697 Views, 0 Helpful, 5 Replies

Single ISR router with VPN connecting to multiple VLAN?

gareth_r52 (Level 1)

Hi,

Just wondering if someone could assist... I have a single 1801 ISR router and have 3 VLANs. Say we name them 1, 2 and 3.

If I create a VPN connection, obviously I can define which VLAN I want the router to pass traffic to. However is it possible at all to have say:

User A > VLAN 1

User B > VLAN 2

So in other words, different users have access to different VLANs when connecting via VPN?

5 Replies

Hi,

If you're talking about a small amount of users and want to do the configuration local, you can create a separate VPN group per user.

So, the ISR will have say 5 groups (one group = one user).

You can then define each group access separately.

In this way, the users will connect to each corresponding group and each group will have access to the VLANs/IPs you define.

Obviously this will not scale.

There are other solutions when the amount of users is considerable.

Hope it helps.

Hi Federico,

Yes, there will only be 3 or 4 users. However, I would be interested in reading about the other options (I'm no VPN expert, yet) if you could point me in the right direction.

Do you have a basic configuration for the group/vlan > user linkage?

Gareth,


For example you can have:

! group ONE: its own pre-shared key, split-tunnel ACL and address pool
crypto isakmp client configuration group ONE
  key KEY1
  acl 1
  pool POOL1
! group TWO: separate key, ACL and pool
crypto isakmp client configuration group TWO
  key KEY2
  acl 2
  pool POOL2

If this is a small scenario where you have full control, you can provide the users access to each group individually.

Each group will have its own access determined with ACL 1, 2, etc.

A better alternative might be using a Radius server (for example ACS) that can inject per-user downloadable ACLs.

Federico.

That makes sense. Thank you.

Just a quick one, how is a group applied to a specific local authenticated user?

I don't recall there being an option to map a local user to a VPN group in IOS.

I was suggesting basically a separate PCF for each client, so that a user can connect to a separate group and have separate access.

This won't work if you provide the same PCF for all users, because all users can connect to the same group then...

Again... maybe not the best solution but it will accomplish giving different access to different users based on the group they connect to.

Federico.
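A fuller version of the per-group layout Federico sketches above and of the "one PCF per user" linkage he describes in this reply, written as an added example for this thread (it is not configuration from the thread, from Gareth's router or from Cisco documentation). The VLAN subnets, pool ranges, group names, ACL numbers, interface names and the placeholder secrets are all assumptions chosen for illustration; the 1801's WAN port is assumed to be FastEthernet0.

```cisco
! Added example: IOS Easy VPN server on the ISR with one client group per VLAN.
! All addresses, names, numbers and secrets below are assumptions.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
!
! Xauth user accounts (replace the placeholders before use)
username userA secret <USERA-SECRET>
username userB secret <USERB-SECRET>
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! One group per user; the group name and its key go into that user's PCF only
crypto isakmp client configuration group ONE
 key <GROUP-ONE-KEY>
 pool POOL1
 acl 101
crypto isakmp client configuration group TWO
 key <GROUP-TWO-KEY>
 pool POOL2
 acl 102
!
! Distinct address pools let the router tell the groups apart by source address
ip local pool POOL1 10.10.1.1 10.10.1.10
ip local pool POOL2 10.10.2.1 10.10.2.10
!
! Split-tunnel ACLs pushed to the client: ONE is told to tunnel only VLAN 1's
! subnet, TWO only VLAN 2's subnet
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
! Enforcement on the router itself: the other group's pool may not enter each VLAN
ip access-list extended VLAN1-OUT
 deny   ip 10.10.2.0 0.0.0.255 any
 permit ip any any
ip access-list extended VLAN2-OUT
 deny   ip 10.10.1.0 0.0.0.255 any
 permit ip any any
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
crypto map VPNMAP client authentication list VPN-USERS
crypto map VPNMAP isakmp authorization list VPN-GROUPS
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN1-OUT out
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group VLAN2-OUT out
!
interface FastEthernet0
 description WAN uplink (assumed)
 ip address dhcp
 crypto map VPNMAP
```

Two points worth keeping in mind with this layout. The `acl` under each client configuration group is a split-tunnel policy that the router pushes to the VPN Client; the client, not the router, decides what to send down the tunnel based on it, so the outbound ACLs on the VLAN interfaces are what actually keep group TWO's pool out of VLAN 1 and vice versa. And the `username` entries only satisfy Xauth; they do not tie a person to a group. The binding is the group name and key carried in the PCF, which is why each user must receive only their own group's PCF, exactly as Federico notes. For the larger deployments he mentions, changing the network authorization list from `local` to `group radius` lets a RADIUS server such as ACS supply the group attributes and per-user ACLs instead.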
