Hi tschupp:
The 7100, like other AOS switches, can provide multiple Layer 2 VLANs and traffic will be inherently private to each VLAN, unless you also set up an IP interface for each VLAN and provide inter-VLAN routing. This article provides a very good explanation about VLANs (Layer 2) and VLAN interfaces (Layer 3): The difference between VLANs and VLAN interfaces
If you merely create VLAN 3 without creating a VLAN interface (with IP address), then you're all set to achieve your goal. Simply set some access ports for VLAN 3 and you'll have a separate network.
However, if you plan to have an IP interface in VLAN 3, then the firewall must be enabled. Interface vlan 3 (the IP interface) must be in a separate policy-class (security zone) from interface vlan 1 and 2. The default behavior is for all traffic to be blocked between different security zones, so you must create firewall rules to allow any traffic between them you might want. Here's a useful guide for setting up the firewall: Configuring the Firewall (IPv4) in AOS
Does that point you in the right direction? Don't hesitate to follow up or ask for clarification!
Best,
CJ
The customer is putting in a wireless network in their building. They want to allow visitors to connect to the WiFi so they have access to the web but not the local network. VLANs 1 & 2 use 10.10.10.xxx and 10.10.20.xxx. The 3rd VLAN would use 10.10.200.xxx, so since I am assigning these IPs I am guessing I need the VLAN interface and should be able to only allow internet access through the firewall and block anything directed to VLANs 1 & 2?
Right. Create a new security zone (policy-class) and assign interface vlan 3 to it. This is an IP interface. You'll need a NAT overload policy (Internet Connection Sharing) to allow traffic from VLAN 3 to the Internet. That's basically the gist of it. Traffic from this new security zone to anywhere else will be blocked unless you were to add policies.
If the 7100 will be a DHCP server for WiFi clients, then you'll need to allow traffic to the 7100 itself so that DHCP requests aren't blocked. You don't want guests to be able to access the http/https/telnet/ssh management interfaces, so consider allowing only bootp/dhcp (I think just UDP 67) from 10.10.200.0/24 to self. This is describing a policy/rule you'll add to the new security zone.
Does that help? I recommend thorough testing afterward.
I must be doing something wrong. I can surf but I can still ping a phone on 10.10.20.5 from an ip on vlan 3.
This is in the GUI
Policy Action-NAT
Destination security zone- any security zone
interface- eth 0/0
Maybe try to change the destination zone to your public/outside zone. Sorry, I don't mean to throw random suggestions at you. If you prefer to attach your config, it might be productive. Just be sure to sanitize it and expunge sensitive info. Definitely passwords, pre-shared keys, WiFi passwords (as applicable). You might want to remove phone numbers too, and anything you don't want the world to see.
That seems to be working now, thanks, but explain the bootp/dhcp further.
I have a policy that allows NAT to the public security zone and a traffic selector of permit any.
I have a policy that allows self bound traffic with a traffic selector of permit any.
Where would I put the info for UDP 67?
I'm a little rusty in the GUI (it's a fantastic interface; I should spend more time there). I think you edit the policy so that source network is any; source port any. Destination network any; destination port UDP 67 (bootps). You can get to these granular settings by clicking the "Permit" line in the list of selectors.
CJ
I am new to the board and couldn't figure out how to add an attachment. So here it is.
!
!
! ADTRAN, Inc. OS version R10.11.0.HA.E
! Boot ROM version A2.06.B2.01
! Platform: NetVanta 7100, part number 1200796E1
! Serial number LBADTN1206AF838
!
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
domain-name
domain-proxy
name-server 10.72.53.75 8.8.8.8
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
portal-list "phones" ftp
!
!
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
ip dhcp database local
!
ip dhcp pool "LAN_pool"
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
netbios-node-type h-node
default-router 10.10.10.1
tftp-server tftp://10.10.10.1
ntp-server 10.10.10.1
timezone-offset -6:00
option 157 ascii TftpServers=0.0.0.0,FtpServers=10.10.20.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=True,VlanID=2
!
ip dhcp pool "VoIP_pool"
network 10.10.20.0 255.255.255.0
dns-server 10.10.20.1
netbios-node-type h-node
default-router 10.10.20.1
tftp-server tftp://10.10.20.1
ntp-server 10.10.20.1
timezone-offset -6:00
option 157 ascii TftpServers=0.0.0.0,FtpServers=10.10.20.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=True,VlanID=2
!
ip dhcp pool "Test 1"
network 10.10.200.0 255.255.255.0
dns-server 10.10.200.1
default-router 10.10.200.1
tftp-server tftp://10.10.200.1
ntp-server 10.10.200.1
timezone-offset -6:00
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
vlan 2
name "VoIP"
!
vlan 3
name "Test 1"
!
!
interface eth 0/0
description Uplink
ip address dhcp hostname
ip access-policy Public
media-gateway ip primary
no awcp
no shutdown
no lldp send-and-receive
!
!
interface eth 0/1
spanning-tree edgeport
no shutdown
switchport access vlan 3
!
!
interface eth 0/2
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/3
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/4
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/5
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/6
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/7
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/8
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/9
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/10
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/11
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/12
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/13
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/14
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/15
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/16
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/17
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/18
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/19
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/20
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/21
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/22
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/23
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
interface eth 0/24
spanning-tree edgeport
no shutdown
switchport mode trunk
!
!
!
interface gigabit-eth 0/1
no shutdown
switchport mode trunk
!
!
interface gigabit-eth 0/2
no shutdown
switchport mode trunk
!
!
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
media-gateway ip primary
no shutdown
!
interface vlan 2
ip address 10.10.20.1 255.255.255.0
ip access-policy Private
media-gateway ip primary
no shutdown
!
interface vlan 3
description Test 1
ip address 10.10.200.1 255.255.255.0
ip mtu 1500
ip access-policy "test 1"
media-gateway ip primary
no awcp
no shutdown
!
!
interface fxs 0/1
description
no shutdown
!
interface fxs 0/2
description
no shutdown
!
!
interface fxo 0/1
impedance 900r
no shutdown
!
interface fxo 0/2
description
impedance 900r
no shutdown
!
isdn-number-template 1 prefix "" subscriber NXX-XXXX
isdn-number-template 2 prefix "" national NXX-NXX-XXXX
isdn-number-template 3 prefix 011 international X$
isdn-number-template 4 prefix "" unknown NXX
isdn-number-template 5 prefix "" unknown NXXX
isdn-number-template 6 prefix 1 national NXX-NXX-XXXX
!
!
!
!
!
!
!
ip access-list standard NAT
remark Internet Connection Sharing
permit any
!
ip access-list standard wizard-ics
remark NAT list wizard-ics
permit any log
!
!
ip access-list extended Admin
remark Admin Access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit tcp any any eq www log
permit tcp any any eq telnet log
permit icmp any any echo log
!
ip access-list extended InterVLAN
remark Voice / Data VLAN Traffic
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-11
remark admin
permit tcp 204.87.167.104 0.0.0.3 any eq www log
permit tcp 204.87.167.104 0.0.0.3 any eq telnet log
permit tcp 204.87.167.104 0.0.0.3 any eq ssh log
permit tcp 204.87.167.104 0.0.0.3 any eq ftp log
!
ip access-list extended web-acl-15
permit ip any any log
!
ip access-list extended web-acl-4
remark admin
permit tcp 204.87.167.104 0.0.0.3 any eq www log
permit tcp 204.87.167.104 0.0.0.3 any eq telnet log
permit tcp 204.87.167.104 0.0.0.3 any eq ssh log
permit tcp 204.87.167.104 0.0.0.3 any eq ftp log
!
ip access-list extended web-acl-7
permit ip any any
!
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/0 overload
!
ip policy-class Public
allow list web-acl-11 self
!
ip policy-class "test 1"
nat source list wizard-ics interface eth 0/0 overload policy Public
allow list web-acl-15 self
!
!
!
tftp server
tftp server overwrite
tftp server default-filesystem cflash
http server
http secure-server
no snmp agent
ip ftp server
ip ftp server default-filesystem cflash
no ip scp server
ip sntp server
ip sntp server send-unsynced
!
!
!
!
!
!
!
!
!
sip
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
I would add an ACL (AOS uses access-lists only to match traffic, not to take action; we'll use this ACL in a policy later):
!
ip access-list extended guest-dhcp
remark guest-dhcp
permit udp any any eq bootps
!
Then edit the Private policy-class (note the policy to allow traffic between the two VLANs in the Private zone):
!
ip policy-class Private
allow list self self
allow list InterVLAN policy Private
nat source list wizard-ics interface eth 0/0 overload policy Public
!
Last, the "test 1" zone:
!
ip policy-class "test 1"
allow list guest-dhcp self
nat source list wizard-ics interface eth 0/0 overload policy Public
!
Significant points:
Cheers,
CJ
I made the changes but now only dhcp seems to work. I can't surf from this vlan.
DNS issue. You'll need to also allow DNS into the 7100 since that's the DNS server you give out in DHCP. Or else give guest clients outside DNS servers (OpenDNS are great, for example, 208.67.222.222 208.67.220.220). I think you're almost there!
CJ
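A small audit script, added here as an illustration and not part of the original thread or of ADTRAN's own tooling. It parses the access-list and policy-class sections of an AOS-style config and reports two things the thread turns on: which zones have an "allow ... self" ACL that opens more of the router than DHCP and DNS (the "permit ip any any" web-acl-15 case versus the guest-dhcp ACL), and whether a zone has any explicit policy letting it reach another zone (the default being deny). The config embedded in the script is constructed from the snippets above, not the poster's full file; the port keyword `bootps` comes from the thread, while the numeric port 53 for DNS and the zone name `guest` are assumptions made for the example.

```python
"""Audit AOS-style firewall policy: what can each zone reach on the router itself,
and which zones may reach which other zones. Constructed example, not ADTRAN code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Router services a guest zone must never reach (management interfaces).
MGMT_PORTS = {"www", "https", "ssh", "telnet", "ftp"}
# Router services a guest zone legitimately needs: DHCP (bootps = UDP 67) and DNS.
# "domain"/"53" for DNS is an assumption for this example; the thread only names bootps.
GUEST_SERVICES = {"bootps", "67", "domain", "53"}

# Constructed sample modelled on the thread's snippets (not the poster's full config).
SAMPLE_CONFIG = """
ip access-list extended self
 remark Traffic to NetVanta
 permit ip any any log
!
ip access-list extended InterVLAN
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip access-list extended web-acl-15
 permit ip any any log
!
ip access-list extended guest-dhcp
 remark guest DHCP and DNS only
 permit udp any any eq bootps
 permit udp any any eq 53
!
ip access-list standard wizard-ics
 permit any log
!
ip policy-class Private
 allow list self self
 allow list InterVLAN policy Private
 nat source list wizard-ics interface eth 0/0 overload policy Public
!
ip policy-class Public
!
ip policy-class "test 1"
 allow list web-acl-15 self
 nat source list wizard-ics interface eth 0/0 overload policy Public
!
ip policy-class "guest"
 allow list guest-dhcp self
 nat source list wizard-ics interface eth 0/0 overload policy Public
!
"""

@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", "icmp", or "any" (standard ACL)
    port: Optional[str]  # destination port keyword/number after "eq", if any

# Zone rules: ("allow-self", acl) | ("allow", acl, dest_zone) | ("nat", acl, dest_zone_or_None)
Rule = Tuple

def _name(m: "re.Match") -> str:
    # policy-class names may be quoted ("test 1") or bare (Private)
    return m.group(1) or m.group(2)

def parse_config(text: str) -> Tuple[Dict[str, List[AclEntry]], Dict[str, List[Rule]]]:
    acls: Dict[str, List[AclEntry]] = {}
    zones: Dict[str, List[Rule]] = {}
    current: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # "!" terminates a section
            current = None
            continue
        m = re.match(r'ip access-list (?:standard|extended) (\S+)$', line)
        if m:
            current = ("acl", m.group(1)); acls[m.group(1)] = []; continue
        m = re.match(r'ip policy-class (?:"([^"]+)"|(\S+))$', line)
        if m:
            current = ("zone", _name(m)); zones[_name(m)] = []; continue
        if current is None:
            continue
        kind, name = current
        if kind == "acl":
            m = re.match(r'(permit|deny)\s+(\S+)(.*)$', line)   # "remark" lines are skipped
            if m:
                pm = re.search(r'\beq\s+(\S+)', m.group(3))
                acls[name].append(AclEntry(m.group(1), m.group(2), pm.group(1) if pm else None))
        else:
            m = re.match(r'allow list (\S+) self$', line)
            if m:
                zones[name].append(("allow-self", m.group(1))); continue
            m = re.match(r'allow list (\S+) policy (?:"([^"]+)"|(\S+))$', line)
            if m:
                zones[name].append(("allow", m.group(1), m.group(2) or m.group(3))); continue
            m = re.match(r'nat source list (\S+)', line)
            if m:
                dm = re.search(r'policy (?:"([^"]+)"|(\S+))$', line)
                zones[name].append(("nat", m.group(1), _name(dm) if dm else None))
    return acls, zones

def self_exposure(text: str) -> Dict[str, List[str]]:
    """Per zone, the permit entries of its 'allow ... self' ACLs that reach more of the
    router than DHCP/DNS. An empty list means traffic to the router is restricted."""
    acls, zones = parse_config(text)
    report: Dict[str, List[str]] = {}
    for zone, rules in zones.items():
        hits: List[str] = []
        for rule in rules:
            if rule[0] != "allow-self":
                continue
            for e in acls.get(rule[1], []):
                if e.action != "permit":
                    continue
                if e.proto in ("ip", "any"):
                    hits.append(f"{rule[1]}: permit {e.proto} -> every router service")
                elif e.port is None:
                    hits.append(f"{rule[1]}: permit {e.proto} (no port restriction)")
                elif e.port in MGMT_PORTS:
                    hits.append(f"{rule[1]}: permit {e.proto}/{e.port} -> management")
                elif e.port not in GUEST_SERVICES:
                    hits.append(f"{rule[1]}: permit {e.proto}/{e.port}")
        report[zone] = hits
    return report

def zone_can_reach(text: str, src: str, dst: str) -> bool:
    """True only if an explicit allow or NAT policy in zone src names zone dst."""
    _, zones = parse_config(text)
    return any(r[0] in ("allow", "nat") and r[2] == dst for r in zones.get(src, []))

if __name__ == "__main__":
    for zone, hits in self_exposure(SAMPLE_CONFIG).items():
        print(f"{zone!r}: {'OK' if not hits else '; '.join(hits)}")
    print("test 1 -> Private:", zone_can_reach(SAMPLE_CONFIG, "test 1", "Private"))
```

Run against the sample, the "test 1" zone is flagged because web-acl-15 permits any IP traffic to the router, while the "guest" zone passes with only bootps and port 53 allowed; neither guest zone has a policy naming Private, so the Layer 3 path to VLANs 1 and 2 stays closed even though the NAT policy to Public lets them surf.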
That may have done it. I seem to be working again. Time to do some testing. Thanks
Awesome!