Cisco Support Community
New Member

I need some help!

Hello everyone. I am trying to do this task.

I am working in a network which is class A. We already have a scope which every user for the company could access with their user and password, then they have access to some resources. We managed this with Active Directory.

I need to allow external users such as auditors to have access only to the internet when they connect their laptops to a network point.

I don't know how to do it. I think I have to create a new scope and authorize it in Active Directory. Also, do you know if I have to modify something in the switches?

Any suggestions and previous experience with this task are welcome.

If you need more information just tell me.

Thanks

21 REPLIES
New Member

Re: I need some help!

Creating a new scope in AD is one thing you'll have to do [if you want automatic delivery of IP addresses], however you will also have to provide a way for this new network to pass through your LAN and out through your ISP router.

Describe your LAN a little. What kind of switches do you have? What router do you have for internet access, does it have more than one LAN [ethernet] port?

New Member

Re: I need some help!

Thanks for your response.

I have a Cisco 3750 which is centralized with the others (Cisco 2100 series). I am thinking of creating a VLAN. What do you think? If so, what do I have to do? I believe this could be the procedure.

-Create the new scope in the DHCP server, authorize it in AD.

-Create a VLAN.

I have a router for internet; it's a NetScreen, which is a firewall as well. Do I have to change something here? It has more than one Ethernet port, as you asked me.

Thanks

Re: I need some help!

Hi,

You need to create a VLAN and by using an ACL you need to restrict access to internet only and to no other part of your network.

You can create the VLAN either on the access switch or maybe on the core switch.

Hope this helps...

Regards,

AbhisheK

Please rate all helpful posts!!!

New Member

Re: I need some help!

Hi,

Thanks for your answer. I need to create a VLAN, but I don't know if I have to create a private VLAN or an ISL VLAN.

Do you recommend that I enable VTP? Why? I read that many people had trouble with it.

Wladimir

Re: I need some help!

Hi,

I think even the simple ISL VLAN should do, but if you want the network to be very secure you can use P-VLANs.

But for ease of use and management I would recommend simple VLANs. Just create a special VLAN for the auditors and then by using ACLs restrict access only to internet and nothing else.

VTP is recommended only if you have lots of access switches. If there are only one or two switches to which the auditors are going to connect, there is no need for VTP. VTP helps you manage VLANs from one single core switch, wherein you don't need to make changes on all the switches; you just change it on one switch and the information then automatically propagates to all the switches and they update their respective VLAN databases.

There shouldn't be any trouble with VTP if you take care to make a device run in transparent or client mode before connecting it to the network. By default all switches are configured to run in 'server' mode, and hence if they have a revision number later than the current VTP server in the network, all the devices would follow the information propagated by the new switch, which in a way is false information.

For more on VTP, refer to this URL:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008062cfb2.html

Hope this helps...

Regards,

AbhisheK

Please rate all helpful posts!!!

New Member

Re: I need some help!

Thanks for the help.

So, if my network is configured like this:

2 Cisco 3750 switches, which are the core, and 4 2100 series switches, which are for access.

Do I have to configure all the switches if I disable VTP?

This network has the switches I mentioned. For the core, they are connected with each other. Do I have to configure both?

Thanks

Wladimir

Re: I need some help!

Hi,

You are welcome.

You'll need to configure VTP only if the auditors can possibly connect to any of the 2100 access switches. If you already know that they would connect to only one access switch, what you can do is check if that switch is running in transparent or client mode and then configure a VLAN on it for them and apply an ACL accordingly.

When you say "They are connected with each other", do you mean that the main core switch and the standby switch are connected to each other directly?

If you can explain your exact topology in detail, it would be good.

Hope this helps...

Regards,

AbhisheK

New Member

Re: I need some help!

Hi,

I mean the core switches as a stack (3750).

It's a star topology in which the 3750 switches provide the services to the access switches (2100 series). The router is connected to the core access.

Wladimir

Re: I need some help!

Hi,

As I said in the previous post, you can decide to use VTP depending upon the number of switches the auditors are going to connect to. If the number is more than 1, I guess you should use VTP for ease of use and no confusion in maintaining the VLAN.

You can create the VLAN on the core and then use VTP to propagate the VLAN information, or you can create the VLAN on one of the access switches only (if the auditors will connect to one specific switch only).

Hope this helps...

Regards,

AbhisheK

Please rate all helpful posts!!!

New Member

Re: I need some help!

Hi,

Thanks for helping me. All this information has been useful.

In fact I will install it in the core switch with VTP. Do I need to configure something additional in the router or firewall? I mean for this task.

Wladimir

Re: I need some help!

Hi,

You are welcome Wladimir.

Nothing needs to be done in the firewall or the router. As you want the auditors to be able to access only internet, just remember to add an ACL for the same on the core switch.

Hope this helps...

Regards,

AbhisheK

Please rate all helpful posts!!!

New Member

Re: I need some help!

Hi,

I have a doubt. As I wrote to you before, I need to configure the scope for the users who don't belong to the company. So, how many VLANs do I have to create? Suppose that it's gonna be for 50 users.

Thanks

Re: I need some help!

Hi,

As you have about 50 users, create only one VLAN on the core switch and then propagate it by VTP to your VTP switches.

Hope this helps...

Regards,

AbhisheK

Please rate all helpful posts!!!

Re: I need some help!

Hi,

I forgot one thing: after you have created the VLAN and have it on the access switch, you'll need to make the access ports members of that particular VLAN by issuing the command " switchport access vlan "

Hope this helps..

Regards,

AbhisheK

Please rate all helpful posts...

New Member

Re: I need some help!

ok, thanks.

Where do I have to make the access ports for the VLAN? Do you mean in the core switch?

Do I have to do this in the access switches?

Wladimir

Re: I need some help!

Hi,

- Create the VLAN on the core switch.

- Connect the core switch and access switch if not already connected and make the ports on both ends trunk ports.

- Check the VLANs by entering show vlan on the access switches.

- On the access switch, make all the ports members of the VLAN.

This should do it for you.

Hope this helps...

Regards,

AbhisheK

Please rate all helpful posts!!!
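
The steps from this thread (guest VLAN on the core, trunk to the access switch, access ports in the VLAN, and an ACL that leaves only Internet access) put together as an added example, not configuration posted by anyone in the thread. VLAN 50, the 172.16.50.0/24 guest subnet, the 10.0.0.10 DHCP/DNS server and all interface names are assumed values; it also assumes `ip routing` is enabled on the 3750 stack and that the firewall already routes and translates the guest subnet.

```cisco
! Added example. VLAN id, subnets, server address and interface names are assumptions.
! --- Core 3750 stack (VTP server, routing between VLANs) ---
vlan 50
 name AUDITORS
!
ip access-list extended AUDITORS-IN
 remark DHCP requests from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver only (assumed 10.0.0.10)
 permit udp 172.16.50.0 0.0.0.255 host 10.0.0.10 eq domain
 permit tcp 172.16.50.0 0.0.0.255 host 10.0.0.10 eq domain
 remark Block every private range, including the corporate class A network
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Whatever is left is Internet-bound; the source must be a guest address
 permit ip 172.16.50.0 0.0.0.255 any
!
interface Vlan50
 description Auditor / guest gateway
 ip address 172.16.50.1 255.255.255.0
 ! Relay DHCP to the server that holds the new scope (assumed 10.0.0.10)
 ip helper-address 10.0.0.10
 ! Filter traffic as it enters the core from the guest VLAN
 ip access-group AUDITORS-IN in
!
! --- Access switch: uplink to the core, then the wall ports auditors use ---
interface GigabitEthernet0/1
 description Uplink to core (the core-side port must also be a trunk)
 switchport mode trunk
!
interface range FastEthernet0/1 - 8
 description Auditor ports
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
```

`show vlan brief` on the access switch and `show access-lists AUDITORS-IN` on the core confirm that the VLAN propagated and the ACL is installed. Order matters in the ACL: the DHCP and DNS permits must sit above the deny entries, and the implicit deny at the end drops any source address outside the guest subnet.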

New Member

Re: I need some help!

Just create a new user with no rights, then give them the user name to access your network, so they will only be able to use the internet and the remaining will be hidden from them.

Maybe this could help you.

New Member

Re: I need some help!

OK, but if I give him a user and a password he has to log in to my domain, which means wasted time. Also I have to do this with all the external users every day.

So it's not a good deal.

New Member

Re: I need some help!

Whenever you have a domain, that means you have to be part of the domain to access anything in that domain, so I said just create a user name with no rights so they won't be able to do anything in that domain except internet usage, and your problem will be solved. Many universities have a guest login with which you are only able to use the internet and you can't do anything else...

New Member

Re: I need some help!

hi,

I know your point, which is true. The thing is that I have to deny access to the resources to any people who plug a cable into a network point to have access to them. I mean, if I am an auditor and need to do some conference here, I could plug in a cable and see all the resources of the company. So I think I have to create a VLAN to do this task. Don't you think so? Any suggestions?

Thanks

New Member

Re: I need some help!

Hi2

Basically the problem is your domain, because every user must log on to your domain, so that's why you have to give a user name to a person who wants to log in to your domain... (You can't create any user besides your domain. If you have a domain then every resource will belong to your domain, whether it's IE or something else, because all internet traffic must pass through the server.)

For VLANs the user must be connected to that port of the switch to access the network, but if he doesn't connect to that port, what will you do in that situation...

So in the domain just create a user name with no rights, like most network administrators do; then whether the user connects to one switch or any switch on that network, you don't need to implement VLANs and inter-VLAN routing...

I think now you'll get what I want to say...
