Izac ICT
Beginner

Creating VLAN for guests

Dear All,

I want to create a special VLAN for some guests.

I'll connect one unmanaged switch to a Cisco 2960 port. I want to configure a special VLAN, route the traffic directly to the firewall and, if possible, also enable DHCP on that VLAN. There are other VLANs and DHCP working on the other 3750 switches to which the 2960 is connected, and I don't want to create any disruption on them.

Let's say I want to create the 192.168.1.0 network on the VLAN on the 2960, enable DHCP, route it to 172.16.1.1 and connect the unmanaged switch for temporary users, then remove it 1 week later.

Please advise the configuration.

regards,

Izac

1 ACCEPTED SOLUTION

9 REPLIES 9
Georg Pauwen
VIP Expert

Hello,

 

What type of unmanaged switch are you trying to install? On which device(s) are layer 3 routing and DHCP server functionality configured?

Hello @Georg Pauwen

 

The unmanaged switch is a Netgear GS108. DHCP and routing are not configured on the switch I'll connect, but on the main switch on another floor.

 

thank you.

 

cheers

Izac

paul driver
VIP Mentor

Hello

Don't create any L3 interface on your L3 switch for guest users. Just do exactly as you have mentioned: have your guest VLAN only at L2 on your network and have the FW perform the routing, DHCP etc. for it.

That way your guest users have no way into your office network and incur no disruption.

 

res
Paul

 

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Hello @paul driver

 

What do you mean? Can you advise configuration example?

 

Thank you.

cheers.

Izac

Hello

 


@Izac ICT wrote:

Hello @paul driver

 

What do you mean? Can you advise configuration example?

 

Thank you.

cheers.

Izac


Do you have access to the FW?
1) Create the L3 routed address and DHCP scope for your clients on the FW (NOT on the LAN L3 switch).

Cisco ASA fw config:
conf t
! dedicated guest interface; security-level 50 keeps it below the inside interface
interface x/x
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.255.0

object network Guest
subnet 192.168.1.0 255.255.255.0

object-group network NAT-Guest
network-object object Guest
! PAT the guest subnet behind the outside interface address (traffic enters on Guest, not Inside)
nat (Guest,Outside) after-auto source dynamic NAT-Guest interface

! DHCP scope served by the ASA on the Guest interface
dhcpd address 192.168.1.100-192.168.1.200 Guest
dhcpd option 3 ip 192.168.1.1
dhcpd lease 28800
dhcpd domain stan.local
dhcpd dns 8.8.8.8 8.8.8.4
dhcpd enable Guest

2) On the L3 LAN switch create a guest VLAN (layer 2 only, no SVI):
config t
vlan 100
name Guest
exit

3) On the LAN L2 switch or L3 switch, configure the port the unmanaged switch will connect to:

int x/x
description Unmanaged switch
switchport host
switchport access vlan 100

res
Paul

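Steps 2 and 3 above only work if VLAN 100 is carried at layer 2 all the way from the 2960 access port to the ASA Guest interface. As an added example (not from the original reply), this IOS configuration carries the guest VLAN across the 2960 uplink and the 3750 down to the firewall port, with no SVI for it on the 3750; the interface names are assumptions, VLAN 100 and 192.168.1.1 are from the reply.

```cisco
! --- 2960 (access switch): guest port plus the uplink towards the 3750 ---
! Interface names below are assumed for illustration.
vlan 100
 name Guest
!
interface GigabitEthernet0/1
 description Unmanaged Netgear GS108 (guest users)
 switchport host
 switchport access vlan 100
 ! err-disable the port if a BPDU arrives (a managed switch or a loop behind the unmanaged one)
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description Uplink to 3750
 switchport mode trunk
 ! 'add' appends VLAN 100 to an existing allowed list (no-op if the trunk allows all VLANs);
 ! without 'add' the list is replaced and the other VLANs are cut off the trunk
 switchport trunk allowed vlan add 100
!
! --- 3750 (L3 switch): VLAN 100 exists but has NO 'interface Vlan100', so the guest
! --- subnet is never routed here; the ASA Guest interface is its only gateway
vlan 100
 name Guest
!
interface GigabitEthernet1/0/1
 description Downlink to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
interface GigabitEthernet1/0/48
 description ASA Guest interface (192.168.1.1/24)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! verify: VLAN 100 listed on both trunks, and no SVI for it on the 3750
! show interfaces trunk
! show ip interface brief | include Vlan100
end
```

Removing the guest network a week later is then just `no vlan 100` on both switches and `no interface x/x` configuration on the ASA; nothing in the office VLANs or their DHCP pools is touched.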

@paul driver thank you for your time, but I already have DHCP active on a firewall port. Do you think I cannot create this on the L3 switch to which the unmanaged switch is connected? Or can I create a second DHCP pool on the ASA on the same interface? I'm confused now.

 

Thanks again.

 

Izac

Hello


@Izac ICT wrote:

@paul driver thank you for your time, but I already have DHCP active on a firewall port. Do you think I cannot create this on the L3 switch to which the unmanaged switch is connected? Or can I create a second DHCP pool on the ASA on the same interface? I'm confused now.

 

Thanks again.

 

Izac


Use a spare port on the FW and create another L3 interface and DHCP scope for the guest subnet; this interface will also need a lower security level than the LAN interface.

You DON'T want to have any routing on the L3 switch relating to the guest network, as you want this isolated. There are other ways to segregate the guest network, but I think this is the most simplistic solution.

                FW
          /          \
        LAN      Guest interface
         |            |
          \          /
           L3 switch
               |
        unmanaged switch

 

 

res
Paul

Thank you, but I don't have an available port on the firewall.

Hello


@Izac ICT wrote:

Thank you, but I don't have an available port on the firewall.


So then you have the option to create the L3 guest interface on the L3 switch and also apply a routed access-list (RACL) to negate communication with your other LAN users.

 

res
Paul

 

 

 

 

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
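For the RACL option in the reply above, here is an added IOS example for the 3750 (not part of the original post): an SVI for VLAN 100 with a DHCP pool served by the switch, and an inbound routed ACL that lets guests get an address, resolve names and reach the Internet through the firewall, but not the other LAN subnets. The office prefixes (assumed to be the RFC 1918 ranges), the DNS resolver and the interface name are assumptions; 192.168.1.0/24 and the firewall at 172.16.1.1 are from the thread.

```cisco
! --- 3750: guest subnet routed on the switch, fenced by an inbound RACL ---
ip routing
!
! DHCP served by the switch (scope and DNS resolver are assumed); 8-hour lease as in the ASA example
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp pool GUEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
 lease 0 8
!
ip access-list extended GUEST-IN
 remark DHCP to the switch and DNS to the assumed resolver
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.1.0 0.0.0.255 host 8.8.8.8 eq domain
 remark office subnets (assumed RFC1918 ranges) are unreachable from guests
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark everything else (Internet via the firewall) is allowed; log anything unexpected
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
!
interface Vlan100
 description Guest SVI; ACL applied to traffic arriving from guests
 ip address 192.168.1.1 255.255.255.0
 ip access-group GUEST-IN in
!
! default route towards the firewall (172.16.1.1 in the thread), if not already present;
! the firewall still needs a return route for 192.168.1.0/24 via this switch and a NAT rule
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! verify: the deny counters climb when a guest tries an office address
! show ip access-lists GUEST-IN
end
```

Because the deny lines match on destination, a guest can still talk to other guests on the same VLAN (that traffic is switched, not routed); if guest-to-guest traffic is also unwanted, a protected port or private VLAN on the access ports is the place to stop it.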