SectorX4 (Australia) asked:

Cisco 1100G multiple VLAN's

I have recently been asked by the management of the company I work for to set up customer internet access in our showroom. Since I do not have any free hardware, I was hoping to be able to use a Cisco 1100G we have deployed with a second SSID.

I have run into problems setting up VLANs as the Cisco 870 router already has a VLAN on our work subnet (172.16.1.0), and since employees still need to use it and access resources on that network, I can't see how I can do that without a gateway in between the AP and my other servers.

My plan (sans the VLANs)

Customer laptop -> Cisco 1100G (SSID: customer-ap) -> Cisco Catalyst 2950 -> Cisco 870
Employees -> Cisco 1100G (SSID: glg-ap) -> Cisco Catalyst 2950 -> Work servers / Cisco 870

I'll admit I haven't had a lot of experience with VLANs, so I might be looking at things the wrong way, but I have endeavored to research the subject on Cisco's site and done a fair bit of googling.

I'm currently considering either a separate physical AP or repurposing the 1100G, as it doesn't see a large amount of use at the moment, but I would rather do the above if possible.

Any suggestions as to how I could segment the traffic from each SSID would be appreciated as that's my ultimate goal.
Tags: Wireless Hardware, Networking, Routers

Last comment: nasetech, 8/22/2022 (Mon)
that1guy15

Yep you are on the right track.

The Cisco 1100G will connect to the 2950 via trunk port and then to the 870.

Set up a second SSID on the 1100G with a different IP subnet. Then configure a different encryption key for customer use (something simple so they do not have much issue getting connected, or even no encryption, but I do not recommend it).

Also make sure to deny traffic from the customer VLAN to the corporate VLAN on the 870 to ensure they do not have access to corporate resources.

Customers will only be able to connect to the customer SSID and will not have access to the corporate network.
SectorX4

ASKER
@that1guy15

In regards to the trunk port (I just did some reading on the function), it seems it will solve my problems of having a port as a member of multiple VLANs.

The problem I have had with the approach you are describing is that this puts our employees using that AP onto a different subnet as well, meaning that without an intermediate gateway they won't be able to access company resources.

I can implement ACLs on the Catalyst to prevent traffic between VLANs, but I thought by definition traffic from VLAN1 -> VLAN3 wouldn't work without some sort of VLAN bridging anyway?
that1guy15

"The problem I have had with the approach you are describing is that this puts our employees using that AP onto a different subnet as well, meaning that without an intermediate gateway they won't be able to access company resources."

The main objective is to separate your corporate traffic from the customer traffic. Using the configuration I gave above, customers will only be able to connect to the customer VLAN. Traffic from that VLAN will not be able to access any other network until it reaches the 870. From the 870 you can control which VLANs that traffic accesses.

Make sense?
SectorX4

ASKER
That all makes sense, but as I said the problem was that since the AP can only have one IP address, it cannot have a different IP address per VLAN or IP aliases (as far as the GUI is concerned, anyway).

To be honest, I haven't looked at the IOS side of the 1100G, as everything seemed to work through the GUI for what I had wanted until that point.

Onto my progress:

I was able to create VLANs no problem, but had a lot of trouble getting lost in the various tutorials I found while googling on VLANs, VTP and other VLAN tagging protocols.

Should I be using VTP to propagate the VLANs or just statically assign them, seeing as there are only 3 devices in total? What encapsulation should I be using, and what's the best way to test a configuration?

The layout I'm looking at so far is:

Customer -> customers (VLAN 3) -> Catalyst 2950 (VLAN 3 on Fastethernet 0/23) -> Cisco 870 (VLAN 3 on Fastethernet 1)
Employee -> glgap (VLAN1) -> Catalyst 2950 (VLAN 1 of fastethernet 0/23) -> Rest of network

Thanks for the help so far; this is kind of my crash course in VLANs that I had been planning to get into eventually, but not on such short notice.
that1guy15

"the problem was that since the AP can only have one IP address, it cannot have a different IP address per VLAN or IP aliases (as far as the GUI is concerned, anyway)."

Since the AP is a layer 2 device, the IP address is only for administrative purposes, not for controlling traffic flow, so one IP is fine. You will have your corporate VLAN with an IP on your corp network, and then you will have your customer VLAN with no IP on your customer network.

"Should I be using VTP to propagate the VLANs or just statically assign them, seeing as there are only 3 devices in total? What encapsulation should I be using, and what's the best way to test a configuration?"

Nah, since you only have a few devices I would not bother with VTP. Just create them statically. You will want to use IEEE 802.1Q (dot1q) encapsulation, since this is the only protocol the 2950 supports.

To test, connect to the customer network through wireless and verify you can access resources in that network and that you cannot access anything in the corp network. Do the same for the corp network.

"Customer -> customers (VLAN 3) -> Catalyst 2950 (VLAN 3 on Fastethernet 0/23) -> Cisco 870 (VLAN 3 on Fastethernet 1)
Employee -> glgap (VLAN1) -> Catalyst 2950 (VLAN 1 of fastethernet 0/23) -> Rest of network"

This setup will work, but a better suggestion would be to set up the port(s) between the AP and the 2950 as trunk ports. This will allow all VLANs on the AP to use one port to access the 2950. You can also have multiple trunk ports running to the 2950 and load balance them. Either way, though, in your setup it will be fine.
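For the encapsulation and trunk-versus-access points in this answer (dot1q on the 2950, trunks between the AP and the switch), here is an added Python model written for this edit; it is not code from the thread or from Cisco. It builds and parses 802.1Q-tagged Ethernet frames and models how an access port and a trunk port classify a frame on ingress and emit it on egress, which is the mechanism that keeps the customer VLAN and the corporate VLAN apart on a shared link. The MAC addresses, payload and port assignments are constructed, and the port model is deliberately simplified (no MAC learning, no DTP).

```python
"""802.1Q tagging and access/trunk port behaviour, modelled in Python.
Added example (not from the thread, not vendor code); MACs, payloads and
the port assignments in __main__ are constructed."""
import struct

TPID_DOT1Q = 0x8100   # EtherType value that announces an 802.1Q tag follows
ETH_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; when vlan is given a 4-byte 802.1Q tag (TPID + TCI)
    is inserted between the source MAC and the EtherType."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp & 0x7) << 13 | vlan        # PCP(3) DEI(1, left 0) VID(12)
        hdr += struct.pack("!HH", TPID_DOT1Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; 'vlan' is None for an untagged frame."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, pcp, off = None, 0, 14
    if etype == TPID_DOT1Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        (etype,) = struct.unpack("!H", frame[16:18])
        off = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": etype, "payload": frame[off:]}


def ingress_vlan(frame, mode, port_vlan):
    """VLAN a frame is assigned to on arrival, or None if the port drops it.
    access: everything belongs to the access VLAN (a foreign tag is dropped).
    trunk:  the tag decides; an untagged frame lands in the native VLAN."""
    tag = parse_frame(frame)["vlan"]
    if mode == "access":
        return port_vlan if tag in (None, port_vlan) else None
    if mode == "trunk":
        return port_vlan if tag is None else tag
    raise ValueError(f"unknown port mode {mode!r}")


def egress_frame(frame, vlan, mode, port_vlan):
    """Frame as it leaves a port for VLAN 'vlan', or None if not forwarded.
    access: only its own VLAN, always untagged.
    trunk:  every VLAN, tagged, except the native VLAN which goes untagged."""
    p = parse_frame(frame)
    untagged = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
    if mode == "access":
        return untagged if vlan == port_vlan else None
    if vlan == port_vlan:                      # native VLAN on the trunk
        return untagged
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vlan=vlan)


if __name__ == "__main__":
    # A customer laptop's frame: the AP puts the customer SSID in VLAN 3 and
    # sends it tagged over the AP<->2950 trunk (native VLAN 1 on that trunk).
    f = build_frame("001122334455", "66778899aabb", ETH_IPV4, b"customer", vlan=3)
    v = ingress_vlan(f, "trunk", 1)
    print("2950 trunk classifies the frame into VLAN", v)
    print("egress on an access port in VLAN 2 (corporate):", egress_frame(f, v, "access", 2))
    out = egress_frame(f, v, "access", 3)
    print("egress on an access port in VLAN 3 (customer): tag =", parse_frame(out)["vlan"])
```

The two egress calls at the end are the whole point of the thread: the same VLAN 3 frame is dropped by an access port in the corporate VLAN and emitted untagged by an access port in the customer VLAN, while a trunk would carry it tagged so the far end can tell the VLANs apart.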
SectorX4

ASKER
Alright that clears up a lot of my questions but I still have a couple more regarding the exact setup.

In regards to the trunk port(s), since my AP connects directly to the 2950, do I need to enable trunk ports on both ends or only on the receiving end (2950)?

Do you know the commands I should be running for IOS based devices to set up a VLAN? I have a lot of different tutorials and there are different ways of adding them (vlan database and interface config).

Lastly, will it be necessary to have an IP address for the VLAN on the 870, or won't it need one, being layer 2?

that1guy15

"In regards to the trunk port(s), since my AP connects directly to the 2950, do I need to enable trunk ports on both ends or only on the receiving end (2950)?"

Both ends.

"Do you know the commands I should be running for IOS based devices to set up a VLAN? I have a lot of different tutorials and there are different ways of adding them (vlan database and interface config)."

VLAN database is the old way of configuring VLANs. With the 2950 you will want to use:

config t
vlan 20
 name customer
 exit

to create a trunk port use:

int f0/0
 switchport mode trunk

"Lastly, will it be necessary to have an IP address for the VLAN on the 870, or won't it need one, being layer 2?"

Yes, give it an IP address of the subnet it is in. This will be the default gateway for all devices on the VLAN.
SectorX4

ASKER
Just an update to reflect the fact that management have decided a separate AP is a more time-effective solution to this problem.

I have since configured the new AP (Linksys WAP 2000) with VLANs, but the traffic keeps leaking and getting a DHCP lease from our PDC and not the Cisco router.

The DHCP scope I'm using from the Cisco 870 is as follows:


Pool customer :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.0.1          192.168.0.1      - 192.168.0.254     0

I have checked all my settings but can't figure out why traffic is leaving VLAN3 (and ignoring the DHCP scope) while routing back through another one of the Fast Ethernet interfaces to get a DHCP lease. FYI, I have confirmed that the port isn't trunking and is set in access mode.
that1guy15

So the Linksys AP is used to connect both SSIDs like you were going to setup with the 1100G?

Also, I'm guessing the Linksys AP is connecting to the 2950?

If both VLANs exist on the Linksys AP and the AP connects to the 2950 with a single port then you will still need to use trunk ports to pass the respective VLANs to their proper network. The 2950 will still have a single trunk port to the 870.
SectorX4

ASKER
No the Linksys WAP2000 is to be dedicated to customer traffic and the existing Cisco 1100G will be used exclusively by employees.

I'm connecting the Linksys WAP2000 directly to the Cisco 870 (at least until I get a good grasp of VLANs) to simplify the process.
that1guy15

If you are connecting the new AP directly to the 870 you will still need to create a separate VLAN to segregate the traffic.

From the command line of the 870:

Router(config)#vlan 2
Router(config-vlan)#name Customer-wireless-vlan    <----adds the second VLAN (vlan config mode uses "name", a single word)
Router(config-vlan)#exit

Router(config)#interface FastEthernet 2
Router(config-if)#switchport access vlan 2    <------assigns port fe2 to VLAN 2 (use whichever port you want)
Router(config-if)#exit

Router(config)#end
Router#wr mem     <---saves the config (exec mode, not config mode)


You can then plug the new AP into this port and you should be fine
SectorX4

ASKER
I have made some progress since last update, the VLAN seems to be working as while connected exclusively to the AP I cannot ping any hosts on 172.16.1.X and I will be testing this by removing the VLAN later on.

I have enabled NAT for VLAN 3 but I'm not able to get outside the network. I have checked the NAT configuration in SDM, and the "automatic" NAT rule which provides internet access at the moment only seems to include our 10.0.0.0 range.

On another note, DHCP suddenly started working on the VLAN today (it steadfastly refused to work yesterday), so wireless clients can get leases now.

Lastly, I can still ping the interfaces on the other VLANs (10.0.0.1 and 172.16.1.250), but I assume that's because I have trunking enabled on the Cisco VLAN.
that1guy15

"I have enabled NAT for VLAN 3 but I'm not able to get outside the network. I have checked the NAT configuration in SDM, and the "automatic" NAT rule which provides internet access at the moment only seems to include our 10.0.0.0 range."

I'm not too familiar with the Cisco SDM (much more comfortable with the CLI), so I cannot give details. In the NAT rule that you already have set up, you should just be able to change the network being translated (10.0.0.0) to all networks, which is 0.0.0.0 0.0.0.0; sometimes it is listed as 0.0.0.0/0. This should get your NAT going for any inside network trying to get out.
SectorX4

ASKER
So the source network doesn't need to match my VLAN (192.168.0.1)? It looked as though I might have needed to create a separate NAT rule for that VLAN.
that1guy15

That is what the 0.0.0.0/0 statement says. All 0's means match any IP address or network. If you wanted to create a separate NAT statement that would be fine too.
SectorX4

ASKER
I thought the 0.0.0.0 network you were referring to was the destination network and not the source? (Unless I have the NAT theory backwards.)
that1guy15

No, your destination network (the address being translated to) is going to be one of your public IP addresses. The source network can be any range of IP addresses.

SectorX4

ASKER
I think there must be something awry in either my firewall or NAT configuration, as I'm still not having any luck.

I can connect to the AP, get a DHCP lease, and ping the AP and router, but I am not able to get outside to the internet. This is what my relevant Cisco config looks like.

VLAN 2:

!
interface Vlan2
 ip address 172.16.1.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!

NAT:

ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 150.101.226.42 25 extendable
ip nat inside source static tcp 10.0.0.2 80 150.101.226.42 80 extendable
ip nat inside source static tcp 10.0.0.2 110 150.101.226.42 110 extendable
ip nat inside source static tcp 10.0.0.2 443 150.101.226.42 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 150.101.226.42 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 150.101.226.42 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 150.101.226.42 5900 extendable
!

that1guy15

Will you post the config for source list 120 from this NAT statement?

ip nat inside source list 120 interface Dialer0 overload
SectorX4

ASKER
Here's the access-list:

access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address eq non500-isakmp
access-list 102 permit udp any host External IP address eq isakmp
access-list 102 permit esp any host External IP address
access-list 102 permit ahp any host External IP address
access-list 102 permit gre any host External IP address
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address
access-list 102 permit tcp any host External IP address eq telnet
access-list 102 deny   tcp any host External IP address eq 22
access-list 102 deny   tcp any host External IP address eq cmd
access-list 102 deny   udp any host External IP address eq snmp
access-list 102 permit tcp any host External IP address eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address eq 3389
access-list 102 permit tcp any host External IP address eq 4125
access-list 102 permit tcp any host External IP address eq pop3
access-list 102 permit tcp any host External IP address eq www
access-list 102 permit tcp any host External IP address eq 443
access-list 102 permit tcp any host External IP address eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address eq ntp
access-list 102 deny   ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address echo
access-list 102 permit icmp host 203.122.234.3 host External IP address echo
access-list 102 permit icmp host 203.122.250.103 host External IP address echo
access-list 102 permit icmp host 150.101.243.85 host External IP address echo
access-list 102 permit icmp host 150.101.243.87 host External IP address echo
access-list 102 permit icmp host 203.122.227.198 host External IP address echo
access-list 102 permit icmp any host External IP address echo-reply
access-list 102 permit icmp any host External IP address time-exceeded
access-list 102 permit icmp any host External IP address unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny   ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any

The command you mentioned says dynamic mapping is in use.
that1guy15

access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny   ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any


Your 172.16.0.0 networks are being denied NAT translation. In order for addresses on the 172.16.0.0 subnets to be translated to an external IP, you need to change the first three lines as follows:

access-list 120 permit ip 172.16.1.0 0.0.0.255 any

This line will replace all three lines.

Also make sure the 120 ACL is not being applied to anything else :)
SectorX4

ASKER
Our 172.16.1.0 network does not require NAT; this is how it's structured:

172.16.1.25 (Client PC) -> 172.16.1.2 (ISA int interface) -> 10.0.0.2 (ISA ext interface) -> 10.0.0.1 (Cisco)

Our other VLAN (172.1.1.250) is for our PABX, which transits via the VPN and does not require NAT; those rules are just for preventing the PABX from using the internet.

I did, however, add that permit rule for the 192.168.0.0 network, but soon after I found my VPN tunnels went down, so I had to fall back to the startup config.
that1guy15

Please post your full "sh run" minus any passwords or public IPs.
SectorX4

ASKER
Current configuration : 15234 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname glg
!
boot-start-marker
boot system flash flash:c870-advipservicesk9-mz.124-15.T1.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
no logging monitor
enable secret 5 $1$hashed_password
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone acst 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
crypto pki trustpoint TP-self-signed-762479650
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-762479650
 revocation-check none
 rsakeypair TP-self-signed-762479650
!
!
crypto pki certificate chain TP-self-signed-762479650
 certificate self-signed 01
--removed--
   quit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key --removed-- address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool eblen-customer
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.231.203.132
   domain-name customer.eblen.com.au
   lease 7
!
!
no ip bootp server
ip domain name --removed--
ip name-server 192.231.203.3
ip name-server 192.231.203.132
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 --removed--
username voipadmin privilege 15 secret 5 ==removed==
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-any WebEmail
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol smtp
 match protocol pop3
class-map match-any VoIP
 match protocol h323
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map eblen-voip
 class VoIP
  priority percent 15
  set dscp ef
 class WebEmail
  bandwidth remaining percent 85
 class class-default
  fair-queue
!
!
!
!
interface Tunnel0
 bandwidth 4000
 ip address 10.1.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 83505045
 ip nhrp holdtime 360
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 8376
 delay 1000
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 83505045
 tunnel protection ipsec profile SDM_Profile1
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 description Eblen Customer AP
 switchport access vlan 3
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 ip address 172.16.1.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1200
!
interface Vlan3
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 872
 ip address negotiated
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname --removed
 ppp chap password 7 --removed--
 service-policy output eblen-voip
!
router eigrp 8376
 network 10.1.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.5.0 255.255.255.0 Tunnel0 10.1.0.6
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 172.16.1.25 9991
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 External IP address 25 extendable
ip nat inside source static tcp 10.0.0.2 80 External IP address 80 extendable
ip nat inside source static tcp 10.0.0.2 110 External IP address 110 extendable
ip nat inside source static tcp 10.0.0.2 443 External IP address 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 External IP address 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 External IP address 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 External IP address 5900 extendable
!
logging trap debugging
logging 172.16.1.25
access-list 1 permit 202.6.145.49
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny   any
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip host 150.101.81.146 any
access-list 100 permit ip host 203.122.250.103 any
access-list 100 permit ip host 150.101.243.85 any
access-list 100 permit ip host 150.101.243.87 any
access-list 100 permit ip host 202.6.145.49 any
access-list 100 permit ip host 203.122.227.198 any
access-list 100 permit ip 219.90.128.0 0.0.127.255 any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 121.44.0.0 0.1.255.255 any
access-list 100 permit ip 59.167.0.0 0.0.255.255 any
access-list 100 deny   ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 101 deny   tcp any host 10.0.0.1 eq telnet
access-list 101 deny   tcp any host 10.0.0.1 eq 22
access-list 101 deny   tcp any host 10.0.0.1 eq www
access-list 101 deny   tcp any host 10.0.0.1 eq 443
access-list 101 deny   tcp any host 10.0.0.1 eq cmd
access-list 101 deny   udp any host 10.0.0.1 eq snmp
access-list 101 deny   ip 150.101.226.40 0.0.0.3 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address eq non500-isakmp
access-list 102 permit udp any host External IP address eq isakmp
access-list 102 permit esp any host External IP address
access-list 102 permit ahp any host External IP address
access-list 102 permit gre any host External IP address
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address
access-list 102 permit tcp any host External IP address eq telnet
access-list 102 deny   tcp any host External IP address eq 22
access-list 102 deny   tcp any host External IP address eq cmd
access-list 102 deny   udp any host External IP address eq snmp
access-list 102 permit tcp any host External IP address eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address eq 3389
access-list 102 permit tcp any host External IP address eq 4125
access-list 102 permit tcp any host External IP address eq pop3
access-list 102 permit tcp any host External IP address eq www
access-list 102 permit tcp any host External IP address eq 443
access-list 102 permit tcp any host External IP address eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address eq ntp
access-list 102 deny   ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address echo
access-list 102 permit icmp host 203.122.234.3 host External IP address echo
access-list 102 permit icmp host 203.122.250.103 host External IP address echo
access-list 102 permit icmp host 150.101.243.85 host External IP address echo
access-list 102 permit icmp host 150.101.243.87 host External IP address echo
access-list 102 permit icmp host 203.122.227.198 host External IP address echo
access-list 102 permit icmp any host External IP address echo-reply
access-list 102 permit icmp any host External IP address time-exceeded
access-list 102 permit icmp any host External IP address unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny   ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175105
ntp server 192.231.203.132 prefer
!
webvpn cef
end

that1guy15

This is the statement that is providing NAT to your local networks:

ip nat inside source list 120 interface Dialer0 overload

So it is using ACL 120 to determine which IPs are allowed and denied translation.

access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny   ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any

You will need to add a line for the vlan3 subnet (192.168.0.0) in order for it to be translated. I do not see anything else that references this ACL besides NAT.
SectorX4

ASKER
I now have NAT working with connectivity and DNS resolution, the only thing left is the traffic leaking between VLAN's which I find a bit strange.

Performing "sh int fast1 switchport" shows:

glg#sh int fast1 switchport
Name: Fa1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 3 (VLAN0003)
Trunking Native Mode VLAN: 3 (VLAN0003)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 3
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none

This all seems fine except I'm a bit unsure about Trunking All VLAN's being enabled (even though only 3 is active).

The other VLAN's (VLAN 1 on 10.0.0.0 and VLAN 2 on 172.16.1.0) are both reachable but the other odd thing is one of my IP phones is reachable (172.16.1.99). I tried patching it to another switch with no VLAN's setup and it's still reachable (via web interface and ping).

Although as far as I can tell nothing is reachable from that subnet (192.168.0.0) to the other VLAN interfaces (due to ACL's) I would like to have it all air tight before letting customers on the WLAN.

What I find interesting is that a traceroute from the WLAN to a host on the other networks traverses 192.168.0.1 as a hop (I assume it's acting as a gateway to the other networks, otherwise it wouldn't work due to different subnets).
that1guy15

Will you post an updated sh run please?
SectorX4

ASKER
Building configuration...

Current configuration : 15104 bytes
!
! Last configuration change at 15:27:13 acst Tue Mar 31 2009 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <hostname>
!
boot-start-marker
boot system flash flash:c870-advipservicesk9-mz.124-15.T1.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
no logging monitor
enable secret 5 <secret>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone acst 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
crypto pki trustpoint TP-self-signed-762479650
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-762479650
 revocation-check none
 rsakeypair TP-self-signed-762479650
!
!
crypto pki certificate chain TP-self-signed-762479650
 certificate self-signed 01
  <key>
        quit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool eblen-customer
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.231.203.132
   domain-name customer.business.com
   lease infinite
!
!
no ip bootp server
ip domain name business.com
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <password>
username voipadmin privilege 15 secret 5 <password>
archive
 log config
  hidekeys
!
!
!
class-map match-any WebEmail
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol smtp
 match protocol pop3
class-map match-any VoIP
 match protocol h323
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map eblen-voip
 class VoIP
  priority percent 15
  set dscp ef
 class WebEmail
  bandwidth remaining percent 85
 class class-default
  fair-queue
!
!
!
!
interface Tunnel0
 bandwidth 4000
 ip address 10.1.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 8376
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel protection ipsec profile SDM_Profile1
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 description <AP name>
 switchport access vlan 3
 switchport trunk native vlan 3
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 ip address 172.16.1.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 872
 ip address negotiated
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <username>
 ppp chap password 7 <password>
 service-policy output voip
!
router eigrp 8376
 network 10.1.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.5.0 255.255.255.0 Tunnel0 10.1.0.6
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 172.16.1.25 9991
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 External IP address2 25 extendable
ip nat inside source static tcp 10.0.0.2 80 External IP address2 80 extendable
ip nat inside source static tcp 10.0.0.2 110 External IP address2 110 extendable
ip nat inside source static tcp 10.0.0.2 443 External IP address2 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 External IP address2 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 External IP address2 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 External IP address2 5900 extendable
!
logging trap debugging
logging 172.16.1.25
access-list 1 permit 202.6.145.49
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny   any
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip host 150.101.81.146 any
access-list 100 permit ip host 203.122.250.103 any
access-list 100 permit ip host 150.101.243.85 any
access-list 100 permit ip host 150.101.243.87 any
access-list 100 permit ip host 202.6.145.49 any
access-list 100 permit ip host 203.122.227.198 any
access-list 100 permit ip 219.90.128.0 0.0.127.255 any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 121.44.0.0 0.1.255.255 any
access-list 100 permit ip 59.167.0.0 0.0.255.255 any
access-list 100 deny   ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 101 deny   tcp any host 10.0.0.1 eq telnet
access-list 101 deny   tcp any host 10.0.0.1 eq 22
access-list 101 deny   tcp any host 10.0.0.1 eq www
access-list 101 deny   tcp any host 10.0.0.1 eq 443
access-list 101 deny   tcp any host 10.0.0.1 eq cmd
access-list 101 deny   udp any host 10.0.0.1 eq snmp
access-list 101 deny   ip External IP address0 0.0.0.3 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address2 eq non500-isakmp
access-list 102 permit udp any host External IP address2 eq isakmp
access-list 102 permit esp any host External IP address2
access-list 102 permit ahp any host External IP address2
access-list 102 permit gre any host External IP address2
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address2
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address2
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address2
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address2
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address2
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address2
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address2
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address2
access-list 102 permit tcp any host External IP address2 eq telnet
access-list 102 deny   tcp any host External IP address2 eq 22
access-list 102 deny   tcp any host External IP address2 eq cmd
access-list 102 deny   udp any host External IP address2 eq snmp
access-list 102 permit tcp any host External IP address2 eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address2 eq 3389
access-list 102 permit tcp any host External IP address2 eq 4125
access-list 102 permit tcp any host External IP address2 eq pop3
access-list 102 permit tcp any host External IP address2 eq www
access-list 102 permit tcp any host External IP address2 eq 443
access-list 102 permit tcp any host External IP address2 eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address2
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address2
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address2 eq ntp
access-list 102 deny   ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address2 echo
access-list 102 permit icmp host 203.122.234.3 host External IP address2 echo
access-list 102 permit icmp host 203.122.250.103 host External IP address2 echo
access-list 102 permit icmp host 150.101.243.85 host External IP address2 echo
access-list 102 permit icmp host 150.101.243.87 host External IP address2 echo
access-list 102 permit icmp host 203.122.227.198 host External IP address2 echo
access-list 102 permit icmp any host External IP address2 echo-reply
access-list 102 permit icmp any host External IP address2 time-exceeded
access-list 102 permit icmp any host External IP address2 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny   ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175114
ntp server 192.231.203.132 prefer

!
webvpn cef
end
that1guy15

Just create a new ACL that denies traffic to all VLANs/subnets and only allows traffic to the internet and apply it to the VLAN3 interface:

access-list 130 remark customer VLAN 3: block corporate subnets, allow everything else (internet)
access-list 130 deny   ip any 172.16.1.0 0.0.0.255
access-list 130 deny   ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any any

interface Vlan3
 ip access-group 130 in

This will block all traffic originating on VLAN3 from accessing any subnet on the 172.16.1.0, and any 10.0 subnets, but still allows traffic to get to the internet.
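Both the NAT explanation earlier in the thread (ACL 120 deciding which inside sources are translated) and the ACL 130 suggestion above come down to the same mechanism: an IOS extended ACL evaluated top-down with wildcard masks, first match wins, and an implicit deny at the end. The following Python evaluator is an added example, not code from the thread and not a Cisco tool. It replays the thread's own ACL 120 before and after the `192.168.0.0 0.0.0.255` permit line, then checks ACL 130 (written in IOS syntax, with the `ip` protocol keyword and wildcard masks) against sample customer flows. The customer host 192.168.0.50 and the internet address 203.0.113.10 are constructed sample values. It also shows one destination ACL 130 leaves open: 172.16.5.0/24, which the posted config routes over Tunnel0, is not matched by either deny line.

```python
"""
Added example: a minimal Cisco-style extended ACL evaluator (IP entries only)
used to replay the thread's ACL 120 (NAT source list) and ACL 130 (inbound on
Vlan3). Not from the thread and not a Cisco tool; it models only first-match
semantics with wildcard masks and the implicit deny at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' (extra spaces are fine)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wc, rest = _take_addr(t[4:])
    dst, dst_wc, _ = _take_addr(rest)
    return Ace(t[2], src, src_wc, dst, dst_wc)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action
    return "deny"


# ACL 120 exactly as first posted (NAT source list: permit = translate).
ACL_120_BEFORE = [
    "access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255",
    "access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255",
    "access-list 120 deny   ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255",
    "access-list 120 deny   ip 10.1.0.0 0.0.0.255 any",
    "access-list 120 permit ip 10.0.0.0 0.0.0.255 any",
]
# The line the asker added for the customer VLAN (seen in the second config).
ACL_120_AFTER = ACL_120_BEFORE + [
    "access-list 120 permit ip 192.168.0.0 0.0.0.255 any",
]

# ACL 130 from the reply above, in IOS syntax (protocol keyword, wildcard masks).
ACL_130 = [
    "access-list 130 deny   ip any 172.16.1.0 0.0.0.255",
    "access-list 130 deny   ip any 10.0.0.0 0.255.255.255",
    "access-list 130 permit ip any any",
]

INTERNET_HOST = "203.0.113.10"   # constructed sample (TEST-NET-3), not from the thread
CUSTOMER_HOST = "192.168.0.50"   # constructed sample customer laptop on VLAN 3


def nat_translated(acl, src: str) -> bool:
    """Would 'ip nat inside source list 120 ... overload' translate src to the internet?"""
    return evaluate(acl, src, INTERNET_HOST) == "permit"


def customer_reach(dst: str) -> str:
    """Verdict of ACL 130 (applied inbound on Vlan3) for a customer packet to dst."""
    return evaluate(ACL_130, CUSTOMER_HOST, dst)


if __name__ == "__main__":
    print("NAT before fix:", nat_translated(ACL_120_BEFORE, CUSTOMER_HOST))
    print("NAT after fix: ", nat_translated(ACL_120_AFTER, CUSTOMER_HOST))
    for dst in ("172.16.1.99", "10.0.0.2", "172.16.5.10", INTERNET_HOST):
        print(f"ACL 130 {CUSTOMER_HOST} -> {dst}: {customer_reach(dst)}")
```

Running it shows why the original ACL 120 left the customer VLAN without internet (the 192.168.0.0/24 source fell through to the implicit deny, so nothing was translated) and why ACL 130 stops the leaks the asker saw to 172.16.1.99 and the 10.0.0.0 VLAN. The 172.16.5.10 case comes back `permit`, because neither deny line in ACL 130 covers the 172.16.5.0/24 site that the posted `ip route` sends over Tunnel0; a deny for the whole 172.16.0.0 0.15.255.255 range, the same range ACL 102 already blocks on Dialer0, would close that path as well.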
SectorX4

ASKER
Doesn't that defeat the purpose of the VLAN? (Not that I'm complaining, that's a pretty bulletproof way of stopping it.)
ASKER CERTIFIED SOLUTION
that1guy15

SectorX4

ASKER
Great help and follow through the entire length of the question with easy to understand help and examples.
that1guy15

Thanks, I'm glad I could help you out.
SectorX4

ASKER
No problem, I'm glad to have learned a lot more about VLAN's through this real world example and in future I'll know what the hell I'm doing :)
nasetech

Dear all, how do I configure multiple DHCP pools, SSIDs and VLANs on a Cisco access point?

Scenario:

I want to maintain 5 locations: 4 locations are staff and one location is customers.

I want those 4 locations to be non-broadcasting, with static IPs, or DHCP also allowed.
But customers require broadcasting without denied websites, with DHCP also required.

I have one manageable switch, one router for inter-VLAN routing, one Cisco access point, and multiple access points as clients.

Please give me an answer within two days.