09-11-2013 05:09 AM - edited 07-04-2021 12:48 AM
We have a branch office that we would like to set up a guest network at. We would like to use FlexConnect for local switching, being that the branch has a local internet service. Our plan is to set up a non-routable VLAN that will only have internet access so that it does not have access to internal corporate resources. To do this we were planning on using an external DNS such as 8.8.8.8. The issue I have run into is that by doing this the client can no longer resolve the DNS name for the virtual interface used for web authentication. We would need them to be able to resolve guestwlan to 1.1.1.1. How are others handling this? Our security team does not want us giving access to any internal DNS servers, and there is not a DMZ at the location. It is a rather small branch. Any ideas?
09-11-2013 06:06 AM
The DNS request to 8.8.8.8 has to be routed to the Internet as it's external, and the only possible way would be for the firewall to allow the requests from the guest subnet to the external DNS. So I advise you to speak to your firewall person.
09-11-2013 06:15 AM
If you configured a name under the Virtual Interface, then you would need to use a DNS server that is under your administrative control to be able to resolve the address.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
09-11-2013 06:23 AM
Yes, I configured a name under the Virtual Interface that is guestwlan.ourdomain.com. What we ended up doing is going on our public DNS server hosted on the internet and putting in an A record that resolves guestwlan.ourdomain.com to 1.1.1.1. It replicated across the internet, so now even using the 8.8.8.8 DNS server it is able to resolve the name guestwlan.ourdomain.com to 1.1.1.1 and the web authentication page is rendered. Osita, to address your concern, we are allowing UDP 53 access to the internet on the firewall for the guest network for external DNS.
09-11-2013 06:26 AM
You might want to look into changing that. IANA gave out the 1.x/8 address space. And of course, anyone else that did the same thing could cause you guys conflicts if they update the A record for that IP address.
HTH,
Steve
09-11-2013 06:32 AM
Would it cause a conflict, being that it is specific to our domain space? We thought about that but were thinking that since it uses ourdomain.com this would not be an issue. Thoughts?
09-11-2013 06:42 AM
More referring to the owners of 1.x getting your records removed.
HTH,
Steve
09-11-2013 06:48 AM
I see what you are saying. I am thinking the only way around this is to allow the guest VLAN access to one of our internal DNS servers with only UDP port 53 and putting the A record on that server.
09-11-2013 06:57 AM
If you have DNS servers in the DMZ/Internet, you can give them that address to use.
HTH,
Steve
09-11-2013 07:45 AM
That makes sense. So I would just need to re-address my virtual interface to something other than a public IP such as the one you have suggested. Then I can add it back to my public dns record correct?
09-11-2013 08:03 AM
I assume there are no conflicts or issues with creating public DNS records pointing to that 192.0.2.0/24 network?
09-11-2013 08:45 AM
Yes, that is what you do. No, there are no issues with creating A records with that subnet.
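As an added illustration of the two checks this thread converges on (the virtual interface address must not be globally routable public space, and the public zone must resolve the virtual interface name to exactly that address), here is a small validation script. It is not from the thread or from Cisco; the function names and the zone records are constructed, and it relies on Python's `ipaddress` module treating 192.0.2.0/24 (RFC 5737 documentation space) as non-global.

```python
"""Sanity checks for a WLC web-auth virtual interface on a guest VLAN.

check_virtual_interface and resolve_from_records are hypothetical helpers
written for this example; SAMPLE_ZONE is constructed sample data standing
in for the A records published in the organisation's public DNS zone.
"""
import ipaddress

# Constructed public-zone A records (hostname -> IPv4 address).
SAMPLE_ZONE = {
    "guestwlan.ourdomain.com": "192.0.2.1",  # corrected: documentation space
    "oldguest.ourdomain.com": "1.1.1.1",     # original choice: routed /8
}


def resolve_from_records(hostname, zone):
    """Return the A record for hostname from the constructed zone, or None."""
    return zone.get(hostname.rstrip(".").lower())


def check_virtual_interface(hostname, virtual_ip, zone):
    """Return (ok, findings) for a web-auth virtual interface name and IP.

    1. The IP must not be globally routable: a real owner of that space can
       get the record pulled, and guests lose reachability to real hosts there.
    2. The public zone must carry an A record mapping hostname to virtual_ip,
       so guests using an external resolver still reach the portal page.
    """
    findings = []
    ip = ipaddress.ip_address(virtual_ip)
    if ip.is_global:
        findings.append(f"{virtual_ip} is globally routable public address space")
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        findings.append(f"{virtual_ip} cannot serve as a virtual interface")
    answer = resolve_from_records(hostname, zone)
    if answer is None:
        findings.append(f"no A record for {hostname}")
    elif answer != virtual_ip:
        findings.append(f"{hostname} resolves to {answer}, not {virtual_ip}")
    return (not findings, findings)


if __name__ == "__main__":
    for name, ip in (("guestwlan.ourdomain.com", "192.0.2.1"),
                     ("oldguest.ourdomain.com", "1.1.1.1")):
        ok, notes = check_virtual_interface(name, ip, SAMPLE_ZONE)
        print(name, "OK" if ok else "; ".join(notes))
```

Run against a real zone by replacing SAMPLE_ZONE with the answers from your public resolver; any finding means the portal name will not reliably reach the virtual interface.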