VLAN routing question

mikearama · March 2008

Our network uses vlans extensively to segregate traffic. I've been asked to create another, with a catch.

Our last audit pointed out that our conference rooms provide network access for both staff and visitors/vendors. Visitors/vendors, whether wired or wireless, get IP's on the same vlan as staff... potentially getting access to the same domain resources.

The new vlan is to be for any non-domain authenticated laptops, and is to only permit access to the internet. I've read about this, but never had to set up anything like it, so I have obvious questions.

For example, how do I use 8021x or taccacs to assign a vlan dynamically, ensuring that visitors are put into the restricted vlan, while domain-authenticated machines get the regular user vlan? Do I have to use an isolated vlan to control routing and ensure that the restricted vlan can reach the core, but from there, only the firewall? or would an acl / route-map suffice?

I would appreciate any thoughts from you techies who've rolled out something like this.

Much obliged,
Mike

Netstudent · March 2008

The thing with an isolated vlan is they are only supported on high end switches as far as Cisco is concernced. If Nortel has some kind similar feature, then an isolated or community type vlan might be an option. Is your using VTP, then Secondary vlans won;t work. But you are a working a nortel shop right?

To dynamically assign a vlan, you would need some kind of vlan policy server, but even then you would probably need the MAC address or some kind of identifying info from the visitor laptop.

I would create a visitor vlan, and assign it to a couple switch ports for each conference room, and then use a Vlan map, or ACL to deny that subnet from getting anywhere besides a dhcp server and the internet.

With wireless, maybe you could put a WAP in the visitor vlan with all the same restrictions on the vlan. Make the new WAP have a Visitor SSID and isolate that wireless network from the rest of the network.

darkuser · March 2008

you can use the 8021x "guest" vlan feature.

we currently use the vmps "fallback" vlan as our guest vlan.

this is implemented as a dmz on the firewall with internet access.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html#wp1065246

mikearama · March 2008

Netstudent wrote:

But you are a working a nortel shop right?

Hey NS... you have a good memory. I lasted 10 weeks at the college, and decided I wan't enjoying it. I did really like the wireless layout, and took advantage of the opportunity to learn all I could about Symbol/Motorola controllers. Other than that, it wasn't much fun... too much entry level work, despite the fancy title. So, I called Toyota Canada back up, and they hadn't yet filled my role, and what do ya know, they offered it back to me. Couple weeks now.

Anyway, 100% Cisco again. Ah, feels like home.

So I can pursue a pure cisco solution to the issue.

I was hoping to not have to set up a policy server... seems a lot of work for one vlan. Having said that, I'll do that over having to hardset switch ports to the restricted vlan... that has "problematic" written all over it. I'll be changing them daily to suit the people in the room.

I like your idea of the second wlan with a unique ssid. That'll work.

Guess I'll start reading up on policy server.

tech-airman · March 2008

mikearama,

Are you looking for a pure Cisco solution to this problem?

joshgibson82 · March 2008

You could do it another way. Have your wireless broadcast a guest vlan with open authentictation, and have it on a separate vlan from your production. Then on the guest vlan interface, use a route map to catch all the traffic on that interface. Set up a GRE tunnel from the guest vlan gateway to the firewall, and set all guest traffic with a next-hop of the other side of the GRE tunnel. That will get all the traffic into the DMZ, and from there only allow the traffic to go out the internet. I've see that used before.

It's quick and easy, but probably not as secure.

Thanks

Wireless ---Gateway---Tunnel----Firewall ----Internet

mikearama · March 2008

tech-airman wrote:

mikearama,

Are you looking for a pure Cisco solution to this problem?

100% pure. Extra virgin, if possible.

mikearama · March 2008

joshgibson82 wrote:

It's quick and easy, but probably not as secure.

Wireless ---Gateway---Tunnel----Firewall ----Internet

Perfect. I like it. And it does sound easier than I expected. I'll look into the GRE tunnel. And it didn't need to be a super-secure solution... just get visitors off our production user vlan.

I'm back to wondering about the wired side of the equation.

tech-airman · March 2008

mikearama wrote:

tech-airman wrote:

mikearama,

Are you looking for a pure Cisco solution to this problem?

100% pure. Extra virgin, if possible.

mikearama,

Since I'm currently enrolled in the Cisco Networking Academy course called "Fundamentals of Wireless LANs" I'd like to help with the wireless part.

Based on what I've learned so far, you can configure a Cisco 1200 series Access Point to associate a certain SSID to a certain VLAN. So let's say you can associate the SSID of CORP to the VLAN for the Staff and the SSID of ANYONE to the VLAN for the Visitors/Vendors. Then you'd have to contain the second VLAN on the wired network so that the VLAN only has internet access as desired. Then you could freely let everyone know the SSID of "ANYONE" to, um, anyone.

The Ethernet port on the Cisco 1200 series Access Point will be an 802.1q trunk link back to the nearest managed switch with 802.1q VLAN capabilities. There's more commands to help lock down the AP for security but I'm not up to that module yet. I hope this helps.

dtlokee · March 2008

You don't really need a GRE tunnel, just a seperate VLAN that does not contain any other resources, just the wireless clients and the connection to the firewall. I personally don't like the idea of a completely open access point in any case, you may want to consider some forme of basic authentication like PSK that isn't going to be to difficult for somone to type in.

joshgibson82 · March 2008

dtlokee wrote:

You don't really need a GRE tunnel, just a seperate VLAN that does not contain any other resources, just the wireless clients and the connection to the firewall. I personally don't like the idea of a completely open access point in any case, you may want to consider some forme of basic authentication like PSK that isn't going to be to difficult for somone to type in.

It may very well be physically impossible to connect the vlan directly to the firewall. Therefore, the GRE tunnel will allow the guest traffic to traverse the entire network without showing a potential hacker hops it takes to get over to the firewall. I'm sure there are 1000 ways to set up this scenario, this is just my 2 cents.

dtlokee · March 2008

Yup, but the simplest solution is the best solution, introducing a GRE tunnel if it's not necessary will add overhead to the frames, as well as introduce MTU issues on the frames requiring fragmentation. We don't know the whole topology so it's difficult to say what is best. I mean we could implement a MPLS core and L3 VPNs, or perhaps L2 VPNs to make it work, all possible solutions. My point was don't assume a GRE tunel s required when a VLAN might be the best solution.

TTA89 · March 2008

Just off the top of my head...

The Cisco APs support multiple vlans with different SSIDs. The config is different if you are using Wireless Controllers and lightweight APs or Autonomous mode APs. Either way they support this and its used for this purpose.

So I would create a new vlan and add your guest network to it.

Then create a simple ACL that allows DHCP but blocks access to the rest of the network. I think its UDP Port 67.

ip access-list extended 100
permit udp any host DHCPSERVERIP bootpc or bootps I forget which one is the which.
deny ip any 10.0.0.0 0.255.255.255 log Assuming you use the 10.x.x.x network internally.
permit ip any any

This way the only traffic allowed out of the vlan is traffic destined for any network other than 10.x.x.x.

Then I would setup my DHCP server scope to hand out IPs in the 172.16 range so you can easily tell the traffic apart and use a public DNS server like www.opendns.com to serve DNS. You can even use your switch to serve DHCP so you don't have to allow anything to your internal network.

I'd then configure a few ports in the conference rooms and label them as internet only and put them in the same vlan as the guest AP Vlan. Enable DHCP Snooping, DAI, etc, etc, to keep the script kiddies at bay.....

I think for a quick and easy solution that works. I'd mess with it in a lab and try to break it before implementing.

Paul Boz · March 2008

If you want to be the most secure and have the easiest implementation just buy a low-speed (cheapest package, usually marketed as a "lite" service) dynamic DSL/Cable connection from a local provider and stick an AP on it completely off of the LAN. A Linksys with a WPA pre-shared key is all you need. The benefit of such a configuration is that it filters the "junk" traffic from hosing up your primary network's bandwidth to the internet. Any time you allow open access people are going to use the hell out of the internet on that connection.

If you want to make it complicated or don't have the budget for another internet connection put the AP into its own VLAN and use QoS to give that AP the lowest priority possible so that errant surfing doesn't grind your network down.

redwarrior · April 2008

Another solution, but one that costs $$$ is Cisco Clean Access. That way, you could create separate profiles, one for your regular users and one for guests. When everyone first connects, they get put into an authentication vlan while clean access figures them out. Your users log in as usual and are put into their usual vlan, but you could either create a guest account or create a profile for all computers that don't meet other requirements. These are placed into a separate vlan which you can then control as you like, routing it directly to the internet and controlling access with ACL's. Despite the pains we've been having with it, it's kind of cool how you can use clean access for more than just making sure your users have updated virus software!

mikearama · April 2008

Yeah, I love the nac solution, but it's both overkill for what I want, not to mention not in the budget.

We had a competitors version at the university I was at last, and it was a sweet ride. I'll just never get it approved for visitors internet access.

Mike

VLAN routing question

Comments