Cisco Support Community
Community Member

Guest Smartport

I was looking at the Catalyst 500 for a specific purpose, but I am not sure if it will work or not.

We are wanting to set up a small network in one of our buildings for our clients to be able to access the internet, but we do not want them to have access to the rest of our network. At first glance, putting them behind a Catalyst 500 on a Guest Smartport sounds ideal, restricting their routing only to the gateway, but there are two HP switches between where the clients will be and the Internet gateway.

Will this matter? Does the route have to be all-Cisco, or can it be mixed like this?


Community Member

Re: Guest Smartport

No, the other switches don't matter. When the clients want to go outside of their internal network, they will go to the DFGW. However, you want to make sure that on the DFGW that you setup acl's to make sure that they are blocked from anything else.

I think port security (I took a quick look at 'guest smartport') is just mac filtering so I'm not sure (without digging further) that it will actually firewall/acl your traffic.

To do it fairly securely, you need to create a separate subnet on your network for this guest network. Make your router's ethernet interface a trunk and configure subinterfaces on the router's ethernet interface with ip addresses in your various subnets. Example:

int f0/0

no ip address

int f0/0.1

description Internal network

ip address

encapsulation dot1q (may have to define native vlan here)

int f0/0.2

description Guest network

ip address 255.255.2550

encapsulation dot1q

ip access-group 101 in

Access-list 101 would deny any traffic to your internal network but then allow all, to let them get to the Internet.

You will have to make the switchport that the router's ethernet currently plugs into is a trunk port running the same encapsulation (dot1q or isl, just make the necessary adjustments on the ethernet interface).

You will also need to setup a dhcp scope and then also the vlan ports on the switch they are behind so when they do a dhcp request, they get an ip out of the correct subnet.

If you want to make it to where they can plug in anywhere on the network and still only get to the Internet, look into dot1x.

CreatePlease to create content