Hi to all,
I'm looking to create two LAN isolated on a single physical switch with port-based VLAN (untagged).
One port from each VLAN will be plugged to switch (link in yellow and green), see picture below.
VLAN 2000, name = GUEST, subnet = 172.16.1/24
VLAN 3000, name = WIFI, subnet = 10.0.1/24
I need to be sure that both VLAN cannot communicate to each one for security reason.
Currently, my switch has only VLAN1, setup is like this :
Using 3379 out of 524288 bytes ! ! Last configuration change at 13:25:47 CET Sat Feb 16 2019 ! NVRAM config last updated at 13:26:02 CET Sat Feb 16 2019 ! version 15.2 no service pad service timestamps debug datetime localtime service timestamps log datetime localtime service password-encryption ! hostname C2960XR#1 ! boot-start-marker boot-end-marker ! enable secret 5 XXXXXXXXXXXXXXX enable password 7 XXXXXXXXXXXXXXXXX ! username Cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX. no aaa new-model clock timezone CET 1 0 clock summer-time CET recurring last Sun Mar 1:00 last Sun Oct 1:00 switch 1 provision ws-c2960xr-48lpd-i system mtu routing 1500 ! ! ! crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXX enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXX revocation-check none rsakeypair TP-self-signed-XXXXXXXXXXXXXXXX ! ! crypto pki certificate chain TP-self-signed-XXXXXXXXXXXXXX certificate self-signed 01 nvram:IOS-Self-Sig#1.cer ! spanning-tree mode pvst spanning-tree extend system-id ! ! ! interface Bluetooth0 no ip address shutdown downshift disable ! interface FastEthernet0 no ip address shutdown ! interface GigabitEthernet1/0/1 ! interface GigabitEthernet1/0/2 ! interface GigabitEthernet1/0/3 ! interface GigabitEthernet1/0/4 ! interface GigabitEthernet1/0/5 ! interface GigabitEthernet1/0/6 ! interface GigabitEthernet1/0/7 ! interface GigabitEthernet1/0/8 ! interface GigabitEthernet1/0/9 ! interface GigabitEthernet1/0/10 ! interface GigabitEthernet1/0/11 ! interface GigabitEthernet1/0/12 ! interface GigabitEthernet1/0/13 ! interface GigabitEthernet1/0/14 ! interface GigabitEthernet1/0/15 ! interface GigabitEthernet1/0/16 ! interface GigabitEthernet1/0/17 ! interface GigabitEthernet1/0/18 ! interface GigabitEthernet1/0/19 ! interface GigabitEthernet1/0/20 ! interface GigabitEthernet1/0/21 ! interface GigabitEthernet1/0/22 ! interface GigabitEthernet1/0/23 ! interface GigabitEthernet1/0/24 ! interface GigabitEthernet1/0/25 ! interface GigabitEthernet1/0/26 ! interface GigabitEthernet1/0/27 ! interface GigabitEthernet1/0/28 ! interface GigabitEthernet1/0/29 ! interface GigabitEthernet1/0/30 ! interface GigabitEthernet1/0/31 ! interface GigabitEthernet1/0/32 ! interface GigabitEthernet1/0/33 ! interface GigabitEthernet1/0/34 ! interface GigabitEthernet1/0/35 ! interface GigabitEthernet1/0/36 ! interface GigabitEthernet1/0/37 ! interface GigabitEthernet1/0/38 ! interface GigabitEthernet1/0/39 ! interface GigabitEthernet1/0/40 ! interface GigabitEthernet1/0/41 ! interface GigabitEthernet1/0/42 ! interface GigabitEthernet1/0/43 ! interface GigabitEthernet1/0/44 ! interface GigabitEthernet1/0/45 ! interface GigabitEthernet1/0/46 ! interface GigabitEthernet1/0/47 ! interface GigabitEthernet1/0/48 ! interface GigabitEthernet1/0/49 ! interface GigabitEthernet1/0/50 ! interface TenGigabitEthernet1/0/1 ! interface TenGigabitEthernet1/0/2 ! interface Vlan1 ip address 192.168.1.233 255.255.255.0 ! ip default-gateway 192.168.1.1 ip forward-protocol nd no ip http server ip http authentication local ip http secure-server ! ! no vstack ! line con 0 password 7 XXXXXXXXXXXXXXXXXX login line vty 0 4 password 7 XXXXXXXXXXXXXXXXXX login line vty 5 15 password 7 XXXXXXXXXXXXXXXXXX login ! ntp server ntp.deuza.net ntp server pool.ntp.org ! end
I think that i need to use these command, do you confirm that is correct ? Is it enough ?
configure #vlan 2000 #name VLAN GUEST #no shutdown #exit configure #vlan 3000 #name VLAN WIFI #no shutdown #exit configure #interface vlan 2000 #ip address 172.16.1.254 255.255.255.0 #no shut #exit configure #interface vlan 3000 #ip address 10.0.1.254 255.255.255.0 #no shut #exit configure #interface range Gi1/0/3-48,Te1/1/1,Te1/1/2 #switchport mode access #switchport access vlan 2000 #exit #interface range Gi1/0/1, Gi1/0/2,Te1/0/1,Te1/0/2 #switchport mode access #switchport access vlan 3000 #exit
Best Regards,
Elrick
