I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST). The PRIVATE network is secured from the GUEST network by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services open to attack, e.g. telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces.
Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help appreciated!
P.S. config has been pared down to basics below
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
!
no aaa new-model
!
dot11 syslog
!
dot11 ssid PRIVATE@123
 vlan 100
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
!
dot11 ssid VISITOR@123
 vlan 200
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 03374C0A08392040420C00
!
ip source-route
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool GUEST
 utilization mark low 70 log
 network 172.16.1.0 255.255.255.0
 dns-server 192.168.0.1 18.104.22.168 22.214.171.124
 default-router 172.16.1.1
!
ip dhcp pool PRIVATE
 utilization mark low 70 log
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.1 126.96.36.199 188.8.131.52
 default-router 192.168.0.1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco privilege 15 password 7 073F205F5D1E491713
!
policy-map type inspect PM-DENYGUEST
 class class-default
  drop
!
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
!
bridge irb
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 100
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Dot11Radio0
 no ip address
 encryption vlan 100 mode ciphers aes-ccm
 encryption vlan 200 mode ciphers aes-ccm
 broadcast-key vlan 100 change 30
 broadcast-key vlan 200 change 30
 ssid PRIVATE@123
 ssid VISITOR@123
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 zone-member security PRIVATE
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.200
 encapsulation dot1Q 200
 zone-member security GUEST
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 no ip address
!
interface Vlan100
 no ip address
 bridge-group 1
!
interface Vlan200
 no ip address
 bridge-group 2
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname email@example.com
 ppp chap password 7 10580A4F1C4005005B
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE
!
interface BVI2
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security GUEST
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
logging 192.168.0.11
!
control-plane
!
bridge 1 protocol ieee
 bridge 1 route ip
bridge 2 protocol ieee
 bridge 2 route ip
!
line con 0
 exec-timeout 5 0
 no modem enable
 transport output all
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output none
!
end
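An added example, not part of the original post, that reuses the post's zone names and addresses: in IOS zone-based firewall, packets addressed to one of the router's own interface IPs (such as 192.168.0.1 on BVI1) belong to the predefined self zone rather than to the zone of the interface they arrive on, so the GUEST-TO-PRIVATE zone-pair never sees them, and with no zone-pair involving self they are permitted by default. A GUEST-to-self zone-pair is what governs that traffic; the ACL, class-map and policy-map names below are assumed, and the permitted services (DHCP, DNS, ICMP echo) are chosen to match what the GUEST DHCP pool hands out.

```cisco
! Added example (not from the original post): control guest traffic
! destined for the router itself through the predefined "self" zone.
! Assumes zones GUEST and PRIVATE and the BVI addressing from the post.
!
! Guest clients still need DHCP and DNS from the router; ICMP echo is
! kept for troubleshooting. Everything else aimed at the router's own
! addresses from the GUEST zone (telnet, ssh, http, https, ...) is dropped.
ip access-list extended ACL-GUEST-TO-ROUTER-OK
 permit udp any any eq bootps
 permit udp any any eq domain
 permit icmp any any echo
!
class-map type inspect match-any CM-GUEST-TO-ROUTER-OK
 match access-group name ACL-GUEST-TO-ROUTER-OK
!
policy-map type inspect PM-GUEST-TO-SELF
 class type inspect CM-GUEST-TO-ROUTER-OK
  pass
 class class-default
  drop log
!
! Direction GUEST -> self only; no self -> GUEST zone-pair is defined,
! so replies (DHCP offers, DNS answers) keep the self-zone default.
zone-pair security GUEST-TO-SELF source GUEST destination self
 service-policy type inspect PM-GUEST-TO-SELF
```

After applying it, "show policy-map type inspect zone-pair GUEST-TO-SELF" shows the drop counters climbing for guest attempts against telnet/ssh/http on either BVI address, while DHCP and DNS from guests keep working.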