Configuring a basic network with ISR 1100 WAN router and Catalyst 1000 24 port GE, 4x1G SFP

CiscoGuy1
Level 1

Hello community,

I'm just setting up a basic network configuration and I would like to know if I did understand the concepts correctly.

 

I have following equipment for example:

- 1x ISR 1100 4 Ports DSL Annex B/J and GE WAN Router

- 1x Catalyst 1000 24 port GE, 4x1G SFP (Switch)

- 4 x Cisco Aironet Mobility Express 1815i Series (Access Points - APs)

 

I think it isn't as difficult to configure what I'd like to.

 

I'd like 3 VLANs.

 

So I have to configure following to separate the subnets and to make the network safer:

 

Switch configuration:

- the first 12 ports are reserved for the Server and it's not important for the moment, it's just about the Wireless APs which should be distributed at the last 12 ports.

-> So I separated the network like following: 13 - 15 (VLAN 10), 16 - 18 (VLAN 20), 19 - 21 (VLAN 30)

 

- VLAN 10: AP1 in port 13 and AP2 in port 14

- VLAN 20: AP3 in port 16 and AP4 in port 17

 

VLAN 30 isn't that important right now.

 

All VLANs shouldn't communicate to each other but they should be able to get out to the internet via the WAN router.

 

There should be two SSIDs, one for VLAN 10 (corporate network) and one for VLAN 20 (guest network).

So AP1 and AP2 have one SSID and AP3 and AP4 have one SSID.

 

So, for the switch I need to configure following, right?

SW1(config)#vlan 10
SW1(config-vlan)#name CORPORATE
SW1(config-vlan)#exit
SW1(config)#vlan 20
SW1(config-vlan)#name GUEST
SW1(config-vlan)#exit

With the following switch configuration from the router to the switch, VLAN 10 and 20 have access to the router separately.

 

SW1(config)#interface GigabitEthernet 1/0/18
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,20

So I've chosen Gigabit port 18 as you can see. So, if I assign vlan 10 and 20 to port 18, then I'll be getting access to both VLANs 10 and 20, won't I? The Ethernet cable connected with port 18 on the switch is connected to the WAN router.

 

 

Ok, so AP1, AP2, AP3 and AP4 should be configured as access mode, right?

 

So, all done with the switch configuration.

 

Now the router:

So that the people within the VLANs are able to get out to the Internet, the following has to be configured:

R1(config)#interface vlan 10
R1(config-if)#ip address 192.168.10.254 255.255.255.0
R1(config)#interface vlan 20
R1(config-if)#ip address 192.168.20.254 255.255.255.0

Is it right what I've configured above? Does that make sense?

 

So, all the hosts accessing the APs should get dynamic IP addresses with the following configuration:

R1(config)#ip dhcp pool CORPORATE
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.254

 

R1(config)#ip dhcp pool GUEST
R1(dhcp-config)#network 192.168.20.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.20.254

Is this configuration enough so that the hosts accessing the APs are able to communicate with the Internet but corporate not with guest network?

 

I hope you do understand what I mean. So, if I perform this, this might be working, right?

 

Thanks so much for helping!

1 Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

Your config is mostly correct. I would make the following changes:

* Your APs should be connected via trunk ports. If you need to add more SSIDs it is simply a case of tagging additional VLAN IDs, without causing any downtime.

 

* Your DHCP scopes will also need DNS and domain-name options defined:

!
ip dhcp pool CORPORATE
  network 192.168.10.0 255.255.255.0
  default-router 192.168.10.254
  dns-server 1.1.1.1
  domain-name foo.com
!

* If you want to prevent the Wireless SSIDs from communicating with each other then you need to configure inbound ACLs on the router SVIs:

 

!
ip access-list ext CORP-IN 
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
!
ip access-list ext GUEST-IN
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
!
int vlan 10
ip access-group CORP-IN in
!
int vlan 20
ip access-group GUEST-IN in
!

* One thing you haven't mentioned is NAT for your internal networks to reach the internet.

!
ip nat pool LAN-NAT 172.31.1.249 172.31.1.253 netmask 255.255.255.248
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
ip nat inside source list 1 pool LAN-NAT overload
!
int gi0/0/0
 desc <WAN_connection>
 ip address 172.31.1.254 255.255.255.248
 ip nat outside
!
int vlan 10
 ip nat inside
!
int vlan 20
 ip nat inside
!

cheers,

Seb.

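Before trusting a segmentation design like the one asked about above (VLANs that must reach the internet but not each other), it is worth checking the ACLs against concrete flows rather than reading them. The following is an added example, not code from this thread or from Cisco: a small Python evaluator for the two inbound ACLs in the accepted answer, implementing only the subset of IOS extended-ACL semantics those lines use (`permit|deny ip SRC WILDCARD DST WILDCARD`, `any`, first match wins, implicit deny at the end). The host addresses 192.168.10.25, 192.168.20.25 and 203.0.113.10 are constructed sample values; 172.31.1.254 is the router WAN address from the NAT snippet.

```python
"""Evaluate the CORP-IN / GUEST-IN ACLs from the thread against sample flows.

Added example, not code from the thread or from Cisco. Only the ACE forms used
in the answer are supported; anything else raises ValueError.
"""
import ipaddress
from dataclasses import dataclass

# ACL bodies copied from the answer (the 'ip access-list ext NAME' header and
# the 'ip access-group NAME in' binding on each SVI are assumed to be applied).
CORP_IN = """
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip any any
"""
GUEST_IN = """
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip any any
"""


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    src_net: int
    src_wild: int   # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse 'any' or 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(text):
    """Turn the ACL text into an ordered list of ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src_net, src_wild, i = _parse_addr(tokens, 2)
        dst_net, dst_wild, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src_net, src_wild, dst_net, dst_wild))
    return aces


def _matches(addr, net, wild):
    # Compare only the bits that are 0 in the wildcard mask.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces, src, dst):
    """Return 'permit' or 'deny' for an IP packet src->dst (first match wins, implicit deny)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"


def check_segmentation():
    """Flows to verify for the design in the thread (sample host addresses are constructed)."""
    corp = parse_acl(CORP_IN)
    guest = parse_acl(GUEST_IN)
    return {
        "corp->guest": evaluate(corp, "192.168.10.25", "192.168.20.25"),
        "corp->internet": evaluate(corp, "192.168.10.25", "203.0.113.10"),
        "guest->corp": evaluate(guest, "192.168.20.25", "192.168.10.25"),
        "guest->corp-gateway": evaluate(guest, "192.168.20.25", "192.168.10.254"),
        "guest->internet": evaluate(guest, "192.168.20.25", "203.0.113.10"),
        # The router's WAN address is outside both /24s, so 'permit ip any any' lets guests reach it.
        "guest->router-wan": evaluate(guest, "192.168.20.25", "172.31.1.254"),
    }


if __name__ == "__main__":
    for flow, verdict in check_segmentation().items():
        print(f"{flow:22s} {verdict}")
```

The last flow is the caveat the evaluator surfaces: the answer's ACLs block guest-to-corporate traffic, but the trailing `permit ip any any` still lets a guest host reach the router's own WAN address (and any other address outside the two /24s). If the guest SSID should only reach the internet, add a deny for the router's addresses ahead of the final permit, then re-run the checks.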

2 Replies


Thank you for your effort! I really appreciate it 👍.
