VLAN Setup & Help

Hello,

I have a cisco 1242 AP
SSID Office Network - 192.168.1.0 (VLAN 1 *Native)
SSID Guest -  192.168.5.0 (VLAN 20)

On level TWO of the building I have an HP 1700 series 8-port ProCurve switch. Port 1 is where the Cisco access point connects, port 2 is where the wall port connects that then connects to my 24-port HP ProCurve 1700 series switch on the FIRST floor of the building on port 7, and on this 24-port switch port #16 connects to FA0/0 on my Cisco 2651 router.

I have configured my 2651 router FA0/0.1 sub interface as follows:

interface FastEthernet0/0.1
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59


So my question is this.

Please tell me what ports need to be tagged and what ports need to be untagged etc., and which ones need to be trunks. Also there is only 1 physical connection between the switches and for some reason when I configure trunks on the ProCurve it wants TWO ports to act as trunk ports. Do I need to run another cable? I can connect to the GUEST SSID but it fails to get an IP address from DHCP, so I need help.

thanks
mxrider_420Asked:
chad_rCommented:
Things are a bit different between HP procurve switches and cisco devices.  Any port that you want to run 802.1q (in the cisco world, trunk) to, you need to tag all vlans that participate across that link except the native vlan, which will be untagged.  In procurve land, a "trunk" or trk port is an aggregated port (think Fast Ether Channel or Gig Ether Channel), which you aren't setting up here, so don't try to trunk on the procurve unless you are setting up LACP aggregation.

does that help? Looking at what you describe, you will need to tag vlan 20 on the port going to the ap and the port going to the router, and since you show vlan 1 as native on the ap, you will need to untag vlan 1 on the port going to the ap as well.  I'm not sure what the connection is to the other procurve, but you should tag vlans if this is an 802.1q link and they need to cross, but untag the native.  

Hopefully that helps, it's a bit backwards to me as I'm more in my element on cisco devices, but I do support quite a few procurves as well.
0
mxrider_420Author Commented:
Is there an option on the Cisco 1242 for tagging? I set in the k9 interface VLAN 1 as native (network) and VLAN 20 assigned to the G radio with multiple BSSID; I still don't get an IP when connected to guest. I am using an LACP trunk with auto negotiation from ProCurve to ProCurve and have them accepting all tagged and untagged. So where do I go from here?

thanks
0
mxrider_420Author Commented:
Also how do you "tag" with a ProCurve? Since the AP can only physically connect to one port, I assume the AP is what needs to TAG or UNTAG its VLANs?....
0
chad_rCommented:
the AP won't be doing the tagging.  Well, technically it will be tagging since you have configured dot1q, but you don't have to actually tell it to "tag" anything.  For the procurve, the easiest way is to connect, go into "enable" mode, type "menu".  From there, go to Switch Configuration -> Vlan Menu -> Vlan Port Assignment and then Edit.  You should have the vlan created before doing this however so it shows up in the list of vlans to be assigned.
0
mxrider_420Author Commented:
can i ssh to a 1700 series? i assume you meant through CLI.
0
chad_rCommented:
You can, if you have it configured.  You can telnet to it by default, and configure ssh if you prefer.
0
mxrider_420Author Commented:
It said connection refused and I didn't see anywhere to allow it in the GUI. ..
0
chad_rCommented:
well, you can also do the same exercise in the web gui if you prefer.  

To create a vlan, click vlans -> vlan setup

after you create the vlan, you can change the port vlan behavior in the "vlan port config".  For ports connecting to dot1q devices, you can select "vlan aware enabled", packet type "all", and set PVID to 1 since that is the vlan you are using as the native vlan.
0
mxrider_420Author Commented:
This sounds great. Now do I do this to the ports on the 24-port ProCurve as well? If so, which ones? I assume that the port where the AP connects needs to be tagged as VLAN 20 for guest traffic, but what I don't understand is the PVID. That is the VLAN assigned to all untagged frames through the interface, so therefore if the port is set to VLAN aware, packet type all and PVID 1, how does it know when it's VLAN 2 from the second SSID on the AP?
0
chad_rCommented:
This really boils down to the concept of 802.1q vlan tagging.  802.1q inserts a 4 byte header called a "tag" into the frame before sending it (and a new FCS trailer).  A portion of this field is used to identify the VLAN that this frame is assigned to.  So, without getting in too much detail, another .1q port will know which packet belongs to which vlan based on the vlan tag in the 802.1q header of the ethernet frame.  The important thing to understand is 802.1q tags all vlans *except* the native vlan, which comes across unaltered.  The PVID field on the procurve is where you tell the procurve which vlan is the "native", or untagged vlan.  Any frames received on the port untagged will be assigned to this vlan by the procurve.
0
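The tag-and-PVID behaviour described in the answer above, as an added Python model (not code from the thread, HP or Cisco): it builds and parses 802.1Q frames and classifies them the way an 802.1Q-aware port with a PVID does, using the thread's topology (AP port and router port with PVID 1 and VLAN 20 tagged, the laptop test port with PVID 20). Port names, MAC addresses and the payload are constructed sample values, and the `Port` class is a simplification, not ProCurve firmware.

```python
# Added example (not from the thread, HP or Cisco): how an 802.1Q-aware port
# with a PVID decides which VLAN a frame belongs to, and why the native VLAN
# crosses the link untagged while VLAN 20 carries a tag.
import struct
from typing import Dict, Iterable, Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value announcing a 4-byte 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with vlan_id set, the tag (TPID + TCI) is inserted
    between the source MAC and the EtherType, where 802.1Q places it."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None when untagged, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("tagged frame too short")
    tci, inner_ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_ethertype, frame[18:]


class Port:
    """Simplified 802.1Q-aware switch port (a model, not ProCurve firmware):
    pvid is the untagged/native VLAN, tagged lists the VLANs carried with a tag."""

    def __init__(self, name: str, pvid: int, tagged: Iterable[int] = ()):
        self.name, self.pvid, self.tagged = name, pvid, set(tagged)

    def ingress_vlan(self, frame: bytes) -> Optional[int]:
        """Untagged frame -> PVID; tagged -> its VID if this port carries that
        VLAN; otherwise None, meaning the switch drops it."""
        vid, _, _ = parse_frame(frame)
        if vid is None:
            return self.pvid
        return vid if vid in self.tagged else None

    def egress(self, vlan: int, dst: bytes, src: bytes, ethertype: int,
               payload: bytes) -> Optional[bytes]:
        """Send a frame of `vlan` out this port: native leaves untagged, tagged
        members leave with the tag, non-members get nothing."""
        if vlan == self.pvid:
            return build_frame(dst, src, ethertype, payload)
        if vlan in self.tagged:
            return build_frame(dst, src, ethertype, payload, vlan_id=vlan)
        return None


# Constructed sample MACs and a stand-in payload; the bytes do not matter for
# VLAN classification, only the tag does.
BROADCAST = bytes.fromhex("ffffffffffff")
CLIENT_MAC = bytes.fromhex("020000000020")
PAYLOAD = b"<dhcp discover>"


def demo() -> Dict[str, Optional[int]]:
    """Walk the thread's topology: AP port and router port both PVID 1 with
    VLAN 20 tagged; the laptop test port carries VLAN 20 untagged only."""
    ap_port = Port("sw2-port1", pvid=1, tagged={20})
    router_port = Port("sw1-port16", pvid=1, tagged={20})
    laptop_port = Port("sw1-port22", pvid=20)
    results = {}
    # Guest SSID traffic leaves the AP tagged 20 and is classified as VLAN 20.
    guest = build_frame(BROADCAST, CLIENT_MAC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=20)
    results["guest_from_ap"] = ap_port.ingress_vlan(guest)
    # Office SSID traffic (native VLAN) arrives untagged, so the PVID applies.
    office = build_frame(BROADCAST, CLIENT_MAC, ETHERTYPE_IPV4, PAYLOAD)
    results["office_from_ap"] = ap_port.ingress_vlan(office)
    # The same untagged frame from a laptop on the PVID-20 test port lands in VLAN 20.
    results["laptop_untagged"] = laptop_port.ingress_vlan(office)
    # Toward the router, VLAN 20 must leave tagged so fa0/0.1 (dot1Q 20) accepts it.
    to_router = router_port.egress(20, BROADCAST, CLIENT_MAC, ETHERTYPE_IPV4, PAYLOAD)
    results["to_router_vid"] = parse_frame(to_router)[0]
    # A tag for a VLAN the port does not carry is dropped at ingress.
    stray = build_frame(BROADCAST, CLIENT_MAC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=30)
    results["stray_vlan30"] = ap_port.ingress_vlan(stray)
    return results
```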
mxrider_420Author Commented:
Okay, that makes sense. I just find it strange, based on my original post/setup, that when I connect to the GUEST SSID it simply does not get an IP address from the DHCP server. Keep in mind I only had the port where the access point connects to the ProCurve as part of VLAN 20, as VLAN 20 will ONLY be used for wireless guest traffic. Based on my router sub-interface fa0/0.1 config above you can clearly see that I have an ip-helper address. Soooooo..... in summation

port where AP connects should be part of VLAN 20. any other port on either switch?.... i have left the ports as vlan enabled, and the only trunk i have is switch to switch with LACP.....


Please clarify, as I'd love to get this working ASAP. Thanks so much!
0
chad_rCommented:
The router is off of the other switch, correct?  One thing you could do just to test everything else is to assign vlan 20 to another port on the switch (port 2, something like that) and plug your laptop in and see if you get an IP.  The port for your laptop should be set to vlan 20, so, just setting PVID to vlan 20 should probably do it.  Then your laptop, or system should get an IP.  If it does not, you could assign yourself an IP on that subnet and try to ping the router interface.  If that doesn't work, you may need to validate you can do it from a port on the switch connected to the router.  This will help you narrow down the issue, if there is indeed an issue.
0
mxrider_420Author Commented:
here is my config
The switch that goes directly to the router I did as you suggested: VLAN on port 22 tagged only, PVID 20. Router config is as follows, and I still can't get an IP from DHCP. I took DHCP out of the picture by creating a manual one in the 192.168.5.x range, then could not ping 192.168.5.1.

interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
 shutdown
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip http server
ip http authentication local
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxxxx
 login local
 !
!
end
0
chad_rCommented:
Your interface fa0/0.1 is shutdown.

conf t
int fa0/0.1
 no shut
end

0
mxrider_420Author Commented:
I realized that. lol my bad. I actually raised it and it still doesn't get an IP. Keep in mind my simple test setup has no trunking. Do I need to establish a trunking port from the router to the switch too? So far for testing I removed my testing port 22 from VLAN 1 (native) and ONLY put it in VLAN 20. It's the PVID as well. So is that the reason it's not traversing to the router?...
0
chad_rCommented:
You have the router configured for dot1q trunking, so you need to do the same on the port connecting to it if it is not already.  
0
mxrider_420Author Commented:
Ok, so establish the port from switch to fa0/0 as a trunk instead of adding that port to VLAN 20 as well?... Any reason why the ProCurve switches want 2 ports to use trunking?.... I mean there is only 1 going to my router so this is impossible. It says, please add a second port to the trunk in order to create T1? :S
0
mxrider_420Author Commented:
This is what happens when i set it to trunk
[attached image: trunk.JPG]
0
chad_rCommented:
Sorry, this goes back to the earlier confusion I mentioned.  In "cisco world", a trunk port is an 802.1q or ISL link between two devices to send multiple vlans across a link.  In HP Procurve land, a trunk port is port aggregation (port channel in cisco-speak).  So, you need to set up the port to the router as an 802.1q link, not a HP trunk, but a cisco trunk, haha, confusing eh?  Sorry, I am so used to calling a dot1q port a "trunk" since in reality it is "vlan trunking".  I will just refer to them as dot1q "links" now.
0
mxrider_420Author Commented:
It's alright, I work with Cisco, but yes I am VERY new to HP talk. haha. Okay so I know this sounds really stupid and I really appreciate your patience through all of this btw, but how do I do this on the ProCurve.... Also I took another look through the GUI to enable SSH so I can do commands instead of CLI and I'm not positive my 1700 switch supports it; at least I found nowhere to turn this on. So if you wouldn't mind I'd appreciate these two answered and then I can cross my fingers for it to work. lol. So far I see that my router configuration on my dot1q sub-interface is set up correctly, my 'simple test' (with a PC tagged as VLAN 20) is also set up (too simple for even me to go wrong ;) lol) and so the only missing piece seems to be this "trunk, or link" as you call it.

thanks 10 fold
0
chad_rCommented:
well, unfortunately I found out there is no CLI interface for the 1700-24.  I was basing my help off of other procurve models, and assumed this one also had a CLI.  After a little digging, it turns out I was incorrect.  But, the web info I was providing comes directly out of the 1700, so that still applies.

So, for the connection to the router you need to make it "vlan aware", packet type all, and PVID 1.  Although unless you are using an IP on the physical interface of fa0/0, the native vlan won't matter.
0
mxrider_420Author Commented:
OK thanks. It's working, HOWEVER, here is my router config. I need some help with my access lists or something. VLAN 20 can ping IPs in the 192.168.1.0 network and even connect to domain shares. See my configuration below to tell me how to change this. Then I am done :) thanks to your help! :)

Building configuration...

Current configuration : 1956 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxx/
enable password xxxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxx
 login local
 transport input telnet ssh
!
!
end
0
mxrider_420Author Commented:
Basically EVERYTHING is working but my VLANs can speak to each other. It's ok if VLAN 1 (management) can talk to VLAN 20 GUEST, but I do NOT want VLAN 20 having access to ANYTHING but internet (hence guest).


please advise.

thanks
0
chad_rCommented:
This should do the trick:


ip access-list extended block-guest
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any

interface fa0/0
 ip access-group block-guest out

end

0
chad_rCommented:
There are a couple different ways to manage it though, and what I posted above is pretty simple.  You could also create and apply an ACL blocking traffic to the prod network from the guest network and apply it inbound on fa0/0.1.  Either would work though.  
0
mxrider_420Author Commented:
Aren't the VLANs supposed to just NOT be able to talk to each other by default though? As in act as two physical networks that don't know how to even reach each other?...
0
mxrider_420Author Commented:
Ps. I did this as suggested and it worked, HOWEVER the internet connection when on the GUEST SSID (VLAN20) is SLOW as Sh*^. How come? Can I make it faster? It's doing too much thinking. Here is my new config

ip access-list extended block-guest
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any

interface fa0/0
 ip access-group block-guest out

end

______
NEW CONFIG
________
Building configuration...

Current configuration : 2187 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$ccxcxcx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef    
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group block-guest out
 ip helper-address 192.168.1.59
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxx
 login local
 transport input telnet ssh
!
!
end
0
chad_rCommented:
VLANs can talk to each other by default as long as there is a router between them that will route the packets.  On a layer 2 switch they are completely isolated, but a router (or a router on a stick, which is essentially the config you have) will happily pass the packets.

regarding the slowness, it is probably dns resolution since your dns server appears to be 192.168.1.59 (also a dhcp server for this subnet?).  So, I'm guessing that the guest folks also need to talk to that server?  If you wanted it completely isolated I would remove that dns and remove the ip helper from fa0/0.1.  You also don't need the ip helper on fa0/0 since it is an IP on the local subnet.  If clients need to talk to that server, you could change the ACL:

if it's just dns:

conf t
no ip access-list extended block-guest
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any

if it's other services as well, you can change it appropriately.  For instance, to allow dhcp as well:

conf t
no ip access-list extended block-guest
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any

Also, unless you have routers on this subnet that run rip and need to talk to this router, I would add:

router rip
 passive-interface FastEthernet0/0.1

That will stop your router from sending RIP advertisements/updates out of that interface as well.
0
mxrider_420Author Commented:
Great this helps alot!

so i have no problem just using the router as a DHCP server, assuming it is capable (Cisco 2651).

Also where you have

eq domain  <------ is this supposed to be substituted for my domain name? or do i leave is as is 'eq domain'

same goes for 'eq bootpc'

Thank you.
0
mxrider_420Author Commented:
_______
Hows this look now?...
______
Building configuration...

Current configuration : 2280 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxrs/
enable password xxcdx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef    
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
!
!
username xxx privilege 15 password 0 xxxx
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group block-guest out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
!        
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!

line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxx
 login local
 transport input telnet ssh
!
!
end
0
chad_rCommented:
Looks good to me.
0
mxrider_420Author Commented:
Thanks. And finally, how do I permit only port 80 internet access for guests? And since you have been so helpful I thought I'd ask this (perhaps a bit off topic and I won't go on and on about it or I'll open a new thread), but do you know of a simple way, or perhaps a software product out there, that would allow me to leave the guest SSID open without a password and when connected directs them to a login page where they have to enter a valid email address, then confirm the email address in order to gain continued access? If not validated the connection drops after that 5 minute window?..
thanks
0
chad_rCommented:
Well, as far as the restriction to port 80, unless you have a firewall you could apply another ACL.  This one should be inbound on the guest vlan.  So, something like:

ip access-list extended guest-inet
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip any any

int fa0/0.1
 ip access-group guest-inet in

Give that a shot and let me know.  Actually, if you apply this, you can probably remove the other ACL since this one now will effectively block connectivity to anything from that subnet except port 80 (WWW), port 443 (HTTPS), DNS (listed here as "domain") and DHCP (bootpc).  You will of course want to test this.

As far as a terms of service splash page (or "captive portal"), I have worked with a couple, but not in depth.  If you are looking for something for low cost, or free, check out some of the open source solutions and see if perhaps they provide what you are looking for.  I haven't used any of these, but they look interesting enough:

http://dev.wifidog.org/ (might not run on your hardware, but something to scope out)
http://salite.stillsecure.com/ (NAC, might not be exactly what you are looking for, but looks cool)

So, generally just search for "captive portal software" or something along those lines and you should find something that suits you.  You may need to start a new thread though if you need help with it as I really don't have any experience there.  I would definitely be interested though to find out what you decide to use, and if it works well as I'm always curious.  Good luck!
0
mxrider_420Author Commented:
Thanks, sounds great. I have a problem though. If you look at my running config you can see that I have a NAT so that all port 443 traffic and port 80 go to my SonicWall SSL appliance. Since last night when I implemented the ACL rules you suggested, when I type connect.exchangesolution.ca it goes to my router logon page and NOT my SSL appliance 192.168.1.99 as it was and is supposed to. Can you help me out? I see in SDM and show run that the rules are still there but not working....

ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
0
mxrider_420Author Commented:
Also the new config you gave me didn't work. Are you sure you had the correct directions? When I added the rule
ip access-list extended guest-inet
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip any any

int fa0/0.1
 ip access-group guest-inet in

NOTHING worked from the 192.168.5.0 network, whereas your example before worked perfect! .. hmmm. I'm trying to understand this but it's strange to me, so perhaps we wrote this for the wrong direction or interface?...
0
chad_rCommented:
hmm, I wonder.  Try this one and see what you can get

no ip access-list extended guest-inet
ip access-list extended guest-inet
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip any any

I added the other dns server, and allowed all icmp (more than is needed, but just there for testing at the moment).  Try to ping www.google.com, ping www.yahoo.com
0
mxrider_420Author Commented:
LOL.. now i cant even get an IP address when i do the above.

here is a visual for you :


Current configuration : 2518 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef    
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group block-guest out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip access-group guest-inet in
 ip helper-address 192.168.1.59
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 192.168.1.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/0.1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!        
!
!
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any
ip access-list extended guest-inet
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!

!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxx
 login local
 transport input telnet ssh
!
!
end
0
chad_rCommented:
doh, that's certainly not good.  

Ok, lets start by adding dhcp and then we'll take it from there:

no ip access-list extended guest-inet
ip access-list extended guest-inet
 permit udp any any eq bootpc
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip any any
0
mxrider_420Author Commented:
hmm....

no dice. what could be the cause? did you want to see any configs or anything?
0
mxrider_420Author Commented:
You really seem to know what you're doing, so could it be that we are applying this in the wrong direction?.... I mean, like the first config you gave me worked perfect, but since then these recent ones have not. Perhaps it's the wrong interface we are applying this to?...

Also do you know where I can download the enterprise IOS for the Cisco 2651, or perhaps you can provide me a copy? I called Cisco and they said I don't have a valid contract (as I bought this used online) and I offered to buy one but they said it is End of Sale on this model router. So I assume I should be able to just download it. Thereby if I get it, it will enable the firewall feature of the router and allow us to pursue this that way instead of ACLs.
0
chad_rCommented:
sorry, been a long day at work.  So, still no dice.  Sorry about that.  Although the first mistake I see here is that I allowed bootpc but not bootps.  Since this is not originating from the client, the destination is bootps (udp 67).  So, hopefully that will allow the dhcp request to go through.  Once that is verified, that should allow us to continue on and verify the other things.

no ip access-list extended guest-inet
ip access-list extended guest-inet
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 deny   ip any any
0
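Why the earlier guest-inet ACL broke DHCP while this one works, shown with an added Python evaluator for IOS extended ACL entries (my example, not code from the thread or from Cisco). It applies IOS first-match semantics with the implicit deny at the end to constructed sample packets as they would arrive inbound on fa0/0.1; only destination-port `eq` qualifiers are parsed, the sample addresses are constructed (203.0.113.10 is a TEST-NET-3 placeholder), and `ACL_HARDENED` is my own tightened variant that also stops the guest-to-office ICMP the thread's `permit icmp any any` still allows.

```python
# Added example (not from the thread or from Cisco): IOS extended ACL entries
# evaluated against sample packets with first-match semantics.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}  # IOS keywords used in the thread

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0     # destination port (0 for icmp)

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None when the entry has no "eq" qualifier

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))

def _address(tokens: List[str]):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))  # wildcard 0.0.0.255 -> /24
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(netmask))), strict=False)
    return net, tokens[2:]

def parse_acl(text: str) -> List[Rule]:
    """Parse permit/deny lines; only destination-port 'eq' qualifiers are modelled."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                  # skips an "ip access-list ..." header
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _address(rest)
        dst, rest = _address(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The two guest-inet versions from the thread (applied inbound on fa0/0.1) and
# my own tightened variant, which also keeps guests off the office subnet.
ACL_BOOTPC_ONLY = """
 permit udp any any eq bootpc
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip any any"""
ACL_WITH_BOOTPS = """
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 deny   ip any any"""
ACL_HARDENED = """
 permit udp any any eq bootps
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 208.67.222.222 eq domain
 deny   ip any 192.168.1.0 0.0.0.255
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any"""

# Constructed samples as seen inbound on fa0/0.1. A DHCP DISCOVER goes from client
# port 68 (bootpc) *to* server port 67 (bootps), so "eq bootpc" never matched it.
SAMPLES = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", dport=67),
    "ping_office": Packet("icmp", "192.168.5.23", "192.168.1.59"),
    "smb_office": Packet("tcp", "192.168.5.23", "192.168.1.59", dport=445),
    "https_internet": Packet("tcp", "192.168.5.23", "203.0.113.10", dport=443),  # TEST-NET-3
}

def decisions(acl_text: str) -> dict:
    """Return the permit/deny verdict of an ACL for every sample packet."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```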
mxrider_420Author Commented:
YES! This works :) ok so I got a DHCP again and can connect to the internet, although MSN Messenger still works, and I can still ping things in the 192.168.1.0 network. So what's the next step? :)
0
mxrider_420Author Commented:
oops perhaps i forgot. am i supposed to apply this to Fa0/0?....
0
chad_rCommented:
where do you have it applied?  Had you removed it?
0
mxrider_420Author Commented:
Building configuration...

Current configuration : 2346 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxx/
enable password xxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxprivilege 15 password 0 xx
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended guest-inet
 permit icmp any any
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any host 208.67.222.222 eq domain
 permit udp any host 192.168.1.59 eq domain
 deny   ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxx
 login local
 transport input telnet ssh
!
!
end
0
mxrider_420Author Commented:
So with this configuration, any other suggestions? And also, did you or can you get me the enterprise IOS for this router? Cisco won't sell it to me because it's EOS and it's more than I need, so I would like to get the upgraded firmware to enable the firewall usage for easier use etc..
0
chad_rCommented:
you need to re-apply it to fa0/1.1 and make sure it works.

Unfortunately I don't have access to the IOS you need, sorry.
0
mxrider_420Author Commented:
Ohh, alright, I have done that and I am still able to ping the 192.168.1.0 network and log into MSN messenger etc..... hmmm (the good news is it does allow me internet access, but your first rule did as well. lol)
0
mxrider_420Author Commented:
I'm annoyed, I'll just purchase a firewall and then do it that way instead. Have any recommendations?
0
mxrider_420Author Commented:
OK,

Something is funky.

I did this over again and I can still ping my 192.168.1.0 network. Hmm, please help!!! haha, I'm lost.
conf t
no ip access-list extended block-guest
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any

Also, unless you have routers on this subnet that run rip and need to talk to this router, I would add:

router rip
 passive-interface FastEthernet0/0.1

That will stop your router from sending RIP advertisements/updates out of that interface as well.


__________
SH RUN
__________

Building configuration...

Current configuration : 2393 bytes
!
! Last configuration change at 20:10:03 PCTime Wed May 5 2010 by andrew
! NVRAM config last updated at 20:09:57 PCTime Wed May 5 2010 by andrew
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxxx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.59 208.67.222.222
!
 
!
username xxx privilege 15 password 0 xx
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description $ETH-LAN$
 encapsulation dot1Q 20
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.1.59
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
 permit udp any host 192.168.1.59 eq domain
 permit udp any host 192.168.1.59 eq bootpc
 deny   ip 192.168.5.0 0.0.0.255 any
 permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!

!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxxx
 login local
 transport input telnet ssh
!
!
end
0
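As an added illustration (not code from the thread or from either poster), the following Python script evaluates the two ACLs quoted above, guest-inet and block-guest, against constructed packets from the guest VLAN using Cisco's first-match and implicit-deny semantics. It shows why the omission of bootps that chad_r describes blocks DHCP (the client's request is destined to UDP 67), that guest-inet as written permits ICMP and web traffic toward 192.168.1.0/24 as well, and that block-guest would deny guest-to-LAN pings once bound to an interface with `ip access-group` (the posted show run contains no such line). The packet addresses are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
Pkt = namedtuple("Pkt", "proto src dst dport", defaults=(0,))  # dport 0 for icmp

def parse_rule(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (the subset used on the page)."""
    t = line.split()
    def addr(i):  # 'any' | 'host A' | 'A WILDCARD' -> ('any' or network, next index)
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return ip_network(t[i + 1] + "/32"), i + 2
        return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # ipaddress accepts a hostmask
    src, i = addr(2)
    dst, i = addr(i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORTS[t[i + 1]]
    return t[0], t[1], src, dst, dport

def evaluate(acl_text, pkt):
    for line in acl_text.strip().splitlines():  # first matching rule wins
        action, proto, src, dst, dport = parse_rule(line)
        if proto not in ("ip", pkt.proto) or (dport is not None and dport != pkt.dport):
            continue
        if src != "any" and ip_address(pkt.src) not in src:
            continue
        if dst != "any" and ip_address(pkt.dst) not in dst:
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

GUEST_INET = """permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
deny ip any any"""
BLOCK_GUEST = """permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any"""
NO_BOOTPS = GUEST_INET.replace("permit udp any any eq bootps\n", "")  # the mistake chad_r describes
# Constructed packets as the router sees them inbound on Fa0/0.1 (guest VLAN 20).
DHCP_DISCOVER = Pkt("udp", "0.0.0.0", "255.255.255.255", 67)  # client -> server port bootps
GUEST_PING_LAN = Pkt("icmp", "192.168.5.10", "192.168.1.20")   # guest -> office LAN host
```

Note that block-guest's second line matches destination port 68 (bootpc), whereas a client's DHCP request is sent to port 67 (bootps); a renewal unicast from an addressed guest client would therefore fall through to the deny line.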