No internet access through 2nd VLAN on WLAN interface

Stefan Wahl

Hi all,

I have a UC540 running IOS 15 with CME 8.1.

I set up an additional data VLAN which only has to get direct access to the internet through the configured Dialer0 interface, which is also used by the default data VLAN.

I also defined a DHCP scope and set the new VLAN as a trusted network in the firewall settings.

But when I connect to the new VLAN I don't get any DNS server assigned by the dialer interface.

There is no DNS server configured in either (!) DHCP scope.

Do I have to set any other settings?

Best regards

Stefan

Here is a part of the config:

ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.1.1.1
!
ip dhcp pool data
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
!
ip dhcp pool PSP
   import all
   network 192.168.11.0 255.255.255.0
   default-router 192.168.11.1
!
interface Dot11Radio0/5/0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid cisco-data
 !
 ssid cisco-psp
 !
 ssid cisco-voice
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 service-policy output Voice
!
interface Dot11Radio0/5/0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0/5/0.2
 encapsulation dot1Q 2
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0/5/0.100
 encapsulation dot1Q 100
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 spanning-disabled
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Vlan100
 no ip address
 bridge-group 100
 bridge-group 100 spanning-disabled
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 106 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXXXXXXX
 ppp pap sent-username YYYYYYYYYYYYYYYYYYYY password 7 ZZZZZZZZZZZZZZZ
 ppp ipcp dns request
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface BVI2
 description $FW_INSIDE$
 ip address 192.168.11.1 255.255.255.0
 ip access-group 105 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface BVI100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 192.168.11.0 255.255.255.0 Dialer0

Accepted Solution

You need to add the 192.168.11.0 network to your access-list 1.

access-list 1 permit 192.168.11.0 0.0.0.255

7 Replies

Ryan-Kramer

Can you post your full configuration? I need to see your configured ACLs.

Thanks.

Hi,

here is the ACL config:

logging esm config
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_8##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny   ip 192.168.11.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_6##
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip 192.168.11.0 0.0.0.255 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_8##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny   ip 10.1.10.0 0.0.0.3 any
access-list 103 deny   ip 192.168.11.0 0.0.0.255 any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_6##
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration##NO_ACES_16##
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip 10.1.10.0 0.0.0.3 any
access-list 105 deny   ip 192.168.11.0 0.0.0.255 any
access-list 105 deny   ip 10.1.1.0 0.0.0.255 any
access-list 105 deny   ip 192.168.10.0 0.0.0.255 any
access-list 105 permit udp host 217.0.43.17 eq domain any
access-list 105 permit udp host 217.0.43.49 eq domain any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
dialer-list 1 protocol ip permit
!

Darren DeCroock

Stefan,

I would first see if DNS is your only issue by trying to ping an IP address like 4.2.2.2. If that is working, then you should only need to add your DNS servers to the DHCP pools.

Example:  (You can use your own DNS server addresses.)

ip dhcp pool data
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 4.2.2.2 8.8.8.8
!
ip dhcp pool PSP
   import all
   network 192.168.11.0 255.255.255.0
   default-router 192.168.11.1
   dns-server 4.2.2.2 8.8.8.8

The DNS servers can be added under CCA by editing the DHCP pools.

Thank you,

Darren

Hi Darren,

VLAN Data is working without DNS servers entered in the DHCP scope.

VLAN PSP doesn't work even if I enter the DNS servers from my provider.

Pinging between both VLANs works.

Thanks

Stefan

You need to add the 192.168.11.0 network to your access-list 1.

access-list 1 permit 192.168.11.0 0.0.0.255

Thank you Ryan,

that was the solution.

Can you tell me what ACL 1 is used for?

Thank you very much for your fast support.

Stefan

Thank you also for your support, Darren.

The mistake was a missing entry in ACL 1.

Bye Stefan
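ACL 1, which Stefan asks about in his last reply, is the list named in `ip nat inside source list 1 interface Dialer0 overload` in the posted config: it selects which inside source addresses are translated to the Dialer0 address. A subnet missing from it, as 192.168.11.0/24 was, still routes (which is why pinging between the VLANs worked), but its packets go out Dialer0 untranslated with a private source address and no reply ever comes back. The script below is an added example, not code from the thread or from Cisco. It lints a condensed copy of the posted config (constructed here, in its pre-fix state) for exactly that gap, returns the same `access-list 1 permit ...` line Ryan gave, and, going a little beyond the thread, also reports DHCP pools that hand out no DNS server at all, which is the check behind Darren's suggestion. The lint assumes contiguous wildcard masks and a `show running-config` style layout (sub-commands indented, `!` as separators).

```python
"""Added example, not from the thread: lint a Cisco IOS config excerpt for
inside subnets the NAT source ACL does not permit and for DHCP pools that
hand out no DNS server."""
import ipaddress
import re

# Constructed excerpt condensed from the posted config, in the pre-fix state:
# ACL 1 does not yet cover 192.168.11.0/24.
SAMPLE_CONFIG = """\
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
!
ip dhcp pool PSP
   import all
   network 192.168.11.0 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ppp ipcp dns request
!
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface BVI2
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
"""


def stanzas(config):
    """Group lines into (top-level command, [indented sub-commands]); '!' is skipped."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            if raw[0].isspace():
                out[-1][1].append(line)
            else:
                out.append((line, []))
    return out

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> network (contiguous wildcards only)."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def acl_entries(config, number):
    """Parse 'access-list N permit|deny <addr> [<wildcard>]' into (action, network)."""
    pat = re.compile(rf"^access-list\s+{number}\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?")
    entries = []
    for m in filter(None, map(pat.match, config.splitlines())):
        action, addr, wc = m.groups()
        if addr == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wc = wc, "0.0.0.0"
        entries.append((action, wildcard_to_network(addr, wc or "0.0.0.0")))
    return entries

def nat_inside_subnets(config):
    """{interface: subnet} for each 'ip nat inside' interface with a static address."""
    found = {}
    for head, body in stanzas(config):
        if head.startswith("interface ") and "ip nat inside" in body:
            for sub in body:
                m = re.match(r"ip address (\S+) (\S+)$", sub)  # 'negotiated' has no mask
                if m:
                    found[head.split()[1]] = ipaddress.ip_network(m.groups(), strict=False)
    return found

def nat_acl_number(config):
    """Number of the standard ACL that 'ip nat inside source list' refers to."""
    return int(re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1))

def acl_verdict(entries, subnet):
    """First match, applied to a whole subnet: permit, deny (explicit or the
    implicit deny at the end) or partial when an entry covers only part of it."""
    for action, net in entries:
        if subnet.subnet_of(net):
            return action
        if subnet.overlaps(net):
            return "partial"
    return "deny"

def untranslated_subnets(config):
    """(interface, subnet, fix line) for inside subnets the NAT ACL does not permit."""
    n = nat_acl_number(config)
    entries = acl_entries(config, n)
    return [(name, str(net), f"access-list {n} permit {net.network_address} {net.hostmask}")
            for name, net in sorted(nat_inside_subnets(config).items())
            if acl_verdict(entries, net) != "permit"]

def pools_without_dns(config):
    """DHCP pools with neither 'dns-server' nor 'import all' backed by IPCP DNS."""
    groups = stanzas(config)
    ipcp_dns = any(h.startswith("interface ") and "ppp ipcp dns request" in b for h, b in groups)
    return [head.split()[3] for head, body in groups if head.startswith("ip dhcp pool ")
            and not any(sub.startswith("dns-server ") for sub in body)
            and not ("import all" in body and ipcp_dns)]
```

Calling `untranslated_subnets(SAMPLE_CONFIG)` returns one entry for BVI2 together with the fix line `access-list 1 permit 192.168.11.0 0.0.0.255`; appending that line to the config empties the result. `pools_without_dns(SAMPLE_CONFIG)` returns `['phone']`, since that pool has neither `dns-server` nor `import all`; whether the IP phones need DNS is a separate question the thread does not raise. `acl_verdict` reports `partial` when an entry covers only part of a subnet, which a plain first-match check on one address would miss.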