Isolate Public Wireless Network on Catalyst 3500XL and 4507R

lovembsc89 (Level 1)

I am trying to use a 3Com wireless router in one of our training rooms to allow public internet access when in that room. We have it jacked into a port in a Cisco Catalyst 3500XL, which is jacked directly into our Cisco Catalyst 4507R. We have 6 VLANs in the 4507 switch. I created a 7th VLAN (vlan 700) on both switches and assigned the interface on the port in the 3500 to that VLAN. I'm not sure what to do on the 4507 though. The firewall that the users need to go through to get to the internet is on one of the VLANs (vlan 100 -- 172.16.0.x) that I'm trying to avoid access to for vlan 700. I tried assigning an ACL to vlan 700, but I must have done something wrong, because it caused current users on the wired network to lose access to the switch. I used:

access-list 101 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any

What I want to do is this:

Wireless router & DHCP addresses on the 192.168.100.0 network = internet access only

All other networks (172.16.0.0, 192.168.30, 40, 50, 60) = all access except 192.168.100.0

I'm very confused as to what I need to do, and on which switch.

7 Replies

Jon Marshall (Hall of Fame)


You need to create a L3 SVI for vlan 700 on your 4507 switch, i.e.

int vlan 700
ip address 192.168.100.x 255.255.255.0

then you need to apply the ACL 101 in the inbound direction on the vlan 700 interface, i.e.

int vlan 700
ip address 192.168.100.x 255.255.255.0
ip access-group 101 in

Jon

Thanks, Jon!  I did what you said.  Now, two more questions:

1.  Do I need vlan 700 on the port on the 3500XL?

2.  If I have a 100 mb connection jacked into a gigabit ethernet port in the 4507, do I need to set the duplexing and speed of that port, or will the auto setting be enough for this connection?

At least this time, nothing has blown up.


1) If the 3500XL is only for vlan 700 then yes, the port on the 3500XL and the corresponding port on the 4507 should be set to vlan 700. If there are multiple VLANs on the 3500XL then you will need to make the connection at both ends a L2 trunk.

2) Auto-negotiation should be fine as long as both ends are set to auto-negotiate.

Glad to hear nothing else has blown up.

Jon

Ok.  Just to make sure I understand.  There are two vlans on the 3500.  The port that connects the 3500 to the 4507 is on vlan 100 (private network).  I have the router coming into the 3500 from the patch panel, and have set that port to vlan 700 (public network).  In this scenario, I can't configure an L2 trunk, can I?


If the path to your firewall is via the 4507 switch then you need to configure the connection between the 3500 and the 4507 as a L2 trunk, because you need 2 VLANs, vlan 100 and vlan 700, to go from the 3500 switch to the 4507 switch. So the port on the 3500 connecting to the 4507 needs to be a trunk port, and so does the port on the 4507 connecting to the 3500.

Don't do this during production hours, because changing it from an access port in vlan 100 to a L2 trunk will create an outage. Not a huge outage, but it could be a couple of minutes. You also need to be aware of VTP if you change the connection to a L2 trunk. You would be advised to change the 3500 to VTP transparent mode if it isn't already, so it cannot overwrite the VTP database on the 4507 switch, which would really break things. Do this before configuring the trunk link.

Alternatively, if you have a spare connection between the 4507 and 3500, i.e. not the existing one in vlan 100, then you could simply configure that to be in vlan 700 and leave the original connection alone.

Jon

Jon,

I'm going to do this Monday after hours.  I'll let you know how it goes.  This is just the first phase of this project, so I want to make sure that I have a good handle on it before we open it up and roll out more wireless access points.

Thanks so much for your help, and have a great weekend.

~T

I was finally able to try this, and I get the same result.

Traffic on the 192.168.100.x network can still see the other networks.  I added the ACL to the Cat 3500, thinking maybe it needed to go there too, and I added connected spare ports between the switches and added them to vlan700.  The other ports use spanning-tree portfast.  Should I take this away from this port in the 3500?

The vtp mode is transparent.  I am copying the relevant pieces of the configs from both switches.  Thanks for any assistance you can offer.

Pieces of config from 4507 (why does vlan 700 say "shutdown" even after I issue "no shut"?)

interface GigabitEthernet7/23
switchport access vlan 100
switchport mode access

vlan 600
name SocSvc
!
vlan 700
name RCACBOSW
shutdown

interface Vlan600
description SocSvc
ip address 192.168.60.1 255.255.255.0
!
interface Vlan700
description RCACBOSW
ip address 192.168.100.24 255.255.255.0
ip access-group 102 in

access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

Pieces of config from 3500:

interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport access vlan 700

interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN700
ip access-group 102 in
no ip directed-broadcast
no ip route-cache
shutdown

access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
spanning-tree portfast
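The posted ACL 102 on interface Vlan700 blocks exactly one destination prefix, 172.16.0.0/24, and the `permit ... any` that follows still lets vlan 700 reach 192.168.30/40/50/60.x, which matches the symptom reported in the last post. The Python model below is an added example, not code from the thread or from Cisco: it parses IOS numbered extended ACL lines with Cisco wildcard masks, evaluates them first-match with the implicit trailing deny, and runs the posted ACL beside a hardened one against constructed sample flows. The hardened ACL generalises the intent to all RFC 1918 space; it assumes no internal DNS or DHCP server has to be reachable from vlan 700 (if one does, a `permit ... host <server>` line would need to go above the deny entries), and 203.0.113.10 is a documentation (TEST-NET-3) address standing in for an Internet host.

```python
"""Evaluate Cisco IOS numbered extended ACLs against sample flows.

Added example, not part of the original thread. It models first-match ACL
evaluation with wildcard masks and the implicit deny, then shows why the
posted ACL still lets vlan 700 reach the other internal VLANs, beside a
hardened ACL that denies every RFC 1918 destination.
"""
import ipaddress
from typing import List, Tuple

# Shape: (action, protocol, (src_base, src_wildcard), (dst_base, dst_wildcard))
ACE = Tuple[str, str, Tuple[str, str], Tuple[str, str]]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF & ~_ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[ACE]:
    """Parse 'access-list N {permit|deny} ip SRC WILD DST WILD' lines; remarks are skipped."""
    aces: List[ACE] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces: List[ACE], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto, (sb, sw), (db, dw) in aces:
        if proto != "ip":
            continue  # this model only handles 'ip' entries, which is all the thread uses
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# The ACL exactly as posted for interface Vlan700 (applied inbound).
POSTED_ACL = """
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
"""

# Hardened replacement (assumption: nothing internal, e.g. a DNS server, must be
# reachable from vlan 700). Internet-bound packets carry a public destination, so
# no permit toward the firewall's own address is needed; denying all RFC 1918
# prefixes fences off 172.16.0.x and 192.168.30/40/50/60.x in one go.
HARDENED_ACL = """
access-list 102 remark vlan 700 (public wireless): Internet only
access-list 102 deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 102 deny   ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
"""

# Constructed sample flows from a wireless client toward each kind of destination.
SAMPLE_FLOWS = [
    ("192.168.100.10", "172.16.0.5"),    # firewall VLAN, 172.16.0.x
    ("192.168.100.10", "192.168.60.5"),  # SocSvc VLAN 600
    ("192.168.100.10", "192.168.30.5"),  # another internal VLAN
    ("192.168.100.10", "203.0.113.10"),  # Internet (documentation address)
    ("172.16.0.5", "192.168.100.10"),    # not a vlan 700 source: implicit deny either way
]


def compare(flows=SAMPLE_FLOWS):
    """Return {(src, dst): (posted_verdict, hardened_verdict)} for each flow."""
    posted, hardened = parse_acl(POSTED_ACL), parse_acl(HARDENED_ACL)
    return {f: (evaluate(posted, *f), evaluate(hardened, *f)) for f in flows}


if __name__ == "__main__":
    for (src, dst), (p, h) in compare().items():
        print(f"{src:>15} -> {dst:<15} posted={p:<6} hardened={h}")
```

Two things the output makes visible. Internet-bound packets have a public destination address, so they pass the hardened ACL without any permit toward the firewall's 172.16.0.x address; the 4507 just routes them to the firewall as next hop. And an ACL applied `in` on Vlan700 is stateless and only filters what vlan 700 hosts send: the requirement that the wired networks have no access to 192.168.100.0 needs its own filter (an ACL applied `out` on Vlan700, or `in` on the other SVIs) denying the internal source prefixes toward 192.168.100.0/24. Separately, the `shutdown` shown under `vlan 700` in the posted 4507 config is the Layer 2 VLAN state, distinct from the Vlan700 SVI; `no shutdown` entered under `vlan 700` in global configuration mode is what clears it.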
