Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
0
Helpful
5
Replies

Second VLAN on SR520 for non-VPN traffic?

sethschmautz
Level 3
Level 3

‎07-22-2010 09:57 AM - edited ‎03-21-2019 02:48 AM

Hey guys,

I have a remote teleworker that is connecting to our UC520 back at the office.  The remote teleworker setup includes an SR520W at the remote site with an SPA525G phone sitting behind it.  The remote teleworker is accessing our server and some other applications on our corporate LAN while connected.  Is there any way to set up a second VLAN (or use the wireless VLAN solely) for non-VPN traffic?  I am already using split tunneling, but the remote teleworker will often have vendors and other parties coming into his office with a need for Internet Access and I'd like to separate traffic for obvious security reasons.

Thanks in advance,

Seth

Labels:
0 Helpful
5 Replies 5

sethschmautz
Level 3
Level 3

‎09-01-2010 08:14 AM

I am returning to this issue as I need to get it resolved for our remote teleworker.  Is it possible to set up this second VLAN and completely separate traffic from the VPN connection?

0 Helpful

jyoopro4ia
Level 1
Level 1
In response to sethschmautz

‎09-02-2010 06:19 AM

Not sure if it's possible with CCA but you should be able to do it with CLI..  create a new vlan, assign it to a port(s) and setup ACL.

0 Helpful

sethschmautz
Level 3
Level 3
In response to jyoopro4ia

‎09-02-2010 08:02 AM

Thanks.

I'm going to play around with that later today to see what happens.  I'm still a little bit concerned that the although we could put 1 port on VLAN 1 and another port on VLAN 50 (i.e. guest) that their traffic would still hit our server if they knew what to look for.  That might be a stretch, but it's a security concern at the very least.  Is there any way to ensure that the only traffic from VLAN 1 travels over the VPN but all traffic from VLAN 50 cannot?

Thanks,

Seth

0 Helpful

jyoopro4ia
Level 1
Level 1
In response to sethschmautz

‎09-02-2010 10:29 AM

As long as you have proper ACL (access-lists) setup, you can restrict the guest vlan (50?) traffic from

reaching your internal vlan.

0 Helpful

sethschmautz
Level 3
Level 3
In response to jyoopro4ia

‎09-02-2010 10:43 AM

Thanks again.

Not being much of a CLI guy, can you take a look and see if I'm getting it correct below?

Current Access list:

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.85.0 0.0.0.255

access-list 1 permit 192.168.75.0 0.0.0.255

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip *public IP* 0.0.0.3 any

access-list 101 remark SDM_ACL Category=128

access-list 101 permit ip host *remote VPN IP* any

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip any any

access-list 103 remark SDM_ACL Category=4

access-list 103 permit ip 192.168.75.0 0.0.0.255 any

192.168.85.x is my new guest vlan - vlan 50

192.168.75.x is the internal vlan - vlan 75

The VPN is a split tunnel configuration where 3 additional subnets are being allowed for voice and data.  Let's say that these are:

data - 192.168.10.x

voice - 10.1.1.x

voice - 10.1.10.x

In order to ensure that VLAN 50 on the SR520 cannot interact with these, would I need to include the following commands:

access-list 104 deny 192.168.85.0 192.168.10.0

access-list 104 deny 192.168.85.0 10.1.1.0

access-list 104 deny 192.168.85.0 10.1.10.0

I get a little confused about exactly how the access lists should be numbered and if these are formatted correctly.

Thanks in advance,

Seth

0 Helpful
Customers Also Viewed These Support Documents