Solved: Vlan/ACL question

jpgleason · ‎03-28-2012

I am in the process of getting my guest access set up on my network and I have a couple of questions.

1) On my L3 switch I currently have the switch port with the command line of switchport access vlan 2 for my current wireless network. I am looking to add vlan 3 for the guest wireless access. Should I add/change that line to switchport trunk allow vlan 2,3 for each port I have my APs plugged into?

2) I am having issues with my ACLs. All I want my guest vlan to do is go to the internet, nothing more. Is it better to place this ACL on the WCL, L3 switch or ASA? When I try it on the WLC, even when I deny ICMP both ways, I am still able to ping and I do have the ACL applied to the interface.

Thanks,

Jim

Stephen Rodriguez · ‎03-28-2012

If your ap are in local mode you won't Ned ti change the port as the traffic is ingress/egress at the WLC. So long as VLAN 3 is allowed there it will be fine.

As for the ACL, I'd put it on the Layer 3 interface of the switch/router.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Stephen Rodriguez · ‎03-28-2012

If your ap are in local mode you won't Ned ti change the port as the traffic is ingress/egress at the WLC. So long as VLAN 3 is allowed there it will be fine.

As for the ACL, I'd put it on the Layer 3 interface of the switch/router.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered