnet.

The alternative is to create an SVI on the switch and have them routed on there and then you can use the DHCP server you currently use for the rest of your network. 

You would then need to use an acl on the wireless vlan SVI to only allow it access to the internet only.

If you do the second option you  could use the existing inside interface on the ASA for traffic which you may as well do as you are using the same outside interface of the ASA for all traffic to get to the router.

Up to you really and it depends on how you want to allocate the IP addresses with DHCP and what is easier for you to manage.

In terms of the internet connection you will need PBR and NAT on the router.

Use this link to get you started -

https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla

Jon

 

0 Helpful

Go to solution
BilalNass
Level 1
Level 1
In response to Jon Marshall

‎04-20-2015 11:48 PM

Thanks alot man , this is exactly what i was looking for. If i will have any further questions ill get back to you .  

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎04-19-2015 11:24 AM

So, you want to separate the guest network from the user network right?

You can get a separate connection for your guest wi-fi, but than you need a separate connection for your users if they need to use wi-fi as well. Or you can use the same in ternet for both guest and users and keep the guest separate using access list and firewalls.

HTH
 

Go to solution
BilalNass
Level 1
Level 1
In response to Reza Sharifi

‎04-19-2015 03:23 PM

Im getting a different internet connection to the wifi guests , but im asking for a configuration to make a specific vlan only use this connection . I dont want it to affect our business internet connection . 

0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎04-19-2015 06:08 PM

There is no one size fits all, but the way I would do it is by means of policy based routing. all your wireless (guest) users are routed to your second internet connections, based on the subnet they are in

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Customers Also Viewed These Support Documents