04-30-2010 08:55 AM - edited 03-04-2019 08:19 AM
I am trying to use a 3Com wireless router in one of our training rooms to allow public internet access when in that room. We have it
jacked into a port in a Cisco Catalyst 3500XL, which is jacked directly into our Cisco Catalyst 4507R. We have 6 vlans in the 4507
switch. I created a 7th vlan (vlan 700) on both switches and assigned the interface on the port in the 3500 to that vlan. I'm not sure what to do on the 4507
though. The firewall that the users need to go through to get to the internet is on one of the vlans (vlan 100 -- 172.16.0.x) that I'm trying to avoid access to for vlan 700. I tried assigning an acl to vlan 700, but I must have done something wrong, because it caused current users on the wired network to lose access to the switch. I used:
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
What I want to do is this:
Wireless router & dhcp addresses on 192.168.100.0 network = internet only access
All other networks: 172.16.0.0, 192.168.30,40,50,60 = all access except 192.168.100.0
I'm very confused as to what I need to do, and on which switch.
04-30-2010 09:03 AM
lovembsc89 wrote:
The firewall that the users need to go through to get to the internet is on one of the vlans (vlan 100 -- 172.16.0.x) that I'm trying to avoid access to for vlan 700. I tried assigning an acl to vlan 700, but I must have done something wrong, because it caused current users on the wired network to lose access to the switch. I used:
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
What I want to do is this:
Wireless router & dhcp addresses on 192.168.100.0 network = internet only access
All other networks: 172.16.0.0, 192.168.30,40,50,60 = all access except 192.168.100.0
I'm very confused as to what I need to do, and on which switch.
You need to create a L3 SVI for vlan 700 on your 4507 switch, i.e.:
int vlan 700
ip address 192.168.100.x 255.255.255.0
then you need to apply the acl 101 in the inbound direction on the vlan 700 interface, i.e.:
int vlan 700
ip address 192.168.100.x 255.255.255.0
ip access-group 101 in
Jon
04-30-2010 11:35 AM
Thanks, Jon! I did what you said. Now, two more questions:
1. Do I need vlan 700 on the port on the 3500XL?
2. If I have a 100 Mb connection jacked into a gigabit ethernet port in the 4507, do I need to set the duplexing and speed of that port, or will the auto setting be enough for this connection?
At least this time, nothing has blown up.
04-30-2010 11:50 AM
lovembsc89 wrote:
Thanks, Jon! I did what you said. Now, two more questions:
1. Do I need vlan 700 on the port on the 3500XL?
2. If I have a 100 Mb connection jacked into a gigabit ethernet port in the 4507, do I need to set the duplexing and speed of that port, or will the auto setting be enough for this connection?
At least this time, nothing has blown up.
1) If the 3500XL is only for vlan 700 then yes, the port on the 3500XL and the corresponding port on the 4507 should be set to vlan 700. If there are multiple vlans on the 3500XL then you will need to make the connection at both ends a L2 trunk.
2) Auto-negotiation should be fine as long as both ends are set to auto-negotiate.
Glad to hear nothing else has blown up.
Jon
04-30-2010 12:19 PM
Ok. Just to make sure I understand. There are two vlans on the 3500. The port that connects the 3500 to the 4507 is on vlan 100 (private network). I have the router coming into the 3500 from the patch panel, and have set that port to vlan 700 (public network). In this scenario, I can't configure an L2 trunk, can I?
04-30-2010 12:32 PM
lovembsc89 wrote:
Ok. Just to make sure I understand. There are two vlans on the 3500. The port that connects the 3500 to the 4507 is on vlan 100 (private network). I have the router coming into the 3500 from the patch panel, and have set that port to vlan 700 (public network). In this scenario, I can't configure an L2 trunk, can I?
If the path to your firewall is via the 4507 switch then you need to configure the connection between the 3500 and the 4507 as a L2 trunk because you need 2 vlans, vlan 100 and vlan 700 to go from the 3500 switch to the 4507 switch. So the port on the 3500 connecting to the 4507 needs to be a trunk port and so does the port on the 4507 connecting to the 3500.
Don't do this during production hours because changing it from an access port in vlan 100 to a L2 trunk will create an outage. Not a huge outage but it could be a couple of minutes. You also need to be aware of VTP if you change the connection to a L2 trunk. You would be advised to change the 3500 to VTP transparent mode if it isn't already so it cannot overwrite the VTP database on the 4507 switch which would really break things. Do this before configuring the trunk link.
Alternatively, if you have a spare connection between the 4507 and 3500, i.e. not the existing one in vlan 100, then you could simply configure that to be in vlan 700 and leave the original connection alone.
Jon
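As an added example (not configuration from this thread), this is what the change Jon describes looks like on both switches: VTP transparent on the 3500XL first, then the single 3500XL-to-4507 link turned into a dot1q trunk carrying vlan 100 and vlan 700. The port numbers (Fa0/23 on the 3500XL, Gi7/23 on the 4507) are assumed for illustration.

```cisco
! Added example, not configuration from this thread. Assumed ports: Fa0/23 on the
! 3500XL, Gi7/23 on the 4507.

! --- 3500XL: VLANs and VTP mode are set in "vlan database" mode on the XL platforms ---
! Switch# vlan database
! Switch(vlan)# vtp transparent
! (transparent mode cannot overwrite the 4507's VTP database; it also will not learn
!  vlan 700 from the 4507, so the VLAN has to exist locally)
! Switch(vlan)# vlan 700 name RCACBOSW
! Switch(vlan)# exit

! --- 3500XL: the uplink port, currently an access port in vlan 100 ---
interface FastEthernet0/23
 description trunk to 4507 Gi7/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! portfast is for end hosts; never leave it on a switch-to-switch link
 no spanning-tree portfast

! --- 4507: the matching port, previously "switchport access vlan 100" ---
interface GigabitEthernet7/23
 description trunk to 3500XL Fa0/23
 ! omit the encapsulation line on supervisors that only support dot1q and reject it
 switchport trunk encapsulation dot1q
 ! carry only the two VLANs the 3500XL actually needs
 switchport trunk allowed vlan 100,700
 switchport mode trunk

! --- verify on both ends: the port should show "trunking" with VLANs 100 and 700 active ---
! show interfaces trunk
! show vtp status
```

Expect a short outage on the link while the port mode changes, which is why Jon advises doing it outside production hours.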
04-30-2010 02:07 PM
Jon,
I'm going to do this Monday after hours. I'll let you know how it goes. This is just the first phase of this project, so I want to make sure that I have a good handle on it before we open it up and roll out more wireless access points.
Thanks so much for your help, and have a great weekend.
~T
05-12-2010 07:19 AM
I was finally able to try this, and I get the same result.
Traffic on the 192.168.100.x network can still see the other networks. I added the ACL to the Cat 3500, thinking maybe it needed to go there too, and I connected spare ports between the switches and added them to vlan 700. The other ports use spanning-tree portfast. Should I take this away from this port in the 3500?
The vtp mode is transparent. I am copying the relevant pieces of the configs from both switches. Thanks for any assistance you can offer.
Pieces of config from 4507 (why does vlan 700 say "shutdown" even after I issue "no shut"?)
interface GigabitEthernet7/23
switchport access vlan 100
switchport mode access
vlan 600
name SocSvc
!
vlan 700
name RCACBOSW
shutdown
interface Vlan600
description SocSvc
ip address 192.168.60.1 255.255.255.0
!
interface Vlan700
description RCACBOSW
ip address 192.168.100.24 255.255.255.0
ip access-group 102 in
access-list 102 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
Pieces of config from 3500:
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport access vlan 700
interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN700
ip access-group 102 in
no ip directed-broadcast
no ip route-cache
shutdown
access-list 102 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
spanning-tree portfast
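As an added example (not configuration from this thread), here are corrected pieces for the 4507, which is the only switch that routes here; the 3500XL does not route, so an ACL on its "interface VLAN700" filters nothing. It assumes the 192.168.30/40/50/60 subnets are /24 like the others in the thread.

```cisco
! Added example, not configuration from this thread. Assumes 192.168.30/40/50/60 are /24.

! 1. The "shutdown" under "vlan 700" is the VLAN itself, not the SVI; "no shut" on
!    interface Vlan700 does not clear it. Remove it in VLAN configuration mode.
vlan 700
 name RCACBOSW
 no shutdown

! 2. ACL 102 as posted only denies 172.16.0.0/24, so 192.168.30-60 stay reachable from
!    the guest subnet. Deny every internal subnet, then permit the rest (the internet).
ip access-list extended GUEST_IN
 remark guest wifi (192.168.100.0/24) -> internal: deny; anything else: permit
 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any

! 3. The inbound ACL is stateless: it drops the guest side's replies, but not the packets
!    internal hosts send toward the guests. Filter that direction on the same SVI.
ip access-list extended GUEST_OUT
 remark internal -> guest wifi: deny; replies from the internet: permit
 deny   ip 172.16.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip any 192.168.100.0 0.0.0.255

interface Vlan700
 description RCACBOSW
 ip address 192.168.100.24 255.255.255.0
 ip access-group GUEST_IN in
 ip access-group GUEST_OUT out

! 4. Check: the SVI should be up/up, and the deny counters should climb when a guest
!    client tries to reach an internal address.
! show interfaces Vlan700
! show ip access-lists GUEST_IN
! show ip access-lists GUEST_OUT
```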