10-17-2015 03:06 PM - edited 03-05-2019 02:32 AM
I am trying to add an isolated guest network to my router/AP. I was able to trunk VLAN 1 at the AP, but I am unable to get a DHCP address or ping the router with a manual address from SSID 'tmp' on VLAN 100.
Router
LAR#sh run
Building configuration...
Current configuration : 5519 bytes
!
! Last configuration change at 20:48:47 UTC Sat Oct 17 2015 by mlar
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LAR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.64
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.1 192.168.1.64
!
ip dhcp pool LAR
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 10.0.0.2
!
ip dhcp pool TMP
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
!
no ip domain lookup
ip domain name lariv
ip host itxfiler 10.0.0.2
ip name-server 10.0.0.2
ip cef
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki...
!
license accept end user agreement
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
hw-module ism 0
!
!
!
username mlar privilege 15 secret 5 ...
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description " *** LAN ACCESS PORT *** "
no ip address
shutdown
duplex auto
speed auto
!
interface wlan-ap0
description " *** AP MGMT *** "
ip unnumbered Vlan1
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description " *** WAN DHCP ***
ip ddns update hostname lariv.servebeer.com
ip ddns update no-ip
ip address dhcp hostname lar
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0/0
description " *** BUILTIN 3502 AP *** "
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1/0
description " *** LAN ACCESS PORT *** "
no ip address
!
interface GigabitEthernet0/1/1
description " *** LAN ACCESS PORT *** "
no ip address
!
interface GigabitEthernet0/1/2
description " *** LAN ACCESS PORT *** "
no ip address
!
interface GigabitEthernet0/1/3
description " *** LAN ACCESS PORT *** "
no ip address
power inline never
!
interface GigabitEthernet0/1/4
description " *** LAN ACCESS PORT *** "
no ip address
!
interface GigabitEthernet0/1/5
description " *** LAN ACCESS PORT *** "
no ip address
!
interface GigabitEthernet0/1/6
description " *** NAS 2x GE LACP *** "
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet0/1/7
description " *** NAS 2x GE LACP *** "
no ip address
no cdp enable
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
description TMP
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no autostate
!
ip forward-protocol nd
!
no ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.0.2 51413 interface GigabitEthernet0/1 51413
ip nat inside source static udp 10.0.0.2 51413 interface GigabitEthernet0/1 51413
!
!
route-map INCOMING permit 10
match ip address 199
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input ssh
transport output ssh
line vty 0 4
access-class 1 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 1 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
LAR#sh vlans
No Virtual LANs configured.
LAR#sh vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2, Gi0/1/3, Gi0/1/4, Gi0/1/5, Gi0/1/6, Gi0/1/7
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
local.ap#sh run
Building configuration...
Current configuration : 3584 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname local.ap
!
logging rate-limit console 9
enable secret 5 $1$8CzD$PqkVaQHWA.tZ6F078QUgs/
enable password 7 073C71405D5A09
!
no aaa new-model
no ip source-route
ip domain name lariv
!
!
dot11 syslog
!
dot11 ssid lar
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 03075A0D031D204F4B1B
!
dot11 ssid tmp
vlan 100
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 111D1C16031C0E18557878
!
!
!
username mlar privilege 15 password 7 ...
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 100 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid lar
!
ssid tmp
!
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
beacon period 1000
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 100 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid lar
!
antenna gain 0
dfs band 3 block
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
beacon period 1000
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
no keepalive
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface BVI1
ip address 10.0.0.3 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
bridge 1 protocol ieee
bridge 1 route ip
bridge 100 protocol ieee
!
!
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
transport input all
!
cns dhcp
end
10-17-2015 06:27 PM
Hello,
I do not see vlan 100 on LAR. Did you create it?
Create BVI100 on Local.ap and ping 192.168.1.1 to make sure your trunk works properly. Then delete it.
interface BVI100
ip address 192.168.1.3 255.255.255.0
no ip route-cache
If I understood correctly, your wireless users connect to local.ap and then go through LAR to access the internet. It would be clearer if you shared your topology.
Masoud
10-18-2015 01:07 PM
LAR is management and internet traffic for the server/IT network.
TMP is the isolated guest network that should only be able to reach 10.0.0.2 port 53.
BVI100 fails to respond to ping.
10-18-2015 07:48 AM
LAR is my management network (VLAN 1), which is used only by me to get to the internet.
There is a caching DNS server sitting on this network that the router uses.
I get a DHCP lease for 10.0.0.0/24.
I can access everything.
The TMP SSID (VLAN 100) is supposed to have isolated access only to the internet.
A manual IP of 192.168.1.65/24 does not respond to ping.
The AP responds to ping, but traceroute shows it is going through 10.0.0.1 (10.0.0.3, BVI1?).
It was my understanding that I do not want a BVI on that network, for better security?
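Added example, not from the thread and not Cisco's code: a small Python checker that makes Masoud's diagnosis ("I do not see vlan 100 on LAR") mechanical and adds the two further checks a reviewer of the posted 'sh run' would make given the guest-isolation goal stated in the follow-ups. It runs over a constructed excerpt of the posted 'sh run' and 'sh vlan-switch' output, trimmed to the two SVIs, the NAT statement and access-list 1. The guest VLAN id (100) and the expectation that the guest SVI carries an inbound access-group are assumptions about the intended design, not something present in the posted configuration.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt of the router's posted 'sh run': only the stanzas the
# checks below read (the two SVIs, the NAT statement and its source ACL).
ROUTER_CONFIG = """\
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Vlan100
 description TMP
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no autostate
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 10.0.0.0 0.0.0.255
"""

# Constructed excerpt of the posted 'sh vlan-switch' output (first table only).
SHOW_VLAN_SWITCH = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""


def parse_svis(config):
    """Map each 'interface VlanN' stanza to its subnet, NAT role and inbound ACL."""
    svis, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            current = int(m.group(1))
            svis[current] = {"network": None, "nat_inside": False, "acl_in": None}
            continue
        if line == "!" or line.startswith("interface "):
            current = None  # end of the SVI stanza
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            svis[current]["network"] = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif line == "ip nat inside":
            svis[current]["nat_inside"] = True
        else:
            m = re.match(r"ip access-group (\S+) in$", line)
            if m:
                svis[current]["acl_in"] = m.group(1)
    return svis


def parse_vlan_db(show_vlan_switch):
    """VLAN ids the switch module actually has in its database."""
    ids = set()
    for line in show_vlan_switch.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+(active|act/unsup)\b", line)
        if m:
            ids.add(int(m.group(1)))
    return ids


def parse_nat_sources(config):
    """Subnets selected for translation by the ACL named in 'ip nat inside source list'."""
    m = re.search(r"^ip nat inside source list (\S+) interface", config, re.M)
    if not m:
        return []
    acl = re.escape(m.group(1))
    nets = []
    for entry in re.finditer(rf"^access-list {acl} permit (\S+)(?: (\S+))?$", config, re.M):
        addr, wildcard = entry.group(1), entry.group(2)
        if wildcard in (None, "0.0.0.0"):      # single-host entry
            nets.append(IPv4Network(f"{addr}/32"))
        else:                                  # an IOS wildcard is an ipaddress hostmask
            nets.append(IPv4Network(f"{addr}/{wildcard}", strict=False))
    return nets


def audit(config, show_vlan_switch, guest_vlans):
    """Return human-readable findings; an empty list means all three checks pass."""
    findings = []
    vlan_db = parse_vlan_db(show_vlan_switch)
    nat_nets = parse_nat_sources(config)
    for vid, svi in sorted(parse_svis(config).items()):
        if vid not in vlan_db:
            findings.append(f"Vlan{vid}: SVI configured but VLAN {vid} is missing from the "
                            f"vlan-switch database, so the trunk cannot carry it")
        net = svi["network"]
        if svi["nat_inside"] and net and not any(net.subnet_of(n) for n in nat_nets):
            findings.append(f"Vlan{vid}: {net} is 'ip nat inside' but no NAT source ACL entry covers it")
        if vid in guest_vlans and svi["acl_in"] is None:
            findings.append(f"Vlan{vid}: guest SVI has no inbound access-group, so guests can "
                            f"reach every other inside VLAN the router connects")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTER_CONFIG, SHOW_VLAN_SWITCH, guest_vlans={100}):
        print("-", finding)
```

Against the excerpt it reports three findings, all on Vlan100. VLAN 100 is absent from the EtherSwitch module's database ('no autostate' keeps the SVI up regardless, which hides the gap, and 'sh vlans' only lists dot1Q subinterfaces on routed ports, which is why it and 'sh vlan-switch' disagree about what exists). 192.168.1.0/24 is not matched by access-list 1, so guest traffic would never be translated out GigabitEthernet0/1 even once layer 2 works. And nothing limits what the guest SVI can route to, so "isolated" currently rests on an ACL that does not yet exist; the router forwards between its SVIs by default.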