Educause Security Discussion mailing list archives
Re: Public Use VLAN (x-posted to netman listserv)
From: Aaron Hockett <AHockett () WARNERPACIFIC EDU>
Date: Tue, 2 Oct 2012 20:49:50 -0700
Jeff,

Good read. How are you handling DHCP on what I'm assuming is your core firewall that keeps the public away from the private? We're facing a similar push and I'm looking at moving all resnet and wireless to a "public" VLAN that just dumps it to the net with public DNS (Google or CenturyLink), but I'm looking for suggestions on how to handle DHCP off a single public IP via NAT.

Thanks.

-Aaron
Warner Pacific College
Network Engineer

Jeff Kell <jeff-kell () UTC EDU> wrote:

> You have a couple of options. What we do is have split DNS (our inside network is RFC1918, outside is public, only public servers are on our external DNS). The external nameservers technically live inside our firewall/IPS/etc. protection, so they're "on-campus". We can point guest/etc. "outside" users at the external DNS, and they get "outside" IPs for any internal resources, so they "hair-pin" out to the edge and back through the firewalls to gain access (we also ACL block direct).
>
> It sounds like you have uniform DNS. You can still point them there, allow their range recursive access, but be careful that you don't do "DNS inspection" on that traffic or they'll get converted back to private inside addresses. If you have true internal vs. external DNS, this is much easier to swing than trying to make a uniform one "dual personality" :)
>
> If you have them using public DNS (I don't know if you are referring to "your" public DNS, or a 3rd-party "public" DNS) they should be getting outside IPs, and it's just a matter of allowing their range to hair-pin back through the firewall (you may need to loop through your edge/border if you don't allow same-interface traffic). Or are you "wanting" them to get internal IPs? In the latter case you might reinstate the DNS inspection / NAT rewrites, but again, be careful with the split-personality roles.
>
> Jeff
>
> On 10/2/2012 9:56 PM, Allen Wood wrote:
>> As much as I hate it, I've been told to set up an open wireless network for our campus. I created a VLAN with access lists that deny all traffic to inside our network, and created the open SSID to put on it. Traffic can flow freely now from the open wireless to the internet. However, I'm using a public DNS for the clients and they're unable to reach our locally hosted (NAT'd) web servers. We're currently using a Cisco ASA at the edge of our network which does all of our NAT'ing. I could open up the VLAN access list a bit and allow them access to our internal DNS & web servers, but I'd rather not. Has anyone run into this issue before? What's the "best practices" at this point... other than removing the public network in the first place!
>>
>> Thanks in advance,
>> Allen
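The following is an added illustration for this thread, not code from any list member or from a Cisco ASA. It is a small Python model of the behaviour Jeff describes: a split-horizon DNS with an inside (RFC1918) view and an outside (public) view, a guest VLAN whose ACL denies direct access to inside networks, and an edge firewall that hairpins guest traffic aimed at a public address back to the NAT'd server. It also reproduces the pitfall he warns about, where "DNS inspection" rewrites the public answer back to the inside address and the guest client then hits the ACL. All names, addresses, and the NAT table are constructed sample values, and the RFC1918 and documentation ranges are used as stand-ins for a real campus plan.

```python
"""Model of split-horizon DNS plus hairpin NAT for a guest-use VLAN.

Added example for the Educause thread; not code from the thread or any
vendor. Every address, name and table entry below is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed split-DNS zone: the same hostname answers with an inside
# address for inside clients and a public address for everyone else.
INSIDE_VIEW = {"www.example.edu": "10.10.5.20"}
OUTSIDE_VIEW = {"www.example.edu": "203.0.113.20"}

# Constructed static NAT table on the edge firewall: public -> inside.
STATIC_NAT = {"203.0.113.20": "10.10.5.20"}

# Constructed guest ("public use") VLAN range; documentation space is used
# as a stand-in for a publicly routed block.
GUEST_VLAN = ip_network("192.0.2.0/24")

# Inside networks that the guest VLAN ACL denies outright.
INSIDE_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_inside(addr: str) -> bool:
    """True if addr falls in one of the campus-internal (RFC1918) ranges."""
    a = ip_address(addr)
    return any(a in net for net in INSIDE_NETS)


def resolve(name: str, client_ip: str, dns_inspection: bool = False):
    """Return the A record a client sees for name, or None if unknown.

    Inside clients get the inside view; guest/outside clients get the
    outside view. With dns_inspection=True the firewall rewrites public
    answers back to inside addresses, which is the 'dual personality'
    trap the thread cautions against for guest traffic.
    """
    view = INSIDE_VIEW if is_inside(client_ip) else OUTSIDE_VIEW
    answer = view.get(name)
    if answer is None:
        return None
    if dns_inspection and answer in STATIC_NAT:
        return STATIC_NAT[answer]
    return answer


def forward(client_ip: str, dst_ip: str):
    """Decide what the edge does with a guest-VLAN packet to dst_ip.

    Returns (decision, delivered_to):
      ("blocked", None)      guest ACL denies direct access to inside nets
      ("hairpin", inside_ip) public address is un-NATed and turned back in
      ("internet", dst_ip)   ordinary outbound traffic
    """
    if ip_address(client_ip) not in GUEST_VLAN:
        raise ValueError("only guest-VLAN sources are modelled here")
    if is_inside(dst_ip):
        return ("blocked", None)
    if dst_ip in STATIC_NAT:
        # Same-interface turn: the ASA-style edge must permit hairpinning
        # (or the traffic must loop via the border) for this to work.
        return ("hairpin", STATIC_NAT[dst_ip])
    return ("internet", dst_ip)


def guest_reachability(name: str, dns_inspection: bool = False):
    """End-to-end: what a guest client resolves and where the packet lands."""
    client = "192.0.2.50"  # constructed guest-VLAN client
    answer = resolve(name, client, dns_inspection)
    if answer is None:
        return ("nxdomain", None)
    return forward(client, answer)


if __name__ == "__main__":
    print("no inspection :", guest_reachability("www.example.edu"))
    print("with inspection:", guest_reachability("www.example.edu", True))
```

Running the module shows the two outcomes side by side: with the outside view and no DNS rewriting, the guest client resolves the public address and is hairpinned to the NAT'd server; with DNS inspection switched on for the guest range, the answer is rewritten to 10.10.5.20 and the same client is stopped by the guest ACL, which is exactly the failure the thread describes.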