02-28-2021 01:05 PM - edited 02-28-2021 01:17 PM
Hi all
We have a fairly simple network, but I now want to add a separate vlan 20 for guest traffic. Until now, we have not had any vlans configured.
We have wireless access points and they can attach an SSID to a VLAN. This is working correctly on another network with a different router, so I am confident that the access points (Ubiquiti Unifi) are working correctly.
Pasted below is my config. The ONLY sections I have added are the interface vlan20 section and the DHCP section; these are new, everything else was already present, and the rest of the network is working fine. I have put these in bold.
If I connect to the SSID on VLAN20 I can connect to the WIFI, but cannot ping anything either internally or externally.
I am probably missing something simple, but I don't know what.
Please can someone advise me on the most straightforward changes required. NB VLAN20 should have internet access, with public DNS, and have no access to the internal network 192.168.9.x.
Our main network, 192.168.9.x, has a Windows Server DHCP.
Many thanks.
Jim
! Last configuration change at 16:36:53 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
no service dhcp
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.201 192.168.101.254
!
ip dhcp pool Vlan20
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 8.8.4.4
!
ip domain name xxx.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
log config
hidekeys
path ftp://192.168.9.89/xxx/$h
!
username xxx privilege 15 secret 5 xxx
!
controller VDSL 0
!
track 10 ip sla 10 reachability
delay down 180 up 10
!
track 20 ip sla 20 reachability
delay down 180 up 10
!
ip ftp username xxx
ip ftp password 7 xxxx
ip ssh version 2
!
interface ATM0
no ip address
ip nbar protocol-discovery
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Our LAN
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.9.1 255.255.255.0
ip access-group acl-INT-IN in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip nat enable
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Vlan20
description Guest Wifi Network VLAN 20
ip address 192.168.101.1 255.255.255.0
ip access-group acl-INTVLAN20-IN in
ip nbar protocol-discovery
ip nat inside
ip nat enable
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group acl-EXT-IN in
ip access-group acl-EXT-OUT out
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname xx@zen
ppp chap password 7 xx
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
remark Define NAT internal ranges
permit 192.168.9.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 10.8.0.0 0.0.0.255
permit 192.168.101.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
remark Inbound external interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any fragments
deny tcp object-group og-L1-BlockedIPs any
remark ===================================================
remark Allow established sessions back in
permit tcp any any established
remark ===================================================
remark Allow selected SSH traffic and log all blocked SSH traffic
permit tcp object-group og-L2-Allow-SSH any eq 22
deny tcp any any eq 22 log
remark ===================================================
remark General DNS stuff
permit udp any eq domain any
remark ===================================================
remark Standard acceptable icmp rules
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark ===================================================
remark Block everything else
deny ip any any log
ip access-list extended acl-EXT-OUT
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
deny udp any any eq bootps log
deny udp any any eq bootpc log
remark Allow all outbound IP
permit ip any any
ip access-list extended acl-INT-IN
deny tcp any any eq smtp log DisallowedSMTP
deny udp any host 239.255.255.250 eq 1900
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
permit ip any any
ip access-list extended acl-INTVLAN20-IN
deny tcp any any eq smtp log DisallowedSMTP
permit ip any any
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
event tag PingDown1 track 10 state down
event tag PingDown2 track 20 state down
trigger
correlate event PingDown1 and event PingDown2
action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
action 20 reload
event manager applet ema-FIBRE-Up
event tag PingUp1 track 10 state up
event tag PingUp2 track 20 state up
trigger
correlate event PingUp1 or event PingUp2
action 10 syslog msg "********** Fibre Line UP **********"
!
end
Fibre#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  initializing          down
Dialer0                    82.71.3.59      YES IPCP   up                    up
Ethernet0                  unassigned      YES NVRAM  up                    up
Ethernet0.101              unassigned      YES unset  up                    up
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    up
NVI0                       192.168.9.1     YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      192.168.9.1     YES NVRAM  up                    up
Vlan20                     192.168.101.1   YES NVRAM  down                  down
Fibre#sh vlans

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   Ethernet0

 This is configured as native Vlan for the following interface(s) :
Ethernet0        Native-vlan Tx-type: Untagged

   Protocols Configured:   Address:              Received:        Transmitted:
        Ethernet0 (1)
           0 packets, 0 bytes input
           0 packets, 0 bytes output

Virtual LAN ID:  101 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   Ethernet0.101

   Protocols Configured:   Address:              Received:        Transmitted:
        Ethernet0.101 (101)
           Other                                        0         906647

     1161485 packets, 1104657539 bytes input
      906647 packets, 447929891 bytes output
ButchersFibre#
02-28-2021 01:41 PM
Hi,
You need to create vlan 20. See the link on how to do it. Also, once vlan 20 is created and a port added to it, the vlan interface should come up.
config t
vlan 20
exit
Now add an interface to vlan 20 as below and connect a device to this port.
interface FastEthernet0
no ip address
switchport mode access
switchport access vlan 20
HTH
02-28-2021 01:42 PM
Haven't used these routers but your vlan 20 interface is down which means you won't be able to reach anything outside of vlan 20.
I think the issue is you have not added the vlan to the vlan database:
Fibre(conf t)# vlan 20
and then when you do a "sh ip int br" you should see the vlan 20 interface as up/up.
Jon
02-28-2021 01:46 PM
Thank you, Reza and Jon. I had indeed missed the seemingly pointless step of
vlan 20
exit
I will give this another go. Thank you!
02-28-2021 02:31 PM
Hello,
in addition to creating the Vlan, there are a few things in your config that look odd. You disabled the 'service dhcp', which effectively disables the Cisco DHCP server; is that on purpose?
Also, remove the 'ip nat enable' from both your Vlan interfaces, as this is necessary for domainless NAT only.
! Last configuration change at 16:36:53 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
--> no service dhcp
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.201 192.168.101.254
!
ip dhcp pool Vlan20
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 8.8.4.4
!
ip domain name xxx.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
log config
hidekeys
path ftp://192.168.9.89/xxx/$h
!
username xxx privilege 15 secret 5 xxx
!
controller VDSL 0
!
track 10 ip sla 10 reachability
delay down 180 up 10
!
track 20 ip sla 20 reachability
delay down 180 up 10
!
ip ftp username xxx
ip ftp password 7 xxxx
ip ssh version 2
!
interface ATM0
no ip address
ip nbar protocol-discovery
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Our LAN
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.9.1 255.255.255.0
ip access-group acl-INT-IN in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
--> no ip nat enable
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Vlan20
description Guest Wifi Network VLAN 20
ip address 192.168.101.1 255.255.255.0
ip access-group acl-INTVLAN20-IN in
ip nbar protocol-discovery
ip nat inside
--> no ip nat enable
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group acl-EXT-IN in
ip access-group acl-EXT-OUT out
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname xx@zen
ppp chap password 7 xx
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
remark Define NAT internal ranges
permit 192.168.9.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 10.8.0.0 0.0.0.255
permit 192.168.101.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
remark Inbound external interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any fragments
deny tcp object-group og-L1-BlockedIPs any
remark ===================================================
remark Allow established sessions back in
permit tcp any any established
remark ===================================================
remark Allow selected SSH traffic and log all blocked SSH traffic
permit tcp object-group og-L2-Allow-SSH any eq 22
deny tcp any any eq 22 log
remark ===================================================
remark General DNS stuff
permit udp any eq domain any
remark ===================================================
remark Standard acceptable icmp rules
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark ===================================================
remark Block everything else
deny ip any any log
!
ip access-list extended acl-EXT-OUT
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
deny udp any any eq bootps log
deny udp any any eq bootpc log
remark Allow all outbound IP
permit ip any any
!
ip access-list extended acl-INT-IN
deny tcp any any eq smtp log DisallowedSMTP
deny udp any host 239.255.255.250 eq 1900
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
permit ip any any
!
ip access-list extended acl-INTVLAN20-IN
deny tcp any any eq smtp log DisallowedSMTP
permit ip any any
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
event tag PingDown1 track 10 state down
event tag PingDown2 track 20 state down
trigger
correlate event PingDown1 and event PingDown2
action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
action 20 reload
event manager applet ema-FIBRE-Up
event tag PingUp1 track 10 state up
event tag PingUp2 track 20 state up
trigger
correlate event PingUp1 or event PingUp2
action 10 syslog msg "********** Fibre Line UP **********"
!
end
02-28-2021 02:39 PM
Thank you, the no dhcp was a hangover from before the days of vlan20, where our Windows server handled DHCP. I had missed that. I've also removed the nat lines (thanks again).
Still no luck grabbing an IP address, though.
Building configuration...

Current configuration : 18624 bytes
!
! Last configuration change at 21:10:31 GMT Sun Feb 28 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.201 192.168.101.254
!
ip dhcp pool Vlan20
import all
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 8.8.4.4
!
ip domain name SHF.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
log config
hidekeys
path ftp://192.168.9.89/xxx/$h
!
username root privilege 15 secret 5 xxxx
!
controller VDSL 0
!
track 10 ip sla 10 reachability
delay down 180 up 10
!
track 20 ip sla 20 reachability
delay down 180 up 10
!
ip ftp username CiscoRouter
ip ftp password 7 xxxx
ip ssh version 2
!
interface ATM0
no ip address
ip nbar protocol-discovery
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport mode trunk
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
description LAN
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.9.1 255.255.255.0
ip access-group acl-INT-IN in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Vlan20
description Guest Wifi Network VLAN 20
ip address 192.168.101.1 255.255.255.0
ip access-group acl-INTVLAN20-IN in
ip nbar protocol-discovery
ip nat inside
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group acl-EXT-IN in
ip access-group acl-EXT-OUT out
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxx@zen
ppp chap password 7 xxx
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
remark Define NAT internal ranges
permit 192.168.9.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 10.8.0.0 0.0.0.255
permit 192.168.101.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
remark Inbound external interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any fragments
deny tcp object-group og-L1-BlockedIPs any
remark ===================================================
remark Allow established sessions back in
permit tcp any any established
remark ===================================================
remark Allow selected SSH traffic and log all blocked SSH traffic
permit tcp object-group og-L2-Allow-SSH any eq 22
deny tcp any any eq 22 log
remark General DNS stuff
permit udp any eq domain any
remark ===================================================
remark Standard acceptable icmp rules
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark ===================================================
remark Block everything else
deny ip any any log
ip access-list extended acl-EXT-OUT
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
deny udp any any eq bootps log
deny udp any any eq bootpc log
remark Allow all outbound IP
permit ip any any
ip access-list extended acl-INT-IN
deny tcp any any eq smtp log DisallowedSMTP
deny udp any host 239.255.255.250 eq 1900
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
permit ip any any
ip access-list extended acl-INTVLAN20-IN
deny tcp any any eq smtp log DisallowedSMTP
permit ip any any
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
event tag PingDown1 track 10 state down
event tag PingDown2 track 20 state down
trigger
correlate event PingDown1 and event PingDown2
action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
action 20 reload
event manager applet ema-FIBRE-Up
event tag PingUp1 track 10 state up
event tag PingUp2 track 20 state up
trigger
correlate event PingUp1 or event PingUp2
action 10 syslog msg "********** Fibre Line UP **********"
!
end
Fibre#
02-28-2021 07:09 PM
Just walking through the config; please clarify.
Do you have a default DHCP server for the VLAN1 network? Is this VLAN able to get DHCP (from the Windows DHCP server)?
If you would like this router to serve as the DHCP server for the new VLAN, you need the DHCP service enabled (or you can use the Windows DHCP server, as you already have).
Is the router connected to a switch? Can you draw a small diagram for us to understand clearly?
02-28-2021 07:47 PM
Hi,
If the device that needs to get an IP from the DHCP server is connected directly to the router and to one of these ports, the port needs to be in access mode:
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport mode trunk
no ip address
Example:
interface fastethernet2
no switch mode trunk
switch mode access
switch access vlan 20
Now the laptop should connect to this port.
For testing, if DHCP does not work, can you try a static IP?
HTH
03-01-2021 12:11 AM
Hello,
drop the 'import all' from the DHCP pool configuration:
ip dhcp pool Vlan20
--> no import all
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 8.8.4.4
Also, what is the exact type/model of Ubiquiti AP you are using? I think some default to trunking on their ports, some to access, and some don't even allow trunking.
03-01-2021 12:41 AM
I've made some good progress - thank you everyone. In terms of a diagram, it's straightforward.
Cisco 800 is our internet gateway, and it has a 48-port switch connected to it via Fastethernet3. Into that switch are our servers and desktops. It's a small business so a very small setup.
In terms of progress, I now have my VLAN20 working, which is great! However, the main objective is to use this as a guest wifi network, so that visitors can access the internet but cannot access any of our servers, i.e. I want VLAN20 to be isolated.
I looked into VLAN access maps and they sound like what I need, but I wasn't sure how to configure them. I have tried adding a deny rule to my ACL (acl-INT-IN) but it didn't seem to work; I may have done it wrongly.
This is my latest config:
Building configuration...

Current configuration : 18621 bytes
!
! NVRAM config last updated at 07:18:20 GMT Mon Mar 1 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 XXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.20.1 192.168.20.100
ip dhcp excluded-address 192.168.20.201 192.168.20.254
!
ip dhcp pool Vlan20
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 1.1.1.1 8.8.8.8 8.8.4.4
!
ip domain name SHF.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
log config
hidekeys
path ftp://192.168.9.89/Dunning/$h
!
username root privilege 15 secret 5 xxx
!
controller VDSL 0
!
ip ftp username CiscoRouter
ip ftp password 7 xxx
ip ssh version 2
!
interface ATM0
no ip address
ip nbar protocol-discovery
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.20
encapsulation dot1Q 20
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport mode trunk
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
description LAN
ip address 192.168.9.1 255.255.255.0
ip access-group acl-INT-IN in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Vlan20
description Guest Wifi Network VLAN 20
ip address 192.168.20.1 255.255.255.0
ip access-group acl-INTVLAN20-IN in
ip nbar protocol-discovery
ip nat inside
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group acl-EXT-IN in
ip access-group acl-EXT-OUT out
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxx@zen
ppp chap password 7 xxx
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
permit 192.168.9.0 0.0.0.255
remark Define NAT internal ranges
permit 192.168.11.0 0.0.0.255
permit 10.8.0.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
remark Inbound external interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any fragments
deny tcp object-group og-L1-BlockedIPs any
remark ===================================================
remark Allow established sessions back in
permit tcp any any established
remark ===================================================
remark Allow selected SSH traffic and log all blocked SSH traffic
permit tcp object-group og-L2-Allow-SSH any eq 22
deny tcp any any eq 22 log
remark ===================================================
remark General DNS stuff
permit udp any eq domain any
remark ===================================================
remark Standard acceptable icmp rules
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark ===================================================
remark Block everything else
deny ip any any log
ip access-list extended acl-EXT-OUT
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
deny udp any any eq bootps log
deny udp any any eq bootpc log
remark Allow all outbound IP
permit ip any any
ip access-list extended acl-INT-IN
permit tcp object-group og-L1-Allow-SMTP any eq smtp log PermittedSMTP
deny tcp any any eq smtp log DisallowedSMTP
deny udp any host 239.255.255.250 eq 1900
deny ip 192.168.20.0 0.0.0.255 any
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
permit ip any any
ip access-list extended acl-INTVLAN20-IN
deny tcp any any eq smtp log DisallowedSMTP
permit ip any any
!
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
!
end
03-01-2021 01:47 AM
Hello,
add the line below to your access list; that should prevent Vlan 20 users from being able to access Vlan 1:
ip access-list extended acl-INTVLAN20-IN
deny tcp any any eq smtp log DisallowedSMTP
--> deny ip 192.168.20.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip any any
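As an added example (not part of this thread, and not Cisco's code), the following Python model of IOS extended-ACL evaluation shows why the deny the original poster placed in acl-INT-IN never fires: acl-INT-IN is bound inbound on Vlan1, so the router only evaluates it for packets that arrive from Vlan1 hosts, whose source is never 192.168.20.x. The same deny placed in acl-INTVLAN20-IN (inbound on Vlan20, as in the reply above) does match guest traffic. The model also makes a caveat visible: the deny only covers 192.168.9.0/24, so the 10.8.0.0/24 network the config routes via 192.168.9.89 stays reachable from the guest VLAN unless a further deny is added. The ACL text is copied from the latest posted config (the object-group line in acl-INT-IN is left out because object-groups are not modelled); the guest client 192.168.20.50, the LAN host 192.168.9.10 and the 'Vlan1'/'Vlan20' lookup table are constructed for the example. NAT and 'ip inspect' are ignored; only the stateless, first-match 'ip access-group ... in' lookup is modelled.

```python
"""Stateless model of IOS extended-ACL evaluation (first match wins, implicit deny at the end).
Added example for the thread above; NAT and 'ip inspect' are ignored and only the
'ip access-group ... in' lookup is modelled."""
import ipaddress
from dataclasses import dataclass

# IOS keyword names used in the thread's ACLs, mapped to port numbers
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 40000  # constructed ephemeral source port
    dport: int = 0

@dataclass
class Entry:
    action: str
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: tuple        # ("any",) or ("eq"|"gt", port)
    dst: ipaddress.IPv4Network
    dport: tuple

def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))      # an IOS wildcard is the inverted netmask
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2

def _portspec(tok, i):
    if i < len(tok) and tok[i] in ("eq", "gt"):
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (tok[i], port), i + 2
    return ("any",), i

def parse_acl(text):
    """Parse the body of an 'ip access-list extended'; remarks and trailing 'log ...' are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _portspec(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _portspec(tok, i)
        entries.append(Entry(tok[0], tok[1], src, sport, dst, dport))
    return entries

def _port_ok(spec, value):
    return spec[0] == "any" or (spec[0] == "eq" and value == spec[1]) or (spec[0] == "gt" and value > spec[1])

def evaluate(acl, pkt):
    """'permit' or 'deny' for pkt: the first matching entry decides, otherwise implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if (e.proto in ("ip", pkt.proto) and s in e.src and d in e.dst
                and _port_ok(e.sport, pkt.sport) and _port_ok(e.dport, pkt.dport)):
            return e.action
    return "deny"

def inbound_decision(inbound_acls, ingress, pkt):
    """The router consults only the ACL bound 'in' on the interface the packet arrives on,
    so a deny in Vlan1's inbound ACL is never evaluated for packets arriving on Vlan20."""
    return evaluate(inbound_acls[ingress], pkt)

# acl-INT-IN as in the latest posted config, minus its object-group line (not modelled here)
ACL_INT_IN = """
deny tcp any any eq smtp log DisallowedSMTP
deny udp any host 239.255.255.250 eq 1900
deny ip 192.168.20.0 0.0.0.255 any
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
permit ip any any
"""
ACL_VLAN20_IN_BEFORE = """
deny tcp any any eq smtp log DisallowedSMTP
permit ip any any
"""
ACL_VLAN20_IN_AFTER = """
deny tcp any any eq smtp log DisallowedSMTP
deny ip 192.168.20.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip any any
"""
BEFORE = {"Vlan1": parse_acl(ACL_INT_IN), "Vlan20": parse_acl(ACL_VLAN20_IN_BEFORE)}
AFTER = {"Vlan1": parse_acl(ACL_INT_IN), "Vlan20": parse_acl(ACL_VLAN20_IN_AFTER)}

# constructed sample flows; guest client 192.168.20.50 and LAN host 192.168.9.10 are hypothetical
GUEST_TO_LAN = Packet("tcp", "192.168.20.50", "192.168.9.10", dport=443)
GUEST_TO_DNS = Packet("udp", "192.168.20.50", "8.8.4.4", dport=53)
GUEST_TO_10_8 = Packet("tcp", "192.168.20.50", "10.8.0.5", dport=443)  # routed via 192.168.9.89

def guest_isolation_report():
    """Decision for each constructed flow arriving on Vlan20, before and after the suggested deny."""
    flows = {"guest->LAN": GUEST_TO_LAN, "guest->DNS": GUEST_TO_DNS, "guest->10.8.0.0/24": GUEST_TO_10_8}
    return {label: {n: inbound_decision(t, "Vlan20", p) for n, p in flows.items()}
            for label, t in (("before", BEFORE), ("after", AFTER))}

if __name__ == "__main__":
    for label, decisions in guest_isolation_report().items():
        print(label, decisions)
```

Running it prints "before" with every guest flow permitted and "after" with guest->LAN denied while guest->DNS and guest->10.8.0.0/24 stay permitted; the last entry is the one to extend with an additional deny (and likewise for 192.168.11.0/24, which is still listed in acl-NAT-Ranges) if those ranges are also meant to be off-limits to guests.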