Here's how to configure a Cisco 877 with a second VLAN for guest access. The guests should be allowed access to the Internet but not the private LAN; however, we have the option to open up some resources on the private LAN which they *can* access.
Note: You'll need the Advanced IP Services firmware for this. The Advanced Security firmware only allows a single VLAN.
For this example we'll assume the private LAN is 192.168.1.0 attached to fa0 and the guests are 192.168.2.0 on fa1. Remember that each VLAN must be on a different subnet.
First, check if there are any existing VLANs:
show vlan-switch brief
Now create a new VLAN:
conf t
vlan 2
name Guests VLAN
int fa1
no shut
switchport access vlan 2
! fa1 is a layer-2 switchport; the guest subnet's IP address belongs on the VLAN 2 SVI
int vlan 2
ip address 192.168.2.254 255.255.255.0
ip access-list extended nat-candidates
permit ip 192.168.2.0 0.0.0.255 any
We've just put the two switchports on separate VLANs. The PCs on the guest VLAN can access the internet, which is good, but they can also access any device on the private VLAN, which is bad.
We can fix it by creating an ACL for the guest VLAN. The following ACL denies all IP traffic from the guest VLAN to the private VLAN and permits everything else, so Internet access keeps working. It is applied inbound on the guest SVI, so it filters the traffic as the guests send it:
ip access-list extended out-from-vlan2
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
int vlan2
ip access-group out-from-vlan2 in
Now if you want to allow access from the guest VLAN to a single IP address on your private VLAN (for example 192.168.1.10) you could add another line to your ACL, above the deny. IOS numbers entries 10, 20, 30 and so on by default, so giving the new entry sequence number 5 places it ahead of the deny at 10:
ip access-list extended out-from-vlan2
5 permit ip any host 192.168.1.10
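To check the ACL logic above without a router, here is an added example (my code, not from the original page or from Cisco). It parses named extended ACL entries as the page writes them, including the sequence-5 insert appended in a second block, walks them in sequence order with the first-match and implicit-deny semantics IOS uses, and confirms the access-group binding on the guest SVI. The config text is constructed from the page's commands; the guest host 192.168.2.10, the private host 192.168.1.20 and the Internet address 8.8.8.8 are assumed sample values, and only the address forms the page uses (any, host, address plus wildcard) are modelled.

```python
"""Offline model of how Cisco IOS walks a named extended ACL. Added example, not
code from the original page or from Cisco; it covers only the forms the page uses."""
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF


def _parse_spec(tokens):
    """Consume one address spec; wildcard bits set to 1 are 'don't care', as in IOS."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]


def _matches(spec, ip):
    """Compare only the bits the wildcard leaves significant (its 0 bits)."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (ALL_ONES ^ wild) == 0


def parse_config(text):
    """Return {acl_name: [(seq, action, src, dst), ...]} sorted by sequence.

    A repeated 'ip access-list extended NAME' block appends to the same list; an
    entry typed without a sequence number gets last + 10 (IOS default numbering).
    """
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.match(r"ip access-list extended (\S+)$", line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        tokens = line.split()
        if current is None or not (tokens[0] in ("permit", "deny") or tokens[0].isdigit()):
            continue   # interface, access-group and other non-ACL lines
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq = max((e[0] for e in current), default=0) + 10
        action, proto, tokens = tokens[0], tokens[1], tokens[2:]
        assert proto == "ip", "only protocol 'ip' is modelled here"
        src, tokens = _parse_spec(tokens)
        dst, _ = _parse_spec(tokens)
        current.append((seq, action, src, dst))
        current.sort(key=lambda e: e[0])
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny at the end."""
    for seq, action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action, seq
    return "deny", None


def acl_bound(text, acl_name, interface, direction="in"):
    """True if 'ip access-group ACL DIRECTION' appears after the given interface line."""
    wanted, current_if = interface.replace(" ", "").lower(), None
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0] in ("int", "interface"):
            current_if = "".join(tokens[1:]).lower()   # 'int vlan2' == 'interface vlan 2'
        elif tokens[:2] == ["ip", "access-group"] and current_if == wanted:
            if tokens[2:4] == [acl_name, direction]:
                return True
    return False


# Constructed sample: the page's guest ACL, its inbound binding, and the seq-5 exception.
GUEST_CONFIG = """
ip access-list extended out-from-vlan2
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
int vlan2
 ip access-group out-from-vlan2 in
ip access-list extended out-from-vlan2
 5 permit ip any host 192.168.1.10
"""


def guest_vlan_report(text=GUEST_CONFIG):
    """Push three constructed flows from guest host 192.168.2.10 through the ACL."""
    entries = parse_config(text)["out-from-vlan2"]
    flows = {
        "opened host": ("192.168.2.10", "192.168.1.10"),   # matches seq 5 permit
        "private LAN": ("192.168.2.10", "192.168.1.20"),   # matches seq 10 deny
        "internet": ("192.168.2.10", "8.8.8.8"),           # falls through to seq 20 permit
    }
    return {name: evaluate(entries, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (action, seq) in guest_vlan_report().items():
        print(f"{name:12s} -> {action} (seq {seq})")
    print("bound inbound on vlan2:", acl_bound(GUEST_CONFIG, "out-from-vlan2", "vlan2"))
```

The wildcard comparison is done bit-wise rather than by converting to a prefix length, so non-contiguous wildcards (which IOS accepts) evaluate the same way the router would. Paste your own ACL and access-group lines into `GUEST_CONFIG` to confirm an exception lands above the deny before committing it on the router.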
Creating VLANs

Voice VLAN:
Switch#conf t
Switch(config)#vlan <VLAN ID>
Switch(config-vlan)#name Voice          - description of the VLAN

Similarly for the Data VLAN.

Creating VLAN interfaces (SVIs) and assigning IP addresses to them:
Switch#conf t
Switch(config)#interface vlan <VLAN ID>
Switch(config-if)#ip address <X.X.X.X> <X.X.X.X>   - IP address, subnet mask
(The IP address should be one of the usable IP addresses of the phone or data subnet.)

Similarly for the Data VLAN.

Interface configuration - Data/Voice:
Switch#conf t
Switch(config)#interface GigabitEthernet <interface ID>
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan <VLAN ID>   - Data VLAN
Switch(config-if)#switchport access vlan <VLAN ID>          - Voice VLAN

OR

Switch#conf t
Switch(config)#interface GigabitEthernet <interface ID>
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode access
Switch(config-if)#switchport voice vlan <Voice VLAN ID>
Switch(config-if)#switchport access vlan <VLAN ID>

* With newer IOS it is not required that a switchport connecting a phone with a PC piggybacking on it be configured specifically as a trunk. Please see the second configuration above.