05-14-2013 04:06 PM - edited 03-07-2019 01:21 PM
I'm pretty sure I'm on the right track and somewhat close to a correct setup for this. The goal is to get a wireless controller to route default (safe) traffic on vlan1 and all BYOD traffic (bad) on vlan2. So far I have the controller tunneling the BYOD traffic back to the controller and tagged at vlan2. All other SSID traffic, which is internal and safe, is vlan1. My problem is that with my current setup all the traffic still sees each other.
The goal is to keep VLAN2 separate and unable to malware up all the internal network servers, while still providing internet access.
Internet access edge is 10.3.3.254 (ASA Firewall)
All internal traffic is 10.x.x.x (10.3.x.x 10.1.x.x 10.2.x.x etc)
BYOD is VLAN2 and 10.8.x.x 255.255.0.0
I'll post the parts of the config that matter. Just as a show, here is the overall IP route, but I won't go into detail on all the ranges; just know they are internal network (safe), except BYOD traffic.
Gateway of last resort is 10.3.3.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.3.3.254
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
D 10.1.0.0/16 [90/28672] via 10.3.3.2, 6w6d, Vlan1
D 10.2.0.0/16 [90/28928] via 10.3.3.2, 6w6d, Vlan1
C 10.3.0.0/16 is directly connected, Vlan1
L 10.3.3.1/32 is directly connected, Vlan1
C 10.8.0.0/16 is directly connected, Vlan2
L 10.8.1.1/32 is directly connected, Vlan2
C 10.102.0.0/24 is directly connected, GigabitEthernet1/0/7
L 10.102.0.1/32 is directly connected, GigabitEthernet1/0/7
192.168.1.0/30 is subnetted, 2 subnets
D 192.168.1.4 [90/3328] via 10.3.3.2, 6w6d, Vlan1
D 192.168.1.8 [90/3072] via 10.3.3.2, 6w6d, Vlan1
IP routes
ip route 0.0.0.0 0.0.0.0 10.3.3.254
So here we can see I basically have two VLANs, vlan1 (default) and vlan2 (BYOD, which I've configured as 10.8.1.1).
interface Vlan1
ip address 10.3.3.1 255.255.0.0
!
interface Vlan2
ip address 10.8.1.1 255.255.0.0
!
Next is the show vlan printout.
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi1/0/1, Gi1/0/3, Gi1/0/4
                                                Gi1/0/9, Gi1/0/10, Gi1/0/11
                                                Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/0/24, Gi1/1/1, Gi1/1/2
                                                Gi1/1/3
2    VLAN0002                         active    Gi1/0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
DHCP setup. This is handing out 10.3.x.x addresses on the 10.3.x.x network, and BYOD is given 10.8.x.x. There are excludes from these ranges, just not posted here, so this is set up correctly. I can currently get a 10.8.x.x IP over the wireless and connect to the internet, so this DHCP is working correctly.
ip dhcp pool TES
network 10.3.0.0 255.255.0.0
dns-server 10.3.3.4
default-router 10.3.3.1
lease 7
!
ip dhcp pool BYOD
network 10.8.0.0 255.255.0.0
dns-server 8.8.8.8
default-router 10.3.3.254
lease 7
Next is EIGRP, to cover the bases.
router eigrp 1
network 10.3.0.0 0.0.255.255
network 10.102.0.0 0.0.0.255
redistribute connected
Next is an interface list of the useful stuff.
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
macro description cisco-router
auto qos trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
description Ruckus ZD3000
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/7
no switchport
ip address 10.102.0.1 255.255.255.0
!
interface GigabitEthernet1/0/8
switchport access vlan 2
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
So here we can see the interface list. Gi1/0/1 connects to the ASA firewall, and its IP is 10.3.3.254. Gi1/0/6 is our Ruckus wireless controller, which is dropping the traffic on the network, both Vlan1 and Vlan2-tagged BYOD traffic. Gi1/0/8 is set up as an access port purely to test vlan2 and make sure there was nothing on the wireless side of the controller affecting this. Currently I can ping 10.8.1.1 from any laptop connected by the wireless. However, I can also ping 10.3.3.1 (this switch) and any other range of IP addresses on the internal network.
My goal is to have vlan1 and vlan2 traffic connect to the wireless controller via Gi1/0/6 and also be able to access Gi1/0/8, which will be a future RADIUS/auth server for this wifi. Then have this traffic get internet via 10.3.3.254 or Gi1/0/1. However, I do not want any of the Vlan2 traffic to be able to talk to any of the other ports. I'm not sure what is set up that is making this occur currently.
05-15-2013 03:18 PM
Ok, I've figured out what the problem is. Because this is a layer 3 switch and IP routing is enabled, I have set up inter-VLAN routing by assigning the IP address to vlan2. I'm pretty sure this is what I would need to do anyhow, since it must communicate with 10.3.3.254, the firewall. Next I need to figure out how to keep vlan2 traffic coming from Gi1/0/6 from getting to any interface except Gi1/0/1. Suggestions on the best way to do this?
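As an added example (not part of the original thread or any reply in it), here is one way to answer the question above on the switch itself: an extended ACL applied inbound on the Vlan2 SVI, so that anything entering the switch from the BYOD VLAN is checked as it is routed. Because the switch is the router between vlan2 and the rest of the network, this single hop is where every BYOD-to-internal packet passes. Traffic between BYOD clients and the auth server on Gi1/0/8 is switched inside vlan2 and never hits the SVI ACL, so it keeps working. The ACL is stateless: internal hosts could still send packets into 10.8.0.0/16 (the "redistribute connected" line advertises that prefix into EIGRP), but the BYOD side's replies are dropped, so no session gets established either way. Names and the exact permit lines are the example's own choices; the addresses are those given in the thread.

```cisco
! Added example, not the poster's configuration.
! Filter BYOD (10.8.0.0/16) as it enters the switch on Vlan2.
ip access-list extended BYOD-IN
 remark Let clients obtain a lease from the switch's DHCP pool
 permit udp any eq bootpc any eq bootps
 remark Let clients ping their own gateway (10.8.1.1) for troubleshooting
 permit icmp 10.8.0.0 0.0.255.255 host 10.8.1.1 echo
 remark Block everything else that is internal: all of 10/8 (10.1, 10.2, 10.3, 10.102,
 remark and the switch's own addresses), plus the other RFC 1918 ranges as a safety net
 deny   ip 10.8.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.8.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny   ip 10.8.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 remark What remains is internet-bound; it is forwarded to 10.3.3.254 via the default route.
 remark The ACL matches the packet's destination, not the next hop, so this still works
 remark even though 10.3.3.254 itself is inside the denied 10/8 range.
 permit ip 10.8.0.0 0.0.255.255 any
 remark Anything not sourced from the BYOD subnet does not belong on this VLAN
 deny   ip any any
!
interface Vlan2
 ip address 10.8.1.1 255.255.0.0
 ip access-group BYOD-IN in
!
! Hand BYOD clients the Vlan2 SVI as their gateway so the switch routes (and filters) them.
ip dhcp pool BYOD
 network 10.8.0.0 255.255.0.0
 dns-server 8.8.8.8
 default-router 10.8.1.1
 lease 7
```

Two caveats before relying on this. First, the BYOD pool as posted sets default-router 10.3.3.254, which is not inside 10.8.0.0/16; clients with that gateway most likely only reach the internet because proxy ARP on the Vlan2 SVI answers for it, and the example changes the gateway to 10.8.1.1 so the routing path is explicit. Second, the ASA needs a route for 10.8.0.0/16 pointing back at 10.3.3.1, or internet replies to BYOD clients will not return; the thread says internet access already works, so that route is presumably in place. To verify the filter, ping 10.3.3.1 and 10.3.3.4 from a BYOD laptop (both should now fail), confirm that a public address still answers, and watch the hit counters with `show ip access-lists BYOD-IN`.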