Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
354
Views
0
Helpful
1
Replies

Cisco 877W Dual SSID/VLAN Security Issue

rajan.pradhan
Level 1
Level 1

‎10-31-2014 09:26 PM - edited ‎03-07-2019 09:20 PM

Hi All

 

I have an issue with my 877W that is as fascinating as it is frustrating. I have two SSIDs/VLANs, one for trusted LAN users (PRIVATE), and one for guests (GUEST).  The PRIVATE network is secured from the GUEST nework by zone based firewall. Everything works fine, guest devices cannot access private devices, except for one thing - the BVI interface on the PRIVATE network is always accessible to guest devices, and all services open to attack eg telnet/ssh/http/dns etc. I've tried everything to secure this interface from the guest network, including putting deny any any on physical, BVI and VLAN interfaces

Am I missing something obvious, or some fundamental architecture of the 877 that would stop this interface being secured? Any help aprreciated!

P.S config has been pared down to basics below

 

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$BdpF$r/mAhQGYs8LBlqEpANmke0
!
no aaa new-model
!
dot11 syslog
!
dot11 ssid PRIVATE@123
 vlan 100
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 046B0A535A15441D2D0C11141A5A5F
!
dot11 ssid VISITOR@123
 vlan 200
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 03374C0A08392040420C00
!
ip source-route
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!        
ip dhcp pool GUEST
 utilization mark low 70 log
 network 172.16.1.0 255.255.255.0
 dns-server 192.168.0.1 61.9.242.33 61.9.226.33
 default-router 172.16.1.1
!
ip dhcp pool PRIVATE
 utilization mark low 70 log
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.1 61.9.242.33 61.9.226.33
 default-router 192.168.0.1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco privilege 15 password 7 073F205F5D1E491713
!        
policy-map type inspect PM-DENYGUEST
 class class-default
  drop
!
zone security GUEST
zone security PRIVATE
zone-pair security GUEST-TO-PRIVATE source GUEST destination PRIVATE
 service-policy type inspect PM-DENYGUEST
!
bridge irb
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!        
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 100
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Dot11Radio0
 no ip address
 encryption vlan 100 mode ciphers aes-ccm
 encryption vlan 200 mode ciphers aes-ccm
 broadcast-key vlan 100 change 30
 broadcast-key vlan 200 change 30
 ssid PRIVATE@123
 ssid VISITOR@123
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 zone-member security PRIVATE
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.200
 encapsulation dot1Q 200
 zone-member security GUEST
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 no ip address
!
interface Vlan100
 no ip address
 bridge-group 1
!
interface Vlan200
 no ip address
 bridge-group 2
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname podfive@bigpond.com
 ppp chap password 7 10580A4F1C4005005B
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE
!
interface BVI2
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security GUEST
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
logging 192.168.0.11
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
line con 0
 exec-timeout 5 0
 no modem enable
 transport output all
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output none
!
end

Labels:
0 Helpful
1 Reply 1

rajan.pradhan
Level 1
Level 1

‎10-31-2014 09:51 PM

Ignore that. self zone got me. Argh! phew!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card