877 With Advanced IP, creating separate guest VLAN


I have an 877 with the RAM upgrade and advanced IP service.  I plan to use it to share an ADSL internet connection between staff at the office and guests who visit the site.

I intend to do the following...

1.  The office users have proxied internet access, therefore only one device on the network (the proxy server) will have outgoing internet access.

2.  The guest users will be on a separate VLAN; they will be allowed full outgoing internet access.

3.  The guest users will be on a separate VLAN and IP range, and no traffic must be able to pass between the two VLANs.

Point 1 is covered, I configured this using the zone based firewall settings in CCP.  I am a bit stuck on how to achieve points 2 and 3.  I created the guest VLAN and assigned it to one of the switch ports but I can't see how to prevent traffic between the VLANs or how to set the firewall to give them a different access level.

I found a number of similar examples but I may have made a mistake in using CCP.  It is far better than SDM but I know most people still suggest using the terminal...

Thanks for your help


Hi Alex,

AFAIK, the 877 by default is limited to 1 VLAN only, which all 4 FE ports respond to as their GW. I would suggest doing router on a stick with an L2 switch, or setting this up from an L3 switch.

877#sh vlan-sw

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0, Fa1, Fa2, Fa3
1002 fddi-default                     active   
1003 token-ring-default               active   
1004 fddinet-default                  active   
1005 trnet-default                    active  

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0  
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

Hi John,

Thanks for the swift reply. I believe that with Advanced IP Services it will support more than one VLAN.  Can anyone confirm?



That is correct. With Advanced IP Services you can expand beyond a single VLAN.

As for blocking the 2 vlans from seeing each other, I would just use an extended access-list.

Can you use the ACL to block per VLAN at layer 2, or would you just do it based on the IP ranges used on each VLAN?  I don't want anything like DHCP crossing the VLANs.


ACL based on IP ranges.  I can't see any issues where DHCP will cross VLANs without the ip helper-address command.
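A worked IOS configuration for the approach the replies suggest (extended ACLs on the two IP ranges, DHCP served by the router itself so no ip helper-address is involved), added here as an example and not taken from anyone's post in the thread. The office and guest subnets, VLAN 2, the zone name guest-zone and the CCP outside zone name out-zone are all assumptions.

```cisco
! Constructed example, not from the thread. Assumptions: office = VLAN 1 /
! 192.168.1.0/24, guest = VLAN 2 / 192.168.2.0/24, CCP's outside zone is
! named out-zone, and the guest range is added to the existing NAT source list.
!
! 87x creates the VLAN from privileged EXEC:  vlan database / vlan 2 name GUEST / exit
!
! Guest -> office is denied; DHCP to the router is permitted first so guests
! still get an address from the pool below.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
!
! Mirror image on the office side so staff hosts cannot reach guests either.
ip access-list extended OFFICE-IN
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip any any
!
interface Vlan1
 ip access-group OFFICE-IN in
!
zone security guest-zone
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
 zone-member security guest-zone
!
! With no zone-pair between guest-zone and the staff zone, the zone-based
! firewall drops inter-VLAN traffic as well; the ACLs add logging on top.
class-map type inspect match-any GUEST-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect GUEST-TO-INTERNET
 class type inspect GUEST-PROTOCOLS
  inspect
 class class-default
  drop
zone-pair security guest-to-out source guest-zone destination out-zone
 service-policy type inspect GUEST-TO-INTERNET
!
! The router itself serves the guest pool, so no ip helper-address is needed
! and DHCP stays inside VLAN 2. 192.0.2.53 stands in for the ISP's resolver.
ip dhcp excluded-address 192.168.2.1
ip dhcp pool GUEST
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.0.2.53
```

The deny entries are logged, so `show logging` will show any guest host probing the office range, which is a cheap check that the separation actually holds.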