08-17-2022 05:15 AM
Hi,
I'm trying to set up an 897 router to share a single DSL (with cellular failover) connection among 3 apartments - each with their own access point and VLAN, along with a single guest wifi network. I can connect to the access point and ping the router and internet, but I can't seem to reach the BVI on the access point. I can see the ARP request updating the MAC address table, but no successful pings in either direction. Config for router and access point attached - any feedback would be appreciated.
The config below is a work in progress - the access points attached to gig2 and gig3 are not yet set up for mbssid (trying to get the first access point to behave as expected), and are reachable just fine from the BVI interface. The access-lists on vlan7 and vlan8 are to prevent users from reaching outside of their own networks, and appear to work just fine.
AP3602i_unit_1#sh run
Building configuration...
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP3602i_unit_1
!
!
logging rate-limit console 9
enable secret xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip domain name xxxxxxx
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name UNIT_1 vlan 6
dot11 vlan-name UNIT_1_ITS vlan 106
!
dot11 ssid cisco_wifi_test
vlan 6
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii xxxxxx
!
dot11 ssid guest_wifi
vlan 200
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii xxxxxxx
!
!
!
no ipv6 cef
!
!
username exec_login privilege 15 secret xxxxxxxxxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
shutdown
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 6 mode ciphers aes-ccm
!
encryption vlan 200 mode ciphers aes-ccm
!
ssid cisco_wifi_test
!
ssid guest_wifi
!
antenna gain 0
peakdetect
no dfs band block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.6
encapsulation dot1Q 6
bridge-group 6
bridge-group 6 subscriber-loop-control
bridge-group 6 spanning-disabled
bridge-group 6 block-unknown-source
no bridge-group 6 source-learning
no bridge-group 6 unicast-flooding
!
interface Dot11Radio1.200
encapsulation dot1Q 200
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 spanning-disabled
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.6
encapsulation dot1Q 6
bridge-group 6
bridge-group 6 spanning-disabled
no bridge-group 6 source-learning
!
interface GigabitEthernet0.200
encapsulation dot1Q 200
bridge-group 200
bridge-group 200 spanning-disabled
no bridge-group 200 source-learning
!
interface BVI1
mac-address xxxx.xxxx.xxxx
no ip address
!
interface BVI6
mac-address xxxx.xxxx.xxxx
ip address 10.1.6.20 255.255.255.0
!
interface BVI200
mac-address xxxx.xxxx.xxxx
ip address 172.16.16.20 255.255.255.0
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip ssh version 2
!
!
!
bridge 1 route ip
bridge 6 route ip
!
!
line con 0
exec-timeout 0 0
line vty 0 4
transport input ssh
!
end
R897VAG-LTE
Building configuration...
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R897VAG-LTE_base
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone AEST 10 0
!
!
!
ip dhcp excluded-address 10.1.6.1 10.1.6.69
ip dhcp excluded-address 10.1.7.1 10.1.7.69
ip dhcp excluded-address 10.1.8.1 10.1.8.69
!
ip dhcp pool ITS_UNIT_1
network 10.1.106.0 255.255.255.0
default-router 10.1.106.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
option 150 ip 10.1.106.1
!
ip dhcp pool ITS_UNIT_2
network 10.1.107.0 255.255.255.0
default-router 10.1.107.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
option 150 ip 10.1.107.1
!
ip dhcp pool ITS_UNIT_3
network 10.1.108.0 255.255.255.0
default-router 10.1.108.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
option 150 ip 10.1.108.1
!
ip dhcp pool PC_UNIT_1
network 10.1.6.0 255.255.255.0
default-router 10.1.6.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
option 150 ip 10.1.106.1
!
ip dhcp pool PC_UNIT_2
network 10.1.7.0 255.255.255.0
default-router 10.1.7.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
option 150 ip 10.1.107.1
!
ip dhcp pool PC_UNIT_3
network 10.1.8.0 255.255.255.0
default-router 10.1.8.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
option 150 ip 10.1.108.1
!
ip dhcp pool GUEST_WIFI
network 172.16.16.0 255.255.255.0
default-router 172.16.16.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
!
ip dhcp pool tftp_server
host 10.1.6.69 255.255.255.0
client-identifier xxxxxx
default-router 10.1.6.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
!
ip dhcp pool raspberrypi
host 10.1.6.50 255.255.255.0
client-identifier xxxxxxx
default-router 10.1.6.1
dns-server 1.1.1.1 76.76.19.19 8.8.4.4 8.8.8.8
!
!
!
ip domain name xxxxxxxx
ip cef
login block-for 120 attempts 2 within 120
login delay 10
login quiet-mode access-class 10
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid xxxxxxxx
!
!
archive
path tftp://10.1.6.50/$h-$t
vtp mode transparent
username exec_login xxxxxxxxxx
!
!
!
!
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39t_B_35j_24m
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
no lte gps enable
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
description WWAN_failover
!
vlan 6
name UNIT_1
!
vlan 7
name UNIT_2
!
vlan 8
name UNIT_3
!
vlan 106
name UNIT_1_ITS
!
vlan 107
name UNIT_2_ITS
!
vlan 108
name UNIT_3_ITS
!
vlan 200
name GUEST
!
track 1 ip sla 1
!
!
!
crypto isakmp policy 1
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp key xxxxxxx address xxxxxxxx
crypto isakmp key xxxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set transform-AES-SHA esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
description xxxxx
set peer xxxxxxx
set transform-set transform-AES-SHA
match address VPN-1
crypto map CMAP 20 ipsec-isakmp
description xxxxxx
set peer xxxxxxxxx
set transform-set transform-AES-SHA
match address VPN-2
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.6 255.255.255.255
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Cellular0
description xxxxxxx
ip address negotiated
ip access-group 199 in
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 2
!
interface Cellular1
no ip address
encapsulation slip
!
interface Ethernet0
description xxxxxxxx
ip dhcp client route track 1
ip address dhcp
ip access-group 199 in
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0
switchport access vlan 6
switchport voice vlan 106
no ip address
!
interface GigabitEthernet1
description UNIT_1_AP3702i
switchport mode trunk
no ip address
!
interface GigabitEthernet2
description UNIT_2_AP3702i
switchport access vlan 7
switchport voice vlan 107
no ip address
!
interface GigabitEthernet3
description UNIT_3_AP3702i
switchport access vlan 8
switchport voice vlan 108
no ip address
!
interface GigabitEthernet4
switchport access vlan 6
switchport voice vlan 106
no ip address
!
interface GigabitEthernet5
switchport access vlan 6
switchport voice vlan 106
no ip address
!
interface GigabitEthernet6
switchport access vlan 7
switchport voice vlan 107
no ip address
!
interface GigabitEthernet7
switchport access vlan 8
switchport voice vlan 108
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly in
!
interface Vlan6
ip address 10.1.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan7
ip address 10.1.7.1 255.255.255.0
ip access-group 107 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan8
ip address 10.1.8.1 255.255.255.0
ip access-group 108 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan106
ip address 10.1.106.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan107
ip address 10.1.107.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan108
ip address 10.1.108.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan200
ip address 172.16.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map route1 interface Ethernet0 overload
ip nat inside source route-map route2 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0 100
ip route 8.8.4.4 255.255.255.255 Cellular0
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 8.8.8.8 255.255.255.255 dhcp
ip ssh version 2
!
ip access-list extended VPN-1
permit ip 10.1.6.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.1.6.0 0.0.0.255 10.1.101.0 0.0.0.255
permit ip 10.1.106.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.1.106.0 0.0.0.255 10.1.101.0 0.0.0.255
ip access-list extended VPN-2
permit ip 10.1.6.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 10.1.6.0 0.0.0.255 10.1.102.0 0.0.0.255
permit ip 10.1.106.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 10.1.106.0 0.0.0.255 10.1.102.0 0.0.0.255
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Ethernet0
ip sla schedule 1 life forever start-time now
!
dialer-list 2 protocol ip permit
!
route-map route1 permit 10
match ip address 100
match interface Ethernet0
!
route-map route2 permit 10
match ip address 100
match interface Cellular0
!
access-list 10 permit 10.1.6.0 0.0.0.255
access-list 100 deny ip any 10.1.5.0 0.0.0.255
access-list 100 deny ip any 10.1.105.0 0.0.0.255
access-list 100 deny ip any 10.1.4.0 0.0.0.255
access-list 100 deny ip any 10.1.104.0 0.0.0.255
access-list 100 deny ip any 10.1.3.0 0.0.0.255
access-list 100 deny ip any 10.1.103.0 0.0.0.255
access-list 100 deny ip any 10.1.2.0 0.0.0.255
access-list 100 deny ip any 10.1.102.0 0.0.0.255
access-list 100 deny ip any 10.1.1.0 0.0.0.255
access-list 100 deny ip any 10.1.101.0 0.0.0.255
access-list 100 permit ip 10.1.6.0 0.0.0.255 any
access-list 100 permit ip 10.1.106.0 0.0.0.255 any
access-list 100 permit ip 10.1.7.0 0.0.0.255 any
access-list 100 permit ip 10.1.107.0 0.0.0.255 any
access-list 100 permit ip 10.1.8.0 0.0.0.255 any
access-list 100 permit ip 10.1.108.0 0.0.0.255 any
access-list 100 permit ip 172.16.16.0 0.0.0.255 any
access-list 107 permit ip any 10.1.7.0 0.0.0.255
access-list 107 deny ip any 10.1.0.0 0.0.255.255
access-list 107 permit ip any any
access-list 108 permit ip any 10.1.8.0 0.0.0.255
access-list 108 deny ip any 10.1.0.0 0.0.255.255
access-list 108 permit ip any any
access-list 199 deny tcp any any eq www
access-list 199 deny tcp any any eq 1720
access-list 199 deny tcp any any eq 5060
access-list 199 deny udp any any eq 5060
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
speed 384000
line 8
no exec
speed 384000
line vty 0 4
exec-timeout 0 0
transport input ssh
!
scheduler allocate 20000 1000
ntp server xxxxxxx
!
end
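An added consistency check, not part of the original post or Cisco's own tooling: a small Python script that reads an autonomous-AP config excerpt (constructed here, trimmed to the bridging lines of the AP config above) and reports BVIs that cannot route because `bridge irb` or `bridge N route ip` is absent, or whose bridge-group is not present on both the radio and Ethernet sides. The posted AP config lists `bridge 1 route ip` and `bridge 6 route ip` only, so the check flags BVI200.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the AP config in the post; only the
# lines the checks look at are kept (indented as IOS prints them).
AP_CONFIG = """\
bridge irb
interface Dot11Radio1.6
 bridge-group 6
interface Dot11Radio1.200
 bridge-group 200
interface GigabitEthernet0.6
 bridge-group 6
interface GigabitEthernet0.200
 bridge-group 200
interface BVI6
 ip address 10.1.6.20 255.255.255.0
interface BVI200
 ip address 172.16.16.20 255.255.255.0
bridge 1 route ip
bridge 6 route ip
"""

def check_bridging(config: str) -> list:
    """Return findings about BVI / bridge-group consistency in an autonomous AP config."""
    bvi_ip, routed, members = {}, set(), defaultdict(set)
    irb, iface = False, ""
    for raw in config.splitlines():
        line = raw.strip()
        if line == "bridge irb":
            irb = True
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)                      # remember which interface we are under
        elif m := re.match(r"bridge (\d+) route ip", line):
            routed.add(m.group(1))                  # bridge groups allowed to route IP
        elif m := re.match(r"bridge-group (\d+)$", line):
            members[m.group(1)].add("radio" if iface.startswith("Dot11Radio") else "ethernet")
        elif (m := re.match(r"ip address (\S+) ", line)) and iface.startswith("BVI"):
            bvi_ip[iface[3:]] = m.group(1)          # BVI number -> configured address
    findings = []
    if not irb:
        findings.append("'bridge irb' missing: no BVI can route IP")
    for n, ip in sorted(bvi_ip.items(), key=lambda kv: int(kv[0])):
        if n not in routed:
            findings.append(f"BVI{n} ({ip}) has no 'bridge {n} route ip'")
        if not {"radio", "ethernet"} <= members[n]:
            findings.append(f"bridge-group {n} is not bridged on both radio and Ethernet")
    return findings

if __name__ == "__main__":
    for finding in check_bridging(AP_CONFIG):
        print(finding)
```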