Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
589
Views
0
Helpful
9
Replies

Cisco VLAN Config

Go to solution
Matt Hoak
Level 1
Level 1

‎03-13-2014 03:50 PM - edited ‎03-10-2019 12:26 PM

Let me start by saying i'm Cisco challenged.  I understand all of what i'm doing, and i've done it before with HP switches, but i don't have much experience with Cisco, and I think i'm making it more complicated than it needs to be.  Let me start by describing my environment.

Access Point -> Catalyst 2950 -> Fiber -> 4510r+e Core Switch -> Copper -> ASA 5510 -> Internet Gateway

The AP is currently up and running on our internal workstation network on default VLAN 1.  I need to add a guest network that only has access to the internet.  AP supports second network on different VLAN, so I have added guest on VLAN 2.  AP is connected to port 45 on Catalyst switch.  I need to figure out the following:

How do I determine in the core switch which port is connected to this edge switch?  Have 12 edge switches all connected to core using fiber.  Basically need to track traffic to edge switch IP through the port it is using.  

How do I configure switch and core fiber ports to pass traffic on multiple VLANS?

How do I enable DHCP for one VLAN on the ASA?

Guessing an ACL would be the easiest way to only allow traffic from the new DHCP subnet out to the internet, and not to my internal network.

Again I have done all this before with HP and WatchGuard network gear, but this is very different.   I appreciate the help.   

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Matt Hoak

‎03-13-2014 05:32 PM

Some things to cover -

1) if you are only using one vlan and it being routed on the ASA then if you want to continue to use the ASA that will mean changing the inside interface to use subinterfaces and making the 4500 to ASA connection a trunk link.

If you were routing on the 4500 you wouldn't need to do that.

However the advantage of using subinterfaces on the ASA is that you do not need any acls to stop the guest network from talking to your internal network. You can just make the subinterface for the guest vlan a lower security level than the subinterface for the internal vlan and it will all work.

This does though mean as i say reconfiguring the 4500 link to the ASA and more importantly the ASA inside interface as i needs to be split into subinterfaces.

That said though if you have a spare interface on the ASA you could just use that for the guest vlan and leave the existing inside interface alone and pretty much all of the above applies except you wouldn't need subinterfaces and you wouldn't need to configure the 4500 to ASA connection as a trunk, you simply run another connection from the 4500 to the ASA.

The alternative is to route both vlans on the 4500 and use an acl to stop the new vlan communicating with the existing vlan but this still means a certain amount of configuration including adding a route to the ASA for the new vlan pointing to the 4500.

Ideally if you were going to do this the 4500 to ASA link would use it's own subnet which would mean readdressing the ASA inside interface and adding routes not just for the new vlan but also the existing vlan.

One thing i would say is that if you are planning to use more vlans internally then using the 4500 to route between vlans makes more sense than using the ASA but if you are not planning on doing that it may not be worth it.

It really comes down to what you are happier doing.

2) Yes you would need to tag the packets. If you only tag the new vlan then the trunk configuration on the 2950 port that connects to the AP needs to have the native vlan set to the existing vlan which it probably will be by default.

If you tag both vlans then you need to make sure the native vlan on the trunk link is some unused vlan in your network.

3) Which DHCP server to use comes down to where you do the routing. If you do use the ASA then yes you can hand out IPs for the new vlan on the ASA.

4) In terms of tracking the correct switch if you are running CDP on the 4500 and you know the IP used for managing the 2950 you can run "sh cdp neighbors detail" on the 4500 and it will show you all the attached switches and their IPs.

If that isn't possible if you can identify a device connected to the 2950 find it's mac address and then on the 4500 you can use the mac address to see which port on the 4500 that address is being learnt on which, if the switch is directly connected ie. not via other switches, will be the port you are looking for.

5) in terms of the interconnects as already said the AP to 2950 should be a trunk and the 2950 to 4500 will also need to be a trunk as well to pass both vlans.

Whether the 4500 to ASA needs to be a trunk depends on some of the above.

So that's quite a lot of info so please have a good read and by all means come back if you need clarification or you have more queries.

The key thing to decide is how you are going to handle the routing and if you use the ASA do you have a spare interface or not.

Jon

 

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-13-2014 04:16 PM

Do you have multiple vlans on your internal network ?

Where is the routing for your current vlan(s) being done ie. on the 4500 or on the ASA ?

Does the AP support trunking on it's connection to the 2950 ?

How do you handle DHCP at the moment ie. is it the ASA, the 4500, a separate DHCP server ?

Not sure what you mean by tracking the IP ?

Apologies for all the questions (and there may be more) but we need to understand the current setup before suggesting a solution.

Jon

0 Helpful

Go to solution
Matt Hoak
Level 1
Level 1
In response to Jon Marshall

‎03-13-2014 05:01 PM

No problem, ask as many as you need.  I appreciate the help.

There are multiple VLANS on a few of our switches, but from what I can tell only the default is being used.

I believe all the routing is being handled for my network on the ASA.

The AP gives the option of assigning new networks to a specific VLAN, so I assume the port it is connected to on the switch would just need to be "tagged' (HP's name for it)  for that VLAN.  

All DHCP on our network is handled by a Windows DHCP server.  I'm not opposed to using a different scope on the same server, i just figured it would be easier to just enable it on the ASA for this guest network.  I don't care much about logging on it, or really any other feature other than just giving out addresses that will get wireless guest users to the internet.  

I just meant that I don't know how to determine which physical fiber port this particular closet switch is connected to on the core without logging some sort of traffic to it.  I wasn't able to identify the correct port by anything in the interfaces list on the 4510.  

Thanks again for the help.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Matt Hoak

‎03-13-2014 05:32 PM

Some things to cover -

1) if you are only using one vlan and it being routed on the ASA then if you want to continue to use the ASA that will mean changing the inside interface to use subinterfaces and making the 4500 to ASA connection a trunk link.

If you were routing on the 4500 you wouldn't need to do that.

However the advantage of using subinterfaces on the ASA is that you do not need any acls to stop the guest network from talking to your internal network. You can just make the subinterface for the guest vlan a lower security level than the subinterface for the internal vlan and it will all work.

This does though mean as i say reconfiguring the 4500 link to the ASA and more importantly the ASA inside interface as i needs to be split into subinterfaces.

That said though if you have a spare interface on the ASA you could just use that for the guest vlan and leave the existing inside interface alone and pretty much all of the above applies except you wouldn't need subinterfaces and you wouldn't need to configure the 4500 to ASA connection as a trunk, you simply run another connection from the 4500 to the ASA.

The alternative is to route both vlans on the 4500 and use an acl to stop the new vlan communicating with the existing vlan but this still means a certain amount of configuration including adding a route to the ASA for the new vlan pointing to the 4500.

Ideally if you were going to do this the 4500 to ASA link would use it's own subnet which would mean readdressing the ASA inside interface and adding routes not just for the new vlan but also the existing vlan.

One thing i would say is that if you are planning to use more vlans internally then using the 4500 to route between vlans makes more sense than using the ASA but if you are not planning on doing that it may not be worth it.

It really comes down to what you are happier doing.

2) Yes you would need to tag the packets. If you only tag the new vlan then the trunk configuration on the 2950 port that connects to the AP needs to have the native vlan set to the existing vlan which it probably will be by default.

If you tag both vlans then you need to make sure the native vlan on the trunk link is some unused vlan in your network.

3) Which DHCP server to use comes down to where you do the routing. If you do use the ASA then yes you can hand out IPs for the new vlan on the ASA.

4) In terms of tracking the correct switch if you are running CDP on the 4500 and you know the IP used for managing the 2950 you can run "sh cdp neighbors detail" on the 4500 and it will show you all the attached switches and their IPs.

If that isn't possible if you can identify a device connected to the 2950 find it's mac address and then on the 4500 you can use the mac address to see which port on the 4500 that address is being learnt on which, if the switch is directly connected ie. not via other switches, will be the port you are looking for.

5) in terms of the interconnects as already said the AP to 2950 should be a trunk and the 2950 to 4500 will also need to be a trunk as well to pass both vlans.

Whether the 4500 to ASA needs to be a trunk depends on some of the above.

So that's quite a lot of info so please have a good read and by all means come back if you need clarification or you have more queries.

The key thing to decide is how you are going to handle the routing and if you use the ASA do you have a spare interface or not.

Jon

 

 

0 Helpful

Go to solution
Matt Hoak
Level 1
Level 1
In response to Jon Marshall

‎03-13-2014 09:09 PM

Thank you very much for the help.  Sounds like the route I need to go is trunking the AP to 2950 connection, the 2950 to 4510, and the 4510 to ASA, then adding the sub interface on the ASA.  I read something earlier this week about adding a sub interface, and how when it is added it clears out the rest of the config for the port.  I will probably spend some time this weekend reading up on everything, then i'll post some commands back here to make sure i'm not going to screw things up.  Thanks again for the help, and the quick response.  

0 Helpful

Go to solution
Matt Hoak
Level 1
Level 1

‎03-19-2014 08:55 AM

OK, so i've made some progress on this.  I was able to set up the VLANs on all my switches, and get the DHCP working from my ASA.  The last issue i'm running into has to do with the firewall settings.  I want this new VLAN to have unrestricted access to the internet, and access to a few websites internally.  Ideally all traffic would go out to the internet and then back in, but I don't think this is possibly since it is using the same gateway and external interface as the rest of my network traffic.  I seem to have some misunderstanding of how the rules are set up in the ASA, because the only way i've been able to get internet access to work is with an any to any allow rule on my new Wireless_Guest subinterface Access Rules.  The problem obviously is that with this rule, the new network has unrestricted access to everything else.  Below is an overview of the interfaces i'm working with.  Again, I really appreciate the help.

Ethernet0/0                Inside                             Security Level 100

Ethernet0/0                Outside                          Security Level 0

Ethernet0/0                DMZ                               Security Level 25

Ethernet0/0                Wireless_Guest            Security Level 0

 

Access Rules

Wireless_Guest

any to any

 

NAT Rules

Dynamic         Wireless_Guest-network/24            to                      outside interface address

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Matt Hoak

‎03-19-2014 09:15 AM

You need to rewrite your acl so that -

1) it allows traffic to the few internal web sites

2) it then denies traffic to all other internal IP subnets

3) it then allows traffic to anything else ie. the internet

The confusing thing is it shouldn't be allowed to connect to the inside unless you have defined static NAT for all your internal subnets though.

Jon

0 Helpful

Go to solution
Matt Hoak
Level 1
Level 1
In response to Jon Marshall

‎03-19-2014 02:09 PM

Looks like you were right about the static NAT.  I found it and removed it, but that still didn't cut off access to one of my internal subnets, and after spending a couple hours looking I still couldn't find it.  I ended up writing the rules to allow all, block all in that subnet, then allow exceptions.  Probably not the best way, but it will work until I can spend some time tracking down where that subnet is allowed through.

The very last problem I have to solve on this project is we need the ability to test ASA 5505 boxes from at least one port in our office before we send them out.  We used to do this through another external circuit which we have now disconnected.  I need to figure out how to allow traffic from my wireless_guest vlan directly to the .1 address assigned to my external interface.  I added an entry to the access list, but I believe I still need something in a NAT rule.  I know this will be a little different since this is an actual interface IP.  Any ideas?  

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Matt Hoak

‎03-19-2014 02:20 PM

It is a bit weird about the static NAT.

Did you check the xlate table after you removed the actual statements ?

Even saying that though it is unusual to statically NAT all internal subnets and i wouldn't have thought you would have setup them up to NAT to the guest interface anyway.

That aside i'm not sure what you are trying to test. Do you want to in effect go out through the ASA but then back in via the outside interface to test connectivity ?

If so for that particular request i would post a separate thread in the Firewalling forum for that. I did do a lot with firewalls a while back but i haven't yet got up to speed on the post 8.3 NAT which i'm assuming you are using ?

If i have misunderstood what you are asking please clarify.

Jon

0 Helpful

Go to solution
Matt Hoak
Level 1
Level 1
In response to Jon Marshall

‎03-20-2014 06:45 AM

Yes, that's exactly what i'm trying to do.  I'll go ahead and post another thread in the firewall forum.  Thanks again for all your help, you definitely helped point me in the right direction on all of this.  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card