I need to provide Internet wifi access to our visitors in the office while keeping our network safe.
We have one Cisco 3560, I've created one VLAN for VoIP and assigned several ports to it, in these ports I attached the VoIP phones and also one SOHO Wifi router. The VoIP is using the attached router, but I want also to use the Wifi router for the wireless connections (mostly people with smartphones and visitors with their laptops). I don't want them to gain access to our LAN. All the other ports are in the default VLAN.
DHCP is active in the Wifi router but I can't connect to the Internet using my laptop. The laptop takes the switch default gateway instead of the router. I don't know if I can add a default gateway to the VLAN...
We recently added a server (SBS2008) to the office, it provides DHCP to the clients. When I switch on the server, then the wifi clients get the switch default gateway, but the DHCP server is now the SBS, and I can connect to the Internet BUT using the other ISP.
The diagram is simple like this:
Router for the LAN | Firewall | switch 3560 -------- WIFI Router (for VoIP and wireless clients)
I'm using the same subnet for both VLANs.
I can't get it working :-( Any help would be great!
Generally I don't like to use the term 'best practices'; but it may be appropriate here.
The 3560 is a fine layer three switch and if you have the appropriate licensing it should be utilized as a layer three switch.
Each VLAN *should* be a different subnet. It's a fair forecast to say having the same subnet in different VLANs will always be troublesome.
Only one device should be provisioned to answer DHCP requests. Having two will always lead to conflicts. There is an exception to this but I doubt it's in the scope of this post.
Is the firewall in a layer2 mode or a layer3 mode? I recommend layer2 (transparent mode) as firewalls are notoriously terrible routers and being placed between two great routing platforms it doesn't need to route.
To address the original concern of preventing wireless visitors from accessing LAN resources, this can certainly be done with an ACL on the 3560. That said, visitors should have their own SSID, subnet and VLAN.
In your diagram the path for internet access is not clear. Is the internet gateway via the 'router for the lan' or the 'switch 3560'?
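A sketch of the guest VLAN, subnet and ACL arrangement described in the reply above, as an added example that is not part of either post. The VLAN number, subnets, port and ACL name are assumptions chosen for illustration, and the 3560 is assumed to be doing the inter-VLAN routing.

```cisco
! Assumed addressing (not from the thread):
!   LAN    = VLAN 1,  192.168.1.0/24
!   guests = VLAN 30, 192.168.30.0/24, gateway 192.168.30.1 on the 3560
!   guest access point plugged into Gi0/10
! A default route toward the Internet gateway is assumed to exist already.
ip routing
!
vlan 30
 name GUEST-WIFI
!
interface GigabitEthernet0/10
 description Guest Wi-Fi access point
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
ip access-list extended GUEST-IN
 remark DHCP from guest clients (only one server should answer on this VLAN)
 permit udp any eq bootpc any eq bootps
 remark guests may not reach the switch itself (management, SSH, SNMP)
 deny   ip any host 192.168.30.1
 remark guests may not reach the internal LAN
 deny   ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark add one deny line per additional internal subnet (e.g. VoIP) here
 remark everything else from the guest subnet is Internet-bound
 permit ip 192.168.30.0 0.0.0.255 any
 remark implicit deny drops spoofed sources from outside the guest subnet
!
interface Vlan30
 description Guest Wi-Fi gateway
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-IN in
 no shutdown
```

Because the ACL is applied inbound on the guest SVI, it filters only traffic that guests send toward the router; return traffic to guests and LAN-to-LAN traffic are unaffected. `show access-lists GUEST-IN` displays per-line match counters, which is a quick way to confirm that the deny entries are being hit.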