Guest VLAN

Unanswered Question
Nov 29th, 2009

Hi,


I have 14 secondary C2960 switches configured with dot1x and AAA RADIUS; all authentication happens through the RADIUS.

My core switch C3750G is connected to all C2960 switches, to the router and to my ISA/Proxy server.

I have a Guest_VLAN on all secondary C2960 switches. I want my guests to be able to reach only the Internet.

I have only one subnet LAN 192.168.210/24.

My idea is to create a new subnet 192.168.220/24 (only for routing purposes) with the ISA server IP address as gateway.

Do I have to route the new subnet to the ISA server on the layer 3 switch?

Do I have to create the guest VLAN on all switches with the new subnet + gateway?

I want the authentication to RADIUS with domain computers, since the user accounts reside on another domain.

What are the vendor attributes on the RADIUS?

Advice please.


Thanks a lot

manfernandez Sun, 11/29/2009 - 15:51

If I understand it correctly, you want to have a guest VLAN that has no access to your internal network. This guest VLAN is only for Internet traffic.


Assumptions:

1. You are using VTP or GVRP to populate the VLAN ID across multiple switches.

2. You are using trunk ports of some sort between switches and the core.



I would create a new VLAN; all ports on the switches that will be on this VLAN will have a default gateway of the ISA server (so L2 through all your switches). Add an additional NIC to the ISA server if not already there and plug that port into a switch on the new VLAN.


Use ACLs to block traffic from the guest to internal since the trunk ports will need to pass all tags.


Use a loopback IP or a mgmt vlan to source the RADIUS traffic.


Hope this helps


Manny
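
A configuration sketch of the layout described in this reply, added here as an example and not posted by anyone in the thread. The VLAN IDs 210 and 220, the RADIUS server address 192.168.210.10, the key placeholder and the interface numbers are assumptions; the commands are the IOS 12.2 forms used on the 2960/3750.

```cisco
! --- Each C2960 access switch (added example; VLAN IDs, addresses, ports assumed) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Assumed RADIUS server address; replace the key placeholder.
radius-server host 192.168.210.10 auth-port 1812 acct-port 1813 key <shared-secret>
! Source RADIUS packets from the management SVI so the server
! sees one stable client address per switch.
ip radius source-interface Vlan210
!
vlan 220
 name GUEST
!
! User-facing ports only, never uplinks. A client that does not
! answer EAPOL requests is placed in VLAN 220.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 210
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 220
 spanning-tree portfast
!
! Uplink to the core carries both VLANs as tagged traffic.
interface GigabitEthernet0/1
 switchport mode trunk
!
! --- Core C3750G ---
vlan 220
 name GUEST
!
! Port facing the additional ISA NIC (the guests' default gateway).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 220
!
! Apply only if the core already has an SVI in VLAN 220.
ip access-list extended GUEST-IN
 deny   ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255
 permit ip any any
interface Vlan220
 ip access-group GUEST-IN in
```

If the core has no SVI in VLAN 220 and the ISA server is the only gateway, guests have no routed path to 192.168.210.0/24 through the switch and the ACL is not needed. For RADIUS-assigned VLANs the server returns the IETF attributes Tunnel-Type (VLAN), Tunnel-Medium-Type (802) and Tunnel-Private-Group-ID.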

access1097BA Mon, 11/30/2009 - 01:44

Thank you for your feedback,


ACL is for IP restrictions; all my users incl. guests are on the same subnet.

Any suggestions will be welcome.

Thanks

access1097BA Mon, 11/30/2009 - 14:26

Please can you help me further.


Can you please tell me step by step how I have to do this configuration?


Core switch 3750G, router and all my secondary 2960 switches are connected to the core switch.

I want all my local users to authenticate to RADIUS for authentication.

I want to create a VLAN for local users and a VLAN for guest Internet.

Where and how do I have to configure dot1x? (In all the examples I found on Google: FastEthernet0/3.)

What do they mean with FastEthernet0/3? Do I have to set dot1x on port FastEthernet0/3 of all switches?

Please can you guide me.

Thanks
