08-07-2023 06:17 AM - edited 08-08-2023 11:03 PM
Hi,
I have Cisco 3750X switches connected in series. There are currently 6 VLANs configured with inter-VLAN routing (VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, and VLAN 60). All these VLANs can communicate and send traffic in and out with each other.
I have recently got a Cisco AP (AIR-CAP3702I-K-K9) in an autonomous setup (without WLNC) and have configured it in the configuration below.
Two SSIDs are being broadcast.
SSID1 is tagged with VLAN 40 and SSID2 is tagged with VLAN 60 (a user who connects to SSID2 will be tagged with VLAN 60 and get DHCP from the VLAN 60 pool via the domain controller),
and I have configured the switch port as below.
interface GigabitEthernet1/0/40
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport trunk allowed vlan 40,60
switchport mode trunk
spanning-tree portfast
In this way, the AP will get its IP in VLAN 60, and users connected to either SSID will fall in their respective VLAN as shown above.
My concern is to block incoming and outgoing traffic between VLAN 60 and all the other VLANs in the network, such that if a guest user joins
SSID2 they fall in VLAN 60 without having access to the other VLANs.
I've included the switch configuration below.
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.16.1.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan20
ip address 172.16.2.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan30
ip address 172.16.3.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan40
ip address 172.16.4.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan50
ip address 172.16.5.100 255.255.255.128
!
interface Vlan60
ip address 172.16.6.100 255.255.255.128
ip helper-address 172.16.5.5
!
interface Vlan100
ip address 192.168.10.10 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
ip http secure-server
!
ip access-list standard telnet-access
!
access-list 1 permit 192.168.10.10
access-list 1 permit 172.16.0.1
access-list 101 permit ip any any
!
Please advise how to configure the switch to achieve the above outcome.
08-07-2023 07:46 AM
- Just make sure that VLAN60 remains isolated, does not take part in inter-VLAN routing (intranet), and/or has route(s) to the 'outside world' only,
M.
08-07-2023 12:01 PM - edited 08-07-2023 12:15 PM
Hi @marce1000
What should the configuration on the switch be? What commands/steps should I follow?
08-08-2023 11:04 PM
Please Help!!!
08-09-2023 07:58 AM
The first thing I would point out is that your configured default route is not correct: ip route 0.0.0.0 0.0.0.0 172.16.0.1. The problem is that there is not anything in your config that identifies where subnet 172.16.0.0 is.
Am I correct in understanding that you want any device connecting to vlan 60 to have access to the DHCP server in vlan 50 but to have no access to any other devices in the other connected vlans/subnets? If so I suggest something like this:
access-list 160 permit ip 172.16.6.0 0.0.0.127 host 172.16.5.5
access-list 160 deny ip 172.16.6.0 0.0.0.127 172.16.0.0 0.0.255.255
access-list 160 permit ip 172.16.6.0 0.0.0.127 any
interface Vlan60
ip access-group 160 in
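The two points made in this answer (the default route's next hop is on no connected subnet, and the ordering of the three lines in ACL 160) can be checked off-box before touching the switch. The script below is an added example, not code from the thread or from Cisco; it rebuilds the connected subnets from the SVI addresses in the question, models the ACL with IOS wildcard masks, and walks a few constructed sample flows through it with the implicit deny at the end. Everything it tests is taken from the configuration posted above; the client addresses (172.16.6.20, 172.16.1.10) and the outside address (198.51.100.10) are constructed.

```python
import ipaddress

# Connected subnets derived from the SVI configuration in the question
# ("ip address A.B.C.D MASK" on each interface Vlan N). Vlan1 has no address.
SVI_ADDRESSES = {
    "Vlan10":  "172.16.1.100/255.255.255.128",
    "Vlan20":  "172.16.2.100/255.255.255.128",
    "Vlan30":  "172.16.3.100/255.255.255.128",
    "Vlan40":  "172.16.4.100/255.255.255.128",
    "Vlan50":  "172.16.5.100/255.255.255.128",
    "Vlan60":  "172.16.6.100/255.255.255.128",
    "Vlan100": "192.168.10.10/255.255.255.0",
}
CONNECTED = {name: ipaddress.ip_interface(addr).network
             for name, addr in SVI_ADDRESSES.items()}


def next_hop_interface(next_hop, connected=CONNECTED):
    """Return the SVI whose connected subnet contains next_hop, or None.

    A static route whose next hop lies on no connected subnet cannot be
    resolved (this is the default-route problem pointed out in the answer).
    """
    hop = ipaddress.ip_address(next_hop)
    for name, net in connected.items():
        if hop in net:
            return name
    return None


def wildcard(net, mask):
    """Convert an IOS 'network wildcard' pair into an ip_network.

    ipaddress accepts a hostmask (e.g. 0.0.0.127) as the prefix part.
    """
    return ipaddress.ip_network(f"{net}/{mask}")


# ACL 160 exactly as proposed in the answer, in its original order.
ACL_160 = [
    ("permit", wildcard("172.16.6.0", "0.0.0.127"), ipaddress.ip_network("172.16.5.5/32")),
    ("deny",   wildcard("172.16.6.0", "0.0.0.127"), wildcard("172.16.0.0", "0.0.255.255")),
    ("permit", wildcard("172.16.6.0", "0.0.0.127"), ipaddress.ip_network("0.0.0.0/0")),
]


def acl_action(acl, src, dst):
    """First-match evaluation of a standard/extended IP ACL on src/dst.

    Returns 'permit' or 'deny'; an IOS ACL ends with an implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# Constructed sample flows entering the Vlan60 SVI (ip access-group 160 in).
SAMPLE_FLOWS = [
    ("172.16.6.20", "172.16.5.5"),       # guest -> DHCP/DC in VLAN 50
    ("172.16.6.20", "172.16.1.10"),      # guest -> host in VLAN 10
    ("172.16.6.20", "172.16.6.100"),     # guest -> its own gateway SVI
    ("172.16.6.20", "198.51.100.10"),    # guest -> outside world
    ("0.0.0.0", "255.255.255.255"),      # initial DHCP DISCOVER broadcast
]


def evaluate_flows(acl=ACL_160, flows=SAMPLE_FLOWS):
    """Map each (src, dst) flow to the action ACL 160 would take."""
    return {flow: acl_action(acl, *flow) for flow in flows}


if __name__ == "__main__":
    print("next hop 172.16.0.1 reached via:", next_hop_interface("172.16.0.1"))
    for (src, dst), action in evaluate_flows().items():
        print(f"{src:>16} -> {dst:<16} {action}")
```

Running it shows that 172.16.0.1 is reachable through none of the SVIs, which is why the default route as written does nothing, and that the ACL permits the guest subnet to the DHCP server, denies it to every other 172.16.0.0/16 host (including the Vlan60 SVI address itself, so pings to the gateway from VLAN 60 will fail), and permits everything else. The last sample flow is the check worth doing after applying the ACL: a client's first DHCP DISCOVER is sourced from 0.0.0.0, which matches none of the three lines and so falls to the implicit deny. Lease renewals are unicast from a 172.16.6.x address and match line 1, so a client that already holds a lease will look fine while a new one will not. Whether the platform exempts relayed DHCP broadcasts from an inbound SVI ACL is something to confirm on the switch rather than assume.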