
Can't ping from wireless devices -IR829

nadeesh.sam

Hi everyone!

I have an IR829 that has two VLANs set up for wireless and wired clients. I can't access any wired VLAN devices from the wireless VLAN. Please help me diagnose the problem. Thank you!

Tests

  • From the router

I can ping all the devices from the router with different sources.

Screenshot 2022-07-19 181340.png

  • From a wireless device [Successfully gets the 172.16.3.4 ip from DHCP]

I can ping both VLAN gateways but can't ping the two devices on the VLAN10 - WIRED (Weird I know haha)

Screenshot 2022-07-19 180913.png

5 Replies

Hello,

the policy routing prevents traffic between both Vlans. What is the purpose of the policy routing? In order to get connectivity, first of all make the changes marked in bold. Once you have connectivity, we need to look at the PBR:

Current configuration : 9297 bytes
!
! No configuration change since last restart
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ir829
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FdvL$4G/AODmmwE1/Z18RW9b890
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
ignition off-timer 900
!
ignition undervoltage threshold 11 000
!
no ignition enable
!
ip dhcp excluded-address 172.16.3.2
!
ip dhcp pool WIRELESS
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool WIRED
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool CC-Comp
host 172.16.2.50 255.255.255.0
client-identifier ff66.7b93.2a00.0200.00ab.11d6.4942.a591.f597.e8
!
ip domain name vh.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
username admin privilege 15 secret 5 $1$b61O$17XyZ4ikIK7qYzKF16c0H/
!
redundancy
!
controller Cellular 0
lte sim fast-switchover enable
!
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
!
interface GigabitEthernet0
mac-address 00f9.74a9.395e
ip dhcp client hostname CC-ROUTER
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet1
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet2
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet3
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet4
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface Wlan-GigabitEthernet0
description Internal AP
switchport mode trunk
no ip address
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
ipv6 address autoconfig
!
interface Cellular1
no ip address
encapsulation slip
!
interface wlan-ap0
ip address 1.1.1.1 255.255.255.255
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description WIRED
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
--> no ip policy route-map NAT_WIRED
!
interface Vlan20
description WIRELESS
ip address 172.16.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
--> no ip policy route-map NAT_WIRELESS
!
interface Async0
no ip address
encapsulation scada
shutdown
!
interface Async1
no ip address
encapsulation scada
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT_WIRED interface Cellular0 overload
ip nat inside source route-map NAT_WIRELESS interface GigabitEthernet0 overload
ip ssh version 2
!
ip access-list extended LIST_WIRED
deny ip 172.16.3.0 0.0.0.255 any
deny ip 172.16.2.0 0.0.0.255 172.16.11.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 any
ip access-list extended LIST_WIRELESS
deny ip 172.16.2.0 0.0.0.255 any
deny ip 172.16.3.0 0.0.0.255 172.16.11.0 0.0.0.255
permit ip 172.16.3.0 0.0.0.255 any
!
ip sla 1
icmp-echo 172.16.11.1
timeout 10000
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
route-map NAT_WIRELESS permit 10
match ip address LIST_WIRELESS
set ip next-hop dynamic dhcp
set interface GigabitEthernet0
!
route-map NAT_WIRED permit 10
match ip address LIST_WIRED
match interface Cellular0
!
control-plane
!
line con 0
exec-timeout 0 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 4
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 8
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
transport input ssh
!
no scheduler max-task-time
ntp server time.google.com
ntp server pool.ntp.org
no iox hdm-enable
iox client enable interface GigabitEthernet5
no iox recovery-enable
!
end

Current configuration : 2656 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ir829-ap
!
logging rate-limit console 9
enable secret 5 $1$OSYE$3C3yLk/lHhRdyO3zOsiLl0
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
no ip source-route
no ip cef
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name vlan20 vlan 20
!
dot11 ssid ABCD-Wifi
vlan 20
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 04550E090C2E581F5B4A
!
no ipv6 cef
!
username admin privilege 15 secret 5 $1$D/Cr$RyL7oPLbeFwgMH6iYEkKF.
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
ssid ABCD-Wifi
!
antenna gain 0
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
peakdetect
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface BVI1
mac-address f01d.2d55.85ce
ip address 172.16.3.2 255.255.255.0
no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
--> ip route 0.0.0.0 0.0.0.0 172.16.3.1
!
bridge 1 route ip
bridge 20 route ip
!
line con 0
privilege level 15
no activation-character
line vty 0 4
transport input all
!
cns dhcp
end
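
Added example (not part of the original reply and not Cisco tooling): a first-match evaluator for the `LIST_WIRELESS` ACL in the router config above, showing that a packet from the wireless client 172.16.3.4 to the wired host 172.16.2.50 is permitted by the ACL and therefore receives the `set interface GigabitEthernet0` action of `route-map NAT_WIRELESS`. `LIST_WIRELESS_EXEMPT` is a hypothetical variant, and all function names are this example's own.

```python
import ipaddress

# Constructed from the ir829 config quoted above (ACL as it stood before the change).
LIST_WIRELESS = [
    ("deny",   "172.16.2.0 0.0.0.255", "any"),
    ("deny",   "172.16.3.0 0.0.0.255", "172.16.11.0 0.0.0.255"),
    ("permit", "172.16.3.0 0.0.0.255", "any"),
]

# Hypothetical variant, not from the thread: a leading deny for wireless -> wired.
LIST_WIRELESS_EXEMPT = [
    ("deny", "172.16.3.0 0.0.0.255", "172.16.2.0 0.0.0.255"),
] + LIST_WIRELESS


def wildcard_match(spec, addr):
    """True if addr matches an IOS 'base wildcard' pair or the keyword 'any'."""
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wild & 0xFFFFFFFF  # bits set in the wildcard mask are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def acl_verdict(acl, src, dst):
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    for action, src_spec, dst_spec in acl:
        if wildcard_match(src_spec, src) and wildcard_match(dst_spec, dst):
            return action
    return "deny"


def pbr_decision(acl, src, dst):
    """The route-map clause applies its set action only when the ACL permits."""
    if acl_verdict(acl, src, dst) == "permit":
        return "set interface GigabitEthernet0"
    return "normal routing"


if __name__ == "__main__":
    flows = [
        ("172.16.3.4", "172.16.2.50"),  # wireless client -> wired host
        ("172.16.3.4", "8.8.8.8"),      # wireless client -> internet
        ("172.16.3.4", "172.16.11.1"),  # excluded by the second deny entry
    ]
    for name, acl in (("LIST_WIRELESS", LIST_WIRELESS),
                      ("LIST_WIRELESS_EXEMPT", LIST_WIRELESS_EXEMPT)):
        for src, dst in flows:
            print(f"{name:21} {src} -> {dst:12} {pbr_decision(acl, src, dst)}")
```
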

Hi Georg,

Thanks for pointing me in the right direction. It started working once I made your changes.

I'm hoping to use PBRs to give internet access to the vlans from different interfaces. Vlan10 should go to the internet from the Cellular0 interface and Vlan20 should go to the internet through GigabitEthernet 0 interface.

Would you be able to help me set up this as well? 

Hello,

with the changes marked in bold, the PBR should work:

Current configuration : 9297 bytes
!
! No configuration change since last restart
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ir829
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FdvL$4G/AODmmwE1/Z18RW9b890
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
ignition off-timer 900
!
ignition undervoltage threshold 11 000
!
no ignition enable
!
ip dhcp excluded-address 172.16.3.2
!
ip dhcp pool WIRELESS
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool WIRED
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool CC-Comp
host 172.16.2.50 255.255.255.0
client-identifier ff66.7b93.2a00.0200.00ab.11d6.4942.a591.f597.e8
!
ip domain name vh.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
username admin privilege 15 secret 5 $1$b61O$17XyZ4ikIK7qYzKF16c0H/
!
redundancy
!
controller Cellular 0
lte sim fast-switchover enable
!
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
!
interface GigabitEthernet0
mac-address 00f9.74a9.395e
ip dhcp client hostname CC-ROUTER
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet1
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet2
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet3
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet4
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface Wlan-GigabitEthernet0
description Internal AP
switchport mode trunk
no ip address
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
ipv6 address autoconfig
!
interface Cellular1
no ip address
encapsulation slip
!
interface wlan-ap0
ip address 1.1.1.1 255.255.255.255
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description WIRED
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
--> ip policy route-map NAT_WIRED
!
interface Vlan20
description WIRELESS
ip address 172.16.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
--> ip policy route-map NAT_WIRELESS
!
interface Async0
no ip address
encapsulation scada
shutdown
!
interface Async1
no ip address
encapsulation scada
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT_WIRED interface Cellular0 overload
ip nat inside source route-map NAT_WIRELESS interface GigabitEthernet0 overload
ip ssh version 2
!
--> ip access-list extended LIST_WIRED
--> permit ip 172.16.2.0 0.0.0.255 any
--> ip access-list extended LIST_WIRELESS
--> permit ip 172.16.3.0 0.0.0.255 any
!
ip sla 1
icmp-echo 172.16.11.1
timeout 10000
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
route-map NAT_WIRELESS permit 10
match ip address LIST_WIRELESS
set ip next-hop dynamic dhcp
set interface GigabitEthernet0
!
--> route-map NAT_WIRELESS permit 20
!
route-map NAT_WIRED permit 10
match ip address LIST_WIRED
match interface Cellular0
!
--> route-map NAT_WIRED permit 20
!
control-plane
!
line con 0
exec-timeout 0 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 4
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 8
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
transport input ssh
!
no scheduler max-task-time
ntp server time.google.com
ntp server pool.ntp.org
no iox hdm-enable
iox client enable interface GigabitEthernet5
no iox recovery-enable
!
end

Hi Georg,

I made the change and it seems to retain all the inter VLAN connectivity. I have internet on VLAN20 but VLAN10 doesn't have internet now. Here's the test I did to verify.

Screenshot 2022-07-20 183503.png 

Show ip route gives me this,

Screenshot 2022-07-20 184014.png

Could you identify any problem? Current configuration is below,

!
ip dhcp excluded-address 172.16.3.2
ip dhcp excluded-address 172.16.2.2
!
ip dhcp pool WIRELESS
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
dns-server 172.16.3.1
!
ip dhcp pool WIRED
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
dns-server 172.16.2.1
!
ip dhcp pool CC-Comp
host 172.16.2.50 255.255.255.0
client-identifier ff66.7b93.2a00.0200.00ab.11d6.4942.a591.f597.e8
!
!
!
ip domain name XXXXXX
ip host cabin.hm.local 172.16.2.50
ip host cabin.hm 172.16.2.50
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip multicast-routing
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
license udi pid IR829GW-LTE-LA-ZK9 sn FGL2602L191
!
!
username admin privilege 15 secret 5 $1$b61O$17XyZ4ikIK7qYzKF16c0H/
!
redundancy

!
!
!
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
lte sim fast-switchover enable
no lte gps enable
lte modem link-recovery disable
!
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
tunnel source GigabitEthernet0
tunnel destination dynamic
tunnel protection ipsec profile IPSEC_PROFILE

!
interface GigabitEthernet0
mac-address 00f9.74a9.395e
ip dhcp client hostname CC-ROUTER
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet1
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet2
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet3
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet4
switchport access vlan 10
switchport mode access
no ip address
no mop enabled
!
interface Wlan-GigabitEthernet0
description Internal AP
switchport mode trunk
no ip address
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 60
dialer in-band
dialer idle-timeout 300
dialer string lte
dialer-group 1
ipv6 address autoconfig
async mode interactive
routing dynamic
!
interface Cellular1
no ip address
encapsulation slip
!
interface wlan-ap0
ip address 1.1.1.1 255.255.255.255
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description WIRED
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map NAT_WIRED
!
interface Vlan20
description WIRELESS
ip address 172.16.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map NAT_WIRELESS
!
interface Async0
no ip address
encapsulation scada
shutdown
!
interface Async1
no ip address
encapsulation scada
shutdown
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map NAT_WIRED interface Cellular0 overload
ip nat inside source route-map NAT_WIRELESS interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
ip ssh version 2
!
ip access-list extended LIST_WIRED
permit ip 172.16.2.0 0.0.0.255 any
ip access-list extended LIST_WIRELESS
permit ip 172.16.3.0 0.0.0.255 any
!
ip sla 1
icmp-echo 172.16.11.1
timeout 10000
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
route-map NAT_WIRELESS permit 10
match ip address LIST_WIRELESS
match interface GigabitEthernet0
!
route-map NAT_WIRELESS permit 20
!
route-map NAT_WIRED permit 10
match ip address LIST_WIRED
match interface Cellular0
!
route-map NAT_WIRED permit 20
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
modem InOut
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 150000000
txspeed 50000000
line 4
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line 8
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 150000000
txspeed 50000000
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
transport input ssh
!
no scheduler max-task-time
ntp server time.google.com
ntp server pool.ntp.org
no iox hdm-enable
iox client enable interface GigabitEthernet5
no iox recovery-enable
!
!
!
!
!
!
!
end

 

Hello,

I think you have to add the line marked in bold:

route-map NAT_WIRED permit 10
match ip address LIST_WIRED
match interface Cellular0
--> set interface Cellular0
