Cisco 877 Router for Internet access to a private and guest LAN?

wspendlove · ‎08-06-2009

Hi,

Could someone please take a look at the attached configuration and advise me if I can firstly use a Cisco 877 router for the job and secondly point me in the right direction of the config. My goal is to share an existing ADSL connection with LAN1 (existing private LAN 10.55.0.0) and the proposed hotel 'guest' LAN (192.168.0.0). Obviously I do not want any kind of connectivity between the private and guest LAN. The router is running C870-ADVSECURITYK9-M Version 12.4(11) and I'm guessing I'll need to upgrade to ADVSERVICES.

The current LAN (10.55.0.0) consists of a switched network that plugs into Eth0 on the 877 router. The proposed guest LAN (192.168.0.0) will consist of a small switch plugged into Eth1 and DHCP services will be provided locally by the wireless routers out of different areas of the buildings.

The current configuration (slight amendments for security reasons) is attached.

Thanks.

iyde · ‎08-07-2009

Hi.

I believe it should be possible, and also with the feature set you already have in your router.

I would create a new VLAN interface for the guest net and then assign this VLAN to the FastEthernet1 port.

On Vlan 1 I'd make a new ACL102 to match the 10.55.0.0/16 network and deny the 192.168.0.0 network:

access-list 102 deny ip 10.55.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 102 permit ip 10.55.0.0 0.0.255.255 any

!

interface Vlan1

ip address 10.55.254.55 255.255.0.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

Then for the hotel network:

access-list 103 deny ip 192.168.0.0 0.0.255.255 10.55.0.0 0.0.255.255

access-list 103 permit ip 192.168.0.0 0.0.255.255 any

Then on new VLAN (e.g. VLAN 2):

interface Vlan2

ip address 192.168.0.1 255.255.0.0

ip access-group 103 in

ip nat inside

ip virtual-reassembly

I have not tried myself to set it up and test it, but it should work. Try it out and see if it does the trick :-)

HTH