Trouble configuring Subinterface/VLAN on 1711

J W
Level 1

Hello. I am having some trouble configuring a sub-interface for a VLAN on a Cisco 1711 Router. This device has one L3 FastEthernet port, and a built in 5 port L2 switch.

What I am ultimately trying to accomplish is to set up a guest wireless network for the site. Here is what I have in place (I hope this is all the relevant data):


!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000 warnings
enable secret XXXXXXX
!
username XXXX password XXXXX
clock timezone EST -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.240.1 192.168.240.2
!
ip dhcp pool Pool1
   network 192.168.240.0 255.255.255.224
   default-router 192.168.240.1
   dns-server 10.0.1.2 10.0.1.3
!
ip dhcp pool pool1
   domain-name XXXX.local
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip domain lookup
ip domain name XXXX.local
no ip bootp server
ip cef
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 icmp
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ftp-server enable
no ftp-server write-enable
ftp-server topdir flash:
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXX address <IP OF DC>
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_10 1 ipsec-isakmp
description Tunnel
set peer <IP OF DC>
set security-association lifetime seconds 28800
set transform-set SDM_TRANSFORMSET_1
match address GRE2DATACENTER
!
!
!
interface Tunnel0
description VPN to SAM Datacenter Fiber
bandwidth 3000
ip address 10.254.253.82 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1338
ip hello-interval eigrp 10000 20
ip hold-time eigrp 10000 60
ip route-cache flow
ip tcp adjust-mss 1200
cdp enable
tunnel source FastEthernet0
tunnel destination <IP OF DC>
!
interface Null0
no ip unreachables
!
interface Loopback100
ip address 10.254.1.82 255.255.255.255
no ip redirects
no ip proxy-arp
ip route-cache flow
!
interface FastEthernet0
description Connected to Internet
ip address <Routers Public IP> <ISP Subnet>
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_10
crypto ipsec df-bit clear
!
interface FastEthernet0.240
encapsulation dot1Q 240
ip address 192.168.240.1 255.255.255.224
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface FastEthernet2
switchport mode trunk
no ip address
no cdp enable
!
interface Vlan1
description Connected to SAM LAN
ip address 10.1.40.1 255.255.254.0
ip helper-address 10.0.2.11
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan240
no ip address
ip helper-address 192.168.240.1
no ip redirects
no ip proxy-arp
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
router eigrp 10000
passive-interface FastEthernet0
passive-interface Vlan1
network 10.0.0.0
no auto-summary
eigrp stub connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.253.81
ip route 4.2.2.2 255.255.255.255 <IP OF ISP>
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 150 interface FastEthernet0 overload
!
!
!
ip access-list extended GRE2DATACENTER
permit gre host <Routers public IP> host <IP OF DC>
access-list 1 remark Auto generated by SDM Management A
access-list 101 deny   tcp any host 10.1.30.1 eq telnet
access-list 101 deny   tcp any host 10.1.30.1 eq 22
access-list 101 deny   tcp any host 10.1.30.1 eq www
access-list 101 deny   tcp any host 10.1.30.1 eq cmd
access-list 101 deny   udp any host 10.1.30.1 eq snmp
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 125 permit esp any any
!
!
control-plane
!
!
line con 0
login local
transport output telnet
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
no exec
transport input all
transport output none
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
end

As you can see, I created a sub-interface (F0.240) and assigned it an IP. Now, this environment is a little complex, as the internet data goes over the WAN via a GRE tunnel to the site's Datacenter.

The plan is to have the 1711 dish out the IP addresses for VLAN2 (hence the DHCP config). DHCP for the secure LAN is being handled in the DC on the other end of the tunnel. The AP will be plugged into the trunk port in F2 (it is a trunk because the AP will be serving both the secure and guest wireless).

In order to test the routing of my config, I added the static route to 4.2.2.2 to go directly out to the internet. Trouble is, when I try to do an extended ping, using the source address of 192.168.240.1, I never get a reply. When I do the extended ping with 10.1.40.1, or the routers public IP, I get a reply.

I looked at the routing table, and the static route is in there ok (As I could tell because I was getting a reply on the other interfaces).

I did a sho ip int and F0.240 is up, up (I can post the output of the command if necessary).

What am I missing here that is not allowing this to work? Am I going about this completely wrong?

As always, any help would be appreciated.

2 Replies

glen.grant
VIP Alumni

Does the network on the other end have a route pointing back to the 192.168. network? It probably knows about your 10.X network but not your 192.168. net if you are using statics to point out to the ISP.

When I am doing the extended ping, I am giving the ping a source of 192.168.240.1 and the destination of 4.2.2.2. It is getting sent directly out the F0 interface to the ISP's IP address (unless I am misunderstanding the process, which is possible).

At this point, there is no router on the other end that I can access in order to ensure it has a route back.

One thing I was looking at was that NAT does not appear to be completely set up for this router (this is a relatively new client for me). I can configure it for my test, but I'd be curious as to why my extended pings with a source of 10.1.40.1 (the IP of VLAN1) get out to 4.2.2.2 without issue...

I did add the 192.168.240.0 network to eigrp, but this did not help matters either.

Thanks again for any help!
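The posted config references an access list in its NAT statement (`ip nat inside source list 150 ...`) that is never defined, and it defines ACLs 101 and 125 that are never applied to anything, which is the kind of half-finished policy the poster suspects. The following script is an added example, not part of this thread or of any Cisco tool: it lints an IOS-style config excerpt for ACL references that point at undefined lists and for ACLs that are defined but never applied. The excerpt embedded in it is a constructed subset of the lines from the post above; the command patterns it recognises are the common ACL-consuming IOS commands and are not an exhaustive list.

```python
"""Lint an IOS-style config for dangling and unused access lists.

Added example for the thread above; it is not Cisco code. It only
recognises a handful of ACL-consuming commands (listed below), so an
ACL flagged as 'unused' may still be referenced by a command this
script does not know about.
"""
import re

# Constructed excerpt: lines copied from the router config posted in the
# thread (public addresses were already masked in the original post).
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_10 1 ipsec-isakmp
 set peer <IP OF DC>
 match address GRE2DATACENTER
interface FastEthernet0
 ip nat outside
 crypto map SDM_CMAP_10
interface FastEthernet0.240
 encapsulation dot1Q 240
 ip nat inside
ip nat inside source list 150 interface FastEthernet0 overload
ip access-list extended GRE2DATACENTER
 permit gre host <Routers public IP> host <IP OF DC>
access-list 101 deny   tcp any host 10.1.30.1 eq 22
access-list 101 permit ip any any
access-list 125 permit esp any any
"""

# Commands that create an ACL; group 1 is the ACL name or number.
DEFINITION_PATTERNS = [
    re.compile(r"^access-list (\d+)\b"),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
]

# Commands that consume an ACL; group 1 is the ACL they refer to.
REFERENCE_PATTERNS = [
    re.compile(r"^ip nat (?:inside|outside) source list (\S+)"),
    re.compile(r"^match address (\S+)"),             # inside a crypto map
    re.compile(r"^ip access-group (\S+) (?:in|out)"),
    re.compile(r"^access-class (\S+) (?:in|out)"),   # vty line filtering
    re.compile(r"^distribute-list (\S+) (?:in|out)"),
]


def lint_acls(config_text):
    """Return (undefined, unused).

    undefined: dict mapping each referenced-but-undefined ACL to the
               config lines that reference it.
    unused:    sorted list of ACLs that are defined but never referenced.
    """
    defined = set()
    referenced = {}
    for raw in config_text.splitlines():
        line = raw.strip()          # IOS indents sub-mode commands
        for pat in DEFINITION_PATTERNS:
            m = pat.match(line)
            if m:
                defined.add(m.group(1))
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                referenced.setdefault(m.group(1), []).append(line)
    undefined = {acl: lines for acl, lines in referenced.items()
                 if acl not in defined}
    unused = sorted(defined - set(referenced))
    return undefined, unused


def report(config_text):
    """Human-readable summary of lint_acls() for a config."""
    undefined, unused = lint_acls(config_text)
    out = []
    for acl, lines in sorted(undefined.items()):
        out.append(f"UNDEFINED  ACL {acl} referenced by: {'; '.join(lines)}")
    for acl in unused:
        out.append(f"UNUSED     ACL {acl} is defined but never applied")
    return "\n".join(out) if out else "no ACL problems found"


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run against the excerpt it reports ACL 150 as referenced by the NAT statement but never defined, and ACLs 101 and 125 as defined but never applied; GRE2DATACENTER is both defined and consumed by the crypto map, so it is silent. The first finding means the NAT policy the operator believes is in place is not what the device is actually enforcing; the second is worth a look because ACL 101 restricts management protocols (ssh, www, snmp) to a specific host, so an unapplied copy of it suggests management-plane filtering that was intended but never took effect. Running a check like this on a pulled `show running-config` is a cheap way to catch both conditions before they surface as a puzzling ping failure.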
