Second VLAN on SR520 for non-VPN traffic?

Unanswered Question
Jul 22nd, 2010

Hey guys,

I have a remote teleworker that is connecting to our UC520 back at the office.  The remote teleworker setup includes an SR520W at the remote site with an SPA525G phone sitting behind it.  The remote teleworker is accessing our server and some other applications on our corporate LAN while connected.  Is there any way to set up a second VLAN (or use the wireless VLAN solely) for non-VPN traffic?  I am already using split tunneling, but the remote teleworker will often have vendors and other parties coming into his office with a need for Internet Access and I'd like to separate traffic for obvious security reasons.

Thanks in advance,

Seth

sethschmautz Wed, 09/01/2010 - 08:14

I am returning to this issue as I need to get it resolved for our remote teleworker.  Is it possible to set up this second VLAN and completely separate traffic from the VPN connection?

jyoopro4ia Thu, 09/02/2010 - 06:19

Not sure if it's possible with CCA, but you should be able to do it with the CLI: create a new VLAN, assign it to a port (or ports), and set up an ACL.

sethschmautz Thu, 09/02/2010 - 08:02

Thanks.

I'm going to play around with that later today to see what happens.  I'm still a little bit concerned that although we could put one port on VLAN 1 and another port on VLAN 50 (i.e. guest), their traffic would still hit our server if they knew what to look for.  That might be a stretch, but it's a security concern at the very least.  Is there any way to ensure that only traffic from VLAN 1 travels over the VPN and that all traffic from VLAN 50 cannot?

Thanks,

Seth

jyoopro4ia Thu, 09/02/2010 - 10:29

As long as you have a proper ACL (access list) set up, you can restrict the guest VLAN (50?) traffic from reaching your internal VLAN.

sethschmautz Thu, 09/02/2010 - 10:43

Thanks again.

Not being much of a CLI guy, can you take a look and see if I'm getting it correct below?

Current access list:

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.85.0 0.0.0.255
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip *public IP* 0.0.0.3 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host *remote VPN IP* any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.75.0 0.0.0.255 any

192.168.85.x is my new guest VLAN - VLAN 50
192.168.75.x is the internal VLAN - VLAN 75

The VPN is a split tunnel configuration where 3 additional subnets are being allowed for voice and data.  Let's say that these are:

data - 192.168.10.x
voice - 10.1.1.x
voice - 10.1.10.x

In order to ensure that VLAN 50 on the SR520 cannot interact with these, would I need to include the following commands:

access-list 104 deny 192.168.85.0 192.168.10.0
access-list 104 deny 192.168.85.0 10.1.1.0
access-list 104 deny 192.168.85.0 10.1.10.0

I get a little confused about exactly how the access lists should be numbered and if these are formatted correctly.

Thanks in advance,

Seth
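One way to express the guest isolation Seth is asking about, added here as an example and not taken from the thread or from a Cisco reference design: an extended ACL needs a protocol keyword and a wildcard mask on both the source and the destination, and it only takes effect once it is applied to an interface. This assumes the SR520's guest SVI is interface Vlan50 with 192.168.85.1 as the guest gateway and that VLAN 50 itself already exists; the ACL name is made up for the example.

```cisco
! Added example: keep guest VLAN 50 (192.168.85.0/24) away from the
! internal VLAN 75 and from the three subnets reachable over the split tunnel.
! Assumptions: SVI is "interface Vlan50", gateway 192.168.85.1, ACL name is hypothetical.
ip access-list extended GUEST_VLAN50_IN
 remark DHCP requests arrive from 0.0.0.0, so match them before the subnet-based entries
 permit udp any eq bootpc any eq bootps
 remark Guests may talk to their own gateway (DNS relay, default route)
 permit ip 192.168.85.0 0.0.0.255 host 192.168.85.1
 remark Block the internal VLAN and the split-tunnel data/voice subnets
 deny   ip 192.168.85.0 0.0.0.255 192.168.75.0 0.0.0.255
 deny   ip 192.168.85.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.85.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip 192.168.85.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark Anything else from guests (Internet via NAT) is allowed
 permit ip 192.168.85.0 0.0.0.255 any
 remark Unlisted traffic (e.g. spoofed source addresses) hits the implicit deny
!
interface Vlan50
 description Guest VLAN - no VPN access
 ip address 192.168.85.1 255.255.255.0
 ip access-group GUEST_VLAN50_IN in
```

Entries are evaluated top down and the first match wins, so the deny lines must sit above the final permit; show access-lists GUEST_VLAN50_IN displays per-entry hit counts, which lets you confirm from a guest host that the denies are actually being matched.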
