2960 SI lan lite acl's

jay
Level 1

I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for Admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the Admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Does anyone know of a way to accomplish this with this switch? Please see configs below. Thanks!

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2960-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXX
!
username Admin privilege 15 password 7 XXXXXX
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
crypto pki trustpoint TP-self-signed-517132928
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-517132928
 revocation-check none
 rsakeypair TP-self-signed-517132928
!
!
crypto pki certificate chain TP-self-signed-517132928
 certificate self-signed 01


  quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 5
!
interface FastEthernet0/5
 switchport access vlan 5
!
interface FastEthernet0/6
 switchport access vlan 5
!
interface FastEthernet0/7
 switchport access vlan 5
!
interface FastEthernet0/8
 switchport access vlan 5
!
interface FastEthernet0/9
 switchport access vlan 5
!
interface FastEthernet0/10
 switchport access vlan 5
!
interface FastEthernet0/11
 switchport access vlan 5
!
interface FastEthernet0/12
 switchport access vlan 5
!
interface FastEthernet0/13
 switchport access vlan 5
!
interface FastEthernet0/14
 switchport access vlan 5
!
interface FastEthernet0/15
 switchport access vlan 5
!
interface FastEthernet0/16
 switchport access vlan 5
!
interface FastEthernet0/17
 switchport access vlan 5
!
interface FastEthernet0/18
 switchport access vlan 5
!
interface FastEthernet0/19
 switchport access vlan 5
!
interface FastEthernet0/20
 switchport access vlan 10
!
interface FastEthernet0/21
 switchport access vlan 10
!
interface FastEthernet0/22
 switchport access vlan 10
!
interface FastEthernet0/23
 switchport access vlan 10
!
interface FastEthernet0/24
 switchport access vlan 10
!
interface Vlan1
 ip address 10.35.1.2 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
line con 0
 password 7 XXXXXX
 login
line vty 0 4
 login local
line vty 5 15
 login local
!
end

5 Replies

cadet alain
VIP Alumni

Hi,

If it is supported, you can use the switchport protected command, also called PVLAN edge, which will prevent hosts in the same VLAN from communicating. You'll have to enter this command on all access ports belonging to this VLAN.

Regards

Alain

Don't forget to rate helpful posts.
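A coverage check for the advice above, as an added Python example that is not from the thread: it parses IOS interface stanzas and reports guest-VLAN access ports and trunks that lack switchport protected, since PVLAN edge only isolates protected ports on the same switch. SAMPLE_CONFIG is constructed to resemble the posted config, and the function names are my own.

```python
"""Audit a Cisco IOS config for 'switchport protected' (PVLAN edge) coverage.
Added example, not from the thread. Protected ports only isolate protected
ports on the same switch, so every guest access port and every AP trunk must
carry the command. SAMPLE_CONFIG is constructed to resemble the posted one."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode trunk
 switchport protected
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/21
 switchport access vlan 10
!
"""
ACCESS_VLAN = re.compile(r"^switchport access vlan (\d+)$")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # the posted config lost its indentation
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line in ("!", "", "end"):
            current = None  # '!' or 'end' closes the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit_protected(config, guest_vlan):
    """Return (guest access ports, trunks) lacking 'switchport protected'."""
    access_gaps, trunk_gaps = [], []
    for name, lines in parse_interfaces(config).items():
        protected = "switchport protected" in lines
        vlans = [int(m.group(1)) for m in map(ACCESS_VLAN.match, lines) if m]
        if "switchport mode trunk" in lines and not protected:
            trunk_gaps.append(name)
        elif guest_vlan in vlans and not protected:
            access_gaps.append(name)
    return sorted(access_gaps), sorted(trunk_gaps)
```

Even with full coverage, two wireless clients on the same AP are bridged inside the AP and their traffic never reaches the switch port, so that case has to be handled on the AP itself.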

Alain,

Thanks for your help again. The LAN Lite software does support PVLAN edge; however, can this be applied to trunked ports connected to autonomous APs?

You would need to configure your AP with private VLAN.
Here is a link that may be helpful:

https://learningnetwork.cisco.com/thread/43894

HTH

Sent from Cisco Technical Support iPhone App

Leo Laohoo
Hall of Fame

Where is your VLAN Database/Instance in your config?

Sorry it has taken a while to apply the recommended changes. I have entered the switchport protected command on all VLAN 10 access ports and on all trunked ports going to autonomous APs. I am still able to ping and see shared drives between PCs on the same guest SSID when they are connected to an AP.

Leolaohoo - Is this the information you asked for?

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2
5    FCC-Admin                        active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
10   FCC-Guest                        active    Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
