Create a Secure Server VLAN
Introduction
This document provides instructions for how to create a virtual LAN
(VLAN) for Secure Server users on your network. A secure server VLAN gives
secure server users protected access to the Internet and access to the default
VLAN.
Note: VLANs are not supported on Cisco 800 series and SB 100 series
routers.
Requirements
- You must have completed these worksheets from the Site Survey:
- LAN Addressing Worksheet
- Internet Worksheet
- Firewall Worksheet
- You must have completed the initial configuration of your router, switch, and access point. If you have not configured these devices, refer to the Site Survey.
VLAN Overview
This section provides an overview of the Secure Server VLAN and how to
use VLANs in your network.
Supported VLANs
The Site IP Addressing Plan includes subnets for up to four virtual
LANs (VLANs) at each site. Each VLAN has a custom level of security for a
specific type of computer on the network, and uses firewalls to control access
between VLANs.
The site survey defines these VLANs:
- Default VLAN (20)
- Network Management VLAN (21)
- Secure Server VLAN (22)
- Guest VLAN (23)
The diagram gives an overview of each VLAN in the network. For more information on other VLANs, refer to the Configuration Overview page.
The Secure Server VLAN
The Secure Server VLAN provides these benefits:
- Secure Server users can send traffic to the Internet and receive valid responses
- Secure Server users can send traffic to the Default VLAN and receive valid responses
- The Secure Server VLAN does not provide wireless access
Configure the Router
Follow these steps to configure the Secure Server VLAN on the router:
Enable the VLAN on the Router
To enable the Secure Server VLAN on the router, follow these steps:
- Follow these steps to connect to the router with Telnet:
- Click Start > Run.
- In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
- At the command prompt, type telnet router-ip-address and press Enter. For router-ip-address, use the Router IP address that you entered in field L6A of the LAN Addressing Worksheet.
- Log into the router with the router password that you entered in field B11 of the Router Worksheet.
- Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Router Worksheet and press Enter.
Router> enable
Password:
Router#
- Type configure terminal and press Enter to enter configuration mode.
Router# configure terminal
Router(config)#
- Type interface ethernet-interface-name.22 and press Enter. For ethernet-interface-name, use the name of the first Ethernet interface that you entered in field B35 of the Router Worksheet.
Router(config)#interface FastEthernet0/0.22
- Type description Secure Server VLAN and press Enter.
Router(config-subif)#description Secure Server VLAN
- Type encapsulation dot1Q 22 and press Enter.
Router(config-subif)#encapsulation dot1Q 22
- Type ip address router-ip-address 255.255.255.0 and press Enter. For router-ip-address, use the Secure Server VLAN router IP address that you entered in field L6C of the Secure Server VLAN Addressing Worksheet.
Router(config-subif)#ip address 192.168.12.1 255.255.255.0
- Type ip nat inside and press Enter.
Router(config-subif)#ip nat inside
- Type no shutdown and press Enter.
Router(config-subif)#no shutdown
- Type exit and press Enter.
Router(config-subif)#exit
Router(config)#
Enable Security
To enable security for the Secure Server network, follow these steps:
- Type access-list 22 permit secure-server-subnet 0.0.0.255 and press Enter. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet.
Router(config)#access-list 22 permit 192.168.12.0 0.0.0.255
- Type ip nat inside source list 22 interface wan-interface overload and press Enter. For wan-interface, use the Internet interface that you entered in field B37 of the Router Worksheet.
Note: If you have more than one available Internet interface, choose the Internet interface that will be your primary connection to the Internet.
Router(config)#ip nat inside source list 22 interface Ethernet0/1 overload
- Follow these steps to create firewall rules for the Secure Server VLAN:
- Type no access-list 122 and press Enter.
Router(config)#no access-list 122
- Type access-list 122 remark Traffic from Secure Server VLAN and press Enter.
Router(config)#access-list 122 remark Traffic from Secure Server VLAN
- Type access-list 122 permit ip default-subnet 0.0.0.255 secure-server-subnet 0.0.0.255 and press Enter. For default-subnet, use the subnet you entered in field L1A of the LAN Addressing Worksheet. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet.
Router(config)#access-list 122 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
- Type access-list 122 permit ip management-subnet 0.0.0.255 secure-server-subnet 0.0.0.255 and press Enter. For management-subnet, use the subnet that you entered in field L1B of the Management VLAN Addressing Worksheet.
Router(config)#access-list 122 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
- Type access-list 122 permit tcp any secure-server-subnet 0.0.0.255 established and press Enter. For secure-server-subnet, use the subnet that you entered in field L1C of the Secure Server VLAN Addressing Worksheet.
Router(config)#access-list 122 permit tcp any 192.168.12.0 0.0.0.255 established
- Type access-list 122 permit udp any any eq domain and press Enter.
Router(config)#access-list 122 permit udp any any eq domain
- Type access-list 122 deny ip any any and press Enter.
Router(config)#access-list 122 deny ip any any
- Type interface ethernet-interface-name.22 and press Enter. For ethernet-interface-name, use the name of the first Ethernet interface that you entered in field B35 of the Router Worksheet.
Router(config)#interface FastEthernet0/0.22
Router(config-subif)#
- Type ip access-group 122 out and press Enter.
Router(config-subif)#ip access-group 122 out
- Type end and press Enter to exit configuration mode.
Router(config-subif)#end
Router#
- Type write memory and press Enter to save your configuration.
Router#write memory
- Type exit and press Enter to exit the Telnet session.
Router#exit
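Access list 122 is applied with ip access-group 122 out on the Secure Server subinterface, so it filters what the router forwards into the Secure Server VLAN, and the order of its lines decides what gets through. The following Python model is an added example, not Cisco's code and not part of this procedure: it evaluates the five lines exactly as entered above against a handful of constructed packets, with first-match semantics like IOS. It assumes that Internet replies have already been translated back from the NAT address to the inside address when the outbound ACL on the inside subinterface is checked, and the Internet addresses in the 203.0.113.0/24 range are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets taken from the worked values on the page (worksheet fields L1A, L1B, L1C).
DEFAULT_SUBNET = ipaddress.ip_network("192.168.10.0/24")
MANAGEMENT_SUBNET = ipaddress.ip_network("192.168.11.0/24")
SECURE_SERVER_SUBNET = ipaddress.ip_network("192.168.12.0/24")


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str                # source address as seen after NAT, before the outbound ACL
    dst: str
    dport: int = 0          # destination port (tcp/udp only)
    ack: bool = False       # TCP ACK or RST bit set; the IOS 'established' keyword tests this


@dataclass
class Entry:
    action: str
    proto: str                              # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]    # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int] = None             # 'eq <port>' on the destination
    established: bool = False


# Extended ACL 122 in the order the procedure enters it.
ACL_122 = [
    Entry("permit", "ip", DEFAULT_SUBNET, SECURE_SERVER_SUBNET),
    Entry("permit", "ip", MANAGEMENT_SUBNET, SECURE_SERVER_SUBNET),
    Entry("permit", "tcp", None, SECURE_SERVER_SUBNET, established=True),
    Entry("permit", "udp", None, None, dport=53),
    Entry("deny", "ip", None, None),
]


def _in_net(addr: str, net: Optional[ipaddress.IPv4Network]) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins, as on IOS; the implicit deny that ends
    every IOS access list is modelled by the final return."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _in_net(pkt.src, e.src) or not _in_net(pkt.dst, e.dst):
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action
    return "deny"


def classify_samples() -> dict:
    """Constructed packets leaving FastEthernet0/0.22 toward the Secure Server
    VLAN, which is the direction 'ip access-group 122 out' filters."""
    samples = {
        # Default VLAN host opening SSH to a secure server: first permit line.
        "default_to_secure": Packet("tcp", "192.168.10.7", "192.168.12.2", 22),
        # Management VLAN ping: second permit line ('ip' covers icmp).
        "mgmt_to_secure": Packet("icmp", "192.168.11.3", "192.168.12.2"),
        # Unsolicited connection attempt from the Internet (SYN, no ACK):
        # nothing permits it, so it reaches the explicit deny.
        "internet_new_tcp": Packet("tcp", "203.0.113.5", "192.168.12.2", 443),
        # Reply to a session a secure server opened (ACK set): 'established'.
        "internet_tcp_reply": Packet("tcp", "203.0.113.5", "192.168.12.2", 51000, ack=True),
        # UDP to destination port 53 into the VLAN: matches 'eq domain'.
        "dns_query_into_vlan": Packet("udp", "203.0.113.5", "192.168.12.2", 53),
        # DNS reply from an Internet resolver (source port 53, ephemeral
        # destination port): 'eq domain' tests the destination port, so this
        # does not match and is denied.
        "dns_reply_from_internet": Packet("udp", "203.0.113.53", "192.168.12.2", 51001),
    }
    return {name: evaluate(ACL_122, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26} {verdict}")
```

Two points the model makes visible: the established keyword is a check on TCP flag bits (ACK or RST), not a connection table, so it is a stateless approximation of "reply traffic"; and the udp any any eq domain line matches on the destination port, so a Secure Server host whose resolver is on the Internet would not see its replies pass this list, whereas a resolver on the Default or Management VLAN is covered by the first two lines.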
Configure the Switch
Follow these steps to modify your root switch to support the Secure Server VLAN:
Enable Secure Server VLAN on the Root Switch
If you have an external root switch, follow these steps to enable the Secure Server VLAN on the switch:
Note: This procedure assumes that your router is connected to port 2 of the root switch.
- Follow these steps to connect to the switch with Telnet:
- Click Start > Run.
- In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
- At the command prompt, type telnet switch-IP-address and press Enter. For switch-IP-address, use the switch IP address that you entered in field L8 of the LAN Addressing Worksheet.
- Log into the switch with the password you entered in field S5 of the Switch Port Assignments Worksheet.
- Type enable and press Enter. Enter the enable password that you entered in field S5 of the Switch Port Assignments Worksheet and press Enter.
switch>enable
switch#
- Type configure terminal and press Enter.
switch#configure terminal
switch(config)#
- Type vlan 22 and press Enter.
switch(config)#vlan 22
- Type state active and press Enter.
switch(config-vlan)#state active
- Type name secure-server and press Enter.
switch(config-vlan)#name secure-server
- Type interface FastEthernet0/2 and press Enter.
Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/2.
switch(config-vlan)#interface FastEthernet0/2
switch(config-if)#
- Type description Internal router port and press Enter.
switch(config-if)#description Internal router port
- Type switchport trunk allowed vlan add 22 and press Enter.
switch(config-if)#switchport trunk allowed vlan add 22
- Type exit and press Enter.
switch(config-if)#exit
switch(config)#
- Type spanning-tree vlan 22 root primary and press Enter.
switch(config)#spanning-tree vlan 22 root primary
- Type end and press Enter.
switch(config)#end
switch#
- Type write memory and press Enter.
switch#write memory
- Type exit and press Enter.
switch#exit
Enable the Secure Server VLAN on a Non-Root Switch
Follow these steps to enable the Secure Server VLAN on a non-root switch. Repeat these steps for each non-root switch in your network that uses the Secure Server VLAN.
Note: This procedure assumes that port 1 of the non-root switch is connected to the root switch.
- Follow these steps to connect to the switch with Telnet:
- Click Start > Run.
- In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
- At the command prompt, type telnet switch-IP-address and press Enter. For switch-IP-address, use the switch IP address that you entered in fields L9-L12 of the LAN Addressing Worksheet.
- Log into the switch with the password you entered in field S64 of the Switch Port Assignments Worksheet.
- Type enable and press Enter. Enter the enable password that you entered in field S64 of the Switch Port Assignments Worksheet and press Enter.
switch>enable
switch#
- Type configure terminal and press Enter.
switch#configure terminal
switch(config)#
- Type vlan 22 and press Enter.
switch(config)#vlan 22
- Type state active and press Enter.
switch(config-vlan)#state active
- Type name secure-server and press Enter.
switch(config-vlan)#name secure-server
- Type interface FastEthernet0/1 and press Enter.
Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/1.
switch(config-vlan)#interface FastEthernet0/1
switch(config-if)#
- Type switchport trunk allowed vlan add 22 and press Enter.
switch(config-if)#switchport trunk allowed vlan add 22
- Type exit and press Enter.
switch(config-if)#exit
switch(config)#
- Type spanning-tree vlan 22 and press Enter.
switch(config)#spanning-tree vlan 22
- Type end and press Enter.
switch(config)#end
switch#
- Type write memory and press Enter.
switch#write memory
- Type exit and press Enter.
switch#exit
Add Users
To move users from the Default VLAN to the Secure Server VLAN, follow
these steps:
Add a Wired User
Follow these steps to add a wired user to the Secure Server VLAN:
- Record the device name in the first available field from fields L8-L35 of the Secure Server VLAN Addressing Worksheet.
- Configure the device with the IP address in the Secure Server VLAN Addressing Worksheet. For example, the first device in the Secure Server VLAN is configured with the IP address 192.168.12.2. For more information about how to configure an IP address on a PC, refer to Configure an IP Address on Your PC.
- Refer to Move a LAN User Between Groups and follow the instructions to move the user switch port to the Secure Server VLAN.
Next Step
You have now set up a Secure Server VLAN on your network.
To make further changes to your network, refer to the Configuration Overview page.
Troubleshoot the Procedure
This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.
Related Information