
Gateway Isolation 3

Status
Not open for further replies.

kurio71

Technical User
Oct 1, 2009
172
MX
A retirement home we manage has requested internet access for residents. We have created a new subnet, 192.168.4.x, for this purpose and connected it to a switch (resident internet) in the main server room, to which we patch the room ports. Now, there are a few intermediate switches in the complex which are trunked by a single fibre to the main switch. This is the problem: connecting the rooms that are attached to the intermediate switches so that they use the newly created gateway. The intermediate switches are managed Cisco devices. Could we try using ACLs to restrict access to the residents' internet gateway and prevent access to our domain network? Or are there any other alternatives?

Level 1 Support Technician
 
Funny, we have been asked to do a similar thing for a similar place! We are going to use an L3 switch, VLANs, and DHCP on the VLAN routed to the original network.

ACSS - SME
General Geek



 
Yes, you can use VLANs or you can use access lists.

Set up a separate VLAN on the access switch, but you will have to make the inter-switch connectivity trunked if more than 1 VLAN traverses it.

That should do the trick for you.
 
Thanks for the replies, my switching knowledge is minimal. Chieftan, you mentioned trunking the access switch and intermediate switch. This is already a single fibre connection. Do you mean adding an additional trunk? Aced CCNA routing a few years back but never did switching.

Level 1 Support Technician
 
With the switchport modes you can have "Access" or "Trunked".

The difference is that "Access" has a single VLAN assigned to it, whereas a "Trunk" has whatever VLANs you want to assign to it.

Normally, an edge switch (where users are connected) is assigned "Access" ports, as they will only belong to one particular VLAN; however, if there is more than 1 VLAN on the switch, the port that connects the edge switch to the next switch (backbone or core) will need to be set as a trunk. If it is not, then only 1 VLAN can traverse the link. So, hypothetically, let's say you have the following set up:-

Switch 1:
Fa0/1 - Access VLAN10
Fa0/2 - Access VLAN10
Fa0/3 - Access VLAN20
Fa0/4 - Access VLAN20
Fa0/24 - Trunk - Dot1q - vlans allowed 10, 20

Now, Fa0/24 is a trunk because you require 2 VLANs to get across the link to the next switch. That switch will need its connected port to be configured the same as the current switch or the trunk will not work.

The switch you are connecting externally can then be set as an access port assigned to the VLAN for the users you want on that VLAN, therefore you have provided the separation required.

The dot1q encapsulation is required because an extra tag is put on the front of the packet, so the far-end switch knows the number of the VLAN and knows which port or ports to send the packet to.

Hope that explains it a bit better.
 
Just a little sample config - very simple, but if you only had 2 switches this would do the job. There are other things you could do, like enabling portfast on the edge switches, but I have left that off.

Switch 1 ------> Switch 2

Switch 1:
interface Fa0/1
 description ***Internet user***
 switchport mode access
 switchport access vlan 10

interface Fa0/2
 description ***Internet user***
 switchport mode access
 switchport access vlan 10

interface Fa0/3
 description ***Normal User***
 switchport mode access
 switchport access vlan 20

interface Fa0/4
 description ***Normal User***
 switchport mode access
 switchport access vlan 20

interface Fa0/24
 description ***Trunked link to distribution switch***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 speed 100
 duplex full

Switch 2:
interface Fa0/1
 description ***Internet user - access to internet***
 switchport mode access
 switchport access vlan 10

interface Fa0/2
 description ***Normal User***
 switchport mode access
 switchport access vlan 20

interface Fa0/3
 description ***Normal User***
 switchport mode access
 switchport access vlan 20

interface Fa0/4
 description ***Normal User***
 switchport mode access
 switchport access vlan 20

interface Fa0/24
 description ***Trunked link to edge switch***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 speed 100
 duplex full

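The access-versus-trunk explanation and the two-switch sample config above lend themselves to a quick consistency check before anything is pushed to the intermediate switches. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses IOS-style interface stanzas (the sample configs here are constructed re-typings of the post's Switch 1 and Switch 2, reduced to the ports the checks need), confirms that both ends of the fibre uplink agree on encapsulation and allowed VLANs, flags a trunk left without an allowed-VLAN list (on IOS such a trunk carries every VLAN), and lists every port on which the resident VLAN can appear. The function names and the `Port` structure are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample configs: the post's two switches re-typed in IOS
# running-config style, keeping only the ports the checks below need.
SWITCH1 = """
interface FastEthernet0/1
 description ***Internet user***
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/3
 description ***Normal User***
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/24
 description ***Trunked link to distribution switch***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
"""
SWITCH2 = """
interface FastEthernet0/24
 description ***Trunked link to edge switch***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
"""


@dataclass
class Port:
    name: str
    mode: str = "access"                 # IOS default when no mode is configured
    access_vlan: int = 1                 # IOS default access VLAN
    allowed: Optional[frozenset] = None  # None = all VLANs (IOS trunk default)
    encapsulation: Optional[str] = None


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20' or '10-12,20' into a set of ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_ports(config: str) -> Dict[str, Port]:
    """Collect the switchport settings under each 'interface' stanza."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports[current.name] = current
        elif current is None or not line:
            continue
        elif line.startswith("switchport mode "):
            current.mode = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            current.access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            current.allowed = frozenset(expand_vlan_list(line.split()[-1]))
        elif line.startswith("switchport trunk encapsulation "):
            current.encapsulation = line.split()[-1]
    return ports


def check_trunk_pair(a: Port, b: Port) -> List[str]:
    """Both ends of an inter-switch link must be trunks that agree; a trunk
    with no allowed list is flagged because it carries every VLAN."""
    problems: List[str] = []
    for p in (a, b):
        if p.mode != "trunk":
            problems.append(f"{p.name}: mode is '{p.mode}', expected 'trunk'")
        elif p.allowed is None:
            problems.append(f"{p.name}: no 'allowed vlan' list, every VLAN crosses the link")
    if a.encapsulation != b.encapsulation:
        problems.append(f"encapsulation mismatch: {a.encapsulation} vs {b.encapsulation}")
    if a.allowed != b.allowed:
        problems.append(f"allowed VLAN mismatch: {sorted(a.allowed or [])} vs {sorted(b.allowed or [])}")
    return problems


def ports_carrying_vlan(ports: Dict[str, Port], vlan: int) -> List[str]:
    """Every port where frames of `vlan` can appear: access ports in it, trunks allowing it."""
    return [p.name for p in ports.values()
            if (p.mode == "access" and p.access_vlan == vlan)
            or (p.mode == "trunk" and (p.allowed is None or vlan in p.allowed))]


if __name__ == "__main__":
    s1, s2 = parse_ports(SWITCH1), parse_ports(SWITCH2)
    print("uplink:", check_trunk_pair(s1["FastEthernet0/24"], s2["FastEthernet0/24"]) or "consistent")
    print("VLAN 10 appears on:", ports_carrying_vlan(s1, 10))
    # Constructed mistake: far end trunked but the allowed list forgotten.
    bad = parse_ports("interface FastEthernet0/24\n switchport trunk encapsulation dot1q\n switchport mode trunk\n")
    print("open trunk:", check_trunk_pair(s1["FastEthernet0/24"], bad["FastEthernet0/24"]))
```

Running it against the two sample configs reports the uplink as consistent and shows VLAN 10 appearing only on Fa0/1 and the trunk, which is the separation the post is after; the deliberately broken far end is reported twice, once for the missing allowed list and once for the resulting mismatch with the near end.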
 
So, create the same VLANs on the main switch and intermediate switches. An access port from the external switch, the 192.168.4.x network, to the main switch? And a trunk between the main and intermediate switches?

Level 1 Support Technician
 
Firstly, let's make sure the understanding is correct here:-

Room A - Connects to Switch A --- Switches in the middle --- Core switch --- Internet ? Correct?
Room B
Room C

So, the rooms connect to Switch A, then there are a couple of intermediate switches, then the main core switch. What occurs at the main core switch?

Let's say room A connects to Switch A - Port (let's say FastEthernet) Fa0/1
Room B - Switch A - Port Fa0/2
Room C - Switch A - Port Fa0/3

The thing to remember is that if there is only 1 vlan on switch A, then only access ports are required, however, if there is more than 1 vlan then you need to set the port being used for switch to switch connectivity as a trunk and so on through the network where one switch is connected to another.

In a switched network, the chances are that your core switch will be the gateway for the devices, and it will be the address within the scope you have mentioned assigned to the VLAN.

So you will probably have a config similar to:-

int vlan 10
ip address 192.168.4.xxx 255.255.255.0

And then whatever other options you require (HSRP or anything like that).

Whatever the port is on the core switch will have an access vlan assigned to it for the internet usage and off it goes to your firewalls etc etc.....
 
At the moment, the core switch is connected to the 192.168.3.x network only. We created a new subnet, 192.168.4.x, on the router and connected a new Netgear switch to that port which is for the residents internet. Which is fine but we didn't think of the intermediate switches that are around the complex. At the moment patching the rooms into the intermediate switches gives the residents access to the 192.168.3.x network.

Level 1 Support Technician
 
I sure hope you've thought about the security implications here. With this setup and having all residents on a common subnet, you are relying on them having some sort of firewall in their residence in order to provide some sort of isolation. You should be making use of Private VLANs in this topology. If you don't do PVLANs then you should understand that each resident should be put in their own VLAN and ACLs put in place to provide that isolation. This can get very messy in a short period of time. You need to make either the residents or the administration aware of what your security model is so they can plan accordingly.

 
Thanks Unclerico....... That's exactly what I was trying to point out..... Keeping residents separate via VLANs.

A network diagram would not go amiss here so we can see what you are trying to achieve and the current model, and then we can suggest best ways forward. The theory is very simple for this as I have said above; the security, as Unclerico has mentioned, is a totally different thing and does need to be thought out correctly (depending on your requirements of course).

Please put together a network diagram and post here.

Thanks
 
Thanks for the replies, I thought the 192.168.4.x subnet would have a firewall at the router. We probably don't need the Netgear switch now. If we connect the resident VLAN on the main switch to the newly created subnet on the router, the intermediate switches can get internet connectivity through the trunk. I'll post a net diagram so as not to confuse. Got PacketTracer somewhere. Thanks

Level 1 Support Technician
 