01-27-2013 09:49 AM - edited 03-07-2019 11:20 AM
I have a 2960 SI LAN Lite switch that I am configuring for admin and guest access. I have wireless APs plugged into trunked ports 2 and 3. I am using two VLANs (in addition to the native VLAN): VLAN 5 for Admin and VLAN 10 for guest access. I have an ACL configured on the router preventing guest users from accessing the Admin network. I want to prevent those on the guest network from seeing other hosts in the VLAN; however, the LAN Lite software does not support port ACLs. Does anyone know of a way to accomplish this with this switch? Please see configs below. Thanks!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2960-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXX
!
username Admin privilege 15 password 7 XXXXXX
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
crypto pki trustpoint TP-self-signed-517132928
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-517132928
revocation-check none
rsakeypair TP-self-signed-517132928
!
!
crypto pki certificate chain TP-self-signed-517132928
certificate self-signed 01
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport mode trunk
!
interface FastEthernet0/3
switchport mode trunk
!
interface FastEthernet0/4
switchport access vlan 5
!
interface FastEthernet0/5
switchport access vlan 5
!
interface FastEthernet0/6
switchport access vlan 5
!
interface FastEthernet0/7
switchport access vlan 5
!
interface FastEthernet0/8
switchport access vlan 5
!
interface FastEthernet0/9
switchport access vlan 5
!
interface FastEthernet0/10
switchport access vlan 5
!
interface FastEthernet0/11
switchport access vlan 5
!
interface FastEthernet0/12
switchport access vlan 5
!
interface FastEthernet0/13
switchport access vlan 5
!
interface FastEthernet0/14
switchport access vlan 5
!
interface FastEthernet0/15
switchport access vlan 5
!
interface FastEthernet0/16
switchport access vlan 5
!
interface FastEthernet0/17
switchport access vlan 5
!
interface FastEthernet0/18
switchport access vlan 5
!
interface FastEthernet0/19
switchport access vlan 5
!
interface FastEthernet0/20
switchport access vlan 10
!
interface FastEthernet0/21
switchport access vlan 10
!
interface FastEthernet0/22
switchport access vlan 10
!
interface FastEthernet0/23
switchport access vlan 10
!
interface FastEthernet0/24
switchport access vlan 10
!
interface Vlan1
ip address 10.35.1.2 255.255.255.0
no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
line con 0
password 7 XXXXXX
login
line vty 0 4
login local
line vty 5 15
login local
!
end
01-27-2013 10:15 AM
Hi,
If it is supported, you can use the switchport protected command, also called pvlan edge, which will prevent hosts in the same VLAN from communicating. You'll have to enter this command on all access ports belonging to this VLAN.
Regards
Alain
Don't forget to rate helpful posts.
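An added audit check, written for this thread (not code from the original posts or from Cisco): it parses running-config text in the style of the switch config above and lists every guest-VLAN access port and AP-facing trunk that still lacks switchport protected. The sample config is constructed, and the router uplink name (FastEthernet0/1) is an assumption; the uplink is skipped because a protected uplink would cut guests off from their gateway.

```python
import re
from typing import Dict, List

# Constructed sample in the same style as the 2960 config in the thread:
# one router uplink trunk, one AP trunk, an admin access port and two guest
# access ports, only one of which already carries "switchport protected".
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/19
 switchport access vlan 5
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/21
 switchport access vlan 10
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its config lines (whitespace stripped)."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"^interface (\S+)$", line)
        if header:
            current = header.group(1)
            stanzas[current] = []
        elif line == "!" or not line:
            current = None          # "!" ends the stanza in IOS config output
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_guest_isolation(config: str, guest_vlan: int, uplink: str) -> List[str]:
    """Return interfaces that carry the guest VLAN but lack 'switchport protected'.

    Checked: access ports in guest_vlan and every trunk except the router
    uplink (assumed name passed in), which must stay unprotected so guests
    can still reach their default gateway through it."""
    missing: List[str] = []
    for name, lines in parse_interfaces(config).items():
        guest_access = f"switchport access vlan {guest_vlan}" in lines
        ap_trunk = "switchport mode trunk" in lines and name != uplink
        if (guest_access or ap_trunk) and "switchport protected" not in lines:
            missing.append(name)
    return missing
```

The check only covers frames that actually reach the switch; two wireless clients associated to the same AP are bridged by the AP itself, so the switch's protected ports never see that traffic and isolation on the AP side, as the later reply points out, is needed as well.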
01-27-2013 10:28 AM
Alain,
Thanks for your help again. The LAN Lite software does support pvlan edge; however, can this be applied to trunked ports connected to autonomous APs?
01-27-2013 12:32 PM
You would need to configure your AP with private VLAN.
Here is a link that may be helpful:
https://learningnetwork.cisco.com/thread/43894
HTH
Sent from Cisco Technical Support iPhone App
01-27-2013 01:49 PM
Where is your VLAN Database/Instance in your config?
01-31-2013 10:02 AM
Sorry it has taken a while to apply the recommended changes. I have entered the switchport protected command on all VLAN 10 access ports and on all trunked ports going to autonomous APs. I am still able to ping and see shared drives between PCs on the same guest SSID when they are connected to an AP.
Leolaohoo - Is this the information you asked for?
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2
5    FCC-Admin                        active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
10   FCC-Guest                        active    Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------