Add guest mbssid 'tmp' to a working 1941w config

malarivi
Cisco Employee

I am trying to add an isolated guest network to my router/AP. I was able to trunk VLAN 1 at the AP, but I am unable to get a DHCP address, or to ping the router with a manual address, from SSID 'tmp' on VLAN 100.

 

Router

LAR#sh run

Building configuration...

 

Current configuration : 5519 bytes

!

! Last configuration change at 20:48:47 UTC Sat Oct 17 2015 by mlar

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname LAR

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

service-module wlan-ap 0 bootimage autonomous

!

!

!

!

!

 

 

!

ip dhcp excluded-address 10.0.0.1

ip dhcp excluded-address 10.0.0.1 10.0.0.64

ip dhcp excluded-address 192.168.1.1

ip dhcp excluded-address 192.168.1.1 192.168.1.64

!         

ip dhcp pool LAR

 import all

 network 10.0.0.0 255.255.255.0

 default-router 10.0.0.1 

 dns-server 10.0.0.2 

!

ip dhcp pool TMP

 import all

 network 192.168.1.0 255.255.255.0

 default-router 192.168.1.1 

 dns-server 192.168.1.1 

!

!

!

no ip domain lookup

ip domain name lariv

ip host itxfiler 10.0.0.2

ip name-server 10.0.0.2

ip cef

ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63

no ipv6 cef

!

multilink bundle-name authenticated

!

!

crypto pki...

!

license accept end user agreement

license boot module c1900 technology-package securityk9

license boot module c1900 technology-package datak9

hw-module ism 0

!

!

!         

username mlar privilege 15 secret 5 ...

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

 no ip address

 shutdown

!

interface GigabitEthernet0/0

 description " *** LAN ACCESS PORT *** "

 no ip address

 shutdown

 duplex auto

 speed auto

!

interface wlan-ap0

 description " *** AP MGMT *** "

 ip unnumbered Vlan1

 arp timeout 0

 no mop enabled

 no mop sysid

!

interface GigabitEthernet0/1

 description " *** WAN DHCP ***

 ip ddns update hostname lariv.servebeer.com

 ip ddns update no-ip

 ip address dhcp hostname lar

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

!

interface Wlan-GigabitEthernet0/0

 description " *** BUILTIN 3502 AP *** "

 switchport mode trunk

 no ip address

!

interface GigabitEthernet0/1/0

 description " *** LAN ACCESS PORT *** "

 no ip address

!

interface GigabitEthernet0/1/1

 description " *** LAN ACCESS PORT *** "

 no ip address

!

interface GigabitEthernet0/1/2

 description " *** LAN ACCESS PORT *** "

 no ip address

!         

interface GigabitEthernet0/1/3

 description " *** LAN ACCESS PORT *** "

 no ip address

 power inline never

!

interface GigabitEthernet0/1/4

 description " *** LAN ACCESS PORT *** "

 no ip address

!

interface GigabitEthernet0/1/5

 description " *** LAN ACCESS PORT *** "

 no ip address

!

interface GigabitEthernet0/1/6

 description " *** NAS 2x GE LACP *** "

 no ip address

 shutdown

 no cdp enable

!

interface GigabitEthernet0/1/7

 description " *** NAS 2x GE LACP *** "

 no ip address

 no cdp enable

!

interface Vlan1

 ip address 10.0.0.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

interface Vlan100

 description TMP

 ip address 192.168.1.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 no autostate

!

ip forward-protocol nd

!

no ip http server

ip http access-class 1

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface GigabitEthernet0/1 overload

ip nat inside source static tcp 10.0.0.2 51413 interface GigabitEthernet0/1 51413

ip nat inside source static udp 10.0.0.2 51413 interface GigabitEthernet0/1 51413

!

!

route-map INCOMING permit 10

 match ip address 199

!

!

access-list 1 permit 10.0.0.0 0.0.0.255

!

control-plane

!

!

!

line con 0

 login local

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport output ssh

 stopbits 1

line 67

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output ssh

line vty 0 4

 access-class 1 in

 privilege level 15

 login local

 transport input ssh

line vty 5 15

 access-class 1 in

 privilege level 15

 login local

 transport input ssh

!

scheduler allocate 20000 1000

!

end

LAR#sh vlans

 

No Virtual LANs configured.

 

LAR#sh vlan-switch 

 

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2, Gi0/1/3, Gi0/1/4, Gi0/1/5, Gi0/1/6, Gi0/1/7

1002 fddi-default                     act/unsup 

1003 token-ring-default               act/unsup 

1004 fddinet-default                  act/unsup 

1005 trnet-default                    act/unsup 

 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        1002   1003

1002 fddi  101002     1500  -      -      -        -    -        1      1003

1003 tr    101003     1500  1005   0      -        -    srb      1      1002

1004 fdnet 101004     1500  -      -      1        ibm  -        0      0   

1005 trnet 101005     1500  -      -      1        ibm  -        0      0

 

 

local.ap#sh run                

Building configuration...

 

Current configuration : 3584 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname local.ap

!

logging rate-limit console 9

enable secret 5 $1$8CzD$PqkVaQHWA.tZ6F078QUgs/

enable password 7 073C71405D5A09

!

no aaa new-model

no ip source-route

ip domain name lariv

!

!

dot11 syslog

!

dot11 ssid lar

   vlan 1

   authentication open 

   authentication key-management wpa version 2

   mbssid guest-mode

   wpa-psk ascii 7 03075A0D031D204F4B1B

!

dot11 ssid tmp

   vlan 100

   authentication open 

   authentication key-management wpa version 2

   mbssid guest-mode

   wpa-psk ascii 7 111D1C16031C0E18557878

!

!

!

username mlar privilege 15 password 7 ...

!

!

bridge irb

!

!

interface Dot11Radio0

 no ip address

 no ip route-cache

 !

 encryption mode ciphers aes-ccm tkip 

 !

 encryption vlan 100 mode ciphers aes-ccm tkip 

 !

 encryption vlan 1 mode ciphers aes-ccm tkip 

 !

 ssid lar

 !

 ssid tmp

 !

 antenna gain 0

 mbssid

 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

 station-role root

 beacon period 1000

!

interface Dot11Radio0.1

 encapsulation dot1Q 1 native

 no ip route-cache

 bridge-group 1

 bridge-group 1 block-unknown-source

 no bridge-group 1 source-learning

 no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.100

 encapsulation dot1Q 100

 no ip route-cache

 bridge-group 100

 bridge-group 100 block-unknown-source

 no bridge-group 100 source-learning

 no bridge-group 100 unicast-flooding

 bridge-group 100 spanning-disabled

!

interface Dot11Radio1

 no ip address

 no ip route-cache

 !

 encryption mode ciphers aes-ccm tkip 

 !

 encryption vlan 100 mode ciphers aes-ccm tkip 

 !

 encryption vlan 1 mode ciphers aes-ccm tkip 

 !

 ssid lar

 !        

 antenna gain 0

 dfs band 3 block

 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

 channel dfs

 station-role root

 beacon period 1000

!

interface Dot11Radio1.1

 encapsulation dot1Q 1 native

 no ip route-cache

 bridge-group 1

 bridge-group 1 subscriber-loop-control

 bridge-group 1 block-unknown-source

 no bridge-group 1 source-learning

 no bridge-group 1 unicast-flooding

 bridge-group 1 spanning-disabled

!

interface Dot11Radio1.100

 encapsulation dot1Q 100

 no ip route-cache

 bridge-group 100

 bridge-group 100 subscriber-loop-control

 bridge-group 100 block-unknown-source

 no bridge-group 100 source-learning

 no bridge-group 100 unicast-flooding

 bridge-group 100 spanning-disabled

!

interface GigabitEthernet0

 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

 no ip address

 no ip route-cache

 no keepalive

 bridge-group 1

 no bridge-group 1 source-learning

 bridge-group 1 spanning-disabled

!

interface GigabitEthernet0.100

 encapsulation dot1Q 100

 no ip route-cache

 no keepalive

 bridge-group 100

 no bridge-group 100 source-learning

 bridge-group 100 spanning-disabled

!

interface BVI1

 ip address 10.0.0.3 255.255.255.0

 no ip route-cache

!

ip default-gateway 10.0.0.1

no ip http server

no ip http secure-server

bridge 1 protocol ieee

bridge 1 route ip

bridge 100 protocol ieee

!

!

!

line con 0

 privilege level 15

 login local

 no activation-character

line vty 0 4

 login local

 transport input all

!

cns dhcp

end

   

3 Replies

Hello,

I do not see VLAN 100 on LAR. Did you create it?

Create BVI100 on local.ap and ping 192.168.1.1 to make sure your trunk works properly. Then delete it.

interface BVI100
 ip address 192.168.1.3 255.255.255.0
 no ip route-cache

 

If I understood correctly, your wireless users connect to local.ap and then go through LAR to access the internet. It would be clearer if you shared your topology.

Masoud

LAR carries management and internet traffic for the server/IT network.

 

TMP is the isolated guest network that should only be able to reach 10.0.0.2 port 53.

 

BVI100 fails to respond to ping.

malarivi
Cisco Employee

LAR is my management network (VLAN 1), which is used only by me to get to the internet.

There is a caching DNS server sitting on this network that the router uses.

I get a DHCP lease for 10.0.0.0/24.

I can access everything.

 

The TMP SSID (VLAN 100) is supposed to have isolated access only to the internet.

A manual IP of 192.168.1.65/24 does not respond to ping.

The AP responds to ping, but traceroute shows it is going through 10.0.0.1 (10.0.0.3, BVI1?).


It was my understanding that I do not want a BVI on that network, for better security?
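Added example (editor's, not from any post in this thread): the router-side changes on LAR that the posted output points to. `show vlan-switch` on LAR lists only VLAN 1, so VLAN 100 was never created in the integrated switch's VLAN database even though `interface Vlan100` is configured, and the trunk toward Wlan-GigabitEthernet0/0 has no VLAN 100 to carry for the 'tmp' SSID. The AP side already bridges VLAN 100 (Dot11Radio0.100 and GigabitEthernet0.100 in bridge-group 100) without a BVI, which is the usual layout for a non-management VLAN on an autonomous AP; the BVI100 suggested above is only a temporary trunk test. The example also adds the isolation the follow-ups ask for (guests reach 10.0.0.2 on port 53 and the internet, nothing else on 10.0.0.0/24) and brings the guest subnet into NAT without reusing access-list 1, which the posted config also uses as the vty and HTTP access-class. The ACL name GUEST_IN and access-list 10 are names chosen for this example; the addresses, interfaces and pool names are taken from the posted config.

```ios
! Added example, not part of the posted configs. Router (LAR) side only.
! ACL name GUEST_IN and access-list 10 are names chosen for this example.
!
! 1) Create VLAN 100 in the integrated switch's VLAN database.
!    'show vlan-switch' lists only VLAN 1, so the Vlan100 SVI has no L2
!    VLAN behind it yet ('no autostate' only keeps the SVI up; it does not
!    create the VLAN) and the trunk to the AP cannot carry tag 100.
LAR# vlan database
LAR(vlan)# vlan 100 name TMP
LAR(vlan)# exit
LAR# show vlan-switch brief
!
! 2) Guest DHCP: pool TMP hands out 192.168.1.1 as DNS server, but LAR is not
!    configured as a DNS server. The follow-up says guests should reach
!    10.0.0.2 port 53, so point them there.
LAR# configure terminal
LAR(config)# ip dhcp pool TMP
LAR(dhcp-config)#  dns-server 10.0.0.2
LAR(dhcp-config)#  exit
!
! 3) Guest isolation on the Vlan100 SVI: allow DHCP to the router, DNS to
!    10.0.0.2, ICMP echo to the gateway for testing, then deny everything
!    else toward 10.0.0.0/24 (this covers the router's 10.0.0.1 and the AP's
!    10.0.0.3) and toward the router's own guest address, before permitting
!    the internet.
LAR(config)# ip access-list extended GUEST_IN
LAR(config-ext-nacl)#  permit udp any eq bootpc any eq bootps
LAR(config-ext-nacl)#  permit udp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq domain
LAR(config-ext-nacl)#  permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq domain
LAR(config-ext-nacl)#  permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
LAR(config-ext-nacl)#  deny   ip any 10.0.0.0 0.0.0.255 log
LAR(config-ext-nacl)#  deny   ip any host 192.168.1.1 log
LAR(config-ext-nacl)#  permit ip 192.168.1.0 0.0.0.255 any
LAR(config-ext-nacl)#  exit
LAR(config)# interface Vlan100
LAR(config-if)#  ip access-group GUEST_IN in
LAR(config-if)#  exit
!
! 4) NAT: 'ip nat inside source list 1' matches only 10.0.0.0/24, so guest
!    traffic would leave Gi0/1 untranslated. Do not simply add 192.168.1.0/24
!    to access-list 1: the same list is the access-class on the vty lines and
!    on 'ip http access-class', so that would open management access to the
!    guest VLAN. Use a separate list for NAT (10 is chosen here). The old
!    dynamic mapping cannot be removed while translations exist, hence the
!    clear first.
LAR(config)# access-list 10 permit 10.0.0.0 0.0.0.255
LAR(config)# access-list 10 permit 192.168.1.0 0.0.0.255
LAR(config)# do clear ip nat translation *
LAR(config)# no ip nat inside source list 1 interface GigabitEthernet0/1 overload
LAR(config)# ip nat inside source list 10 interface GigabitEthernet0/1 overload
LAR(config)# end
LAR# write memory
!
! 5) Verify with a client on SSID 'tmp': it should get a 192.168.1.x lease,
!    resolve names via 10.0.0.2, ping 192.168.1.1, and fail to reach 10.0.0.3
!    (the denies are logged, so the attempt shows up in the router log).
LAR# show vlan-switch brief
LAR# show ip interface brief | include Vlan
LAR# show ip dhcp binding
LAR# show access-lists GUEST_IN
LAR# show ip nat translations
```

Step 1 is the one that makes the trunk carry VLAN 100 at all; steps 2 to 4 only matter once the client can reach 192.168.1.1. The `show access-lists GUEST_IN` counters are the quickest way to confirm that a guest's DNS lookups hit the permit to 10.0.0.2 and that everything else toward 10.0.0.0/24 lands on the logged deny.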
