how to configure dhcp for multiple vlans – Expert Network Consultant https://www.expertnetworkconsultant.com Networking | Cloud | DevOps | IaC Sat, 22 Dec 2018 01:27:43 +0000 en-GB hourly 1 https://wordpress.org/?v=6.3.5 How to Configure IP Helper on a Cisco Switch for a number of VLANS https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/how-to-configure-a-dhcp-server-on-a-hypervisor-as-an-ip-helper-on-a-layer-3-switch-for-a-number-of-vlans/ https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/how-to-configure-a-dhcp-server-on-a-hypervisor-as-an-ip-helper-on-a-layer-3-switch-for-a-number-of-vlans/#respond Wed, 31 Oct 2018 15:19:20 +0000 http://www.expertnetworkconsultant.com/?p=1647 Continue readingHow to Configure IP Helper on a Cisco Switch for a number of VLANS]]> If you have ever wanted to know how to configure ip helper on a cisco switch for a number of vlans then this article may be the most helpful you might find regarding the appropriate steps required to successfully architect your desired network. The reason for such could be down to how your network has been designed hierarchically.

Let’s take a brief moment to breakdown the Hierarchical Design Model.

The Hierarchical Design Model architecture uses a hierarchical design model to break the design up into modular groups or layers. Breaking the design up into layers allows each layer to focus on specific functions which is what we would want our network to do, which simplifies the design and provides simplified deployment and management.

Imagine you have a junior network engineer who takes care of port security on the access layer, with a modular design t is easier to grant him the rights to perform the specific functions without the need for access to a hierarchy too advanced for his level of technical ability.
Another important reason for modularity in network design is that it allows you to create design elements that can be replicated throughout the network. Replication provides an easy way to scale the network as well as a consistent deployment method. In flat or meshed network architectures, changes tend to affect a large number of systems.

Hierarchical design helps constrain operational changes to a subset of the network, which makes it easy to manage as well as improve resiliency. Modular structuring of the network into small, easy-to-understand elements also facilitates resiliency via improved fault isolation.

Figure 1.0 – LAN Hierarchical Design

lan-hierachical-network-design

A hierarchical design includes the following three layers:


• Access layer—Provides workgroup/user access to the network.
• Distribution layer—Aggregates access layers and provides connectivity to services.
• Core layer—Provides connection between distribution layers for large LAN environments

The beauty of this design is the ability to create redundancies and practical availability.

Observe the diagram in Figure 1.1 – Enterprise Campus Network (Two Tier Design: Distribution Layer functioning as a collapsed Core).

Figure 1.1
how to configure ip helper on a cisco switch for a number of vlans

In a collapsed core network environment, your servers could be connected directly to your core or hang of a separate vlan off your core layer 3 switch as observed in the diagram above.

Now that we have covered the need for a hierarchical design, let us now dive in today’s discussion or post on how to configure ip helper on a Cisco switch for a number of vlans.

Network Equipment Used in our environment are as follows:

    1. ASA 5506-X Firewall
    2. Cisco Catalyst 2960 Series SI or
    3. HP Aruba 48 PoE Switch
    4. ISP Network Device
    5. VMWare EXSi
    6. Windows Server 2012 R2 Running DHCP Role

Why IP Helper
The reason for IP helper is the fact that many enterprises as per practice have always had a server taking care of their dhcp for the entire network. It is only wise to allow this function which is well versed and loved by server admins to remain. We also want the routers or switches on our network to perform the functions they are best at, i.e, Layer 2 and Layer 3 stuff.

Below is a snippet from a DHCP Server Running Windows Server 2012 R2 . As you can see, there are a number of scopes designed with specific subnets to take care of each associated VLAN on the core switch.

how to configure ip helper on a cisco switch for a number of vlans

For the sake of time, let us open the anatomy of Scope – Doppler Labs Building 700

how to configure ip helper on a cisco switch for a number of vlans

Scope Size: 172.16.70.150-250
DNS Server:8.8.8.8
Default Gateway: 172.16.70.2;

    I used 172.16.70.2 here as I had used on 172.16.70.1 on the the SVI for VLAN 700 on the Core Switch.

router-address-or-ip-default-gateway

Settings for Network Interface Card on VMWare EXSi facing DHCP Server.

vmware-exsi-networking-settings-for-dhcp-server-nic-facing-core-switch

The Windows DHCP Server Configuration

ip-helper address

VLAN Design Per Building

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
110  VLAN0110                         active    Fa0/40 [Interface Link to DHCP Server]
TRUNK INTERFACE                       active    Fa0/47 [Interface Uplink to ASA]


700  VLAN0700                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12

800  VLAN0800                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24

900  VLAN0900                         active    Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36

Step 1: Create a dedicated VLAN for the IP-Helper DHCP Server facing Network Interface

This is the interface which connects directly to the DHCP Server’s Network Interface Card which in our case is vmnic2 on the VMWare EXSi.

On Cisco


!
interface Vlan110
 description "Server VLAN"
 ip address 10.10.10.1 255.255.255.0
 end

!

interface FastEthernet0/40
 description "Link to DHCP Server aka IP-Helper"
 switchport access vlan 110
 switchport mode access
end

On HP Switch

vlan 110
   name "Server Facing VLAN"
   untagged 40 [Interface Connecting DHCP Server]
   tagged 47-48 [Carrying traffic across to other access switches where required]
   ip address 10.10.10.1 255.255.255.0
   exit

Configure Interface to the Firewall Inside Zone’s Interface

On Cisco

!
interface FastEthernet0/47
 description "Trunked Uplink Interface to ASA Inside Zone"
 switchport mode trunk
end

On HP

!
interface 47
 name "Uplink Interface to ASA Inside Interface configured as Trunk or Tagged"
 tagged vlan 700,800,900,1000
end

Step 2. Create VLANS for the Scopes Required

This step really is to have a dedicated VLAN for each department as per the diagram above. So in our case, consider the following buildings

On Cisco Switch


Switch#show run int vlan 700
!
interface Vlan700
 description Department 700 VLAN Scope
 ip address 172.16.70.1 255.255.255.0
 ip helper-address 10.10.10.100
 end
!



Switch#show run int vlan 800
!
interface Vlan800
 description Department 800 VLAN Scope
 ip address 172.16.80.1 255.255.255.0
 ip helper-address 10.10.10.100
 end



Switch#show run int vlan 900
!
interface Vlan900
 description Department 900 VLAN Scope
 ip address 172.16.90.1 255.255.255.0
 ip helper-address 10.10.10.100
!end

On HP Switch

vlan 700
   name "Department 700 Subnet"
   tagged 1,47-48
   ip address 172.16.70.1 255.255.255.0
   ip helper-address 10.10.10.100
   exit
vlan 800
   name "Department 800 Subnet"
   tagged 1,47-48
   ip address 172.16.80.1 255.255.255.0
   ip helper-address 10.10.10.100
   exit
vlan 900
   name "Department 900 Subnet"
   tagged 1,47-48
   ip address 172.16.90.1 255.255.255.0
   ip helper-address 10.10.10.100
   exit

Configure Cisco ASA 5506-X FirePower to Support Multiple VLANS Internet Access

As a good practice, I like to configure the Outside Interface or Zone on my firewall to ensure that it can readily speak to the Internet and so follow the breakdown below and configure your firewall the very same way but make sure you have identified the important IP Addressing Information pertaining to your ISP’s device.

ISP Internet Device’s Public IP: 192.168.1.1 1

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Configure Network Interface to ISP’s Internet Device

!
interface GigabitEthernet1/8
 nameif outside
 security-level 0
 ip address 192.168.1.100 255.255.255.0
!

Configure DNS Settings;

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.1
 name-server 8.8.8.8
 name-server 8.8.4.4

Enable ICMP Pings to Test Configuration Settings

access-list 100 extended permit icmp any any
access-list from_outside extended permit icmp any any echo

Firewall Inside Interface to CoreSwitch

!
interface GigabitEthernet1/1
 description "Interface Uplink to CoreSwitch"
 nameif inside
 security-level 0
 no ip address
!

Interface                  IP-Address      OK? Method Status                Protocol

GigabitEthernet1/1         unassigned      YES unset  up                    up

GigabitEthernet1/1.700     172.16.70.2     YES CONFIG down                  down
GigabitEthernet1/1.800     172.16.80.2     YES CONFIG down                  down
GigabitEthernet1/1.900     172.16.90.2     YES CONFIG down                  down
GigabitEthernet1/1.1000    172.16.100.2    YES CONFIG down                  down


GigabitEthernet1/8        192.168.1.100   YES CONFIG up                    up

Create Associated Sub-Interfaces

!
interface GigabitEthernet1/1.700
 vlan 700
 nameif Department-700
 security-level 100
 ip address 172.16.70.2 255.255.255.0
!

!
interface GigabitEthernet1/1.800
 vlan 800
 nameif Department-800
 security-level 100
 ip address 172.16.80.2 255.255.255.0
!

!
interface GigabitEthernet1/1.900
 vlan 900
 nameif Department-900
 security-level 100
 ip address 172.16.90.2 255.255.255.0
!

Create Object Groups and NAT for the required Subnets;

object network Department-700
 subnet 172.16.70.0 255.255.255.0
 nat (Department-700,outside) dynamic interface
object network Department-800
 subnet 172.16.80.0 255.255.255.0
 nat (Department-800,outside) dynamic interface
object network Department-900
 subnet 172.16.90.0 255.255.255.0
 nat (Department-900,outside) dynamic interface

How about getting devices on separate vlans to communicate? On the ASA, configure a dhcprelay as the dhcp scope sits on a separate server;

dhcprelay server 10.10.10.100 outside
dhcprelay enable inside
dhcprelay setroute inside

How about giving a go with Configuring a Guest WiFi with VLANS ?

]]>
https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/how-to-configure-a-dhcp-server-on-a-hypervisor-as-an-ip-helper-on-a-layer-3-switch-for-a-number-of-vlans/feed/ 0
Configuring Guest Wireless with VLANS https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/configuring-guest-wireless-with-vlans/ https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/configuring-guest-wireless-with-vlans/#respond Mon, 24 Sep 2018 10:11:47 +0000 http://www.expertnetworkconsultant.com/?p=1556 Continue readingConfiguring Guest Wireless with VLANS]]> [SOLVED] Configuring Guest Wireless with VLANS

Configuring Guest Wireless with VLANS

Is there a need in Configuring Guest Wireless with VLANS?

A shinny access point opens doors to advanced possibilities with your WiFi deployments. Configuring Guest Wireless with VLANS is an amazing way of getting a secured Wireless Solution away from the Corporate Infrastructue. Imagine users bringing their own devices to your corporate offices and needing internet access. Would you have them join your Corporate WiFi? If you are in the slightest clued up on security, you would know that BYOD on Corporate WiFi is an invitation to a big compromise to your network.

Wireless deployment could be as sophisticated as you would wish or otherwise simpler depending on your business needs and requirements.

In this article, I aim to share with you the practical approach to configuring your Layer 2 or 3 Switch with a DHCP Server and an Access Point or Controller to create a secured Guest Wireless Network.

But before we begin you might be wondering about the real benefits of a Guest Wireless Network.

Here are the Top 3 Benefits to a Secure Wireless Guest Access:

1) Separation of Traffic
Implementing a secure Guest Access will seperate and segregate internal and guest traffic, providing iron-clad security for any organizations LAN and servers. Different policies can be applied to different users on the network, allowing different network privileges to each user. So for example Consultants with Guest badges may be allowed on a specific Guest Wireless which allows them to Print.

2) Flexible Control

With Guest Wireless, there are usually a secured captive portal where users attempting to connect to the network are prompted to enter a username and password via a customized webpage. This blocks devices from gaining access without the proper authentication credentials. New guest accounts can quickly be provisioned, as well as accessed. Guest Access can be provided without major reconfiguration of guest computers, eliminating the need to call for technical support.

3) Usage Data
Secure Guest Access provides historical data that accounts for who used the network, when they used it and how it was used. Track specific user accounts and filter out unwanted activity. When properly implemented, a guest access system improves customer satisfaction and enhances the productivity of guests and IT staff alike.

Figure 1.1 shows a network topology of my current setup and the steps I am going to use to deploy a Guest WiFi.

Below are the required steps to configuring your Guest Wireless SSID;

What you will need;

1. DHCP on Switch or a DHCP Server otherwise known as an IP-Helper Address
2. Create VLAN with a good descriptive name
3. Assign VLAN ID an IP Address from the scope you are going to use – obviously exclude that IP Address

Follow the following steps on a Windows Server to create the DHCP Scope for the Guest Wireless VLAN.

Launch DHCP on your Server, in my case this is the address of the IP-Helper at 10.10.10.23
Launch DHCP on your Server, in my case this is the address of the IP-Helper at 10.10.10.23

Right-Click on IPV4 and click on New Scope
Right-Click on IPV4 and click on New Scope

Give a meaningful name to your DHCP Scope, in my case I have called it “Guest Wireless Scope”
Give a meaningful name to your DHCP Scope

Setup your DHCP Scope
Setup your DHCP Scope

My scope starts from 192.168.10.100 to 192.168.10.200
Create DHCP Scope Range

Add any exclusions where required – I had no need of an exclusion and so left it blank
Create DHCP Exclusions

Set the Lease Duration, I have selected 2 days
Set the Lease Duration

Configure the Scope Options
Configure the Scope Options

Configure the Router(Default Gateway) – IP Address of VLAN 10
Configure the Router(Default Gateway)

Configure Domain Name and DNS Servers – I used Google’s DNS as this is purely for Guest Wireless
Configure Domain Name and DNS Servers

Activate the Scope
Activate the DHCP Scope

Click Finish
Apply Scope

Review the New Scope to make sure every requirement has been met

Configure DHCP Pool on Layer 3 Switch or Router

Create a DHCP IP address pool for the IP addresses you want to use.
Switch(config)# ip dhcp pool GuestWirelessNetwork

Specify the network and subnet for the addresses you want to use from the pool.
Switch(dhcp-config)# network 192.168.10.0/24

Specify the DNS domain name for the clients.
Switch(dhcp-config)#domain-name mydomain.com

Specify the primary and secondary DNS servers.
Switch(dhcp-config)#dns-server 8.8.8.8 8.8.4.4

Specify the default router (i.e., default gateway).
Switch(dhcp-config)#default-router 192.168.10.1

Specify the lease duration for the addresses you’re using from the pool.
Switch(dhcp-config)#lease 2

Exit Pool Configuration Mode.
Switch(dhcp-config)#exit

Create the VLAN dedicated for the Guest Wireless;

The Cisco Way

Switch(config)# vlan 10
Switch(config)# name Guest Wireless


Switch(config)# interface VLAN 10
Switch(config-vlan-if)# ip address 192.168.10.1 255.255.255.0
ip helper-address 10.10.10.23

The available encapsulation options

Switch(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
Switch(config-if)# interface  Fa0/42

   Switchport Trunk Encapsulation Dot1Q
   Switchport Trunk allowed VLAN 10
   Switchport Access VLAN 1
   exit

The HP Way

Swictch(vlan-10)#
   name "GUEST_WiFi"
   tagged 42
   ip helper-address 10.10.10.23
   ip address 192.168.22.1 255.255.255.0
   

Switch(eth-42)# interface 42
  tagged vlan 10
  untagged vlan 1
  exit

Your router or firewall’s interface connected to your switch must now be informed about the new subnets which would be traversing the network. So you must create a rule to allow the 192.168.10.0/24 to the internet and then you are on your way.

Your assignment is to create an SSID for the Accounts Department on VLAN 20. Configure a DHCP Scope to cater for the Accounts VLAN and then allow the subnet members access to the Internet.

You might want to also know how to configure your Cisco Router for Fiber or PPPoE

]]>
https://www.expertnetworkconsultant.com/expert-approach-in-successfully-networking-devices/configuring-guest-wireless-with-vlans/feed/ 0