04-14-2015 06:42 PM - edited 03-07-2019 11:32 PM
Hello,
I am trying to add a public access point to a network. The access point will be open and I need it to be on a separate vlan than the rest of the network. Before this the network had no need for vlans. So there was no vlan configuration.
So I set ports fa0/2-23 on the switch to VLAN 10. The public access point is on port fa0/24 and I have set that port to vlan 20. This works as expected, every device (on this switch) on vlan 10 can ping each other, but vlan 10 can't ping devices on the access point (vlan 20) and vice versa, which is good. That's what I want.
But here is where I am confused. The switch is connected to a router with port fa0/1. So I set the fa0/1 as a trunk port and configured it to accept all vlans. I set the native vlan as vlan 10 for the trunk port.
So now vlan 10 can ping the router but vlan 20 can't (both vlans are in the same subnet). I need both vlans to be able to ping the router and reach the internet.
Whichever vlan I set as the native on the trunk can ping just fine, and any other vlan can't.
Of course I can set up inter-vlan routing on the router with subinterfaces and both vlans can ping the router just fine, but this allows the vlans to also ping each other. I'm trying to keep "public" vlan 20 from being able to ping any devices on the "internal" vlan 10. So "inter" vlan routing is not really what I want.
The LAN is on subnet 172.16.7.x /26, I'm trying to keep both vlans on the same subnet.
Is there not a way to route both vlans without inter-vlan connectivity?
Thanks in advance
04-15-2015 12:18 AM
Do inter-vlan routing, but on the public interface on the router, put an ACL there for input.
Deny all RFC1918 address space apart from things like DHCP, DNS, and then permit everything else.
ip access-list extended BLK-RFC1918
 remark LOCK DOWN TO THINGS LIKE DHCP, DNS - permitted IP should be the respective servers
1 permit ip any host 172.16.7.1
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 172.16.0.0 0.15.255.255
100 permit ip any any
!
interface gix/x.20
ip access-group BLK-RFC1918 in
If you want to block your other vlans going to this public vlan then just do an opposite ACL and apply the ACL on the same interface but outbound.
hth.
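The reply's ACL is easy to get subtly wrong (entry order, wildcard masks, the implicit deny at the end), so here is an added walk-through that is not part of the thread: a small Python evaluator that parses IOS-style extended ACL entries with Cisco first-match semantics and runs the flows that matter for the question through them. The inbound ACL is the one posted above; the outbound list is my own construction of the "opposite ACL" the reply mentions (source and destination swapped). The guest, internal and internet addresses are constructed for the example (the guest VLAN is assumed to get its own subnet on the subinterface, 192.0.2.0/24 from the documentation range); only 172.16.7.1 comes from the reply. The parser models only `ip` entries in the `any` / `host A.B.C.D` / `A.B.C.D WILDCARD` forms used here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    src: tuple    # (value, mask): a packet matches when (ip & mask) == value
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i].

    A wildcard bit of 1 means "don't care", so the match mask is its complement.
    Returns ((value, mask), index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF
    return (addr & mask, mask), i + 2


def parse_acl(text):
    """Turn 'ip access-list extended' text into entries ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # skip the list header, '!' separators and remark lines
        if not tokens or tokens[0] in ("!", "ip") or "remark" in tokens[:2]:
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match hits the implicit 'deny ip any any'."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if (s & e.src[1]) == e.src[0] and (d & e.dst[1]) == e.dst[0]:
            return e.action, e.seq
    return "deny", None


# The ACL from the reply, applied 'in' on the public VLAN's subinterface.
BLK_RFC1918_IN = """
ip access-list extended BLK-RFC1918
 remark router-side services (DHCP, DNS) must be permitted before the denies
 1 permit ip any host 172.16.7.1
 10 deny ip any 10.0.0.0 0.255.255.255
 20 deny ip any 192.168.0.0 0.0.255.255
 30 deny ip any 172.16.0.0 0.15.255.255
 100 permit ip any any
"""

# Constructed here as the reply's "opposite ACL": same shape, source and
# destination swapped, applied 'out' on the same subinterface.
BLK_RFC1918_OUT = """
ip access-list extended BLK-RFC1918-OUT
 1 permit ip host 172.16.7.1 any
 10 deny ip 10.0.0.0 0.255.255.255 any
 20 deny ip 192.168.0.0 0.0.255.255 any
 30 deny ip 172.16.0.0 0.15.255.255 any
 100 permit ip any any
"""

# Constructed addresses: only 172.16.7.1 (the router) comes from the reply.
PUBLIC_CLIENT = "192.0.2.50"     # a guest on VLAN 20, in an assumed guest subnet
INTERNAL_HOST = "172.16.7.20"    # a workstation on the internal VLAN 10
INTERNET_HOST = "198.51.100.53"  # documentation address standing in for the internet


def audit():
    """Run the flows that matter for the question through both ACLs."""
    acl_in = parse_acl(BLK_RFC1918_IN)
    acl_out = parse_acl(BLK_RFC1918_OUT)
    return {
        "guest->router":   evaluate(acl_in, PUBLIC_CLIENT, "172.16.7.1"),
        "guest->internal": evaluate(acl_in, PUBLIC_CLIENT, INTERNAL_HOST),
        "guest->internet": evaluate(acl_in, PUBLIC_CLIENT, INTERNET_HOST),
        "guest->192.168":  evaluate(acl_in, PUBLIC_CLIENT, "192.168.1.10"),
        "router->guest":   evaluate(acl_out, "172.16.7.1", PUBLIC_CLIENT),
        "internal->guest": evaluate(acl_out, INTERNAL_HOST, PUBLIC_CLIENT),
        "internet->guest": evaluate(acl_out, INTERNET_HOST, PUBLIC_CLIENT),
    }


if __name__ == "__main__":
    for flow, (action, seq) in audit().items():
        print(f"{flow:16} {action:6} (seq {seq})")
```

Running it shows why sequence 1 sits before the 172.16.0.0/12 deny: the guest reaches 172.16.7.1 on entry 1 but is stopped at entry 30 for any other internal host, while internet destinations fall through to entry 100. Swapping entries 1 and 30 would silently break DHCP and DNS for the guest VLAN, which is the kind of mistake this evaluation catches before the change goes on the router.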