Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
0
Helpful
3
Replies

Trouble configuring VLAN for guest wireless

J W
Level 1
Level 1

‎03-29-2011 09:32 AM - edited ‎03-06-2019 04:20 PM

Hello. I am wondering if someone can point me in the right direction here. I am attempting to configure a VLAN for a guest wireless network at a clients site.

The AP will be a procurve 420 that has a guest SSID and a VLAN set up on it (Vlan240) it is set to tag the packets with the VLAN info.

I have this device plugged into a Cisco 1711 router, into FastEthernet 2, on the built in switch port. My goal here is to have it set up so when someone connects to the Guest SSID, they are tagged with VLAN240, and they then obtain an IP address from the DHCP servicerunning on the 1711. If they jump on with the secured side, then they obtain an IP from the DHCP server in the DC. I have an ACL written to deny traffic from the 192.168.240.0 network to anything on the 10.0.0.0 network (Secured)

The trouble I am having is that when a user jumps on the guest wireless, they obtain an IP from the secured side (10.0.0.0). I am not sure if it is even seeing the VLAN info.The config may be a bit messy now as a result of my trying to troubleshoot the issue. I have tried moving the IP address (192.168.240.1) to the VLAN interface, instead of F0.240, but that does not help either. What am I missing?

Below is my config info (I have ensured that VLAN240 is in the VLAN database on the 1711

Any help would be appreciated.

security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000 warnings
enable secret XXXXX
!
username XXX password 7 XXXX
clock timezone EST -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.240.1 192.168.240.2
!
ip dhcp pool Pool1
   network 192.168.240.0 255.255.255.224
   default-router 192.168.240.1
   dns-server 10.0.1.2 10.0.1.3
!
ip dhcp pool pool1
   domain-name XXXX.local
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip domain lookup
ip domain name XXXX.local
no ip bootp server
ip cef
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 icmp
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ftp-server enable
no ftp-server write-enable
ftp-server topdir flash:
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXX address XXXXX
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_10 1 ipsec-isakmp
 description Tunnel to SAM Datacenter
 set peer XXXX
 set security-association lifetime seconds 28800
 set transform-set SDM_TRANSFORMSET_1
 match address GRE2DATACENTER
!
!
!
interface Tunnel0
 description VPN to SAM Datacenter Fiber
 bandwidth 3000
 ip address 10.254.253.82 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1338
 ip hello-interval eigrp 10000 20
 ip hold-time eigrp 10000 60
 ip route-cache flow
 ip tcp adjust-mss 1200
 cdp enable
 tunnel source FastEthernet0
 tunnel destination XXXXX
!
interface Null0
 no ip unreachables
!
interface Loopback100
 ip address 10.254.1.82 255.255.255.255
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0
 description Connected to Internet
 ip address <External IP> 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_10
 crypto ipsec df-bit clear
!
interface FastEthernet0.240
 encapsulation dot1Q 240
 ip address 192.168.240.1 255.255.255.0
 ip access-group 130 in
 ip helper-address 192.168.240.1
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport mode trunk
 no ip address
 vlan-id dot1q 240
  exit-vlan-config
 !
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Vlan1
 description Connected to SAM LAN
 ip address 10.1.40.1 255.255.254.0
 ip helper-address 10.0.2.11
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan240
 no ip address
 ip helper-address 192.168.240.1
 no ip redirects
 no ip proxy-arp
 vlan-id dot1q 240
  exit-vlan-config
 !
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
router eigrp 10000
 passive-interface FastEthernet0
 passive-interface Vlan1
 network 10.0.0.0
 network 192.168.240.0
 no auto-summary
 eigrp stub connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.253.81
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 150 interface FastEthernet0 overload
!
!
!
ip access-list extended GRE2DATACENTER
  permit gre host <LOCAL WAN ADDRESS> host <Dest. Tunnel WAN Address>
access-list 1 remark Auto generated by SDM Management A0.1.30.1 eq telnet
access-list 101 deny   tcp any host 10.1.30.1 eq 22
access-list 101 deny   tcp any host 10.1.30.1 eq www
access-list 101 deny   tcp any host 10.1.30.1 eq cmd
access-list 101 deny   udp any host 10.1.30.1 eq snmp
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 125 permit esp any any
access-list 130 remark Deny access to the 10 network for guest wireless.
access-list 130 deny   ip any 10.0.0.0 0.255.255.255
!
!
control-plane
!
!
line con 0
 login local
 transport output telnet
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 no exec
 transport input all
 transport output none
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end

Labels:
0 Helpful
3 Replies 3

andrew.prince
Level 10
Level 10

‎03-29-2011 11:12 AM

I can see 2 config issues:-

interface FastEthernet0.240
ip helper-address 192.168.240.1

Not required, as the DHCP server is local - this is only required when the DHCP is elsewhere on another IP subnet.


access-list 130 remark Deny access to the 10 network for guest wireless.
access-list 130 deny   ip any 10.0.0.0 0.255.255.255

By default ANY access list has a deny any any at the end - this is default and you do not see it.  So your ACL will block all traffic.

The fact that the clients are receving an 10.x.x.x IP address indicates 2 issues:-

1) The AP is not tagging the layer 2 traffic with the correct VLAN ID.

2) The switch port the router is connected to is not a trunk.

HTH>

0 Helpful

J W
Level 1
Level 1
In response to andrew.prince

‎04-01-2011 11:49 AM

Thank you for the suggestions! I realized that ip-helper address was not necessary and have since removed it. As for the acl, my goal was to block access from the guest network (192.168.240.0) to the secure network (10.0.0.0). Wouldn't the access list as configured just block traffic as described, or am I off on that one?

I will try changing the encapsulation command and see if that helps too! Thank you for the suggestions.

Sent from Cisco Technical Support iPhone App

0 Helpful

t_mcwilliams
Level 1
Level 1

‎03-29-2011 11:18 AM

It seems everything coming in from FastEthernet2 is untagged. Not sure if this will help much but try removing the "vlan-id dot1q 240" from the interface and add "switchport trunk encapsulation dot1q".

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card