Solved: network topology + basic questions to answer - Page 2

andbor600 · ‎02-23-2013

good day guys,

I need your hints to create a correct network topology.

what I have ? three cisco devices:

1. router 877W (with POTS internet access)

2. switch SG-500

3. Access Point Aironet 2602i

what I expect:

a) to have 4 VLANs on my switch (home, monitor, dmz, guests)

b) to have two ssids defined on my AP2602 with different ip address networks (home and guests)

the issues:

1. AP 2602i is powered from SG-500 (over PoE) so it must be connected directly to SG-500

2. SG-500 has got no DHCP server, so all DHCP servers are defined within 877W router. otherwords all devices connected to switch should ask 877W router for IP addresses

3. I am going to shut down all wireless functionality in my 877W router.

4. 4 VLANs should communicate with themselves within SG-500 switch (cause there is a 1000Mb port functionality) without router (only 100Mb port functionality)

I spent several evenings trying to find correct solution for my network, but the longer I go the worse feelings I get.

so guys, could you start with the basic stuff:

how would you create a topology ?

how many VLANS do I need ? (4 VLANS + 1 for router ?)

how to connect a router with a switch (a special dedicated VLAN ?), if so acccess/trunk ports on both ?

many thanks

andbor600 · ‎02-27-2013

just sorted it out.

I was lack of native vlan 1.

as soon as I added it everything went back to normal. no idea how it was working without native vlan before ...

Jawad, can you please tell me how I can get an access to internet from hosts connected to my AP. at present none of hosts can reach internet (my router 877W provides the connection)

I guess the kind of route IP is missing, but do not know how to configure it ...

jawad-mukhtar · ‎02-27-2013

Post your running config of router .

Jawad

andbor600 · ‎02-27-2013

before you go thru it:

I have defined 2 vlans on my AP (vlan 11 HOME (10.10.11.0) and vlan 14 GUESTS (192.168.1.0) - see router config)

vlans work OK (correct IPs are assigned to the hosts from AP, etc)

the only problem I have got - I have no access to internet (served by my 877W router). do not take care of the wireless services defined on my router - these interfaces are shut down.

I have connection with my AP via console port. using terminal I can ping any internet address I imagine. I can use domain names insted of their external addresses - both work fine

the same with terminal session of my switch - again I can ping any internet server.

the problem is no AP host can do it - I cannot even ping internet address, not to mention browsing web pages.

version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname C877W
!
boot-start-marker
boot system flash:/c870-advipservicesk9-mz.124-24.T7.bin
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 151200
enable secret 5 sss
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-999

enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-999
revocation-check none
rsakeypair TP-self-signed-999
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-000
certificate self-signed 01
999 999 999
   quit
dot11 mbssid
dot11 syslog
dot11 vlan-name GLAN4 vlan 4
dot11 vlan-name LOCAL vlan 1
dot11 vlan-name WLAN3 vlan 3
!
dot11 ssid isa
vlan 4
authentication open
authentication key-management wpa
wpa-psk ascii 7 abc
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.31 192.168.1.254
!
ip dhcp pool WLAN4
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 62.233.233.233 87.204.204.204
   netbios-name-server 10.10.10.2
   domain-name ml-ab.pl
   lease infinite
!
ip dhcp pool HOME
   import all
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool 10
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
ip dhcp pool MONITORING
   import all
   network 10.10.12.0 255.255.255.0
   dns-server 62.233.233.233
   default-router 10.10.12.1
   lease infinite
!
ip dhcp pool default
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool zabel
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 62.233.233.233
   default-router 192.168.2.1
   lease infinite
!
ip dhcp pool DMZ
   import all
   network 10.10.13.0 255.255.255.0
   default-router 10.10.13.1
   dns-server 62.233.233.233
   lease infinite
!
!
ip cef
no ip bootp server
ip name-server 62.233.233.233
ip name-server 87.204.204.204
no ip port-map x11 port tcp from 6000 to 6606 description X Window System
ip ips config location flash:/ips5/ retries 5 timeout 10
ip ips notify SDEE
no ip ips notify log
!
ip ips signature-category
category all
   retired true
category ios_ips basic
   retired false
!
ip inspect audit-trail
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
9999 9999 9999
quit
!
!
!
archive
log config
hidekeys
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect imap match-any imap-mail
match login clear-text
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any printer-9100
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-any print-9100
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-permit-icmpreply
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
inspect
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip flow ingress
zone-member security out-zone
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface FastEthernet0
description LAN1
switchport mode trunk
!
interface FastEthernet1
description WLAN2
switchport mode trunk
!
interface FastEthernet2
description default
!
interface FastEthernet3
description GLAN4
switchport mode trunk
!
interface Dot11Radio0
no ip address
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
encryption mode ciphers tkip
!
encryption vlan 4 mode ciphers tkip
!
broadcast-key vlan 4 change 30
!
!
ssid zabel
!
no mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.4
encapsulation dot1Q 4
zone-member security in-zone
no cdp enable
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 spanning-disabled
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
!
interface Vlan1
description default$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan4
no ip address
traffic-shape rate 64000 8000 8000 1000
bridge-group 4
!
interface Vlan11
description HOME
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan14
description GUESTS
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname aaa@www.wwwl
ppp chap password 7 999
!
interface BVI4
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-cache timeout active 1
ip flow-export version 5
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source list 3 interface Dialer1 overload
ip nat inside source list 4 interface Dialer1 overload
ip nat inside source list 5 interface Dialer1 overload
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended any
remark SDM_ACL Category=128
permit ip any any
ip access-list extended printer
remark SDM_ACL Category=128
permit ip any any
!
logging trap debugging
logging 10.10.11.1
access-list 1 remark inside to Internet
access-list 1 remark SDM_ACL Category=2
access-list 1 remark LAN1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark WLAN2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 3 remark DLAN3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark WLAN4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 10 remark CCP_ACL Category=1
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.10.11.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.12.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 102 deny   tcp any host 10.10.10.1 eq telnet
access-list 102 deny   tcp any host 10.10.10.1 eq 22
access-list 102 deny   tcp any host 10.10.10.1 eq www
access-list 102 deny   tcp any host 10.10.10.1 eq 443
access-list 102 deny   tcp any host 10.10.10.1 eq cmd
access-list 102 deny   udp any host 10.10.10.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 remark Auto generated by SDM Management Access feature
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq telnet
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq 22
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq www
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq 443
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq cmd
access-list 109 deny   tcp any host 10.10.11.1 eq telnet
access-list 109 deny   tcp any host 10.10.11.1 eq 22
access-list 109 deny   tcp any host 10.10.11.1 eq www
access-list 109 deny   tcp any host 10.10.11.1 eq 443
access-list 109 deny   tcp any host 10.10.11.1 eq cmd
access-list 109 deny   udp any host 10.10.11.1 eq snmp
access-list 109 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------

nice, huh ?

-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
speed 115200
line aux 0
transport output telnet
line vty 0 4
access-class 105 in
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 150.254.183.15 prefer source Dialer1
ntp server 193.110.137.171 source Dialer1
ntp server 212.244.36.227 source Dialer1
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.4.1012-k9.pkg sequence 1
end

jawad-mukhtar · ‎02-27-2013

.

no ip nat inside source list 1 interface Dialer1 overload
no ip nat inside source list 2 interface Dialer1 overload
no ip nat inside source list 3 interface Dialer1 overload
no ip nat inside source list 4 interface Dialer1 overload
no ip nat inside source list 5 interface Dialer1 overload

ip nat inside source list NAT interface Dialer1 overload

!

IP ACCESS-LIST EXTENDED NAT

permit ip 10.10.11.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

10.10.11.1#sthash.DFy8W4Us.dpuf.

Jawad

jawad-mukhtar · ‎02-27-2013

After this check are you getting hits on this access-list name NAT.

by using show ip access-list NAT

**Rate Helpful Posts**

Jawad

andbor600 · ‎02-27-2013

I changed NAT access-list, but no hits. no difference.

the one thing makes me thinking. both using terminals on both devices (switch & AP) I can ping any external address. I cannot do the same on hosts connected to AP. really drives me mad

jawad-mukhtar · ‎02-27-2013

Kindly Let me know

What Your IP address and Gateway Of Client.

Check DNS is corrent

As assigned by dhcp.

Waiting

Jawad

andbor600 · ‎02-27-2013

>>>What Your IP address and Gateway Of Client.

ANS - which IP address do you mean ? external ? IP of host connected to AP ?

ANS - Gateway of Client: it is respectively 192.168.1.1 (VLAN 14) and 10.10.11.1 (VLAN 11)

>>>Check DNS is corrent

>>>As assigned by dhcp.

ANS - yes. it is correct. hosts connected to AP get DNS: 62.233.233.233

jawad-mukhtar · ‎02-27-2013

Have your configured default route on route.

ip route 0.0.0.0 0.0.0.0 interface Dialer 1

Jawad

andbor600 · ‎02-28-2013

of course. see my pasted config

ip route 0.0.0.0 0.0.0.0 Dialer1

jawad-mukhtar · ‎02-28-2013

Have u disable IP routing in SG500 its doing Routing. You need Your Router to Do Routing For you.

IN Switch

no ip routing

Jawad

andbor600 · ‎02-28-2013

in my switch config I have got:

ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 10.10.11.0 255.255.255.0 10.10.11.1

ip route 10.10.12.0 255.255.255.0 10.10.12.1

ip route 10.10.13.0 255.255.255.0 10.10.13.1

ip route 192.168.1.0 255.255.255.0 192.168.1.1

there is NO line like:

"no ip routing"

I will change it on my switch. in 6 hours I will get back to you.

jawad-mukhtar · ‎02-28-2013

Got it.

Remove all Routes from Your Switch. These Routes are not required.

Jawad

andbor600 · ‎02-28-2013

hi Jawad,

I removed all route lines from my config - no positive result.

could you please paste an example config of router and switch to have it working ?

and maybe any debug command I can go deeper into details ?

andbor600 · ‎02-28-2013

Jawad,

some more observations.

at present my switch is connected to my router via GE48 port

please find below its configuration:

interface gigabitethernet1/48

switchport trunk allowed vlan add 11-14

for that moment lets forget about AP issues.

now, if my host is connected to PORT 43 (VLAN 1, native)

I have got internet access

if my host is connected to PORT 10 (VLAN 11)

config:

interface gigabitethernet1/10
switchport trunk native vlan 11

I have got NO internet access