two Cat4006 how-tos: 1-ACL to prevent specific VLAN routing, 2-subnetting

Hello folks,

First time posting here so go easy on me.

I have two projects/issues on our relatively simple network with Cat4006 (supII+, IOS 12.3.(20)) as the core.

1 - I need to roll out a wireless network using a 2006 wireless LAN controller and 1130AG APs. I want to put the APs and controller on a new Vlan (call it Vlan 3). I want this Vlan to only have access to one other Vlan (Vlan 300), which is connected to our internet access side. I want no other VLAN access for wireless clients connecting to the APs. My feeling is that ACLs are the way to go, but I'm not clear on how those work and the docs I've read are cryptic at best. Also, I'd like to apply the ACLs only on the wireless Vlan side to avoid complications with other Vlans (we have many) accessing the internet... Can anyone point me in the right direction and/or suggest some configs?

2 - All the vlans are set up with private address space like this: the Vlan2 interface is 10.64.2.1/255.255.255.0, so all hosts on Vlan2 must have 10.64.2.xxx IPs. All's well until we run out of IPs on the 10.64.2.x subnet. My question is, what is the advice for getting more IPs on the Vlan with minimal disruption to the rest of the setup? My thinking is to change the subnet mask to a class B network? But what is the pain involved there?

Thanks for reading this far and excuse any mistakes I have due to my understanding of networking. Below I post a partial config of the 4006.

Regards,

Eli

partial config:

interface Vlan1
 description VLAN #1
 ip address 10.64.1.1 255.255.255.0
 no ip route-cache cef
 no ip mroute-cache
!
interface Vlan2
 description VLAN #2
 ip address 10.64.2.1 255.255.255.0
 no ip route-cache cef
 no ip mroute-cache
!
interface Vlan4
 description VLAN#4
 ip address 10.64.4.1 255.255.255.0
 no ip route-cache cef
 no ip mroute-cache
!
interface Vlan5
 description Test
 no ip address
 no ip route-cache cef
 no ip mroute-cache
 shutdown
!
interface Vlan6
 description VLAN#6
 ip address 10.64.6.1 255.255.255.0
 no ip route-cache cef
 no ip mroute-cache
!
interface Vlan8
 ip address 10.64.8.1 255.255.255.0
 no ip route-cache cef
!
interface Vlan10
 ip address 10.64.10.1 255.255.255.0
 no ip route-cache cef
!
interface Vlan12
 ip address 10.64.12.1 255.255.255.0
 no ip route-cache cef
!
interface Vlan20
 ip address 10.64.20.1 255.255.255.0
 no ip route-cache cef
 shutdown
!
interface Vlan30
 ip address 10.64.30.1 255.255.255.0
 no ip route-cache cef
!
interface Vlan300
 description Internet
 ip address 10.64.0.2 255.255.255.0
 no ip route-cache cef
!
ip route 0.0.0.0 0.0.0.0 10.64.0.1
ip route 10.65.1.0 255.255.255.0 10.64.0.1

Re: two Cat4006 how-tos: 1-ACL to prevent specific VLAN routing,

Hi

1. You can configure ACLs either on the VLAN300 interface on the Wireless Controller itself (an inbound ACL denying access to all internal subnets, with a final permit all to allow access to web destinations; create it, then apply it to the VLAN300 interface), or on the 4500 VLAN300 interface, or both.

To clarify a little more: basically the APs will be connected to access ports in a VLAN (i.e. your VLAN 3); these will communicate with the WLC's management interface, also in VLAN 3.

The WLCs will connect to a trunk port. All traffic from the APs is tunnelled to the WLC, at which point it is put onto whichever VLAN the SSID the client is associated to is paired with.

So here you have a point where you could connect 'Internet' users to a VLAN with the ACL attached.

Other wireless users on another SSID would get into a different VLAN, and could have a different ACL or no ACL as desired...

2. If you change the subnet mask you will still have to go round and change the subnet mask on all your devices to avoid problems. Why not just add another VLAN, with a new subnet (with more host bits this time)?

Regards

Aaron

Please rate helpful posts...


Re: two Cat4006 how-tos: 1-ACL to prevent specific VLAN routing,

Hello Aaron,

Thanks for your reply and willingness to help!

If you don't mind I'd like to ask some additional questions...

On issue 1:

I am now a little more confused. We have only one WLC and four APs. Our plan is to connect all of these to Vlan3. We will not have separate SSID/Vlan pairs; we only want to allow wireless clients to surf the net. So:

- Does the inbound ACL as you first describe exist on the Vlan3 interface? Could you indulge me with an example?

- I have not yet looked at the WLC; does that have ACL capability on its physical interface to the 4006? Also, you said the WLC must connect to a trunk port; that would be a Vlan3 trunk port, right?

- You mentioned SSID/Vlan pairs. If the SSID on all APs is paired only with VLAN300, would that give the desired result?

- I have looked into VLAN maps and VACLs a little bit today. Would that be a simpler way to go?

On issue 2:

- My understanding is that NetBIOS traffic will not go across the IP routing between Vlans. Since we use that a lot (Windows and Mac clients) I don't think creating another vlan will work?

Many thanks,

Eli
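Added example, not part of either poster's reply: the inbound ACL Aaron describes, placed where Eli wanted it, on the wireless VLAN SVI of the 4006 so no other VLAN is touched. It assumes the wireless subnet is 10.64.3.0/24 with the SVI at 10.64.3.1, that the ACL is called WIRELESS-IN, and that clients get DHCP through an ip helper-address pointing at an assumed server at 10.64.0.10; none of those values appear in the thread. The denied ranges are taken from the posted config (10.64.x.0/24 SVIs, the static route to 10.65.1.0/24, and VLAN300 at 10.64.0.0/24 as the one permitted internal subnet).

```cisco
! Added example for this thread, not from the original posts.
! Assumptions: wireless SVI is Vlan3 at 10.64.3.1/24, APs and WLC sit in
! Vlan3 as access/trunk ports, DHCP server at 10.64.0.10 (all assumed).
!
! 1. Named extended ACL. Entries are evaluated top-down, first match wins,
!    so the specific permits must come before the broad denies.
ip access-list extended WIRELESS-IN
 remark -- DHCP discover/request from clients, relayed by the SVI helper
 permit udp any eq bootpc any eq bootps
 remark -- the one internal VLAN wireless may reach: Vlan300 (10.64.0.0/24)
 permit ip any 10.64.0.0 0.0.0.255
 remark -- block the rest of the internal space; separate lines give
 remark -- separate hit counters, even though the 10/8 line covers both
 deny   ip any 10.64.0.0 0.0.255.255
 deny   ip any 10.65.1.0 0.0.0.255
 deny   ip any 10.0.0.0 0.255.255.255
 remark -- everything left is Internet-bound and follows the default route
 permit ip any any
!
! 2. Apply it inbound on the wireless SVI only. Traffic from every other
!    VLAN towards the Internet is never evaluated against this list.
interface Vlan3
 description Wireless (WLC + 1130AG APs)
 ip address 10.64.3.1 255.255.255.0
 ip helper-address 10.64.0.10
 ip access-group WIRELESS-IN in
!
! 3. Verify from enable mode. Deny-line counters should climb when a
!    wireless client tries another VLAN; 'permit ip any any' when browsing.
!    show ip access-lists WIRELESS-IN
!    show ip interface Vlan3 | include access list
```

Two caveats a practitioner should keep in mind. A router ACL on the SVI only sees traffic routed off Vlan3, so AP-to-WLC traffic inside Vlan3 is untouched, which is what this design needs; a VLAN map (VACL) would instead filter every frame in the VLAN, including that AP/WLC traffic, so it is the harder fit here. And the list is one-directional: it stops wireless clients initiating connections into the other VLANs, but hosts on those VLANs can still initiate connections to 10.64.3.0/24, since IOS ACLs are stateless; if that matters, add a matching inbound ACL on the other SVIs or an outbound one on Vlan3. If the DNS server is internal rather than reached through VLAN300, it needs its own permit line above the denies.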
