12-03-2017 07:25 AM - edited 03-08-2019 12:58 PM
Dear All,
I want to create a special VLAN for some users.
I'll connect one unmanaged switch to a Cisco 2960 port. I want to configure a special VLAN and route the traffic directly to the firewall and, if possible, also enable DHCP on that VLAN. There are other VLANs and DHCP working on the other 3750 switches that the 2960 is connected to, and I don't want to create any disruption on them.
Let's say I want to create the 192.168.1.0 network on the VLAN on the 2960, enable DHCP, route it to 172.16.1.1, connect the unmanaged switch for temporary users and remove it one week later.
Please advise on the configuration.
regards,
Izac
12-04-2017 04:26 AM - edited 12-04-2017 04:28 AM
Hello
@Izac ICT wrote:
Hello @paul driver
What do you mean? Can you advise configuration example?
Thank you.
cheers.
Izac
Do you have access to the FW?
1) Create the L3 routed address and DHCP scope for your clients on the FW (NOT on the LAN L3 switch).
Cisco ASA fw config:
conf t
! Dedicated guest interface on the ASA; lower security level than the inside LAN
interface x/x
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.255.0
! Guest subnet object and the group used by the NAT rule
object-network Guest
subnet 192.168.1.0 255.255.255.0
object-group network NAT-Guest
network-object Guest
! PAT guest traffic to the outside interface address (source interface is Guest, not Inside)
nat (Guest,Outside) after-auto source dynamic NAT-Guest interface
! DHCP scope served by the ASA on the Guest interface
dhcpd address 192.168.1.100-192.168.1.200 Guest
dhcpd option 3 ip 192.168.1.1
dhcpd lease 28800
dhcpd domain stan.local
dhcpd dns 8.8.8.8 8.8.8.4
dhcpd enable Guest
2) On the L3 LAN switch create a guest VLAN:
config t
vlan 100
name Guest
exit
3) On the LAN L2 switch or L3 switch, configure the port the unmanaged switch will connect to:
int x/x
description Unmanaged switch
switchport host
switchport access vlan 100
res
Paul
12-03-2017 12:46 PM
Hello,
What type of unmanaged switch are you trying to install? On which device(s) is layer 3 routing and DHCP server functionality configured?
12-04-2017 02:20 AM
Hello @Georg Pauwen
The unmanaged switch is a Netgear GS108. DHCP and routing are not configured on the switch I'll connect to but on the main switch on another floor.
thank you.
cheers
Izac
12-03-2017 12:59 PM
Hello
Don't create any L3 interface on your L3 switch for guest users. Just do exactly as you have mentioned: have your guest VLAN only L2 on your network and have the FW perform the routing, DHCP etc. for it.
That way your guest users have no way into your office network and incur no disruption.
res
Paul
12-04-2017 02:16 AM
12-04-2017 05:52 AM
@paul driver thank you for your time, but I already have DHCP active on the firewall port. Do you think I cannot create this on the L3 switch that the unmanaged switch is connected to? Or can I create a second DHCP pool on the ASA on the same interface? I'm confused now.
Thanks again.
Izac
12-04-2017 01:08 PM
Hello
@Izac ICT wrote:
@paul driver thank you for your time, but I already have DHCP active on the firewall port. Do you think I cannot create this on the L3 switch that the unmanaged switch is connected to? Or can I create a second DHCP pool on the ASA on the same interface? I'm confused now.
Thanks again.
Izac
Use a spare port on the FW and create another L3 interface and DHCP scope for the guest subnet; this interface will also need a lower security level than the LAN interface.
You DON'T want to have any routing on the L3 switch relating to the guest network, as you want this isolated. There are other ways to segregate the guest network, but I think this is the most simplistic solution.
        FW
       /    \
   LAN int   Guest int
      |         |
   L3 switch ---+
      |
 unmanaged switch
res
Paul
12-05-2017 12:39 PM
Thank you but I don't have available port on firewall.
12-05-2017 01:19 PM
Hello
@Izac ICT wrote:
Thank you but I don't have available port on firewall.
So then you have the option to create the L3 guest interface on the L3 switch and also apply a routed access-list (RACL) to prevent communication with your other LAN users.
res
Paul
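As an added example (not from this thread or from Paul's posts), here is what that alternative could look like on the 3750: a VLAN 100 SVI with a local DHCP pool and a routed ACL that drops guest traffic to the internal ranges while letting everything else follow the default route to the firewall at 172.16.1.1. The guest subnet and firewall address come from the question; VLAN 100, the 10.0.0.0/8 and 172.16.0.0/12 office ranges, the uplink port GigabitEthernet1/0/24, the pool name and the Google DNS addresses are assumptions to replace with your own values.

```cisco
! Added example, not the thread's configuration. Assumed: VLAN 100 = guest,
! office subnets summarised as 10.0.0.0/8 and 172.16.0.0/12 (placeholders),
! 2960 uplink on GigabitEthernet1/0/24 (placeholder), ip routing already enabled.
conf t
!
vlan 100
 name Guest
!
! Keep the SVI address and a few spares out of the pool
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp pool GUEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 8
!
! Routed ACL evaluated on traffic leaving the guest VLAN through the SVI.
! DHCP is permitted explicitly, the office ranges are denied, anything else
! (Internet) is allowed and follows the default route to the firewall.
ip access-list extended GUEST-IN
 remark allow DHCP to the switch (client sends from 0.0.0.0 to broadcast)
 permit udp any eq bootpc any eq bootps
 remark block the internal ranges (transit to the Internet is not a match)
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan100
 description Guest SVI, isolated by GUEST-IN
 ip address 192.168.1.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Carry VLAN 100 down to the 2960 that hosts the unmanaged switch
interface GigabitEthernet1/0/24
 description Trunk to 2960
 switchport trunk allowed vlan add 100
!
! Guest traffic exits via the existing default route to the firewall
ip route 0.0.0.0 0.0.0.0 172.16.1.1
end
```

The ACL is bound inbound on the guest SVI only, so the existing VLANs are never touched by it; the deny for 172.16.0.0/12 blocks guests from addressing the firewall or anything else in that range directly, while packets merely routed through 172.16.1.1 to the Internet have public destinations and hit the final permit. The firewall side still needs a route for 192.168.1.0/24 pointing back at the 3750 and a NAT rule covering that subnet, otherwise guest traffic will not return. After connecting a test client, check that the deny lines accumulate hits with show ip access-lists GUEST-IN and that leases appear in show ip dhcp binding.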