Cannot get VLANs to work on an 800

jimwillsher
Level 1

Hi all

We have a fairly simple network, but I now want to add a separate VLAN 20 for guest traffic. Until now, we have not had any VLANs configured.

We have wireless access points and they can attach an SSID to a VLAN. This is working correctly on another network with a different router, so I am confident that the access points (Ubiquiti UniFi) are working correctly.

Pasted below is my config. The ONLY sections I have added are the interface vlan20 section and the DHCP section; these are new, and everything else was already present and the rest of the network is working fine. I have put these in bold.

If I connect to the SSID on VLAN20 I can connect to the WiFi, but cannot ping anything, either internally or externally.

I am probably missing something simple, but I don't know what.

Please can someone advise me on the most straightforward changes required. NB: VLAN20 should have internet access, with public DNS, and have no access to the internal network 192.168.9.x.

Our main network, 192.168.9.x, has a Windows Server DHCP.

Many thanks.

Jim

! Last configuration change at 16:36:53 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
no service dhcp
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.201 192.168.101.254
!
ip dhcp pool Vlan20
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 8.8.4.4
!
!
!
ip domain name xxx.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
 log config
  hidekeys
 path ftp://192.168.9.89/xxx/$h
!
username xxx privilege 15 secret 5 xxx
!
controller VDSL 0
!
track 10 ip sla 10 reachability
 delay down 180 up 10
!
track 20 ip sla 20 reachability
 delay down 180 up 10
!
ip ftp username xxx
ip ftp password 7 xxxx
ip ssh version 2
!
!
interface ATM0
 no ip address
 ip nbar protocol-discovery
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description Our LAN
 ip address 192.168.11.1 255.255.255.0 secondary
 ip address 192.168.9.1 255.255.255.0
 ip access-group acl-INT-IN in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip nat enable
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Vlan20
 description Guest Wifi Network VLAN 20
 ip address 192.168.101.1 255.255.255.0
 ip access-group acl-INTVLAN20-IN in
 ip nbar protocol-discovery
 ip nat inside
 ip nat enable
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xx@zen
 ppp chap password 7 xx
 ppp ipcp dns request
 ppp ipcp wins request
 no cdp enable
 ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
 remark Define NAT internal ranges
 permit 192.168.9.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 10.8.0.0 0.0.0.255
 permit 192.168.101.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any any fragments
 deny   tcp object-group og-L1-BlockedIPs any
 remark ===================================================
 remark Allow established sessions back in
 permit tcp any any established
 remark ===================================================
 remark Allow selected SSH traffic and log all blocked SSH traffic
 permit tcp object-group og-L2-Allow-SSH any eq 22
 deny   tcp any any eq 22 log
 remark ===================================================
 remark General DNS stuff
 permit udp any eq domain any
 remark ===================================================
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark ===================================================
 remark Block everything else
 deny   ip any any log

ip access-list extended acl-EXT-OUT
 permit tcp any gt 60000 any eq www log
 permit udp any gt 60000 any eq 80 log
 deny   udp any any eq bootps log
 deny   udp any any eq bootpc log
 remark Allow all outbound IP
 permit ip any any

ip access-list extended acl-INT-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 deny   udp any host 239.255.255.250 eq 1900
 permit tcp any gt 60000 any eq www log
 permit udp any gt 60000 any eq 80 log
 permit ip any any

ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 permit ip any any
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface Vlan1
 threshold 3000
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 208.67.222.222 source-interface Vlan1
 threshold 3000
 frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
 event tag PingDown1 track 10 state down
 event tag PingDown2 track 20 state down
 trigger
  correlate event PingDown1 and event PingDown2
 action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
 action 20 reload
event manager applet ema-FIBRE-Up
 event tag PingUp1 track 10 state up
 event tag PingUp2 track 20 state up
 trigger
  correlate event PingUp1 or event PingUp2
 action 10 syslog msg "********** Fibre Line UP **********"
!
end

 

Fibre#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  initializing          down
Dialer0                    82.71.3.59      YES IPCP   up                    up
Ethernet0                  unassigned      YES NVRAM  up                    up
Ethernet0.101              unassigned      YES unset  up                    up
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    up
NVI0                       192.168.9.1     YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      192.168.9.1     YES NVRAM  up                    up
Vlan20                     192.168.101.1   YES NVRAM  down                  down
Fibre#sh vlans

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   Ethernet0

 This is configured as native Vlan for the following interface(s) :
Ethernet0    Native-vlan Tx-type: Untagged

   Protocols Configured:   Address:              Received:        Transmitted:

Ethernet0 (1)

   0 packets, 0 bytes input
   0 packets, 0 bytes output

Virtual LAN ID:  101 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   Ethernet0.101

   Protocols Configured:   Address:              Received:        Transmitted:

Ethernet0.101 (101)
        Other                                           0              906647

   1161485 packets, 1104657539 bytes input
   906647 packets, 447929891 bytes output

ButchersFibre#

10 Replies

Reza Sharifi
Hall of Fame

Hi,

You need to create VLAN 20. See the link on how to do it. Also, once VLAN 20 is created and a port added to it, the VLAN interface should come up.

config t
vlan 20
exit

Now add an interface to VLAN 20 as below and connect a device to this port:

interface FastEthernet0
 no ip address
 switchport mode access
 switchport access vlan 20

https://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800_Guide_BookMap_chapter_01110.html#task_1053051

 

HTH

Jon Marshall
Hall of Fame

 

Haven't used these routers, but your VLAN 20 interface is down, which means you won't be able to reach anything outside of VLAN 20.

I think the issue is you have not added the VLAN to the VLAN database:

Fibre(config)# vlan 20

and then when you do a "sh ip int br" you should see the VLAN 20 interface as up/up.

Jon

Thank you, Reza and Jon. I had indeed missed the seemingly pointless step of

vlan 20
exit

I will give this another go. Thank you!

Hello,

In addition to creating the VLAN, there are a few things in your config that look odd. You disabled 'service dhcp', which effectively disables the Cisco DHCP server; is that on purpose?

Also, remove the 'ip nat enable' from both your VLAN interfaces, as this is necessary for domainless NAT only.

 

! Last configuration change at 16:36:53 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
! NVRAM config last updated at 16:37:05 GMT Sun Feb 28 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
--> no service dhcp
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.201 192.168.101.254
!
ip dhcp pool Vlan20
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 8.8.4.4
!
ip domain name xxx.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
log config
hidekeys
path ftp://192.168.9.89/xxx/$h
!
username xxx privilege 15 secret 5 xxx
!
controller VDSL 0
!
track 10 ip sla 10 reachability
delay down 180 up 10
!
track 20 ip sla 20 reachability
delay down 180 up 10
!
ip ftp username xxx
ip ftp password 7 xxxx
ip ssh version 2
!
interface ATM0
no ip address
ip nbar protocol-discovery
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Our LAN
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.9.1 255.255.255.0
ip access-group acl-INT-IN in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
--> no ip nat enable
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Vlan20
description Guest Wifi Network VLAN 20
ip address 192.168.101.1 255.255.255.0
ip access-group acl-INTVLAN20-IN in
ip nbar protocol-discovery
ip nat inside
--> no ip nat enable
ip inspect firewall in
ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group acl-EXT-IN in
ip access-group acl-EXT-OUT out
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname xx@zen
ppp chap password 7 xx
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
remark Define NAT internal ranges
permit 192.168.9.0 0.0.0.255
permit 192.168.11.0 0.0.0.255
permit 10.8.0.0 0.0.0.255
permit 192.168.101.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
remark Inbound external interface
remark The below set the rfc1918 private exclusions
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any fragments
deny tcp object-group og-L1-BlockedIPs any
remark ===================================================
remark Allow established sessions back in
permit tcp any any established
remark ===================================================
remark Allow selected SSH traffic and log all blocked SSH traffic
permit tcp object-group og-L2-Allow-SSH any eq 22
deny tcp any any eq 22 log
remark ===================================================
remark General DNS stuff
permit udp any eq domain any
remark ===================================================
remark Standard acceptable icmp rules
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark ===================================================
remark Block everything else
deny ip any any log
!
ip access-list extended acl-EXT-OUT
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
deny udp any any eq bootps log
deny udp any any eq bootpc log
remark Allow all outbound IP
permit ip any any
!
ip access-list extended acl-INT-IN
deny tcp any any eq smtp log DisallowedSMTP
deny udp any host 239.255.255.250 eq 1900
permit tcp any gt 60000 any eq www log
permit udp any gt 60000 any eq 80 log
permit ip any any
!
ip access-list extended acl-INTVLAN20-IN
deny tcp any any eq smtp log DisallowedSMTP
permit ip any any
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface Vlan1
threshold 3000
frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
event tag PingDown1 track 10 state down
event tag PingDown2 track 20 state down
trigger
correlate event PingDown1 and event PingDown2
action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
action 20 reload
event manager applet ema-FIBRE-Up
event tag PingUp1 track 10 state up
event tag PingUp2 track 20 state up
trigger
correlate event PingUp1 or event PingUp2
action 10 syslog msg "********** Fibre Line UP **********"
!
end

Thank you, the 'no dhcp' was a hangover from before the days of VLAN20, when our Windows server handled DHCP. I had missed that. I've also removed the NAT lines (thanks again).

Still no luck grabbing an IP address, though.


Building configuration...

Current configuration : 18624 bytes
!
! Last configuration change at 21:10:31 GMT Sun Feb 28 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.201 192.168.101.254
!
ip dhcp pool Vlan20
 import all
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 8.8.4.4
!
ip domain name SHF.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
archive
 log config
  hidekeys
 path ftp://192.168.9.89/xxx/$h
!
username root privilege 15 secret 5 xxxx
!

controller VDSL 0
!
track 10 ip sla 10 reachability
 delay down 180 up 10
!
track 20 ip sla 20 reachability
 delay down 180 up 10
!
ip ftp username CiscoRouter
ip ftp password 7 xxxx
ip ssh version 2
!
interface ATM0
 no ip address
 ip nbar protocol-discovery
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface Vlan1
 description LAN
 ip address 192.168.11.1 255.255.255.0 secondary
 ip address 192.168.9.1 255.255.255.0
 ip access-group acl-INT-IN in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Vlan20
 description Guest Wifi Network VLAN 20
 ip address 192.168.101.1 255.255.255.0
 ip access-group acl-INTVLAN20-IN in
 ip nbar protocol-discovery
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxx@zen
 ppp chap password 7 xxx
 ppp ipcp dns request
 ppp ipcp wins request
 no cdp enable
 ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
 remark Define NAT internal ranges
 permit 192.168.9.0 0.0.0.255
 permit 192.168.11.0 0.0.0.255
 permit 10.8.0.0 0.0.0.255
 permit 192.168.101.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any any fragments
 deny   tcp object-group og-L1-BlockedIPs any
 remark ===================================================
 remark Allow established sessions back in
 permit tcp any any established
 remark ===================================================
 remark Allow selected SSH traffic and log all blocked SSH traffic
 permit tcp object-group og-L2-Allow-SSH any eq 22
 deny   tcp any any eq 22 log
 remark General DNS stuff
 permit udp any eq domain any
 remark ===================================================
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark ===================================================
 remark Block everything else
 deny   ip any any log

ip access-list extended acl-EXT-OUT
 permit tcp any gt 60000 any eq www log
 permit udp any gt 60000 any eq 80 log
 deny   udp any any eq bootps log
 deny   udp any any eq bootpc log
 remark Allow all outbound IP
 permit ip any any

ip access-list extended acl-INT-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 deny   udp any host 239.255.255.250 eq 1900
 permit tcp any gt 60000 any eq www log
 permit udp any gt 60000 any eq 80 log
 permit ip any any

ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 permit ip any any
!

ip sla 10
 icmp-echo 8.8.8.8 source-interface Vlan1
 threshold 3000
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 208.67.222.222 source-interface Vlan1
 threshold 3000
 frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
 event tag PingDown1 track 10 state down
 event tag PingDown2 track 20 state down
 trigger
  correlate event PingDown1 and event PingDown2
 action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
 action 20 reload
event manager applet ema-FIBRE-Up
 event tag PingUp1 track 10 state up
 event tag PingUp2 track 20 state up
 trigger
  correlate event PingUp1 or event PingUp2
 action 10 syslog msg "********** Fibre Line UP **********"
!
end

Fibre#

 

Just walking through the config; please clarify.

Do you have a default DHCP server for the VLAN1 network? Is this VLAN able to get DHCP (from the Windows DHCP server)?

If you would like this router to serve as the DHCP server for the new VLAN, you need the DHCP service enabled (or you can use the Windows DHCP server, as you already have).

A router connected to a switch? Can you draw a small diagram for us to understand it clearly.

BB


Hi,

If the device that needs to get an IP from the DHCP server is connected directly to the router and to one of these ports, the port needs to be in access mode:

interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address

Example:

interface FastEthernet2
 no switchport mode trunk
 switchport mode access
 switchport access vlan 20

Now the laptop should connect to this port.

For testing, if DHCP does not work, can you try a static IP?

HTH

 

Hello,

Drop the 'import all' from the DHCP pool configuration:

ip dhcp pool Vlan20
--> no import all
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 8.8.4.4

Also, what is the exact type/model of Ubiquiti AP you are using? I think some default to trunking on their ports, some to access, and some don't even allow trunking.

I've made some good progress, thank you everyone. In terms of a diagram, it's straightforward.

The Cisco 800 is our internet gateway, and it has a 48-port switch connected to it via FastEthernet3. Into that switch are our servers and desktops. It's a small business, so a very small setup.

In terms of progress, I now have my VLAN20 working, which is great! However, the main objective is to use this as a guest wifi network, so that visitors can access the internet but cannot access any of our servers, i.e. I want VLAN20 to be isolated.

I looked into VLAN access maps and they sound like what I need, but I wasn't sure how to configure them. I have tried adding a deny rule to my ACL (acl-INT-IN) but it didn't seem to work; I may have done it wrongly.

This is my latest config:


Building configuration...

Current configuration : 18621 bytes
!
! NVRAM config last updated at 07:18:20 GMT Mon Mar 1 2021 by root
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Fibre
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 XXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.100
ip dhcp excluded-address 192.168.20.201 192.168.20.254
!
ip dhcp pool Vlan20
 import all
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 1.1.1.1 8.8.8.8 8.8.4.4
!
!
!
ip domain name SHF.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn xxx
!
!
archive
 log config
  hidekeys
 path ftp://192.168.9.89/Dunning/$h
!
username root privilege 15 secret 5 xxx
!
controller VDSL 0
!
ip ftp username CiscoRouter
ip ftp password 7 xxx
ip ssh version 2
!
!
interface ATM0
 no ip address
 ip nbar protocol-discovery
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.20
 encapsulation dot1Q 20
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface Vlan1
 description LAN
 ip address 192.168.9.1 255.255.255.0
 ip access-group acl-INT-IN in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Vlan20
 description Guest Wifi Network VLAN 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group acl-INTVLAN20-IN in
 ip nbar protocol-discovery
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxx@zen
 ppp chap password 7 xxx
 ppp ipcp dns request
 ppp ipcp wins request
 no cdp enable
 ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip dns server
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 192.168.9.89
!
ip access-list standard acl-NAT-Ranges
 permit 192.168.9.0 0.0.0.255
 remark Define NAT internal ranges
 permit 192.168.11.0 0.0.0.255
 permit 10.8.0.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any any fragments
 deny   tcp object-group og-L1-BlockedIPs any
 remark ===================================================
 remark Allow established sessions back in
 permit tcp any any established
 remark ===================================================
 remark Allow selected SSH traffic and log all blocked SSH traffic
 permit tcp object-group og-L2-Allow-SSH any eq 22
 deny   tcp any any eq 22 log
 remark ===================================================
 remark General DNS stuff
 permit udp any eq domain any
 remark ===================================================
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark ===================================================
 remark Block everything else
 deny   ip any any log

ip access-list extended acl-EXT-OUT
 permit tcp any gt 60000 any eq www log
 permit udp any gt 60000 any eq 80 log
 deny   udp any any eq bootps log
 deny   udp any any eq bootpc log
 remark Allow all outbound IP
 permit ip any any

ip access-list extended acl-INT-IN
 permit tcp object-group og-L1-Allow-SMTP any eq smtp log PermittedSMTP
 deny   tcp any any eq smtp log DisallowedSMTP
 deny   udp any host 239.255.255.250 eq 1900
 deny   ip 192.168.20.0 0.0.0.255 any
 permit tcp any gt 60000 any eq www log
 permit udp any gt 60000 any eq 80 log
 permit ip any any

ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 permit ip any any
!

logging host 192.168.9.89
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 199 permit tcp any any eq smtp
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
no scheduler allocate
ntp master
ntp server 129.6.15.28
!
end

Hello,

Add the line below to your access list; that should prevent VLAN 20 users from being able to access VLAN 1:

ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
--> deny   ip 192.168.20.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip any any
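To check that rule, and to show why the deny Jim tried in acl-INT-IN could not work (that ACL is applied inbound on Vlan1, while guest packets enter the router on Vlan20), here is an added example that is not from the thread: a small first-match evaluator for IOS extended ACLs in Python, run over the posted acl-INTVLAN20-IN, the version with the suggested line, and a stricter variant that also blocks the 10.8.0.0/24 network routed via 192.168.9.89. The ACL texts are copied from the thread; the stricter variant, the sample flows and the addresses 192.168.20.50, 192.168.9.10 and 10.8.0.5 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "bootps": 67, "bootpc": 68}  # names used in the thread

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"; an "ip" rule matches any of them
    src: str
    dst: str
    sport: int = 0  # 0 means "no port": it never satisfies an eq/gt test
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: IPv4Network
    sport_ok: Callable[[int], bool]
    dst: IPv4Network
    dport_ok: Callable[[int], bool]

def _net(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards only) -> (network, rest)."""
    if tok[0] == "any":
        return IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return IPv4Network(tok[1] + "/32"), tok[2:]
    mask = ~int(IPv4Address(tok[1])) & 0xFFFFFFFF  # an IOS wildcard is an inverted netmask
    return IPv4Network((int(IPv4Address(tok[0])) & mask, str(IPv4Address(mask)))), tok[2:]

def _port_test(tok):
    """Consume an optional 'eq|gt|lt PORT' -> (predicate, rest)."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        val = PORT_NAMES.get(tok[1]) or int(tok[1])
        ops = {"eq": lambda p: p == val, "gt": lambda p: p > val, "lt": lambda p: p < val}
        return ops[tok[0]], tok[2:]
    return (lambda p: True), tok

def parse_acl(text: str) -> list[Rule]:
    """Parse an IOS extended ACL as it appears in 'show run'."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark") or "object-group" in tok:
            continue  # header line, remark, or object-group entry (not modelled here)
        action, proto = tok[0], tok[1]
        src, tok = _net(tok[2:])
        sport_ok, tok = _port_test(tok)
        dst, tok = _net(tok)
        dport_ok, _ = _port_test(tok)  # trailing 'log ...' / 'established' are ignored
        rules.append(Rule(action, proto, src, sport_ok, dst, dport_ok))
    return rules

def decide(acl_text: str, flow: Flow) -> str:
    """First matching entry wins; anything unmatched hits the implicit 'deny ip any any'."""
    for r in parse_acl(acl_text):
        if (r.proto in ("ip", flow.proto)
                and IPv4Address(flow.src) in r.src and IPv4Address(flow.dst) in r.dst
                and r.sport_ok(flow.sport) and r.dport_ok(flow.dport)):
            return r.action
    return "deny"

# acl-INTVLAN20-IN as posted in the thread, then with the line suggested in the last reply.
GUEST_ACL_BEFORE = """
ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 permit ip any any
"""
GUEST_ACL_FIXED = """
ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 deny   ip 192.168.20.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip any any
"""
# Stricter variant (an assumption added here, not from the thread): keep DHCP to the router,
# then block every RFC1918 destination, which also covers 10.8.0.0/24 (routed via 192.168.9.89).
GUEST_ACL_STRICT = """
ip access-list extended acl-INTVLAN20-IN
 deny   tcp any any eq smtp log DisallowedSMTP
 permit udp any any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
"""

# Constructed sample flows; all enter on Vlan20, so acl-INT-IN (inbound on Vlan1) never sees them.
GUEST_TO_SERVER = Flow("tcp", "192.168.20.50", "192.168.9.10", 50000, 445)
GUEST_TO_VPN = Flow("tcp", "192.168.20.50", "10.8.0.5", 50000, 22)
GUEST_TO_DNS = Flow("udp", "192.168.20.50", "8.8.4.4", 50000, 53)
GUEST_DHCP = Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67)

if __name__ == "__main__":  # print the verdict matrix
    for name, acl in [("before", GUEST_ACL_BEFORE), ("fixed", GUEST_ACL_FIXED), ("strict", GUEST_ACL_STRICT)]:
        for label, flow in [("server", GUEST_TO_SERVER), ("vpn", GUEST_TO_VPN), ("dns", GUEST_TO_DNS), ("dhcp", GUEST_DHCP)]:
            print(f"{name:6} guest->{label:6} {decide(acl, flow)}")
```

With only the suggested line, a guest client can still reach 10.8.0.0/24 and the router's own 192.168.20.1 address (SSH included); the stricter variant leaves only DHCP open towards the router, so ping to the gateway is blocked too.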
