Wireless VLAN - Nortel 450BT setups...and more!

SaigonK (Diamond Member, joined Aug 13, 2001, www.robertrivas.com)
Here is my idea...

A VLAN from my 450-BT to my wireless access points; into the 450 I plug a Nortel 1700 series VPN box.

Anyone got any ideas on the best way to set up the VLAN?


spidey07 (No Lifer, joined Aug 4, 2000)
Saigon,

Been a while since I messed with a 450. Can you possibly describe what you're trying to do and leave the hardware out of it? Once we understand your goal, then we can discuss the hardware involved.

SaigonK (Diamond Member, joined Aug 13, 2001, www.robertrivas.com)
Man.. I always do that and then expect people to know what I am asking for. :)
Let me be a bit more clear.

I am going to begin deploying a wireless network in our conference rooms at work; this will work out to be about 16 rooms, each with its own AP.
My plans for security have been coming and going and now I am trying to get some opinions on my idea.

My intentions would be this:

Set up a VLAN on my network, using 192.168.1.x IPs. I will probably start with just one switch for now.. maybe two.
I have a Nortel Contivity 1700 series VPN box that has three ports on it, one for access for users to the LAN, one for management and one to plugin your backend to. (the switch, a wireless AP, etc.)

Create the VLAN from my 450 switch.. plug it into the VPN box.
Set up the VPN box to access the corporate LAN and Internet.
Users would get onto the AP, get an IP of 192.168.1.x, and they would then have to use the VPN software to authenticate to the VPN box, which would then allow them to make a connection to the real LAN instead of the VLAN.

If they "hack" onto the VLAN.. who cares, it doesn't route to anywhere.
This way my traffic is encrypted via VPN, and if a blackhat somewhere gets on the LAN then he/she will be stuck (I know nothing is foolproof) on the VLAN.

Sound right?

Gand1 (Golden Member, joined Nov 17, 1999)
Let me get this straight, you are setting up a wireless network and if a user wants to get to the corp network they would VPN in. Sounds good! :)

VLAN 1 - corp network (not really a VLAN)
VLAN 2 - wireless

Hmm... make sure your wireless VLAN can trace all the way back to your cores. If you don't name the VLAN in each physical port, including the uplink and then back to your core you'll never get any connection.

I have a Contivity 2600, and when someone connects via VPN there is an IP pool for the users in the same range as our network, reserved in DHCP. I'm assuming that is how these people will get an IP in your setup?

How are IPs going to be distributed on the wireless?

Just out of curiosity, are you all Nortel or do you just have a small smattering of it?

SaigonK (Diamond Member, joined Aug 13, 2001, www.robertrivas.com)
I am all Nortel; we also have a 2600 as our main external VPN solution.
We just bought an 8600 core setup. Sweet unit!

I use 450-BTs in all my closets at all my sites (95% anyway). I have about 65 in my current building.

As far as DHCP addresses, I was figuring I would create a pool on my Novell server and use it.
My next option is to set up Novell BorderManager as my VPN solution; with this I would get the best of both worlds, a VPN solution as well as a DHCP server on one box.

Santa (Golden Member, joined Oct 11, 1999)
Might as well just authenticate the wireless clients via some sort of TACACS+ (Cisco) or RADIUS. This way they can't even jump onto the network, instead of having the potential for security threats through split tunneling.

Sounds pretty complex and perhaps speed / resource limiting but with the above authentication + your VPN scheme it would make a pretty nice setup.

SaigonK (Diamond Member, joined Aug 13, 2001, www.robertrivas.com)
If I have a VLAN set up, they won't be making any connection back to the real LAN, as the VLAN won't route anywhere anyway. RADIUS would be overkill...
One thing: if I do go to BorderManager, it can run VPN and DHCP, so that way I would be able to hand out internal IPs (192.168.1.x) to the users; then once they ran the client software and connected, they would get a "real" LAN address to get onto company resources and whatnot.

Split tunneling will not be implemented. I want them to go through my PIX and whatnot, so that I can block the ports on my end.
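The whole design in this thread (non-routed wireless VLAN, VPN box as the only way out, no split tunneling) rests on one invariant: the only traffic that may leave 192.168.1.x is DHCP plus the IPsec tunnel to the VPN box's VLAN-side port. Here is a small Python model of that filter, added as an example and not code from the thread or from Nortel; the gateway address 192.168.1.1 and UDP/500, UDP/4500 and ESP as the tunnel protocols are assumptions the thread does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the thread: the wireless VLAN uses 192.168.1.x.
WIRELESS_VLAN = ip_network("192.168.1.0/24")
# Assumed (not stated in the thread): the VPN box's VLAN-facing port sits at .1
# and is also where DHCP is served if BorderManager/Contivity hands out leases.
VPN_GW = ip_address("192.168.1.1")
BROADCAST = ip_address("255.255.255.255")
# Assumed tunnel protocols: IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP proto 50).
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "esp"
    dport: int = 0    # ignored for esp


def wireless_policy(pkt: Packet) -> bool:
    """True if the packet may leave the wireless VLAN at its single L3 exit.

    Models the filter at the VLAN's only exit toward the VPN box. There is no
    route to the corporate LAN or the Internet; a client must establish the
    tunnel and everything else it sends is dropped.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in WIRELESS_VLAN:
        return False                      # spoofed source on the wireless side: drop
    # DHCP: broadcast discover or unicast renew to the gateway on UDP/67.
    if pkt.proto == "udp" and pkt.dport == 67 and dst in (VPN_GW, BROADCAST):
        return True
    # IPsec to the gateway only: IKE/NAT-T control traffic and ESP data.
    if dst == VPN_GW:
        if pkt.proto == "udp" and pkt.dport in IKE_PORTS:
            return True
        if pkt.proto == "esp":
            return True
    # Corporate LAN, Internet, and cleartext to the gateway's own services: drop.
    return False


def audit(packets):
    """Return the packets the policy would drop, for reviewing a proposed ruleset."""
    return [p for p in packets if not wireless_policy(p)]
```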