Keep wired and wireless vlans separate yet both have internet connectivity

JeanM Posts: 1,117 Member
What would be your method for implementing the following scenario?

You have a couple of wired workstations, a server, and a couple of wireless devices.
All devices should have access to the internet
All wired devices including server should have connectivity to each other
Wireless devices should NOT have connectivity to any of the wired devices.

You have an L2 switch, 1 router (let's call it Edge), and 1 AP.

A couple of things come to mind.
The Edge router is connected to the cable modem for internet connectivity.
Set up fe0/0 to get an IP from the cable modem via DHCP.
Set this up as the outside interface.

Set up DHCP scopes as needed.

Set up NAT/PAT overload on fe0/0.
Set up an ACL for PAT.

Set up fe0/1 with subinterfaces for the two VLANs (2 / 3) below.
Set up each subinterface as "outside1" and "outside2" for the ACL?

On the L2 switch, set up two VLANs, one for wired connectivity and one for wireless.
On the L2 switch, set up a trunk to the Edge router's fe0/1 interface.
All wired workstations and the server connect to VLAN 2.
The wireless AP connects to VLAN 3.

Now, with inter-VLAN routing over the 802.1Q trunk, devices on VLAN 2 and VLAN 3 will have connectivity to each other.

Question is, what is the best practice for letting vlan 2 and vlan 3 out to the internet and back, but to not have connectivity between the two vlans?

Set up ACLs on the Edge router accordingly, so that each subinterface can PAT overload out fe0/0, but the traffic between the two subinterfaces is blocked?

Or is there another way?
2015 goals - ccna voice / vmware vcp.

Comments

  • MickQ Posts: 628 Member
    How about having wired on one VLAN and wireless on another (as you've said), and filter traffic between them using VACLs or whatever other ACL you see fit.
  • Freestuff212 Posts: 14 Member
    I'm just taking a shot in the dark. There may be an easier way. But you should be able to set up private VLANs (PVLANs). One for the wired connection and one for the wireless. Both should be able to connect to the internet but not each other. We will wait and see if there are any better answers.
  • JeanM Posts: 1,117 Member
    Freestuff212 wrote: »
    I'm just taking a shot in the dark. There may be an easier way. But you should be able to set up private VLANs (PVLANs). One for the wired connection and one for the wireless. Both should be able to connect to the internet but not each other. We will wait and see if there are any better answers.

    Ideally I would like to be able to configure the 1811, which has 2 FE L3 interfaces (one going to the cable modem) + 8 L2 switch ports. The 1811 supports up to 8 VLANs, which is more than enough for me.

    Problem is, how to configure it in such a way. Testing things out in PT right now, using a router + switch.
  • JeanM Posts: 1,117 Member
    I think maybe ideally you want 3 subnets here, like 192.168.1.0 for "outside" going towards the cable modem and internet,
    then 192.168.2.0 for wired and 192.168.3.0 for wireless, for example? This way there is no overlap with having to allow the WiFi subnet access to the wired subnet's gateway IP?

    Using a router + switch. Still need to play with how to make this work on the 1811 router that has 8 L2 switch ports, though.

    "edge router"

    !
    ip dhcp pool WIRELESS
    network 192.168.3.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    ip dhcp pool WIRED
    network 192.168.2.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    !
    interface Loopback1
    ip address 192.168.1.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address dhcp
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.1
    description For LAN use
    encapsulation dot1Q 2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    !
    interface FastEthernet0/1.2
    description For WiFi use
    encapsulation dot1Q 3
    ip address 192.168.3.1 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
    ip nat inside
    !
    interface Vlan1
    no ip address
    shutdown
    !
    router rip
    version 2
    network 10.0.0.0
    network 192.168.1.0
    network 192.168.2.0
    network 192.168.3.0
    !
    ip classless
    !
    !
    ip access-list extended TEST
    deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip any any

    "Access switch"

    hostname Access_SW
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/1
    switchport access vlan 2
    !
    interface FastEthernet0/2
    switchport access vlan 2
    !
    interface FastEthernet0/3
    switchport access vlan 2
    !
    interface FastEthernet0/10
    switchport access vlan 3
    !
    interface FastEthernet0/11
    switchport access vlan 3
    !
    interface GigabitEthernet1/1
    switchport mode trunk
    !
    interface GigabitEthernet1/2
    !
    interface Vlan1
    ip address 192.168.1.10 255.255.255.0
    !
    interface Vlan2
    ip address 192.168.2.10 255.255.255.0
    !
    interface Vlan3
    ip address 192.168.3.10 255.255.255.0
    !
    ip default-gateway 192.168.1.1
    !
    !
  • JeanM Posts: 1,117 Member
    So, now I am trying to get the 1811's built-in FE ports to work with the VLANs and DHCP, but it's failing.
    L2 switch connected to the trunk port of 1811 is working fine, and dhcp and vlan access is working for the configuration and ACL for the devices connected on the L2 switch access ports.

    But the same logic (VLAN 2 and VLAN 3 access, and access to the default gateway) isn't working on the 1811 built-in ports 1-4. Devices aren't pulling IPs from the DHCP pools, and even with a static IP they can't ping the 192.168.1.1 Loopback1 interface?

    If I assign static IPs to devices on ports 0/1/0 - 0/1/3, then 0/1/0 CAN ping the device on 0/1/1, and the device on 0/1/2 CAN ping the device on 0/1/3. So it seems the VLAN access assignment on these switch ports IS working, but that's where it stops?

    Any ideas?

    Interfaces on the router in question.

    interface FastEthernet0/1/0
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/1/1
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/1/2
    switchport access vlan 3
    switchport mode access
    !
    interface FastEthernet0/1/3
    switchport access vlan 3
    switchport mode access

    Router config -

    !
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.3
    ip dhcp excluded-address 192.168.1.4
    ip dhcp excluded-address 192.168.1.5
    ip dhcp excluded-address 192.168.1.6
    ip dhcp excluded-address 192.168.1.7
    ip dhcp excluded-address 192.168.1.8
    ip dhcp excluded-address 192.168.1.9
    ip dhcp excluded-address 192.168.1.10
    !
    ip dhcp pool WIRELESS
    network 192.168.3.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    ip dhcp pool WIRED
    network 192.168.2.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    !
    !
    !
    !
    interface Loopback1
    ip address 192.168.1.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address dhcp
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.1
    description For LAN use
    encapsulation dot1Q 2
    ip address 192.168.2.1 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
    ip nat inside
    !
    interface FastEthernet0/1.2
    description For WiFi use
    encapsulation dot1Q 3
    ip address 192.168.3.1 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
    ip nat inside
    !
    interface FastEthernet0/1/0
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/1/1
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/1/2
    switchport access vlan 3
    switchport mode access
    !
    interface FastEthernet0/1/3
    switchport access vlan 3
    switchport mode access
    !
    interface Vlan1
    no ip address
    shutdown
    !
    router rip
    version 2
    network 10.0.0.0
    network 192.168.1.0
    network 192.168.2.0
    network 192.168.3.0
    !
    ip classless
    !
    !
    ip access-list extended TEST
    deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip any any
    !
    !
  • JeanM Posts: 1,117 Member
    Okay... got DHCP to work on the internal interfaces (after creating the Vlan2 and Vlan3 interfaces and assigning IPs, after shutting down the subinterfaces). Now to figure out how to apply the ACL to these ports.

    Question: since ip access-group does not work for the L2 interfaces FastEthernet0/1/0 to 0/1/3, what is the trick here?

    !
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.3
    ip dhcp excluded-address 192.168.1.4
    ip dhcp excluded-address 192.168.1.5
    ip dhcp excluded-address 192.168.1.6
    ip dhcp excluded-address 192.168.1.7
    ip dhcp excluded-address 192.168.1.8
    ip dhcp excluded-address 192.168.1.9
    ip dhcp excluded-address 192.168.1.10
    !
    ip dhcp pool WIRELESS
    network 192.168.3.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    ip dhcp pool WIRED
    network 192.168.2.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    !
    !
    !
    !
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    !
    !
    !
    !
    interface Loopback1
    ip address 192.168.1.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address dhcp
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.1
    description For LAN use
    encapsulation dot1Q 2
    ip address 192.168.2.1 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
    ip nat inside
    shutdown
    !
    interface FastEthernet0/1.2
    description For WiFi use
    encapsulation dot1Q 3
    ip address 192.168.3.1 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
    ip nat inside
    shutdown
    !
    interface FastEthernet0/1/0
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/1/1
    switchport access vlan 2
    switchport mode access
    !
    interface FastEthernet0/1/2
    switchport access vlan 3
    switchport mode access
    !
    interface FastEthernet0/1/3
    switchport access vlan 3
    switchport mode access
    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan2
    ip address 192.168.2.10 255.255.255.0
    !
    interface Vlan3
    ip address 192.168.3.10 255.255.255.0
    !
    router rip
    version 2
    network 10.0.0.0
    network 192.168.1.0
    network 192.168.2.0
    network 192.168.3.0
    !
    ip classless
    !
    !
    ip access-list extended TEST
    deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip any any
    !
    !
  • JeanM Posts: 1,117 Member
    Okay, I think I figured it out. Assigned the ACL on the Vlan2 and Vlan3 interfaces.

    interface Vlan2
    ip address 192.168.2.10 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
    !
    interface Vlan3
    ip address 192.168.3.10 255.255.255.0
    ip access-group TEST in
    ip access-group TEST out
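An added example, not code from the thread: a small Python evaluator for the TEST access list posted above, using the ACL lines exactly as JeanM wrote them. It shows why the first one-line version was leaky (wired hosts could open connections toward the WiFi subnet while only the replies were dropped) and that the two-deny version blocks the exchange in both directions while internet-bound traffic stays permitted. The parser, the sample addresses and the `exchange_verdict` helper are constructed here and are not IOS behaviour beyond first-match evaluation with the implicit deny.

```python
import ipaddress

# The extended ACL "TEST" as it appears in the last full router config in the thread.
ACL_TEST_FINAL = [
    "deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "permit ip any any",
]
# The first version posted, which only denied wireless -> wired.
ACL_TEST_FIRST = [ACL_TEST_FINAL[0], ACL_TEST_FINAL[2]]


def _match_network(tokens):
    """Consume 'any' or '<address> <wildcard>' from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)
    return net, tokens[2:]


def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries (the only form the thread uses)."""
    entries = []
    for line in lines:
        action, proto, *rest = line.split()
        src, rest = _match_network(rest)
        dst, rest = _match_network(rest)
        entries.append((action, proto, src, dst))
    return entries


def acl_action(entries, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits IOS's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def exchange_verdict(entries, src_ip, dst_ip):
    """Verdict for a request and its reply, since the list is applied in both directions."""
    return acl_action(entries, src_ip, dst_ip), acl_action(entries, dst_ip, src_ip)


if __name__ == "__main__":
    for name, lines in (("first", ACL_TEST_FIRST), ("final", ACL_TEST_FINAL)):
        acl = parse_acl(lines)  # sample hosts below are constructed, not from the thread
        print(name, "wired->wifi", exchange_verdict(acl, "192.168.2.20", "192.168.3.20"))
        print(name, "wired->internet", exchange_verdict(acl, "192.168.2.20", "8.8.8.8"))
```

The evaluator looks only at the access list; it ignores NAT and routing, so it answers what TEST permits, not whether the DHCP or gateway settings in the configs are correct.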
  • MAC_Addy Posts: 1,740 Member
    Is this just an assignment that you've created for yourself? Just wondering where you got this information from. Also, you want all WIRED devices to NOT have connectivity to each other?
    2017 Certification Goals:
    CCNP R/S
  • eten Posts: 67 Member
    We have separate vrf for wired and wireless users in our production network.
  • JeanM Posts: 1,117 Member
    MAC_Addy wrote: »
    Is this just an assignment that you've created for yourself? Just wondering where you got this information from. Also, you want all WIRED devices to NOT have connectivity to each other?
    MAC_Addy - yep, for my personal home env so to speak. Devices on the wired VLAN (WD Live for the TV, NAS, two PCs) are on one subnet/VLAN and wireless devices such as tablets and cell phones on another. Wired devices have connectivity; that the wired and wireless don't have connectivity to each other is what I was after. I am changing it up a bit and adding a DMZ port lol :)

    I know this is probably overkill, but I got an 1811 specifically for this task as it's got a built-in switch. Ideally I wanted an 1811W, but they cost more than the non-W, so I just got a TP-Link AP to connect to one of the L2 ports.