03-25-2013 12:24 PM - edited 03-04-2019 07:24 PM
My IT Director wants to have guest wireless in the front office. I suggested a VLAN, but with little knowledge of setting one up, I figured I'd ask here. The switch he wants the AP connected to is like the third in line from the router and firewall. Question is: do I have to configure a port on every switch leading to the router, or just the one the AP is connected to? I know how to make subinterfaces on the router for the separate VLAN, but are there any ACL rules or subinterfaces that I have to include on the router or firewall? It doesn't really seem that complicated, but I'd appreciate the help.
03-25-2013 03:52 PM
Hello Jamie,
You have to configure the port on the switch where the AP will be connected with some VLAN which will be dedicated to wireless guests. This VLAN has to be allowed on all trunks leading to the router or firewall, depending on where you will terminate it (create the subinterface).
Also you should create an inbound ACL on this subinterface to restrict access for wireless guests. They should not have access to your internal LAN, just the internet or whatever your plan is.
Best Regards
Please rate all helpful posts and close solved questions
03-27-2013 08:20 AM
Ok, so if I'm understanding correctly: the switch that the AP is on is the only one where the separate VLAN (VLAN 10) has to be created. Traffic tagged for that VLAN (VLAN 10) will traverse the other two switches until it reaches the subinterface on the router or firewall that has that VLAN (VLAN 10).
Do I have to create a subinterface on the firewall for the vlan (let's call it vlan 10) or just on the router, or both? This is where I get confused. I'm pretty sure the ACL would have to only be applied to the vlan subinterface on the firewall, but I'm not sure. What ACL would I have to apply, and where?
You've been a great help, and I appreciate it.
03-28-2013 01:42 AM
Hello Jamie,
You have to create the subinterface on the firewall or router. It depends on where you have terminated the internet connection. If users access the internet through the firewall, the subinterface will be created there.
VLAN 10 is separated from other VLANs; if you want to access another VLAN, you have to configure inter-VLAN routing on the router/firewall or an L3 switch. In your case it will be the router or firewall, where you also configure the subinterface as the L3 termination point for the VLAN.
The ACL will be applied on this subinterface in the inbound direction. The ACL will deny access to all internal LAN networks and allow everything else (internet).
If you have any further questions, please attach a sketch of your topology; it will really help.
Best Regards
Please rate all helpful posts and close solved questions
03-27-2013 08:58 AM
Hi
You need to create the VLAN on all the switches.
You can create the subinterface on the router.
Sent from Cisco Technical Support iPhone App
03-27-2013 11:53 AM
Just for example:
AP > Switch > Router > Internet
AP will be connected to switch port Fa0/24; that switch port will be in VLAN 24.
On that switch you will create:
vlan 24
interface Vlan24
 no shutdown
interface FastEthernet0/24
 description Connected to AP
 switchport mode access
 switchport access vlan 24
Switch Gi0/1 will be connected to Router Gi0/1. On the switch it will be:
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 24,a,b,c (whatever VLANs)
On the router you will create a subinterface:
interface GigabitEthernet0/1.24
 encapsulation dot1Q 24
 ip address 192.168.24.1 255.255.255.0
Access list to be applied on the subinterface:
 ip access-group abc in
*** Do Rate All Helpful Posts****
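The two answers above describe the pieces (guest VLAN on the access port, VLAN allowed on every trunk in the path, L3 subinterface at the termination point, inbound ACL that blocks internal LANs) and the last post sketches them for a single switch. The configuration below is an added example, not from the original thread, that puts the pieces together for the three-switch chain the question describes, using the OP's VLAN 10. The guest subnet 192.168.10.0/24, the switch and router interface names, the switch names SW1/SW2/SW3, the ACL name GUEST-IN and the internal ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are all assumptions; substitute your own prefixes in the deny lines.

```cisco
! ===== SW3: the access switch the guest AP plugs into =====
! (assumed names/addresses; adjust to your network)
vlan 10
 name GUEST-WIFI
!
interface FastEthernet0/24
 description Guest AP
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description Uplink toward SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 10
!
! ===== SW2 and SW1: intermediate switches =====
! VLAN 10 must exist in each switch's VLAN database and be allowed
! on BOTH trunk ports of the path (downstream and upstream).
vlan 10
 name GUEST-WIFI
!
interface GigabitEthernet0/1
 description Trunk toward the AP switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 10
!
interface GigabitEthernet0/2
 description Trunk toward the router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 10
!
! ===== Router: L3 termination point for VLAN 10 =====
! Inbound ACL: guests may reach the Internet but no internal LAN.
ip access-list extended GUEST-IN
 remark Allow guests to obtain an address if this router serves DHCP for VLAN 10
 permit udp any eq bootpc any eq bootps
 remark Deny every internal prefix (replace with your real LAN ranges)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else (Internet) is allowed
 permit ip any any
!
interface GigabitEthernet0/1
 description Trunk to SW1
 no ip address
!
interface GigabitEthernet0/1.10
 description Guest wireless VLAN 10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-IN in
```

A few notes on the choices: the deny lines cover the whole of 192.168.0.0/16, so guests also cannot reach the router's own 192.168.10.1 for anything except DHCP, which is intended; if guests must use an internal DNS server, add a `permit udp any host <dns-ip> eq domain` line above the denies. The `switchport trunk encapsulation dot1q` line is required on switches that also support ISL (e.g. 3560) and is rejected on switches that only speak 802.1Q (e.g. 2960), where it is simply omitted. No `interface Vlan10` SVI is needed on the L2 switches, since routing for the guest VLAN happens only on the router subinterface. To verify the path end to end, check `show vlan brief` and `show interfaces trunk` on each switch (VLAN 10 should be listed as active and allowed on the trunk) and `show ip access-lists GUEST-IN` on the router after a guest tries to reach an internal address, where the deny counters should increment.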