Cisco 877W and DHCP

MarkA-007
Level 1

Hello All,

I've an 877W with four VLANs, all bridged (group) onto a BVI which is bonded to ATM etc. for ADSL.

c870-advipservicesk9-mz.124-15.T5.bin

1 is the backbone, and for the switch, and has DHCP running and working with no problems - x.y.1.z

Multicast is enabled so that various multimedia bits of kit can find each other.

2 is the "primary" wifi, which has android devices as they cannot handle the SSID not being broadcast, or devices that can only do WEP (wifi radio). It has DHCP, x.y.2.z, which works fine. Multicast is enabled so that various multimedia bits of kit can find each other.

3 is a secondary wifi for the kids, "hidden" SSID. They are firewalled so that bugs can't infect any other Windows PC. DHCP x.y.3.z

4 is a secondary wifi for our laptops, "hidden" SSID.

For some reason, DHCP is not working on 4. It was working until the good lady of the house quizzed why her net was not working... I've concentrated on vlan4, as there are no "local" access-list definitions to stop anything.

I've enabled debug ip dhcp server, and can see requests serviced on Vlan2, but not on 4. I've enabled/re-enabled encryption/shields on Vlan4, but still can't see DHCP requests arriving and do not see them being stopped somewhere. I can see that the station authenticates OK, but if I connect the same laptop to vlan 02, requests pour in and are answered, proving it's maybe not a Microsoft problem.

Let me just say, I'm more or less self-taught with the net, no real mentoring, so I 'think' I have the general idea of the different layers, access-lists etc. So this config is probably not ideal, but it works, lacking any real guidance, so any suggestions to improve would be much appreciated, as would explanations of why "not best practice". You'll also see some IPv6 stuff in there; I'm just starting on that path, so bear with me!

Many thanks

Mark

!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
!
hostname <name>
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-15.T5.bin
boot-end-marker
!
logging buffered 4096
enable secret 5 <a secret>
!
aaa new-model
!
!
aaa authentication login root local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
!
dot11 ssid <ssid>02
 vlan 2
 max-associations 20
 authentication open
 guest-mode
 mbssid guest-mode
!
dot11 ssid <ssid>03
 vlan 3
 max-associations 1
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 <a secret>
!
dot11 ssid <ssid>04
 vlan 4
 max-associations 2
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 <a secret>
!
ip wccp web-cache
ip cef
!
!
ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.4.1 192.168.4.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.2.200 192.168.2.254
ip dhcp excluded-address 192.168.2.110 192.168.2.119
!
ip dhcp pool V-LAN01
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.254
 default-router 192.168.1.254
 lease infinite
!
ip dhcp pool V-WLAN02
 network 192.168.2.0 255.255.255.0
 dns-server 192.168.1.254
 default-router 192.168.1.254
 lease infinite
!
ip dhcp pool V-WLAN03
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.254
 dns-server 192.168.3.254
 lease infinite
!
ip dhcp pool V-WLAN4
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254
 dns-server 192.168.4.254
 lease infinite
!
!
ip domain name <a secret>
ip host <loads of fixed ip/machine names>
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip multicast-routing
ip inspect audit-trail
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name firewall tcp
ip inspect name firewall udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
appfw policy-name firewall
 application http
  strict-http action allow alarm
  content-type-verification unknown-type match-req-rsp action allow alarm
  port-misuse tunneling action allow alarm
!
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool DHCP_LAN01_IP6
 prefix-delegation pool DHCP_LAN01_IP6
 dns-server AAAA:1::19
 domain-name <a secret>
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
username root privilege 15 password <a secret>
!
!
archive
 log config
  hidekeys
!
!
ip ssh rsa keypair-name <sssshhhhh>
ip ssh version 2
ip scp server enable
!
track 10 rtr 10 reachability
 delay down 30 up 5
!
class-map match-all torrents
 match protocol bittorrent
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
class-map match-any irc
 match protocol irc
!
!
policy-map deny
 class irc
  drop
 class torrents
  drop
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl bitswap both
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 snmp trap link-status
 pvc 0/101
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nbar protocol-discovery
 ip flow ingress
 !
 encryption vlan 3 mode ciphers <type>
 !
 encryption vlan 2 key 1 size 128bit 7 <a secret> transmit-key
 encryption vlan 2 mode ciphers wep128
 !
 encryption vlan 4 mode ciphers <type>
 !
 ssid <a secret>02
 !
 ssid <a secret>03
 !
 ssid <a secret>04
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 antenna transmit right
 antenna gain 128
 world-mode dot11d country GB both
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip flow ingress
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 192.168.2.254 255.255.255.0
 ip access-group play-time in
 ip flow ingress
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 ip igmp join-group 239.255.255.250
 ip igmp join-group 224.0.1.40
 ip igmp version 3
 ip igmp proxy-service
 no cdp enable
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 ip address 192.168.3.254 255.255.255.0
 ip access-group outgoing-two in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 service-policy input deny
!
interface Dot11Radio0.4
 encapsulation dot1Q 4
 ip address 192.168.40.254 255.255.255.0
 ip flow ingress
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.254 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 ip igmp join-group 239.255.255.250
 ip igmp join-group 224.0.1.40
 ip igmp version 3
 ipv6 address AAAA::1/64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCP_LAN01_IP6 rapid-commit preference 1 allow-hint
!
interface BVI1
 description $FW_OUTSIDE$
 ip address <external> 255.255.248.0   < supplied by isp, so correct !>
 ip access-group incoming-one in
 ip access-group outgoing-one out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp web-cache redirect out
 ip flow ingress
 ip nat outside
 ip inspect firewall in
 ip inspect firewall out
 ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <my external ip>
!
ip flow-cache timeout active 1
ip flow-export version 5
ip flow-export destination 192.168.1.205 9996
!
no ip http server
no ip http secure-server
ip dns server
ip pim ssm range 4
ip nat inside source static tcp 192.168.1.205 80 interface BVI1 80
ip nat inside source static tcp 192.168.1.205 25 interface BVI1 25
ip nat inside source list accepted-lans interface BVI1 overload
!
ip access-list extended accepted-lans
 permit ip 192.168.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended incoming-one
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any log
 permit icmp any host 93.97.186.62 echo-reply
 permit icmp any host 93.97.186.62 time-exceeded
 permit icmp any host 93.97.186.62 unreachable
 deny icmp any any log fragments
 remark ---------------------------------------
 remark INBOUND lets things in
 permit udp any any eq ntp log
 permit udp any any eq domain
 permit tcp any host 93.97.186.62 eq smtp log
 permit tcp any host 93.97.186.62 eq www log
 deny ip any any log
ip access-list extended incoming-two
 permit tcp any any eq 3389 log
 permit udp any any eq snmp log
 permit udp any any eq snmptrap
 deny ip any any log
ip access-list extended outgoing-one
 deny tcp any any eq 445 log
 deny udp any any eq 135 log
 deny tcp any any eq 135 log
 deny udp any any eq netbios-ns log
 deny udp any any eq netbios-dgm log
 permit udp any any eq domain
 permit icmp any any echo
 permit tcp any any eq www
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit tcp any any eq pop3
 permit tcp any any eq 143
 permit udp any any eq ntp
 permit ip any any log
ip access-list extended outgoing-two
 permit icmp any any echo
 permit udp 192.168.0.0 0.0.255.255 eq bootpc host 192.168.0.0 eq bootps
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any any eq domain
 permit udp any any eq ntp
 permit tcp any any eq www
 permit udp any any eq snmp
 permit udp any any eq snmptrap
 permit tcp any any eq 443
 permit tcp any any eq lpd log
 deny ip any any log
ip sla 10
 icmp-echo 8.8.8.8 source-interface Vlan1
 timeout 3000
 threshold 3000
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 208.67.222.222 source-interface Vlan1
 timeout 3000
 threshold 3000
 frequency 10
ip sla schedule 20 life forever start-time now
logging 192.168.1.205
logging 192.168.1.10
access-list 700 permit <mac address> 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server community public RO
snmp-server ifindex persist
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps authenticate-fail
snmp-server enable traps atm pvc
snmp-server enable traps atm subif
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps firewall serverstatus
snmp-server host 192.168.1.10 version 2c public
snmp-server host 192.168.1.205 v2c
no cdp run
arp 192.168.2.220 <mac address> ARPA  <<< strange piece of kit that needs an arp entry!
!
!
ipv6 local pool DHCP_LAN01_IP6 AAAA:1::/48 64
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
 login authentication local
line vty 0 4
 access-class 23 in
 exec-timeout 3600 0
 authorization exec local
 login authentication local
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175415
ntp peer 193.0.0.228
ntp peer 130.88.200.98
ntp peer 158.152.1.76 prefer
time-range any-time
 periodic daily 0:00 to 23:59
!
time-range overnight
 periodic daily 1:00 to 5:30
!
time-range play-time
 periodic Friday 17:00 to 23:00
 periodic Saturday 17:00 to 23:00
 periodic weekdays 17:00 to 21:00
 periodic Sunday 17:00 to 21:00
!
time-range play-time-hols
 periodic daily 12:00 to 22:00
 periodic daily 12:00 to 22:30
!
event manager applet ADSL-Link-Down
 event track 10 state down
 action 1.1 syslog priority emergencies msg "Event Manager detects ADSL routing issue."
 action 2.1 cli command "enable"
 action 2.2 cli command "conf t"
 action 2.3 cli command "int atm0.1"
 action 2.4 cli command "shut"
 action 2.5 cli command "no shut"
event manager applet ADSL-Link-Up
 event track 10 state up
 action 1.1 syslog priority informational msg "Event Manager Reset ADSL"
 action 1.2 mail server "192.168.1.205" to "<me>" from "<router>" subject "Event Manager detected an event, and reset ADSL interface"
!
end
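The IOS DHCP server answers a request out of a pool whose network contains the address of the interface the request arrived on, so a basic consistency check on a config in the format posted above is that every addressed interface falls inside some pool network. The Python below is an added example, not code from the thread: it parses the "ip dhcp pool" and "interface" stanzas, and over a constructed excerpt built from the addresses in the posted config it flags Dot11Radio0.4 (192.168.40.254/24), which no pool covers.

```python
"""The IOS DHCP server serves a pool whose network contains the address of the
interface that received the request, so an addressed interface with no such pool
never hands out leases. SAMPLE_CONFIG is a constructed excerpt of the posted config."""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip dhcp pool V-WLAN02
 network 192.168.2.0 255.255.255.0
 default-router 192.168.1.254
ip dhcp pool V-WLAN4
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 192.168.2.254 255.255.255.0
interface Dot11Radio0.4
 encapsulation dot1Q 4
 ip address 192.168.40.254 255.255.255.0
!
interface BVI1
 no ip address
"""

def parse_config(text):
    """Return ({pool_name: network}, {interface_name: interface_address})."""
    pools, ifaces, section = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"ip dhcp pool (\S+)", line):
            section = ("pool", m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            section = ("iface", m.group(1))
        elif not line.startswith(" "):
            section = None  # any other top-level line ends the stanza
        elif section and (m := re.match(r" (?:network|ip address) (\S+) (\S+)", line)):
            cidr = f"{m.group(1)}/{m.group(2)}"  # IOS 'address mask' form
            if section[0] == "pool":
                pools[section[1]] = ipaddress.ip_network(cidr)
            else:
                ifaces[section[1]] = ipaddress.ip_interface(cidr)
    return pools, ifaces

def interfaces_without_pool(text):
    """Names of addressed interfaces whose address is inside no pool network."""
    pools, ifaces = parse_config(text)
    return sorted(name for name, addr in ifaces.items()
                  if not any(addr.ip in net for net in pools.values()))

if __name__ == "__main__":
    print(interfaces_without_pool(SAMPLE_CONFIG))  # ['Dot11Radio0.4']
```

Run it against "show running-config" output saved to a file (read the file in place of SAMPLE_CONFIG) to list every interface whose clients can never be served from a pool.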

5 Replies

MarkA-007
Level 1

... Anyone?

I've completely reloaded the router, building it bit by bit, but just using the basics to have a working router.

Vlan3 and 4 will not work.. (i.e. setting a manual IP on the wireless client, I can't even ping 192.168.x.254)?

MarkA

Vlan3 and 4 will not work..

If I remember correctly...

An 870 router, if running IOS version 12.4, will only support up to 4 VLANs.

If you downgrade your IOS to 12.3 then the 870 can support up to 10 VLANs.

I was wondering if it was something to do with VLANs being mucked up, since I only use 4 (it tells me I can't use more than four if I try to use more), plus it used to all work until a power interruption.. hah!

Would removing vlan.dat and then a reload force the router to re-write it without any suspected problems?

I've just pulled off all the encryption, and vlan3 works, but with simple WEP back on... the client can't see the DHCP offer going back....

Would removing vlan.dat and then a reload force the router to re-write it without any suspected problems?

You can delete the VLAN.dat and then issue the "write" and the VLAN.dat will get recreated.

Also, do you have the VLANs in the VLAN database? You can find out with the enable command "sh vlan-switching".

Hi Mark,

This could be a problem with the WPA key as well.

wpa-psk ascii 7

Are you using the encrypted key on the client?

Could you try open authentication (without any WPA keys) on these SSIDs and verify if that works?

Regards

Najaf