Restricting a VLAN to only access one IP address on other VLAN

JasLindsey
Level 1

Hello,

I currently have an SG200-26 26-Port Gigabit Smart Switch using all default settings and I am trying to gather some information about restricting VLANs on it. I would like to set up a wireless access point on its own VLAN that will only have access to one specific static IP address on my LAN. Ideally, the wireless access point will be on a different subnet as well. My goal is to have the wireless access point be a "guest network" that is completely separated from my LAN, but still have access to one specific IP address. How would I go about setting this up? This is an area I have not spent much time with so I am trying to figure out what my options are for this type of setup. Access Control Lists appear to be what I may need to utilize, but I don't believe the Smart Switches are capable of that, although maybe I am wrong.

If using VLANs is not the best way to achieve what I am trying to do then I am definitely open to other suggestions as well.

Any information is appreciated.

Thank you 

2 Replies

pwwiddicombe
Level 4

Depending on what you want to accomplish, this might be simple?  If you are looking for just wireless guest access to the Internet and you happen to have a typical DSL-style Internet access, then you simply need to have a wireless router connected to the provider DSL router.  It will be isolated from your internal network.

Caveat - if your internal network has no firewall or other isolation from the Internet at all (i.e. you just plug your SG200 directly into the DSL router), then this wouldn't provide the isolation from the guest connections, and a more involved setup would be necessary.

Thank you for the information.  My primary goal is to have the wireless guest subnet be completely isolated from my internal network, but still have access to one specific IP address.  The wireless guests need to be able to see a static IP address I assigned to a device, but that is it.  One way I thought may be able to achieve this is by setting up a separate VLAN with an ACL list on the Cisco switch that allows access to only the one IP address on my internal network, but in order to do that I believe I would have to upgrade my layer 2 SG-200 switch to a layer 3 SG-300 series.  Would I be correct to assume that, or would there be an easier way to achieve what I am trying to do? 

One user mentioned creating an ACL on the Cisco switch like this, but as I said, it seems I would have to step up to a 300 series managed switch to do so.

! Cisco IOS syntax as posted. Entries are evaluated top down, first match wins,
! and a packet that matches nothing hits the implicit deny at the end of the list.
! Assumes VLAN 50 is the guest VLAN and carries the 192.168.20.0/24 subnet.
access-list 100 permit   ip 192.168.20.0 0.0.0.255 host 10.1.1.52
! Block everything else in the RFC 1918 private ranges (172.16/12, 10/8, 192.168/16)
access-list 100 deny   ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
! Anything not private (i.e. the Internet) is still allowed
access-list 100 permit ip any any

! Apply inbound on the guest VLAN's SVI (needs a layer 3 switch). The list is
! stateless: it filters only what enters from the guest VLAN, not the replies.
interface vlan 50
 ip access-group 100 in
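To check what the ACL quoted above actually lets a guest reach before committing to a switch upgrade, here is an added example that is not part of the thread: a small Python model of IOS extended-ACL matching (first match wins, wildcard masks, implicit deny at the end) that parses the posted `ip` entries and evaluates a constructed set of destinations from a hypothetical guest address. It models plain IP entries only, with no ports and no state; the destination list, the guest address 192.168.20.10, and the function names `parse_acl`, `evaluate` and `guest_reachability` are all assumptions made for this example.

```python
"""Evaluate the guest-VLAN ACL from the thread with IOS first-match semantics.

Constructed example, not code from the thread or from Cisco: a minimal model of
IOS extended-ACL matching for 'ip' entries (no ports, no connection state), used
to check which destinations a guest on 192.168.20.0/24 can actually reach.
"""
import ipaddress

# ACL text exactly as posted in the thread (IOS syntax).
ACL_TEXT = """
access-list 100 permit ip 192.168.20.0 0.0.0.255 host 10.1.1.52
access-list 100 deny   ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A wildcard'.

    Returns ((network_int, wildcard_int), index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Return the ordered list of (action, src_spec, dst_spec) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # not an access-list entry; ignored in this model
        action = tokens[2]
        if action not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError(f"unsupported entry (only plain 'ip' modelled): {line!r}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def _matches(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def evaluate(entries, src, dst):
    """Top-down, first matching entry wins; unmatched traffic is implicitly denied."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in entries:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"


def guest_reachability(entries, guest="192.168.20.10"):
    """Map a constructed set of destinations to the ACL verdict for one guest."""
    destinations = [
        "10.1.1.52",      # the one internal host the guests are meant to reach
        "10.1.1.53",      # another host on the same internal subnet
        "172.16.5.9",     # inside RFC 1918 172.16/12
        "172.32.0.1",     # just outside 172.16/12, so not private: permitted
        "192.168.1.1",    # inside RFC 1918 192.168/16 (e.g. the LAN router)
        "192.168.20.20",  # another guest: the model says deny, but traffic within
                          # one VLAN is switched at layer 2 and never hits an SVI ACL
        "8.8.8.8",        # the Internet
    ]
    return {d: evaluate(entries, guest, d) for d in destinations}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for dst, verdict in guest_reachability(acl).items():
        print(f"{dst:16} {verdict}")
```

Two things the run makes visible that the list alone does not: the `permit ip any any` at the bottom means guests get everything that is not RFC 1918, including any public address on your side of the router, and the SVI list says nothing about guest-to-guest traffic on the same VLAN, which the switch forwards at layer 2 without consulting it.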