Routing VLAN Question

Jamie_ABSNet · ‎03-25-2013

My IT Director want to have guest wireless in the fron office. I suggested a VLAN, but with little knowledge of setting one up, I figured I'd ask here. The switch he wants the AP connected to is like the third in line from the router and firewall. Question is; Do I have to configure a port on every switch leading to the router, or just the one the AP is connected to? I know how to make subinterfaces on the router for the seperate VLAN, but are there any ACL rules or subinterfaces that I have to include on the router or firewall? It doesn't really seem that complicated, but I'd appreciate the help.

blau grana · ‎03-25-2013

Hello Jamie,

You have to configure port on switch where AP will be connected with some VLAN which will be dedicated to wireless guests. This VLAN has to be allowed on all trunks leading to router or firewall, depend on where you will terminate it (create subinterface).

Also you should create inbound ACL on this subinterface to restric access to wireless guest. They should not have to access to your internal LAN, just internet or whatever is your plan.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Jamie_ABSNet · ‎03-27-2013

Ok, so if I'm understanding correctly. The switch that the AP is on, is the only one that the seperate (Vlan 10) has to be created. Traffic tagged for that (vlan 10) will traverse the other two switches until it reaches the subinterface on the router or firewall that has that (vlan 10).

Do I have to create a subinterface on the firewall for the vlan (let's call it vlan 10) or just on the router, or both? This is where I get confused. I'm pretty sure the ACL would have to only be applied to the vlan subinterface on the firewall, but I'm not sure. What ACL would I have to apply, and where?

You've been a great help, and I appreciate it.

blau grana · ‎03-28-2013

Hello Jamie,

You have to create subinterface on firewall or router. It depend on where you have terminated internet connection. If users access internet through firewall, subinterface will be created there.

VLAN10 is separated from other vlans, if you want to access another vlan, you have to configure intervlan routing, on router/firewall or L3 switch, in your case it will be router or firewall where you also configure subinterface as L3 termination point for VLAN.

ACL will be applied on this subinterface in inbound direction. ACL will deny access to entire internal LAN networks and allow everything else (internet).

If you have any further question, please attach some sketch of your topology, it will really help.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

mahmoodmkl · ‎03-27-2013

Hi
U need to create the vlan on all the switches
U can create the subunterface on router

Sent from Cisco Technical Support iPhone App

jawad-mukhtar · ‎03-27-2013

Just For Example

AP > Switch > Router > Internet

AP will be connected to switch port fe 0/24

that swith prot will be in vlan 24

In that Switch you will create

interface vlan 24

no shut

Fe 0/24

Connected to AP

switch Access vlan 24

Switch Gig 0/1 will be connected to Router Gig 0/1

On Switch it will be

Interface Gig 0/1

Switch port mode trunk

switch port trunk encap dot1q

switch port trunk allowed vlan 24,a,b,c(What Ever Vlan)

On Router

You will create Sub Interface

gig 0/1.24

encapsulation dot1q 24

ip add 192.168.24.1 255.255.255.0

Access List to be applied on Subinterface

ip access-group abc in

*** Do Rate All Helpful Posts****

Jawad