03-30-2011 02:16 AM - edited 03-04-2019 11:55 AM
Hi,
I have an 877 with the RAM upgrade and advanced IP service. I plan to use it to share an ADSL internet connection between staff at the office and guests who visit the site.
I intend to do the following...
1. The office users have proxied internet access therefore only one device on the network (the proxy server) will have outgoing internet access.
2. The guest users will be on a separate VLAN, they will be allowed full outgoing internet access.
3. The guest users will be on a separate VLAN and IP range and no traffic must be able to pass between the two VLANs.
Point 1 is covered, I configured this using the zone based firewall settings in CCP. I am a bit stuck on how to achieve points 2 and 3. I created the guest VLAN and assigned it to one of the switch ports but I can't see how to prevent traffic between the VLANs or how to set the firewall to give them a different access level.
I found a number of similar examples but I may have made a mistake in using CCP. It is far better than SDM but I know most people still suggest using the terminal...
Thanks for your help
03-30-2011 02:30 AM
Hi Alex,
AFAIK, 877 by default is limited to 1 VLAN only, which all 4 FE ports respond to as its GW. I would suggest to do router on a stick with L2 switch or set this up from L3 switch.
877#sh vlan-sw
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0, Fa1, Fa2, Fa3
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
03-30-2011 03:08 AM
Hi John,
Thanks for swift reply, I believe that with the Advanced IP services it will support more than one VLAN. Can anyone confirm?
Thanks
03-30-2011 06:30 AM
That is correct. With advanced IP Services you can expand beyond a single vlan.
As for blocking the 2 vlans from seeing each other, I would just use an extended access-list.
Sent from Cisco Technical Support iPhone App
03-30-2011 08:35 AM
Can you use the ACL to block per VLAN at layer 2 or would you just do it based on the IP ranges used on each VLAN? I don't want anything like DHCP crossing the VLANs.
Thanks
03-30-2011 09:22 AM
ACL based on IP ranges. I can't see any issues where the DHCP will cross VLANs without the ip helper-address command.
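The IP-range ACL approach the thread settles on, written out as an added IOS configuration example (not posted by anyone in the thread and not a Cisco-published config). The VLAN number, subnet addresses, port assignment and ACL names are assumptions chosen for illustration; only the 877's Fa0-Fa3 switch ports come from the thread. The guest ACL is applied inbound on the guest SVI, so guest-to-office traffic is dropped while guest-to-internet traffic is still permitted; a matching ACL on the office SVI stops one-way UDP/ICMP from the office side, which a single stateless ACL would not catch. No ip helper-address is configured on either SVI, so DHCP broadcasts stay within their own VLAN, as the last reply notes.

```cisco
! Added example, not from the thread. Assumed addressing:
!   office VLAN 1 = 192.168.1.0/24, gateway 192.168.1.1
!   guest  VLAN 2 = 192.168.2.0/24, gateway 192.168.2.1
!
! Create the guest VLAN (87x series uses VLAN database mode; needs Advanced IP Services)
vlan database
 vlan 2 name GUEST
 exit
!
! Put one switch port into the guest VLAN; Fa0-Fa2 stay in VLAN 1 for the office
interface FastEthernet3
 description Guest access port
 switchport access vlan 2
!
interface Vlan1
 description Office LAN (proxy server lives here)
 ip address 192.168.1.1 255.255.255.0
 ip access-group OFFICE-IN in
!
interface Vlan2
 description Guest LAN
 ip address 192.168.2.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Filter applied to traffic entering the router from the guest VLAN
ip access-list extended GUEST-IN
 remark DHCP requests to the router itself (clients send from 0.0.0.0 to broadcast)
 permit udp any eq bootpc any eq bootps
 remark guests may reach their own gateway (DNS, default route)
 permit ip 192.168.2.0 0.0.0.255 host 192.168.2.1
 remark block guest -> office
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark everything else, i.e. the internet via the ADSL link, is allowed
 permit ip 192.168.2.0 0.0.0.255 any
!
! Filter applied to traffic entering the router from the office VLAN
ip access-list extended OFFICE-IN
 remark block office -> guest
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark leave the rest to the existing zone-based firewall built with CCP
 permit ip any any
```

After applying this, `show ip access-lists` will show hit counters on the deny lines when a guest host tries to reach the office range, which is a quick way to confirm the isolation is working. If the existing zone-based firewall from CCP is kept, the guest SVI should also be placed in its own zone (or left out of the office zone) so the CCP policy does not treat the two VLANs as one inside network.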