Cisco Support Community
SG300 - Wifi Vlan

Hello,

I want to set up a VLAN only for the WiFi APs and WiFi clients on my network. They can't access any server, only internet access.

I already implemented this configuration and it's working, but now I want to allow a couple of laptops to connect to servers in another VLAN. What should I do?

Should I do it using the MAC addresses of the laptops or their IPs? How?

Thanks a lot.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: SG300 - Wifi Vlan

Hi Angel,

It sounds to me like you:

  • know what you want to do with the switch,
  • have DHCP services in place and working,
  • understand how to filter (permit or deny) traffic with ACLs. These ACLs will deny traffic from or to wireless clients even before the Ethernet frames leave my switch.

You can still have VLAN 3 on the switch terminating on the firewall; there may be no need to add an IP interface to VLAN 3 on the switch.

If all is working, we are finished. But if you have further questions, I'm more than happy to assist with advice or a configuration example.

regards David

9 REPLIES

Re: SG300 - Wifi Vlan

Hi Angel,

You said "I already implement this configuration and its working".

To know what to do, the community has to know exactly what you did for "can't access to any server...".

Could you please describe what you did so that the wireless clients cannot get to the servers?

regards Dave

SG300 - Wifi Vlan

David,

Thanks for your reply. You are very helpful.

You are right.

I configured the switch in layer 3 mode with 3 VLANs and 3 VLAN interfaces.

One of the VLANs (VLAN 20) is only for the access points and wireless clients. That VLAN only has access to the internet (the switch has a routing rule 0.0.0.0 0.0.0.0 10.0.0.2, where 10.0.0.2 is the firewall). And I will block any other communication with an ACL, doing a deny everything from this VLAN 20 to the other VLANs, like you pointed me to in the other post.

But I need some wireless laptops to be able to connect to servers (support laptops). Should I allow this communication with a rule on the ACL? Permit laptop IP to server? Or should I do it another way?

Please, sorry about my English, and thanks a lot.

Angel

Re: SG300 - Wifi Vlan

Hi Angel.

You must be highly intelligent, you can speak and write multiple languages, but I can only speak one.

Is the firewall VLAN aware? In other words, can you assign multiple VLANs on its Ethernet port or ports?

If yes is the answer, I would also guess that this firewall may also provide DHCP services to Local Area Networks that are attached to it.

To me it seems simpler to just run the switch in layer 2 mode like the diagram below:

I would have thought that your firewall, which may be VLAN aware like my ASA5500, can provide multiple DHCP scopes for different networks.

It still seems easier to leave the network in Layer 2 mode and engineer the network so that the firewall can provide basic DHCP services for the different VLANs. In another question you ask how to configure the DHCP server for multiple VLANs with DHCP requests using option 82.

If this is a problem for you, it just seems simpler to run the switch in layer 2 mode and allow the firewall to do DHCP (if possible).

regards Dave

SG300 - Wifi Vlan

David,

I have this scenario.

      INTERNET
            I
            I
            I
       Firewall   10.0.0.2
            I
            I
            I
Switch Layer 3 10.0.0.1
     I           I
     I           I
     I        Switch layer 2
     I            I
     I            I
     I      AccessPoints (vlan3)
     I
     I
Switch layer2
  I            I
  I         vlan1
vlan2

VLAN 1: administration

VLAN 2: HR

VLAN 3 is only for the access points and wireless clients.

My layer 3 switch does the inter-VLAN communication and it has one IP route 0.0.0.0 0.0.0.0 10.0.0.2.

I configured VLAN interfaces for each VLAN on the layer 3 switch, so every host on the VLANs uses that interface as gateway.

But I want to do this:

I want VLAN 3 to be able to access only the internet and not the other VLANs.

Can I delete the VLAN 3 interface on the switch and use the firewall as the gateway of that VLAN? I mean, create a VLAN 3 interface on the firewall. This way I have more specific control over that VLAN. Can I do that? Should I set something on the layer 3 switch?

Thanks a lot

Angel

SG300 - Wifi Vlan

Hi Angel

I prefer to run the switch in Layer 2 mode for the following reasons.

It will be easier for you to configure services such as DHCP if your firewall device supports multiple DHCP scopes.

I cannot tell you if you can configure VLAN 3 on your firewall. You really have to know if VLAN 3 can be created on a firewall Ethernet interface. You also have to know if your firewall is capable of providing DHCP services for separate VLANs.

My concern is: can wireless clients within VLAN 3 get a response to DHCP requests?

The switch can always bind an ACL to an ingress interface for the purpose of restricting access of VLAN 3 IP hosts to other VLANs.

SG300 - Wifi Vlan

David,

Thanks again for your reply.

I prefer to run the core switch in layer 3 mode because of the inter-VLAN routing between VLANs, except VLAN 3 for wireless devices. That VLAN, I think, is better if it all goes to the firewall. And the firewall can filter better.

My firewall supports multiple DHCP scopes.

I also have a DHCP server on my network, so I think I can configure the layer 3 switch to relay DHCP to VLANs 1 and 2. Am I right?

So in this scenario, my DHCP server for the Ethernet VLANs (admin and HR) is a server on the network.

And my DHCP for my wireless client VLAN will be the firewall. I should test if clients within VLAN 3 can get a response from the firewall DHCP.

I will only have VLAN interfaces for VLANs 1 and 2 but not for VLAN 3, so if I have no VLAN 3 interface on the switch, how do I tell the switch to forward all VLAN 3 communication to the firewall? I mean, some special route? Some special configuration on the switch-firewall trunk?

Thanks a lot and sorry to bother you!

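A constructed SG300 configuration, added here and not from the thread, showing the design David and Angel settle on: VLAN 3 carried on the switch with no IP interface so the firewall is its gateway, an ingress ACL on the AP port that lets one support laptop reach the servers while the rest of VLAN 3 reaches only the internet, and DHCP relay for the wired VLANs. Port numbers (gi10, gi24), the subnets, the laptop address 10.3.0.50 and the DHCP server 10.1.0.10 are assumptions; 10.0.0.2 is the firewall from the thread.

```cisco
! --- VLANs 2 and 3 exist on the switch; only VLANs 1 and 2 get an SVI (assumed subnets)
vlan database
vlan 2-3
exit
interface vlan 1
ip address 10.1.0.1 255.255.255.0
exit
interface vlan 2
ip address 10.2.0.1 255.255.255.0
exit
! Default route to the firewall (from the thread). VLAN 3 has no SVI, so the switch
! never routes it: VLAN 3 frames are bridged to the firewall, which is assumed to
! hold the VLAN 3 gateway (e.g. 10.3.0.1) and the VLAN 3 DHCP scope.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
! --- Trunk to the firewall (assumed gi24): VLAN 1 untagged, VLANs 2 and 3 tagged
interface gi24
switchport mode trunk
switchport trunk allowed vlan add 2-3
exit
! --- Uplink to the access points (assumed gi10) carries VLAN 3 only
interface gi10
switchport mode trunk
switchport trunk allowed vlan add 3
exit
! --- Ingress ACL on the AP port. ACEs are evaluated in the order entered and the
! list ends with an implicit deny, so the final permit keeps internet traffic flowing.
! Matching is on the IP header, so a VLAN 3 -> VLAN 1 packet is dropped here even
! though its frame is addressed to the firewall's MAC (assumed support laptop 10.3.0.50).
ip access-list extended WIFI-TO-LAN
permit ip 10.3.0.50 0.0.0.0 10.1.0.0 0.0.0.255
deny ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
permit ip any any
exit
interface gi10
service-acl input WIFI-TO-LAN
exit
! --- DHCP relay for the wired VLANs to the Windows DHCP server (assumed 10.1.0.10).
! VLAN 3 is not relayed; the firewall's own scope answers it directly.
ip dhcp relay enable
ip dhcp relay address 10.1.0.10
interface vlan 2
ip dhcp relay enable
exit
```

Because the ACL matches by IP rather than MAC, give the support laptop a fixed address (a DHCP reservation on the firewall's VLAN 3 scope) so the permit entry keeps applying; verify with a ping from another VLAN 3 client to a server, which should fail, and from the laptop, which should succeed.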

SG300 - Wifi Vlan

David

Thanks a lot for your advice. You are very helpful.

I tried that configuration and it works perfectly. Now I'm going to test the DHCP relay of the switch.

Thanks !!!

SG300 - Wifi Vlan

I have a Windows DHCP server with 2 scopes, an AP 1040 and a switch SG300. Two SSIDs are associated with VLANs 1 and 5. VLAN 1 is on the management subnet and gets its IP from DHCP OK. But not the clients from the 2nd SSID on VLAN 5.

How do you make the DHCP server assign IPs to the guest wireless VLAN 5?

Thanks in advance.
