Educause Security Discussion mailing list archives
Re: Public Use VLAN (x-posted to netman listserv)
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 3 Oct 2012 09:26:15 -0400
On 10/2/2012 11:49 PM, Aaron Hockett wrote:
> Jeff, Good read. How are you handling DHCP on what I'm assuming is your core firewall that keeps the public away from the private? We're facing a similar push and I'm looking at moving all resnet and wireless to a "public" vlan that just dumps it to the net with public DNS (Google or CenturyLink) but I'm looking for suggestions on how to handle DHCP off a single public IP via NAT.
We are also an Aruba shop (to follow on to Bruce Osborne's reply) so all of the wireless users' traffic comes back to the controllers, but the traffic is routed by an attached router that terminates each of the user "roles" (vlans). The "guest" role consists of a couple of vlans (to differentiate what sort of guest, we have slightly different policies) in a guest VRF. We also have some wired guest vlans in the same VRF and can offer the same limited/restricted access over wired and wireless (wired being popular with media folks at sporting events).

The guest VRF is basically just a default route to our border, and DHCP hands out our external name servers (rather than internal) so you get only the public services we offer to anyone else on the internet.

As for DHCP, you're going to have to hand out some RFC1918 network to the guests; the NAT will be handled by your router and/or firewall. If you "truly" terminate the guests outside your firewall, you're going to have to find another way to handle NAT. Ours are physically inside our firewall, but the traffic is "escorted to the door" (outside access) as soon as it lands, and NAT occurs on the way out.

Jeff
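The design Jeff describes (guest VLANs in their own VRF, an RFC1918 DHCP scope that hands out only external resolvers, a lone default route to the border, and PAT on the way out) as an added illustrative configuration; this is not Jeff's config or anything from the thread. It assumes a Cisco IOS-style router; VRF name GUEST, VLAN 900, the 10.200.0.0/23 scope, the 203.0.113.x resolvers and the 192.0.2.0/30 uplink are placeholders from documentation ranges.

```cisco
! Guest VRF: its only route to anywhere is the default leaked to the border uplink,
! so internal prefixes are simply not reachable from the guest routing table.
ip vrf GUEST
 rd 65000:900
!
! DHCP for guests: RFC1918 scope, gateway is the VRF SVI, resolvers are the
! same external name servers the campus publishes to the rest of the internet.
ip dhcp excluded-address vrf GUEST 10.200.0.1 10.200.0.15
ip dhcp pool GUEST-WIFI
 vrf GUEST
 network 10.200.0.0 255.255.254.0
 default-router 10.200.0.1
 dns-server 203.0.113.53 203.0.113.54
 lease 0 4
!
! Defence in depth (assumption, not in the thread): even if a route ever leaks
! into the VRF, guests still cannot reach private address space.
ip access-list extended GUEST-IN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Guest SVI lives in the VRF; "ip vrf forwarding" must precede the address.
interface Vlan900
 description Guest wireless/wired (terminates the guest role VLAN)
 ip vrf forwarding GUEST
 ip address 10.200.0.1 255.255.254.0
 ip access-group GUEST-IN in
 ip nat inside
!
! Border-facing uplink stays in the global table; NAT happens here on the way out.
interface GigabitEthernet0/1
 description Uplink toward border/ISP
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! "Escort to the door": default route for the VRF points at the global next hop.
ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.0.2.1 global
!
! VRF-aware PAT: the whole guest scope shares the uplink's single public address.
ip access-list standard GUEST-NAT
 permit 10.200.0.0 0.0.1.255
ip nat inside source list GUEST-NAT interface GigabitEthernet0/1 vrf GUEST overload
```

Verify with `show ip route vrf GUEST` (only the default should appear) and `show ip nat translations vrf GUEST` once a guest client is online.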