Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1240
Views
0
Helpful
3
Replies

Guest VLAN

access1097BA
Level 1
Level 1

‎11-29-2009 01:54 AM - edited ‎03-06-2019 08:45 AM

Hi,

I got 14 Secondary switches C2960 configured with a dot1x and aaa Radius, all authentication happend trought the radius.

My core switch C3750G is connected to all C2960 switches, to the Router and to My ISA/Proxy server.

I have a Guest_VLAN on all Secondary Switches C2960 . i want my Guest to be able only to internet.

I have only one subnet LAN 192.168.210/24.

My idee to create a new subnet 192.168.220/24 (only for routing purpose) with as gateway the isa server ip address.

Do i have to routing the new subnet to the isa server on the layer 3 switch?

Do i have to create alle guest vlan on all switches with the new subnet + gateway?

I want the authentication to radius with Domain computers since the user account reside on another domain.

What are the vendor attribute on the radius?

Advies please.

Thanks alot

Labels:
0 Helpful
3 Replies 3

manfernandez
Level 1
Level 1

‎11-29-2009 03:51 PM

If I understand it correctly, you want to have a guest VLAN that has no access to your Internal Networkl  This guest vlan

is only for Internet traffic.

Assumptions:

1. You are using VTP or GVRP to pupulate the VLAN ID accross multiple switches.

2. You are using trunk ports of some sort between switches and the core.

I would create a new VLAN, all ports on the switches that will be on this VLAN will have a default gateway of the ISA server (So L2 through all your switces).  Add an additional NIC to ISA server if not already there and plug that port into a switch on the new VLAN.

Use ACLs to block traffic from the guest to internal since the trunk ports will need to pass all tags.

Use a loopback IP or a mgmt vlan to source the RADIUS traffic.

Hope the helps

Manny

0 Helpful

access1097BA
Level 1
Level 1
In response to manfernandez

‎11-30-2009 01:44 AM

Thank you for your feedback,

ACL is for IP restrictions, all my users incl guest are on the same subnet.

Any suggestions will be welkome.

Thanks

0 Helpful

access1097BA
Level 1
Level 1
In response to access1097BA

‎11-30-2009 02:26 PM

Please can you help me further,

Can you please tel me step by step how i have to do this configuration.

Core switch 3750G, router and all my secondary 2960 switches are connected to the core switch.

I want all my local users authenticate to Radius for authentication.

I want to create a VLAN for local users and VLAN for guest internet.

Where and how i have to configure the dot1x ( on all example wat i found on google Fasteethernet0/3).

Waht they meen with fastethernet0/3, do i have to set the dot1x on alle switches port fastethernet0/3?

Please can you guide me.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card