Solved: Creating VLAN For Guests - Cisco Community

We no longer support Internet Explorer v10 and older, or you have compatibility view enabled. Disable Compatibility view, upgrade to a newer version, or use a different browser. All CommunityThis categoryThis boardKnowledge baseUsers cancel Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. Showing results for  Search instead for  Did you mean:  All Community Networking This board Results: cancel Start a conversation

• Cisco Community
• Technology and Support
• Networking
• Switching
• Creating VLAN for guests

Options

• Subscribe to RSS Feed
• Mark Topic as New
• Mark Topic as Read
• Float this Topic for Current User
• Bookmark
• Subscribe
• Mute
• Printer Friendly Page

6629 Views 20 Helpful 9 Replies

Creating VLAN for guests

Go to solution Izac ICT Level 1 Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-03-2017 07:25 AM - edited ‎03-08-2019 12:58 PM

Dear All,

I want to create special VLAN for some.

I'll connect one unmanaged switch to Cisco 2960 port. I want to configure special VLAN and route the traffic directly to firewall and if it is possible also enable DHCP on that VLAN. There are other VLANs and DHCP working on the other 3750 switches which 2960 is connected and I don't want to create any disruption on them.

Let's say I want to create 192.168.1.0 network on the vlan on 2960, enable DHCP, route it to 172.16.1.1 and connect unmanaged switch for temporary users and remove it 1 week later.

Please advice the configuration.

regards,

Izac

Solved! Go to Solution.

I have this problem too Labels:

• Labels:
• Other Switching

0 Helpful Reply

• All forum topics
• Previous Topic
• Next Topic

1 Accepted Solution Accepted Solutions Go to solution paul driver VIP In response to Izac ICT Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-04-2017 04:26 AM - edited ‎12-04-2017 04:28 AM

Hello

@Izac ICT wrote:

Hello @paul driver

What do you mean? Can you advise configuration example?

THank you.

cheers.

Izac

Do you have access to the FW?1) create the L3 routed address and dhcp scope for you client on Fw ( NOT on the LAN L3 switch)

Cisco ASA fw config:conf tinterfacex/xnameif Guestsecurity-level 50ip address 192.168.1.1 255.255.255.0object-network Guestsubnet 192.168.1.0 255.255.255.0object-group NAT-Guestnetwork-object Guestnat (Inside,Outside) after-auto source dynamic NAT-Guest interfacedhcpd address 192.168.1.100-192.168.1.200 Guestdhcpd option 3 ip 192.168.1.1dhcpd lease 28800 dhcpd domain stan.localdhcp dns 8.8.8.8 8.8.8.4dhcpd enable Guest

2) on L3 LAN switch create a guest vlanconfig tvlan 100 name Guestexit

3) On lan l2 switch or L3 switch configure a port the unmanaged switch will connect to.

int x/xdescription Unmanaged switchswitchport hostswitchport access vlan 100resPaul

Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.Kind RegardsPaul

View solution in original post

5 Helpful Reply 9 Replies 9 Go to solution Georg Pauwen VIP Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-03-2017 12:46 PM

Hello,

what type of unmanaged switch are you trying to install ? On which device(s) is layer 3 routing and DHCP server functionality configured ?

0 Helpful Reply Go to solution Izac ICT Level 1 In response to Georg Pauwen Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-04-2017 02:20 AM

Hello @Georg Pauwen

The unmanaged switch is netgear gs108. DHCP and routing not configured on the switch I'll connect but on the main switch on other floor.

thank you.

cheers

Izac

0 Helpful Reply Go to solution paul driver VIP Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-03-2017 12:59 PM

Hello

Dont create any L3 interface on your L3 switch for guest users, - Just do exactly has you have mentioned, in that have your guest vlan only L2 on your network and have the FW perform the routing , dhcp etc. for it

That way your guest users have no way into you office network and incur no disruption.

resPaul

Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.Kind RegardsPaul 5 Helpful Reply Go to solution Izac ICT Level 1 In response to paul driver Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-04-2017 02:16 AM

Hello @paul driver

What do you mean? Can you advise configuration example?

THank you.

cheers.

Izac

0 Helpful Reply Go to solution paul driver VIP In response to Izac ICT Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-04-2017 04:26 AM - edited ‎12-04-2017 04:28 AM

Hello

@Izac ICT wrote:

Hello @paul driver

What do you mean? Can you advise configuration example?

THank you.

cheers.

Izac

Do you have access to the FW?1) create the L3 routed address and dhcp scope for you client on Fw ( NOT on the LAN L3 switch)

Cisco ASA fw config:conf tinterfacex/xnameif Guestsecurity-level 50ip address 192.168.1.1 255.255.255.0object-network Guestsubnet 192.168.1.0 255.255.255.0object-group NAT-Guestnetwork-object Guestnat (Inside,Outside) after-auto source dynamic NAT-Guest interfacedhcpd address 192.168.1.100-192.168.1.200 Guestdhcpd option 3 ip 192.168.1.1dhcpd lease 28800 dhcpd domain stan.localdhcp dns 8.8.8.8 8.8.8.4dhcpd enable Guest

2) on L3 LAN switch create a guest vlanconfig tvlan 100 name Guestexit

3) On lan l2 switch or L3 switch configure a port the unmanaged switch will connect to.

int x/xdescription Unmanaged switchswitchport hostswitchport access vlan 100resPaul

Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.Kind RegardsPaul 5 Helpful Reply Go to solution Izac ICT Level 1 In response to paul driver Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-04-2017 05:52 AM

@paul driver thank you for your time but I have already DHCP active on firewall port. Do you think I cannot create this on L3 switch which unmanaged switch connected? Or can I create second DHCP pool on ASA on same interface? I'm confused now.

Thanks again.

Izac

0 Helpful Reply Go to solution paul driver VIP In response to Izac ICT Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-04-2017 01:08 PM

Hello

@Izac ICT wrote:

@paul driver thank you for your time but I have already DHCP active on firewall port. Do you think I cannot create this on L3 switch which unmanaged switch connected? Or can I create second DHCP pool on ASA on same interface? I'm confused now.

Thanks again.

Izac

Use a spare port on the FW and create another L3 interface and dhcp scope for the guest subnet, this interface will also need to a lower security level then the LAN interface.You DONT want to have any routing on the L3 switch relating to the guest network as you want this isolated - there are others way to segregate the guest network but i think this is the most simplistic solution

FW

| |

LAN Guest interface

| | - L3swtich | -

unmanaged switch

resPaul

Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.Kind RegardsPaul 5 Helpful Reply Go to solution Izac ICT Level 1 In response to paul driver Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-05-2017 12:39 PM

Thank you but I don't have available port on firewall.

0 Helpful Reply Go to solution paul driver VIP In response to Izac ICT Options

• Mark as New
• Bookmark
• Subscribe
• Mute
• Subscribe to RSS Feed
• Permalink
• Print
• Report Inappropriate Content

‎12-05-2017 01:19 PM

Hello

@Izac ICT wrote:

Thank you but I don't have available port on firewall.

So then you have the option to create the L3 guest interface on the L3 switch and also apply an routed access-list ( RACL) to negate communication between you other lan users

resPaul

Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.Kind RegardsPaul 5 Helpful Reply Post Reply Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community

Quick Links Knowledge Articles Nexus Devices Developer Forum Customers Also Viewed These Support Documents