Create a Secure Server VLAN on an Integrated Services Router



     Introduction
     Requirements
     VLAN Overview
          Supported VLANs
          The Secure Server VLAN
     Enable the Secure Server VLAN
          Enable the VLAN on the Router
          Enable Security
          Enable the VLAN on an Integrated Switch
     Add Users
          Add a Wired Guest User
     Next Step
     Troubleshoot the Procedure
     Related Information



Introduction

This document provides instructions for how to create a virtual LAN (VLAN) for Secure Server users on your network. A Secure Server VLAN gives Secure Server users protected access to the Internet and access to the Default VLAN.

Note: VLANs are not supported on Cisco 800 series and SB 100 series routers.





Requirements

  • You must have completed these worksheets from the Site Survey:

    • LAN Addressing Worksheet

    • Internet Worksheet

    • Firewall Worksheet

  • You must have completed the initial configuration of your router. If you have not configured your router, refer to the Site Survey.





VLAN Overview

This section provides an overview of the Secure Server VLAN and how to use VLANs in your network.

Supported VLANs

The Site IP Addressing Plan includes subnets for up to four virtual LANs (VLANs) at each site. Each VLAN has a custom level of security for a specific type of computer on the network, and uses firewalls to control access between VLANs.

The site survey defines these VLANs:

  1. Default VLAN (20)

  2. Network Management VLAN (21)

  3. Secure Server VLAN (22)

  4. Guest VLAN (23)

The diagram gives an overview of each VLAN in the network. For more information on other VLANs, refer to the Configuration Overview page.

[Figure: VLAN overview diagram (vlandiagram.gif)]

The Secure Server VLAN

A Secure Server VLAN gives Secure Server users protected access to the Internet and access to the Default VLAN.

The Secure Server VLAN provides these benefits:

  • Secure Server users can send traffic to the Internet and receive valid responses

  • Secure Server users can send traffic to the Default VLAN and receive valid responses

  • The Secure Server VLAN does not provide wireless access





Enable the Secure Server VLAN

Follow these steps to configure the Secure Server VLAN on an Integrated Services Router:

Enable the VLAN on the Router

To enable the Secure Server VLAN on the router, follow these steps:

  1. Follow these steps to connect to the router with Telnet.

    1. Click Start > Run.

    2. In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.

    3. At the command prompt, type telnet router-ip-address and press Enter. For router-ip-address, use the Router IP address that you entered in field L6A of the LAN Addressing Worksheet.

    4. Log in to the router with the router password that you entered in field B11 of the Integrated Services Router Worksheet. For more information about how to access the router, refer to Configure Your Router with Security Device Manager.

  2. Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Integrated Services Router Worksheet.

    Router> enable
    Router#
  3. Type configure terminal and press Enter to enter configuration mode.

    Router# configure terminal
    Router(config)#
  4. Type interface vlan 22 and press Enter.

    Router(config)#interface vlan 22
    
  5. Type description Secure Server VLAN and press Enter.

    Router(config-if)#description Secure Server VLAN
    
  6. Type encapsulation dot1Q 22 and press Enter.

    Router(config-if)#encapsulation dot1Q 22
    
  7. Type ip address router-ip-address 255.255.255.0 and press Enter. For router-ip-address, use the Secure Server network router IP address that you entered in field L6C of the Secure Server VLAN Addressing Worksheet.

    Router(config-if)#ip address 192.168.12.1 255.255.255.0
    
  8. Type ip nat inside and press Enter.

    Router(config-if)#ip nat inside
    
  9. Type no shutdown and press Enter.

    Router(config-if)#no shutdown
    
  10. Type exit and press Enter.

    Router(config-if)#exit
    Router(config)#

Enable Security

To enable security for the Secure Server VLAN, follow these steps:

  1. Type access-list 22 permit secure-server-subnet 0.0.0.255 and press Enter. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet.

    Router(config)#access-list 22 permit 192.168.12.0 0.0.0.255
    
  2. Type ip nat inside source list 22 interface wan-interface overload and press Enter. For wan-interface, use the Internet interface that you entered in field B37 of the Router worksheet.

    Note: If you have more than one available Internet interface, choose the Internet interface that will be your primary connection to the Internet.

    Router(config)#ip nat inside source list 22 interface Ethernet0/1 overload
    
  3. Follow these steps to create firewall rules for the Secure Server VLAN:

    1. Type no access-list 122 and press Enter.

      Router(config)#no access-list 122
      
    2. Type access-list 122 remark Traffic to Secure Server VLAN and press Enter.

      Router(config)#access-list 122 remark Traffic to Secure Server VLAN
      
    3. Type access-list 122 permit ip default-subnet 0.0.0.255 secure-server-subnet 0.0.0.255 and press Enter. For default-subnet, use the subnet you entered in field L1A of the LAN Addressing Worksheet. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet.

      Router(config)#access-list 122 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
      
    4. Type access-list 122 permit ip management-subnet 0.0.0.255 secure-server-subnet 0.0.0.255 and press Enter. For management-subnet, use the subnet that you entered in field L1B of the Management VLAN Addressing Worksheet.

      Router(config)#access-list 122 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
      
    5. Type access-list 122 permit tcp any secure-server-subnet 0.0.0.255 established and press Enter. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet.

      Router(config)#access-list 122 permit tcp any 192.168.12.0 0.0.0.255 established
      
    6. Type access-list 122 permit udp any any eq domain and press Enter.

      Router(config)#access-list 122 permit udp any any eq domain
      
    7. Type access-list 122 deny ip any any and press Enter.

      Router(config)#access-list 122 deny ip any any
      
  4. Type interface vlan 22 and press Enter.

    Router(config)#interface vlan 22
    
  5. Type ip access-group 122 out and press Enter.

    Router(config-if)#ip access-group 122 out
    
  6. Type end and press Enter to exit configuration mode.

    Router(config-if)#end
    Router#
  7. Type write memory and press Enter to save your configuration.

    Router#write memory
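
Access list 122 is evaluated top-down with first match wins, against traffic the router forwards out of interface Vlan22 toward the servers. The following Python model of that list is an added example, not part of the original Cisco procedure; it uses the page's example subnets, and the Packet class, the wc_match and evaluate functions and the 203.0.113.7 test address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:  # constructed test traffic, routed out of interface Vlan22
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    tcp_flags: frozenset = frozenset()

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Access list 122 from the firewall-rule steps, with the page's example subnets.
# Fields: action, protocol, src, src-wildcard, dst, dst-wildcard, option
ACL_122 = [
    ("permit", "ip",  "192.168.10.0", "0.0.0.255", "192.168.12.0", "0.0.0.255", None),
    ("permit", "ip",  "192.168.11.0", "0.0.0.255", "192.168.12.0", "0.0.0.255", None),
    ("permit", "tcp", "any", None, "192.168.12.0", "0.0.0.255", "established"),
    ("permit", "udp", "any", None, "any", None, ("dport", 53)),  # eq domain
    ("deny",   "ip",  "any", None, "any", None, None),
]

def evaluate(acl, pkt):
    """Return (action, 1-based entry number) of the first matching entry."""
    for n, (action, proto, s, sw, d, dw, opt) in enumerate(acl, 1):
        if proto not in ("ip", pkt.proto):
            continue
        if not (wc_match(pkt.src, s, sw) and wc_match(pkt.dst, d, dw)):
            continue
        # "established" matches only TCP segments with ACK or RST set
        if opt == "established" and not pkt.tcp_flags & {"ACK", "RST"}:
            continue
        if isinstance(opt, tuple) and pkt.dport != opt[1]:
            continue
        return action, n
    return "deny", 0  # implicit deny at the end of every IOS access list

if __name__ == "__main__":
    # Constructed packets: an Internet-initiated SYN, then a reply segment.
    for flags in ({"SYN"}, {"ACK"}):
        p = Packet("tcp", "203.0.113.7", "192.168.12.2", 22, frozenset(flags))
        print(sorted(flags), evaluate(ACL_122, p))
```

Entry 4 tests the destination port, so a UDP packet sent from source port 53 to a server's ephemeral port is not matched by it and reaches the final deny unless an earlier entry permits its source subnet.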
    

Enable the VLAN on an Integrated Switch

Follow these steps to enable the Secure Server VLAN on an integrated switch:

  1. Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Router Worksheet and press Enter.

    Router>enable
    Router#
  2. Type vlan database and press Enter.

    Router#vlan database
    Router(vlan)#
  3. Type vlan 22 name Secure Server media ethernet state active and press Enter.

    Router(vlan)#vlan 22 name Secure Server media ethernet state active
    
  4. Type exit and press Enter.

    Router(vlan)#exit
    APPLY completed.
    Exiting....
    Router#
    
  5. Type configure terminal and press Enter.

    Router#configure terminal
    Router(config)#
  6. Type spanning-tree vlan 22 root primary and press Enter.

    Router(config)#spanning-tree vlan 22 root primary
     VLAN 22 bridge priority set to 8192
     VLAN 22 bridge max aging time unchanged at 20
     VLAN 22 bridge hello time unchanged at 2
     VLAN 22 bridge forward delay unchanged at 15
  7. Type end and press Enter.

    Router(config)#end
    Router#
  8. Type write memory and press Enter.

    Router#write memory
    




Add Users

To move users to the Secure Server VLAN, follow these steps:

Add a Wired Guest User

Follow these steps to add a Secure Server user connected directly to a switch port on the ISR:

  1. Type configure terminal and press Enter.

    Router#configure terminal
    Router(config)#
  2. Type interface FastEthernet interface-number and press Enter. For interface-number, use the number of the switch port that you want to assign to a Secure Server user. The available switch ports are listed in field B36 of the Router Worksheet.

    Router(config)#interface FastEthernet0/2
    Router(config-if)#
  3. Type description Secure Server Switch Port and press Enter.

    Router(config-if)#description Secure Server Switch Port
    
  4. Type switchport access vlan 22 and press Enter.

    Router(config-if)#switchport access vlan 22
    
  5. Type end and press Enter.

    Router(config-if)#end
    Router#
  6. Type write memory and press Enter.

    Router#write memory
    
  7. Record the device name in the first available field from fields L8-L35 of the Secure Server VLAN Addressing Worksheet.

  8. Configure the device with the IP address in the Secure Server VLAN Addressing Worksheet. For example, the first device in the Secure Server VLAN is configured with the IP address 192.168.12.2. For more information about how to configure an IP address on a PC, refer to Configure an IP Address on Your PC.





Next Step

You have now set up a Secure Server VLAN on your network.

To make further changes to your network, refer to the Configuration Overview page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: I cannot connect to the router with Security Device Manager (SDM).

Cause(s) and Suggested Solution(s): Refer to Configure Your Router with Security Device Manager.

Problem: I have a Secure Server user that cannot connect to the Secure Server VLAN.

Cause(s) and Suggested Solution(s): Refer to Move a LAN User Between Groups to move the appropriate switch port to the Secure Server VLAN.





Related Information

Service Requests

  Open a service request
  Update a service request

© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.