dns lookups in guest vlans

jkay18041
Level 3

I am setting up a network where a 3750 switch is going to route the guest vlan. On the dhcp server I gave the dns server 8.8.8.8 and that does not resolve. If I remove my firewall rules blocking vlan 2 from talking to vlan 1 and give dns server in the vlan 2 scope the ip address of my router on vlan 1 the dns lookups work. 

So my question is what do I need to do in order to get DNS to work on vlan 2 when I have vlan 2 blocked from vlan 1? 

Thank you for the help

Switch config

Current configuration : 5525 bytes
!
! Last configuration change at 22:21:23 UTC Mon Jan 2 2006 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 
enable password 
!
username admin privilege 15 password 0 
no aaa new-model
clock timezone UTC -6 0
clock summer-time UTC recurring
switch 1 provision ws-c3750e-24pd
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.10.1.1 10.10.1.5
ip dhcp excluded-address 10.10.1.245 10.10.1.254
ip dhcp excluded-address 192.168.2.1 192.168.2.5
ip dhcp excluded-address 192.168.2.250 192.168.2.254
!
ip dhcp pool Wired
network 10.10.1.0 255.255.255.0
bootfile pxelinux.0
next-server 10.10.1.248
default-router 10.10.1.253
dns-server 10.10.1.253
!
ip dhcp pool Wireless
network 192.168.2.0 255.255.255.0
default-router 192.168.2.253
dns-server 8.8.8.8
!
!
ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-2239690
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2239690
revocation-check none
rsakeypair TP-self-signed-2239690
!
!
crypto pki certificate chain TP-self-signed-2239690
certificate self-signed 01
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
description Media PC
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
description To 1841
!
interface GigabitEthernet1/0/24
description To 2821
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
ip address 10.10.1.250 255.255.255.0
!
interface Vlan2
ip address 192.168.2.253 255.255.255.0
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.1.253
!
ip access-list extended WiFi_Block
deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
!
access-list 122 deny tcp any eq 22 any
access-list 122 permit tcp 10.0.0.0 0.255.255.255 any
!
snmp-server community fast_stats RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps cluster
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps hsrp
snmp-server enable traps cpu threshold
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps errdisable
snmp-server enable traps vlan-membership
!
!
line con 0
line vty 0 4
access-class 122 in
privilege level 15
password 
login local
transport input ssh
line vty 5 15
password
login
!
end

Switch#

5 Replies

Paul Chapman
Level 4

Hi -

<edit>

You can permit guest traffic to transit your production network, but I don't really recommend it.  You simply modify your ACL to permit traffic to the firewall, then deny to the rest of the network.

ip access-list extended WiFi_Block
 ! Replace <x> with the IP of your firewall
 permit ip 192.168.2.0 0.0.0.255 host 10.0.0.<x>
 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any

To correctly set this up you do not want to do inter-vlan routing on the 3750.  You want to remove the VLAN interface for VLAN 2.  Set up a DMZ interface on your firewall and give it the 192.168.2.253 address.  For DHCP, either set up a proxy on the firewall pointing at the VLAN 1 interface on the 3750, or set up DHCP directly on the firewall.

PSC

Thank you for the tips and advice. How come you have to add the host rule into the access-list? Sorry I am not the best with this stuff and just assumed since the packets wouldn't have the destination of the network I was blocking then it would still pass them on since the switch was doing the routing.

Hi -

I had a <duh> moment there.  You are right about the ACL.  I'll edit that post.  On further consideration of the issue I think the problem is actually in the firewall configuration.  1) Do you have a route in the firewall pointing at 10.10.1.250 for the 192.168.2.0/24 network? 2) Do you have a NAT rule that matches outbound traffic from the 192.168.2.0/24 network?

PSC
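As an added illustration of the ACL point in the two replies above (example code, not from the thread): a small Python evaluator for IOS extended-ACL semantics (first match wins, wildcard masks, implicit deny at the end) run against the WiFi_Block ACL from the question, with constructed guest-client packets. It shows that guest traffic to 8.8.8.8 is permitted by that ACL, so a failing lookup points at the firewall's return route or NAT rather than the switch; note also that the posted config defines WiFi_Block but never applies it with ip access-group on interface Vlan2.

```python
import ipaddress

# Added example: minimal model of Cisco IOS extended ACL evaluation.
# Only 'permit|deny ip <src> <dst>' entries are supported, where an
# address is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard).

def wildcard_match(addr, network, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_address(tokens):
    """Consume one address spec from the token list; return ((net, wc), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one access control entry into (action, src_spec, dst_spec)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    assert action in ("permit", "deny") and proto == "ip"
    src, rest = _take_address(rest)
    dst, _ = _take_address(rest)
    return action, src, dst

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a src->dst packet: first match wins."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"  # implicit deny that ends every IOS ACL

# The WiFi_Block ACL exactly as it appears in the switch config above.
WIFI_BLOCK = [
    "deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip any any",
]

def guest_lookup_verdicts(guest="192.168.2.10"):
    """Constructed DNS destinations a guest client might use (sample values)."""
    targets = {"google_dns": "8.8.8.8", "vlan1_router": "10.10.1.253",
               "vlan1_host": "10.10.1.50", "same_vlan": "192.168.2.5"}
    return {name: evaluate(WIFI_BLOCK, guest, ip) for name, ip in targets.items()}

if __name__ == "__main__":
    for name, verdict in guest_lookup_verdicts().items():
        print(f"{name:>13}: {verdict}")
```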

I ended up putting the guest network to be routed on the router. I didn't want to do this originally because I don't know much about the Dell SonicWalls and it also doesn't seem to be very powerful, so I figured the switch would be better off routing it.

I have to say I'd never buy a SonicWall. The thing would not allow the switch to route the VLAN because it would never forward traffic back to the switch for that VLAN. I did add the static route from the router to the guest VLAN like I should. I ended up having to use a 3rd interface on the SonicWall, then create a sub-interface on it, as the thing could only be tagged to a VLAN via a sub-interface. The whole device is confusing as heck and just overcomplex for what it really needs to be.

Thanks for the help on this.

So, new issue. For some reason the SonicWall is not doing very well at routing this VLAN 2 traffic. I called Dell and the guy couldn't figure out my problem.

So I have the APs plugged into the switch as seen in the config above. I then made a 2nd LAN interface on the Dell SonicWall that plugs into the Cisco switch on port 24. I tagged the VLAN on port 24. So the Dell SonicWall is X0 LAN (VLAN 1), X1 WAN, then I made an X2 interface (X2V2) as the LAN for VLAN 2. I plugged X2V2 into port 24 on the Cisco 3750. I also took the IP address for VLAN 2 off of the Cisco, as well as the DHCP server, and put that IP on the SonicWall and then made the SonicWall handle DHCP. So my question is: since I am now using the 3750 switch as layer 2, I have no IP on VLAN 2. Do I need to add a static route such as 0.0.0.0 0.0.0.0 vlan 2 10.15.1.254 on the switch so that the traffic for VLAN 2 will be pushed to that address? I wouldn't think I would have to, but I cannot get VLAN 2 out to the internet and I am not onsite currently to do a traceroute or packet capture. My hope is to figure my issue out so I can take care of it over my lunch break, as this is not my job, just a side job for someone.

Thanks for the input and help!
