Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
1
Replies

Restrict Inter-VLAN routing

WRPM4549WNEO
Level 1
Level 1

‎02-24-2014 03:19 PM - edited ‎03-04-2019 10:25 PM

We have a Catalyst 3750G switch with about 10 VLANs.  Most of the VLAN's have helper IP's to a DHCP server.  We've just purchased two Cisco 2600 WAP's to include public access, and we want to connect them to their own VLAN and restrict access on some wireless devices (or some SSID's) to NOT be able to reach devices on the other VLAN's. If it's easier for now we can restrict all wireless devices to their own VLAN and internet access only. 

Is there a way to disable inter VLAN routing for one VLAN only?  I understand I will probably have to set up another DHCP server interface on that VLAN.  Also what about security and setting up a Radius server?  It would be nice to use all the features the 2600's have.

Labels:
0 Helpful
1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

‎02-25-2014 04:44 AM

Anthony

Usually to restrict inter vlan access you would use an access list (acl) on the SVIs (Switched Virtual Interface) ie. the "interface vlan " bit in your configuration.

You can allow DHCP through with an acl to your current DHCP server and then block all other traffic. But it depends on where the internet access is ie. if to get to the internet you need to go via another vlan then you would need to allow that through as well.

If internet access was in the same vlan and you created another DHCP server for that vlan then you could completely disable inter vlan routing by removing the SVI for that vlan and then the wireless clients would not be able to route to any other vlans internally.

But usually DHCP and the physical internet access are not on the same vlan as the wireless clients.

In terms of security you may be better posting that part in the Wireless forums. You can use Radius to authenticate clients but i haven't done that in a long time so i'm not really up to date on that side of things.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card