877w router WIFI routed configuration not bridged

Criterion
Level 1

Hi everyone,

I'm trying to set up a Cisco 877W router and WiFi in a routed configuration as opposed to bridged. I'm also aiming to have a guest VLAN that is separated from the main network as the guest SSID.

Problem I'm having at the moment is routing (or any communication) between my main wifi subnet (which is configured as 'test' at the moment) and my wired subnet, both on vlan 1. I must be missing something really simple but I'm learning so please explain or refer to documentation that explains what I had missed and the solution to it.

Below is my config (thanks in advance):


version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <name>
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone Bri 10 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2977923712
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2977923712
 revocation-check none
 rsakeypair TP-self-signed-2977923712
!
!
dot11 mbssid
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid test
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 <key>
!
no ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
 import all
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
 dns-server 203.12.160.35 203.12.160.36 4.2.2.2
!
ip dhcp pool testwifi
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.0.1
 dns-server 203.12.160.35 203.12.160.36 4.2.2.2
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip name-server 203.12.160.35
ip name-server 203.12.160.36
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
username <admin/root user>
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip virtual-reassembly in
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 pvc 8/35
  tx-ring-limit 3
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Dot11Radio0
 no ip address
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip tcp adjust-mss 1400
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid test
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip tcp adjust-mss 1460
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1460
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username <dsl creds>
 no cdp enable
!
router rip
 network 172.16.0.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list NAT_PERMIT_RANGE interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL_PERMIT_INTERNAL
 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended NAT_PERMIT_RANGE
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 172.16.1.0 0.0.0.255 any
!
access-list 700 permit 0000.0000.0000   ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 logging synchronous
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
ntp server 130.102.128.23
ntp server 203.14.0.250
end




Philip D'Ath
VIP Alumni

The default router is wrong in the dhcp pool.

ip dhcp pool testwifi
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.0.1
 dns-server 203.12.160.35 203.12.160.36 4.2.2.2

It should be:

ip dhcp pool testwifi
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 203.12.160.35 203.12.160.36 4.2.2.2
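
Added example (not part of the original thread and not Cisco code): a Python check that every DHCP pool's `default-router` lies inside the pool's `network` and is an address configured on a router interface. The sample is a trimmed, constructed copy of the configuration posted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: pools and addressed interfaces trimmed from the posted config.
SAMPLE_CONFIG = """\
ip dhcp pool sdm-pool1
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
ip dhcp pool testwifi
 network 172.16.1.0 255.255.255.0
 default-router 172.16.0.1
interface Dot11Radio0.1
 ip address 172.16.1.1 255.255.255.0
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
"""

def parse_sections(config):
    """Map each top-level command to the indented sub-commands below it."""
    sections, current = {}, []
    for line in config.splitlines():
        if line[:1].isspace() and line.strip():
            current.append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = sections.setdefault(line.strip(), [])
    return sections

def check_dhcp_gateways(config):
    """Return (pool, gateway, problem) for every inconsistent default-router."""
    sections = parse_sections(config)
    # Addresses the router itself holds ("no ip address"/"negotiated" never match).
    owned = {m.group(1) for h, body in sections.items() if h.startswith("interface ")
             for m in (re.fullmatch(r"ip address (\S+) \S+", c) for c in body) if m}
    findings = []
    for header, body in sections.items():
        cmds = {c.split()[0]: c.split()[1:] for c in body}
        if not header.startswith("ip dhcp pool ") or len(cmds.get("network", [])) != 2:
            continue
        pool = header.split()[3]
        # Accept both "network A.B.C.D MASK" and "network A.B.C.D /LEN".
        net = ipaddress.ip_network("/".join(cmds["network"]).replace("//", "/"))
        for gw in cmds.get("default-router", []):
            if ipaddress.ip_address(gw) not in net:
                findings.append((pool, gw, f"outside {net}"))
            elif gw not in owned:
                findings.append((pool, gw, "no interface has this address"))
    return findings
```
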

Hey Philip, thanks for the response. Just because it's a different interface of the SAME router, I didn't see the effect it could have and had it configured like that originally to test to see if it would work. Worked fine for the internet and NAT. I realise that technically it should be how you pointed it out to be.

I just changed it, but to no avail. I can ping the VLAN1 interface on 172.16.0.1 but not anything else in that subnet. Does that sound right?

C:\Users\surface>ping 172.16.0.1

Pinging 172.16.0.1 with 32 bytes of data:
Reply from 172.16.0.1: bytes=32 time=2ms TTL=255
Reply from 172.16.0.1: bytes=32 time=197ms TTL=255
Reply from 172.16.0.1: bytes=32 time=135ms TTL=255
Reply from 172.16.0.1: bytes=32 time=184ms TTL=255

Ping statistics for 172.16.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 197ms, Average = 129ms

C:\Users\surface>ping 172.16.0.22

Pinging 172.16.0.22 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.0.22:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Hi,

On the wireless, if you are not bridging why not have the following:

dot11 ssid test
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 <key>

interface Dot11Radio0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip tcp adjust-mss 1400
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid test
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
**Please rate posts you find helpful**

Hi, thanks for the response John. You must have missed the part where I stated that I was going to have more than one vlan for the purposes of a segregated guest network that would be isolated from the main network. Hence the reason why I have mbssid and sub-interfaces for DotRadio configured :)

Hi,

Okay, you will need to bridge and have different vlans. Have a look at the following doc:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116579-configure-technology-00.html

Thanks

John

**Please rate posts you find helpful**

I think I have a bigger problem. I tried to ping a device on the Vlan1 subnet, i.e. the 172.16.0.0 subnet, specifically 172.16.0.3, a device which can ping and receive a response from the router, but the router cannot ping it:

RTR01#ping 172.16.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Vlan1 interface on the router responds:

RTR01#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Things I've tried so far, thinking it might be to do with a routing problem, or ACL or whatever, are as follows (added or modified):

added:

router rip 
network 172.16.1.0

ip route 172.16.0.0 255.255.255.0 vlan1
ip route 172.16.1.0 255.255.255.0 Dot11Radio 0.1

interface Dot11Radio0.1
ip tcp adjust-mss 1460

no dot11 association mac-list 700

Modified to:

interface Dot11Radio0
ip tcp adjust-mss 1460

You do not need static routes for directly connected interfaces.  Delete:

ip route 172.16.0.0 255.255.255.0 vlan1
ip route 172.16.1.0 255.255.255.0 Dot11Radio 0.1

If the host can ping the router but the router can not ping the host then it is more likely to be an issue with a local host firewall, such as Windows Firewall.

Lastly, now that I got it working, Philip, I tested it out just for learning's sake: having both default router settings as 172.16.0.1 does not prevent pings from being routed. Technically speaking though, for consistency's sake, I've set it back to 172.16.1.1. Only logical to have it like that....

Criterion
Level 1
Would you believe it? I had Windows FW on, which was blocking ICMP requests, and I finally got ping and other communications on vlan1 working now. Don't know if any of the changes I made helped, but that was the final change I made before it worked.