06-02-2009 10:21 AM - edited 03-21-2019 01:09 AM
I have followed the document 'UC500 and SR500 Secure Router Setup' and it seems simple. I will be needing to set up a system with several vlans (company1 data, company2 data, voice vlan, guest wireless vlan) and I am not sure about the vlan setup.
I know in the past when using the wireless controller I have to manually enter the vlans into the controller.
So the question is: When using a firewall in front of the UC520, which device controls the vlans?
Do I have to create them manually on both devices?
Should I delete the native vlan on the SR520 and replace it with the corresponding vlan from the UC520 (that would be easier I think)?
How about when one device supports more vlans than the other?
Thanks,
Johnny
06-02-2009 11:13 AM
Johnny,
I am not familiar with the SR500, but the uplink port of the UC520 will trunk your VLANs and the UC520 can act as a VTP server. If the Secure router can do a "router on a stick" config, or supports trunking to a switch port, and supports VTP you could use the UC520 to control the VLANs.
Just my two cents, but I'm sure Cisco will chime in with the best practice.
Bob
06-02-2009 12:08 PM
Johnny,
In the case where you have an SR520 in front of the UC500, the vlans will still be set up in the UC500. From the SR520 perspective you would need routing to the subnets. In the case of using the WLC526 wireless controller the configuration would be the same.
Hope this helps,
Douglas Smith
06-03-2009 09:07 AM
I was trying to work within CCA, as intended, for this product family. I don't have a wireless controller in this configuration.
Routing the subnets - I am not sure what you mean by that in relation to the SR520. I know that each device must be made to recognize the vlans independently, I just wasn't sure which device would be the vlan master.
06-11-2009 11:31 AM
I have set up the devices per the document and I have the wan interface on the UC520 as 192.168.75.2 and the internal IP as 192.168.10.1. I am able to VPN to the SR520, run CCA and see all of the 192.168.75.x subnet but unable to access the 192.168.10.x subnet.
The vlans on the UC520 are still 1 and 100 (default), the Vlans on the SR520 are still 1 and 75 (default). I thought that CCA was supposed to blend these devices together or something.
How do I get access to the local lan that it is hidden behind the wan interface on the UC520 in a CCA 2.0 compatible way?
Please help me out I am way behind on deployment.
Thanks
06-11-2009 12:05 PM
First, make sure the firewall and NAT are turned off on the UC520.
Make sure there is a route on the SR520 that points to the UC520 for the LAN information behind it. Also, try making the seed device in CCA the UC500.
06-11-2009 12:19 PM
As far as I know I followed the setup document completely, which included deleting firewall information and NAT on the UC520. What wasn't addressed in the document that I am aware of (did I miss it?) was any mention of altering the ACL for incoming traffic on the wan being able to have access to the private network.
As far as the route to the internal subnet.. what exactly do you mean? Is there a way to do it with CCA or within the CCA OOB guidelines?
Thanks
06-11-2009 12:32 PM
Johnny,
Have you checked that the VPN server allows VLAN 1 through the VPN client? Please check if there is an ACL on the vpn configuration.
Regards
Eivind
06-11-2009 01:36 PM
Eivind has good advice as well.
I haven't tried to add the routes via CCA. I would assume it was there.
In CLI, it would look like...
ip route 192.168.10.0 255.255.255.0 192.168.75.2
ip route 10.1.1.0 255.255.255.0 192.168.75.2
ip route 10.1.10.0 255.255.255.252 192.168.75.2
06-12-2009 11:21 AM
In the end the document did a good job of setting up the two devices to work together and allowed a pc connected directly to the SR520 to have access to the private lan behind the UC520 (defaults: 192.168.10.0, 10.1.1.0, 10.1.10.0). I was testing on the VPN and found I needed to add the extra subnets to the split tunnel networks box in CCA. Once I did that it worked.
This doesn't solve all the problems but it's a big piece of the pie.
Thanks
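The resolution in the last post (subnets routed behind the UC520 but missing from the VPN split-tunnel list) can be checked mechanically. The following is an added example, not part of the original thread: it parses the `ip route` lines posted above and reports which routed subnets a split-tunnel list does not cover. The function names and the split-tunnel lists are constructed for illustration.

```python
import ipaddress

# Static routes as posted in the thread (SR520 pointing at the UC520 WAN side).
SR520_ROUTES = """\
ip route 192.168.10.0 255.255.255.0 192.168.75.2
ip route 10.1.1.0 255.255.255.0 192.168.75.2
ip route 10.1.10.0 255.255.255.252 192.168.75.2
"""

def parse_static_routes(config_text):
    """Return [(network, next_hop)] for each 'ip route <net> <mask> <next-hop>' line."""
    routes = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[:2] == ["ip", "route"]:
            try:
                net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}")
                hop = ipaddress.ip_address(fields[4])
            except ValueError:
                continue  # malformed line, or next hop given as an interface name
            routes.append((net, hop))
    return routes

def uncovered_by_split_tunnel(routes, split_tunnel_cidrs):
    """Routed subnets that no split-tunnel entry contains (unreachable for VPN clients)."""
    tunnel = [ipaddress.ip_network(c) for c in split_tunnel_cidrs]
    return [net for net, _hop in routes
            if not any(net.subnet_of(t) for t in tunnel)]

if __name__ == "__main__":
    routes = parse_static_routes(SR520_ROUTES)
    # Constructed sample: split tunnel lists only the SR520 LAN.
    before = ["192.168.75.0/24"]
    # Constructed sample: the UC520 subnets added, one entry per subnet
    # rather than a broad supernet, so VPN clients reach only what is needed.
    after = before + ["192.168.10.0/24", "10.1.1.0/24", "10.1.10.0/30"]
    for label, cidrs in (("before", before), ("after", after)):
        missing = uncovered_by_split_tunnel(routes, cidrs)
        print(label, "missing:", [str(n) for n in missing] or "none")
```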