I have a Cisco 2900XL switch with Release 12.0(5)WC11 installed on it. In the commands, there is a global command "show access-lists" and a configuration command "access-list".
I have the switch connected to a router using port fa0/1. I want to put a router on port fa0/24 and have it provide an open wi-fi hotspot. My local network is on fa0/2 through fa0/6. What I want, is an access-list that allows the traffic from the wi-fi to go out to my router, but not be able to go to my local network.
The IPs involved are 192.168.2.254 for the router hosting the wireless (Linksys WRT54G) and 192.168.2.1 for my Ethernet interface on the Cisco router (Cisco 2514 router).
I created the access-list on the switch like this:
access-list 110 permit ip 192.168.2.254 0.0.0.0 192.168.2.1 0.0.0.0
access-list 110 deny ip 192.168.2.254 0.0.0.0 any
My two questions are these:
1. Will this work for what I want? (knowing that the router will provide DHCP on the 192.168.3.0 network)
2. How do I implement this on the actual ports?
I know how to implement this on routers, so I'm wondering whether the method is the same (int fa0/x, ip access-group 110 in). And will I want to implement it on all of the ports, or should I just put it on the out (or in) of int fa0/24 (which will have the router)?
Thanks and have a great day :)
I don't think this particular access list will work, because the traffic (from an IP perspective) won't actually be between the wifi hotspot and your router. It will be between your wifi clients' IP and their destination IP address.
Wouldn't it be easier to create separate VLANs for your router-to-wifi-hotspot connection and your local network? That way, they won't be able to talk to each other unless they go through your router. You can then apply a firewall policy on the router to prevent the wifi clients from connecting to your internal network.
- put your internal router interface and the local network device on fa0/2-fa0/6 in, say, vlan 100.
- put your external router interface and the wifi hotspot on fa0/24 in, say, vlan 200.
- configure 192.168.2.1/30 on the external router interface and 192.168.2.2/30 on the wifi hotspot ethernet interface.
- configure 192.168.3.1/24 on the internal router interface and configure your local network to match.
- configure another IP subnet on the wifi hotspot for DHCP to the wifi clients
- statically route this IP subnet from your router to the wifi hotspot
- configure default gateway on the wifi hotspot to point to your router
- configure an access list on the router to prevent traffic from entering your local network and permit for wherever it needs to go
Alternatively, if you don't want to separate them out at layer 3, you could try private vlans (pvlans), but I'm not 100% sure whether that is supported on the 2900XL series.
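The scheme in the reply above, written out as IOS configuration for the switch and the router. This is an added example, not configuration posted by either participant. It assumes the 2514's second Ethernet interface (Ethernet1) is patched into switch port fa0/7, that the WRT54G hands out 192.168.4.0/24 to the wifi clients, and it uses ACL number 120 and the VLAN names INTERNAL and HOTSPOT; none of those values appear in the thread and all are placeholders.

```cisco
! ===== Cisco 2900XL switch, 12.0(5)WC11: layer 2 only, so it only does VLAN membership =====
! Assumption: router Ethernet1 is cabled to fa0/7 (not stated in the thread).
vlan database
 vlan 100 name INTERNAL
 vlan 200 name HOTSPOT
 exit
!
configure terminal
interface FastEthernet0/1
 description Router Ethernet0 (internal LAN side)
 switchport access vlan 100
interface FastEthernet0/2
 switchport access vlan 100
interface FastEthernet0/3
 switchport access vlan 100
interface FastEthernet0/4
 switchport access vlan 100
interface FastEthernet0/5
 switchport access vlan 100
interface FastEthernet0/6
 switchport access vlan 100
interface FastEthernet0/7
 description Router Ethernet1 (hotspot side)
 switchport access vlan 200
interface FastEthernet0/24
 description WRT54G WAN port
 switchport access vlan 200
end
! Check: "show vlan" should list fa0/1-6 under VLAN 100 and fa0/7, fa0/24 under VLAN 200.

! ===== Cisco 2514 router: the only hop between the two VLANs, so the filter lives here =====
! Assumptions: wifi client subnet 192.168.4.0/24 served by the WRT54G, ACL number 120.
interface Ethernet0
 description Internal LAN (VLAN 100)
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1
 description Point-to-point link to WRT54G WAN (VLAN 200)
 ip address 192.168.2.1 255.255.255.252
 ip access-group 120 in
!
! Return route for the wifi client subnet; next hop is the hotspot's WAN address.
ip route 192.168.4.0 255.255.255.0 192.168.2.2
!
! Applied inbound on the hotspot-facing interface: whatever the source address
! (a routed 192.168.4.x client or the WRT54G's own 192.168.2.2 if it NATs), nothing
! may reach the internal LAN, including the router's own 192.168.3.1. Everything else
! is explicitly permitted, because every IOS ACL ends with an implicit deny.
access-list 120 deny   ip any 192.168.3.0 0.0.0.255
access-list 120 permit ip any any
!
! Check: have a wifi client ping 192.168.3.1, then "show ip access-lists 120";
! the match counter on the deny line should increment.

! ===== WRT54G (web UI, no CLI) =====
! Internet/WAN: static IP 192.168.2.2, mask 255.255.255.252, gateway 192.168.2.1
! LAN: 192.168.4.1 / 255.255.255.0, DHCP server enabled for the wifi clients
```

The filter sits on the router rather than the switch because, as the thread notes, the 2900XL cannot evaluate IP access lists; it only keeps the two VLANs from seeing each other's frames. If the WRT54G is left in its default NAT mode, the static route is unused but harmless, and ACL 120 still applies because the clients then arrive as 192.168.2.2, which "any" matches.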
The 2900/3500XL, sadly, are layer-2-only switches. Only MAC access lists are supported.