12-29-2012 06:17 AM - edited 07-03-2021 11:16 PM
Hi all and Merry Christmas to you.
So I have been off work for a few days now playing in my lab. I have configured a number of VLANs to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142. I know it may be a bit of overkill, but it’s just me doing a bit of lab work and learning.
What I’m after doing now is setting up ACLs to deny the Guest and Games Console VLANs from accessing my LAN, and I’m not sure where to start. I want the consoles only to be able to connect to PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN; this is for users who come round with phones and tablets.
My lab looks like this:
Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.
My DHCP server is on VLAN 6 with an IP address of 192.168.6.241.
VLANs are:
interface Vlan5
description *****DATA VLAN*****
ip address 192.168.5.253 255.255.255.240
ip helper-address 192.168.6.241
!
interface Vlan6
description *****Servers*****
ip address 192.168.6.254 255.255.255.240
!
interface Vlan7
description *****VOICE*****
ip address 192.168.7.254 255.255.255.240
ip helper-address 192.168.6.241
!
interface Vlan8
description *****VOICE WIFI*****
ip address 192.168.8.254 255.255.255.240
ip helper-address 192.168.6.241
!
interface Vlan9
description *****WIFI CONSOLES*****
ip address 192.168.9.254 255.255.255.240
ip helper-address 192.168.6.241
!
interface Vlan10
description *****WiFi Home*****
ip address 192.168.10.254 255.255.255.240
ip helper-address 192.168.6.241
!
interface Vlan11
description *****WiFi Guest*****
ip address 192.168.11.254 255.255.255.240
ip helper-address 192.168.6.241
!
interface Vlan12
description *****Management*****
ip address 192.168.12.254 255.255.255.240
The AP config looks like:
dot11 ssid Console
vlan 9
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 094F4107170A051103
!
dot11 ssid Home
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
mbssid guest-mode
interface Dot11Radio0.9
encapsulation dot1Q 9
ip helper-address 192.168.6.241
no ip route-cache
bridge-group 9
bridge-group 9 subscriber-loop-control
bridge-group 9 block-unknown-source
no bridge-group 9 source-learning
no bridge-group 9 unicast-flooding
bridge-group 9 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
ip helper-address 192.168.6.241
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface Dot11Radio0.12
encapsulation dot1Q 12 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
At the minute I’m just trying to stop Console getting to the Home network before I move on to the rest.
I have not got a clue where to start or where to place the ACLs. Would they be on the Switch or the AP itself?
Hope you can help me out.
Happy new year
Martyn
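One way to do this on the switch, as an added example that is not part of the thread or of the document Scott links to: the WS-C3560 is what routes between the VLANs, so an inbound ACL on the SVI of the restricted VLAN catches everything that VLAN sends to other subnets. It assumes ip routing is already enabled, that 192.168.6.241 is the only internal host the consoles need (DHCP, and DNS if it is served from the same box), and that guest and console clients otherwise use public DNS handed out by DHCP.

```cisco
! Added example, not taken from the thread. Applied on the WS-C3560.
! Assumes "ip routing" is on and DHCP/DNS for the consoles is 192.168.6.241.
ip access-list extended CONSOLE-IN
 remark Let clients obtain and renew leases via the ip helper-address relay
 permit udp any eq bootpc any eq bootps
 remark Assumption: DNS is served from the same host; delete if it is not
 permit udp 192.168.9.0 0.0.0.15 host 192.168.6.241 eq domain
 remark Block every private range, which covers the Home VLAN (192.168.10.0/28),
 remark the servers, management and every other lab subnet; "log" records hits
 remark but logged packets are CPU-processed on the 3560, so use it sparingly
 deny   ip 192.168.9.0 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 192.168.9.0 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 192.168.9.0 0.0.0.15 192.168.0.0 0.0.255.255 log
 remark Everything else (PSN, Xbox Live, the rest of the Internet) routes normally
 permit ip 192.168.9.0 0.0.0.15 any
 remark Packets not sourced from the console subnet hit the implicit deny,
 remark which also drops spoofed source addresses coming in on VLAN 9
!
interface Vlan9
 ip access-group CONSOLE-IN in
!
! Same pattern for the Guest VLAN; only the source subnet changes.
! Add a DNS permit as above if guests are given an internal resolver.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.11.0 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 192.168.11.0 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 192.168.11.0 0.0.0.15 192.168.0.0 0.0.255.255 log
 permit ip 192.168.11.0 0.0.0.15 any
!
interface Vlan11
 ip access-group GUEST-IN in
!
! Check from a console: it still gets a lease, ping 192.168.10.254 fails,
! and the Internet works. Then confirm the hit counters on the switch:
! show ip access-lists CONSOLE-IN
```

The ACL only filters traffic that the switch routes, so devices on the same wireless VLAN can still see each other; that is unaffected by SVI ACLs and is what the AP-side options in Scott's link address.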
12-29-2012 07:12 AM
Here is a support document in regards to autonomous ACL:
https://supportforums.cisco.com/docs/DOC-13768
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"