VLAN and ACL Qs

I want to segment a 3750 so wireless APs are on a separate VLAN from all other traffic. Let's say that wireless ports are on VLAN 20 and the rest are on VLAN 10. VLAN 20 traffic is only allowed to get to a particular printer on VLAN 10 and out to the Internet. I think of this as trying to filter packets as traffic is about to leave VLAN 20 and enter VLAN 10. Where do I apply the access-group statement and in which direction to accomplish what I want?

I do not manage the edge router so I cannot set up VLAN trunking between the router and the switch. Is there a way to untag all packets going out the switch port to the router?

I suppose CDP and VTP traffic is handled by setting the switchport trunk native vlan parameter for dot1q. Should this be set to the management vlan? How is this type of traffic handled with ISL encapsulation? Does it get assigned to VLAN 1 automatically?

Reply to
Bob Simon

set the port to switchport mode access - but you only get 1 vlan at that point.

no - CDP etc seem to use vlan 1 even if it is not configured on a port

- even if there is no native vlan.

there is a lot of background info in a Cat 6500 doc:


does anyone still use ISL? not tried this, but the 6500 doc implies it is still in vlan 1.

yes

Reply to
Stephen

I presume that would be VLAN 1. Do I need to do anything besides turn on routing to make this port admit traffic from VLAN 10 and VLAN 20?

It seems to me that since all outgoing traffic (regardless of source VLAN) will use this port, I would not lose any useful information by untagging the packets. Is this correct?

Also, putting the port in access mode makes it a L2 interface, right? Doesn't it need to be a L3 interface in order to route packets from other VLANs to this one?

Thanks for the pointer. I will read that later today.

I hadn't even considered ISL until I read that the switch uses ISL if both sides negotiate the encapsulation method (and switchport mode dynamic auto is the default mode). Since Cisco made ISL the default, this made me think that maybe I should use it instead of dot1q.

I hope someone else will explain how to apply the ACL to the interface. I would especially like to understand where in the switching process filtering occurs so I can apply "in" and "out" correctly.

Reply to
Bob Simon

yes - it is in 2 steps. port stuff is all about layer 2, routing is L3, and on a cisco switch they are decoupled.

So commands to make vl 123 appear on a port, with no tags would be

  int Fa 0/17
   switchport mode access
   switchport access vlan 123

if you want to route to this vlan then you need a routed interface to it

  int vlan 123
   ip address blah

if you want just routing on the port, then you need

  int Fa 0/17
   no switchport
   ip address blah

3rd option is to have a tagged port and 1 or more vlans, then possible route to each vlan.

all 3 kinds of port config by default will "find" another cisco switch or router using CDP. it is that way by default since CDP etc is only useful if it doesn't need much setup.

you need to go and look at the manuals for the switch - there are lots of examples that cover this stuff.

which way you go depends on whether you need just IP on the port, or a subnet smeared across multiple ports, or ip traffic using tags.

yes

yes - but you attach a L3 interface to the VLAN.

think of the "model" of the box as a set of L2 logical switches, optionally linked together by a back end L3 router.

no - i suspect this is either backward compatibility with older cisco gear that only understands ISL, or "lock in" to the cisco proprietary trunking scheme.

having said that ISL seems to be dying out since it isn't supported on some new Cisco hardware lines.

i have used ip access-group filtername out

on a routed vlan interface. same should work on a routed port.

Reply to
Stephen

Stephen, I think the L3 scenario sounds best for my situation: This port will connect to the edge router (without VLAN trunking) and will transport packets from two VLANs on the switch. Given what I want to do, would you select this option also?

Reply to
Bob Simon

from what you have said that looks reasonable - but remember L3 routing glues any routed interfaces together, so if you have several you need to think about what to filter and where.

you may want inbound filters on the AP interface as well to limit where the traffic may go - a security team would regard the wireless as a potential weak point for injecting "bad" traffic. Or you could look at using vrfs to split the box into 2 or more logical routers (enhanced feature set only AFAIR).

the thing to watch is whether you get the security you want or not - the only way to tell is to test.

also - running a routing protocol (or anything better than RIP), will need enhanced IOS feature set.

Reply to
Stephen
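The thread leaves the actual ACL placement open (Bob's original question and Stephen's suggestion of inbound filters on the AP interface). Below is an added worked configuration, not posted by either participant, that puts the three pieces together on a 3750: access ports for the APs in VLAN 20, SVIs for both VLANs, an inbound filter on the wireless SVI, and a routed (no switchport) uplink so the edge router only ever sees untagged IP. All addresses, interface numbers and the printer/DNS/DHCP hosts are constructed placeholders; adjust them to the real subnets.

```cisco
! Added example, not from the thread. Assumed addressing (constructed):
!   VLAN 10 (wired)    = 10.0.10.0/24, printer 10.0.10.50, DNS 10.0.10.53, DHCP 10.0.10.10
!   VLAN 20 (wireless) = 10.0.20.0/24
!   routed uplink to the edge router = 192.0.2.2/30, router at 192.0.2.1
ip routing
!
vlan 10
 name WIRED
vlan 20
 name WIRELESS
!
! Filter evaluated as packets from wireless hosts enter the routing process.
! First match wins; there is an implicit "deny ip any any" at the end.
ip access-list extended WIRELESS-IN
 remark DHCP requests must be permitted before ip helper-address relays them
 permit udp any eq bootpc any eq bootps
 remark DNS to the resolver on the wired VLAN (drop if clients use an external resolver)
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.53 eq domain
 remark the single printer wireless clients may reach (raw JetDirect and IPP)
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.50 eq 9100
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.50 eq 631
 remark nothing else on the wired VLAN or on the uplink subnet
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 192.0.2.0 0.0.0.3
 remark everything that is left is Internet-bound
 permit ip 10.0.20.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.10
 ip access-group WIRELESS-IN in
!
! Routed uplink: no tags leave this port, so the edge router needs no trunking.
interface FastEthernet1/0/1
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! AP ports are plain access ports in the wireless VLAN.
interface range FastEthernet1/0/10 - 12
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

On the direction question: "in" on interface Vlan20 means packets arriving from hosts on VLAN 20 before the switch routes them, so a single list catches both the printer traffic and the Internet-bound traffic. Applying the same list as "out" on Vlan10 would only see the wireless-to-wired half and would also have to account for every other source that routes into VLAN 10. Return traffic from the printer and from the Internet is routed normally because no filter is applied in the other direction. As Stephen says, test it: "show ip access-lists WIRELESS-IN" shows per-line hit counts, and a wireless client that can print but cannot ping 10.0.10.1 or any other wired host confirms the intended behaviour.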
