Cisco Support Community
New Member

Private VLAN or other options?

Hello all,

I have a client whose network uses SonicWall as their firewall. In order for a client to get out to the Internet you must install the McAfee Anti-Virus software. I can make exceptions to this rule in the SonicWall web interface by IP addresses.

Well, I now have a situation where I want to put a wireless access point on one of the Cisco 3550 switches and basically create a separate network off of that access point. Then I would give the access point's interface connecting to the 3550 a static IP address and therefore exclude all traffic coming from that IP address from having to download the McAfee AV software.

I also do not want any of the clients connecting to the WAP to be able to communicate with the internal network. The ideal situation is the clients would connect to the access point, then the access point would only be able to communicate with the default gateway of the network. The access point will be providing a DHCP address that is separate from the internal network and then receive a NAT address that is on the same subnet as the internal network.

The WAP is a SonicWall TZ170. I am going to configure its WAN port to be and connect this port to the 3550. The TZ170 will then give out a DHCP address of 192.168.10.X to all clients connecting to it. The default gateway of the internal network is

Any advice on how to do this would be greatly appreciated. Thank you.


Re: Private VLAN or other options?

If the AP is going to perform NAT for its clients, then all you would need is a few VACLs to keep the WAP clients from talking to anything but the Internet.

To keep WAP clients from communicating with the rest of the network, you should use VACLs/ACLs at the switch/router levels to allow or restrict subnets from talking to one another. This way you can tell the WAP clients all they can do is go to the Internet, not internal network devices.

The default gateway for your WAP devices will not be the address. Instead it will be the 192.168.10.x address assigned to the routing interface that is able to communicate with the rest of the VLANs (or at least the Internet subnet/VLAN).

The default gateway for the WAP device can be the INSIDE interface if it is connected to the same subnet as the inside interface. (Otherwise it will be the router interface for the subnet/VLAN that it resides on.)

Some info on 3550 VLAN & routing is at the link below:

New Member

Re: Private VLAN or other options?


Great suggestion. I like the idea of being able to implement this with ACLs, but would I still need to have VLANs configured on the switch?

Currently the 3550 is unmanaged and it connects directly to the firewall. The 3550 will be acting as the Layer 3 router.
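
The VACL approach suggested in the reply above, sketched as a Catalyst 3550 VLAN map for the case where the TZ170 WAN port sits on the same subnet as the internal hosts. This is an added example, not configuration posted by anyone in the thread; the VLAN number, the ACL and map names, and every address are placeholder assumptions, because the thread does not give the real values.

```cisco
! Assumed placeholders (not from the thread):
!   VLAN 10       = VLAN carrying the internal subnet, the firewall and the TZ170 WAN port
!   192.0.2.0/24  = internal subnet
!   192.0.2.1     = firewall inside interface (default gateway)
!   192.0.2.50    = static address on the TZ170 WAN port; all WAP clients are NATed to it
!
! In a VLAN map, "permit" in an ACL means "this traffic matches the map entry";
! the action (forward or drop) is set on the map entry itself.
ip access-list extended WAP-GATEWAY
 permit ip host 192.0.2.50 host 192.0.2.1
 permit ip host 192.0.2.1 host 192.0.2.50
!
ip access-list extended WAP-INTERNAL
 permit ip host 192.0.2.50 192.0.2.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.50
!
! Entry 10: traffic between the WAP and the gateway address is forwarded.
vlan access-map WAP-ISOLATE 10
 match ip address WAP-GATEWAY
 action forward
! Entry 20: traffic between the WAP and any other internal host is dropped.
vlan access-map WAP-ISOLATE 20
 match ip address WAP-INTERNAL
 action drop
! Entry 30: no match clause, so everything else is forwarded
! (internal-to-internal traffic and WAP traffic destined for the Internet).
vlan access-map WAP-ISOLATE 30
 action forward
!
! A VLAN map is applied to a VLAN, so the ports involved must belong to one.
vlan filter WAP-ISOLATE vlan-list 10
```

After applying it, `show vlan access-map` and `show vlan filter` confirm the entry order and which VLAN the map is attached to. Without the final catch-all entry, IP traffic that matches neither ACL would be dropped for every host in the VLAN.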


