mxrider_420
asked on
VLAN Setup & Help
Hello,
I have a cisco 1242 AP
SSID Office Network - 192.168.1.0 (VLAN 1 *Native)
SSID Guest - 192.168.5.0 (VLAN 20)
On level TWO of the building i have a HP 1700 series 8 port procurve switch. Port 1 is where the Cisco accesspoint connects, port 2 is where the wall port connects that then connects to my 24 port HP Procurve 1700 series switch on the FIRST floor of the building on port 7. and on this 24 port switch port #16 connects to FA0/0 on my Cisco 2651 router.
I have configured my 2651 router FA0/0.1 sub interface as follows:
interface FastEthernet0/0.1
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
So my question is this.
please show tell me what ports need to be tagged and what ports need to be untagged etc... and what ones need to be trunks. also there is only 1 physical connection between the switches and for some reason when i configure trunks on the procurve it wants TWO ports to act as a trunk ports. do i need to run another cable? i can connect to GUEST SSID but it fails to get an IP address from DHCP so i need help.,
thanks
I have a cisco 1242 AP
SSID Office Network - 192.168.1.0 (VLAN 1 *Native)
SSID Guest - 192.168.5.0 (VLAN 20)
On level TWO of the building i have a HP 1700 series 8 port procurve switch. Port 1 is where the Cisco accesspoint connects, port 2 is where the wall port connects that then connects to my 24 port HP Procurve 1700 series switch on the FIRST floor of the building on port 7. and on this 24 port switch port #16 connects to FA0/0 on my Cisco 2651 router.
I have configured my 2651 router FA0/0.1 sub interface as follows:
interface FastEthernet0/0.1
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
So my question is this.
please show tell me what ports need to be tagged and what ports need to be untagged etc... and what ones need to be trunks. also there is only 1 physical connection between the switches and for some reason when i configure trunks on the procurve it wants TWO ports to act as a trunk ports. do i need to run another cable? i can connect to GUEST SSID but it fails to get an IP address from DHCP so i need help.,
thanks
ASKER
Is there an option on the cisco 1242 for tagging? i set in the k9 interface vlan 1 as native (network) and vlan 20 asigned to g radio with multi BSSID, i still dont get an ip when connected to guest. i am using a LACP trunk with auto negotiation from procurve-procurve and have them accepting all tagged and un tagged. so where do i go from here?
thanks
thanks
ASKER
also how do you "tag" with a procurve? since the AP only can physically connect to one port i assume the AP is what needs to TAG or UNTAG its vlans?....
the AP won't be doing the tagging. Well, technically it will be tagging since you have configured dot1q, but you don't have to actually tell it to "tag" anything. For the procurve, the easiest way is to connect, go into "enable" mode, type "menu". From there, go to Switch Configuratio -> Vlan Menu -> Vlan Port Assignment and then Edit. You should have the vlan created before doing this however so it shows up in the list of vlans to be assigned.
ASKER
can i ssh to a 1700 series? i assume you meant through CLI.
You can, if you have it configured. You can telnet to it by default, and configure ssh if you prefer.
ASKER
it said connection refused and i didnt see anywhere to allow it in the GUI. ..
well, you can also do the same exercise in the web gui if you prefer.
To create a vlan, click vlans -> vlan setup
after you create the vlan, you can change the port vlan behavior in the "vlan port config". For ports connecting to dot1q devices, you can select select "vlan aware enabled", packet type "all", and and set PVID to 1 since that is the vlan you are using as the native vlan.
To create a vlan, click vlans -> vlan setup
after you create the vlan, you can change the port vlan behavior in the "vlan port config". For ports connecting to dot1q devices, you can select select "vlan aware enabled", packet type "all", and and set PVID to 1 since that is the vlan you are using as the native vlan.
ASKER
This sounds great, now do i do this to the ports on the 24 port procurve as well? if so what ones? i assume that the port where the AP connects needs to be tagged as vlan 20 for guest traffic but what i dont understand is the PVID. that is vlan assigned to all non tagged vlans through the interface, so there fore if the port is set to vlan aware, packet type all and pvid 1 how does it know when its vlan 2 from the second SSID on the AP?
This really boils down to the concept of 802.1q vlan tagging. 802.1q inserts a 4 byte header called a "tag" into the frame before sending it (and a new FCS trailer). A portion of this field is used to identify the VLAN that this frame is assigned to. So, without getting in too much detail, another .1q port will know which packet belongs to which vlan based on the vlan tag in the 802.1q header of the ethernet frame. The important thing to understand is 802.1q tags all vlans *except* the native vlan, which comes across unaltered. The PVID filed on the procurve is where you tell the procurve which vlan is the "native", or untagged vlan. Any frames received on the port untagged will be assigned to this vlan by the procurve.
ASKER
Okay that makes sense. I just find it strange based on my original post/setup that when i connect to the GUEST SSID it simple does not get an IP address from the DHCP server. Keep in mind i only had the port where the access point connects to the procurve as part of vlan 20 as vlan20 will ONLY be used for wireless guest traffic. based on my router sub interface fa0/0.1 config above you can clearly see that i got a ip-helper address. soooooo..... in summation
port where AP connects should be part of VLAN 20. any other port on either switch?.... i have left the ports as vlan enabled, and the only trunk i have is switch to switch with LACP.....
please clairify as id love to get this working asap. thanks so much!
port where AP connects should be part of VLAN 20. any other port on either switch?.... i have left the ports as vlan enabled, and the only trunk i have is switch to switch with LACP.....
please clairify as id love to get this working asap. thanks so much!
The router is off of the other switch, correct? One thing you could do just to test everything else is to assign vlan 20 to another port on the switch (port 2, something like that) and plug your laptop in and see if you get an IP. The port for your laptop should be set to vlan 20, so, just setting PVID to vlan 20 should probably do it. Then your laptop, or system should get an IP. If it does not, you could assign yourself an IP on that subnet and try to ping the router interface. If that doesn't work, you may need to validate you can do it from a port on the switch connected to the router. This will help you narrow down the issue, if there is indeed an issue.
ASKER
here is my config
the switch that goes directly to the router i did as you suggested. vlan on port 22 tagged only pvid20. router config is as follows. and still cant get IP from DHCP. took DHCP out of the picture by creating a manual one in the 192.168.5.x range then could not ping 192.168.5.1
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
shutdown
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip http server
ip http authentication local
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxxxx
login local
!
!
end
the switch that goes directly to the router i did as you suggested. vlan on port 22 tagged only pvid20. router config is as follows. and still cant get IP from DHCP. took DHCP out of the picture by creating a manual one in the 192.168.5.x range then could not ping 192.168.5.1
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
shutdown
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip http server
ip http authentication local
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxxxx
login local
!
!
end
Your interface fa0/0.1 is shutdown.
conf t
int fa0/0.1
no shut
end
conf t
int fa0/0.1
no shut
end
ASKER
i realized that. lol my bad. i actually raised it and it still doesnt get an ip. keep in mind my simple test setup has no trunking . do i need to establish a trunking port from the router to switch too? so far for testing i removed my testing port 22 from vlan 1 (native) and ONLY put it in vlan 20. its the PVID as well. so is that the reason its not traversing to the router?...
You have the router configured for dot1q trunking, so you need to do the same on the port connecting to it if it is not already.
ASKER
Ok, so establish the port from switch to fa0/0 as a trunk instead of adding that port to vlan 20 as well?... any reason why the procurve switches want 2 ports to use trunking?.... i mena there is only 1 going to my router so this is impossible. it says, please add a second port to the trunk in order to create T1? :S
ASKER
This is what happens when i set it to trunk
trunk.JPG
trunk.JPG
Sorry, this goes back to the earlier confusion I mentioned. In "cisco world", a trunk port is an 802.1q or ISL link between two devices to send multiple vlans across a link. In HP Procurve land, a trunk port is port aggregration, (port channel in cisco-speak). So, you need set up the port to the router as an 802.1q link, not a HP trunk, but a cisco trunk, haha, confusing eh? Sorry, I am so used to calling a dot1q port a "trunk" since in reality it is "vlan trunking". I will just refer to them as dot1q "links" now.
ASKER
its alright i work with cisco, but yes i am VERY new to HP talk. haha. okay so i know this sounds really stupid and i really appreciate your patience through all of this btw. but how do i do this on the procurve.... also i took another look through the GUI to enable SSH so i can do commands instead of CLI and im not positive my 1700 switch supports it, at least i found no where to turn this on. so if you wouldnt mind id appreciate these two answered and then i can cross my fingers for it to work. lol so far i see that my router configuration on my dot1q sub-inter is set up correctly, my 'simple tes' (with a pc tagged as vlan20) is also set up (too simple for even me to go wrong ;) lol) and so the only missing piece seems to be this "trunk, or link" as you call it.
thanks 10 fold
thanks 10 fold
well, unfortunately I found out there is no CLI interface for the 1700-24. I was basing my help off of other procurve models, and assumed this one also had a CLI. After a little digging, it turns out I was incorrect. But, the web info I was providing comes directly out of the 1700, so that still applies.
So, for the connection to the router you need to make it "vlan aware", packet type all, and PVID 1. Although unless you are using an IP on the physical interface if fa0/0, the native vlan won't matter.
So, for the connection to the router you need to make it "vlan aware", packet type all, and PVID 1. Although unless you are using an IP on the physical interface if fa0/0, the native vlan won't matter.
ASKER
OK thanks. its working HOWEVER. here is my router config. i need some help with my access lists or something. vlan 20 can ping ips in 192.168.1.0 network and even connect to domain shares. see my configuration bellow to tell me how to change this. then i am done :) thanks to your help! :)
Building configuration...
Current configuration : 1956 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxx/
enable password xxxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username andrew privilege 15 password 0 Teambrap420
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxx
login local
transport input telnet ssh
!
!
end
Building configuration...
Current configuration : 1956 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxx/
enable password xxxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username andrew privilege 15 password 0 Teambrap420
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxx
login local
transport input telnet ssh
!
!
end
ASKER
basically EVERYTHING is working but my vlans can speak to each-other. its ok if VLAN 1 (management) can talk to vlan 20 GUEST. but i do NOT want vlan20 having access to ANYTHING but internet. (hence guest)
please advise.
thanks
please advise.
thanks
This should do the trick:
ip access-list extended block-guest
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
interface fa0/0
ip access-group block-guest out
end
ip access-list extended block-guest
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
interface fa0/0
ip access-group block-guest out
end
There are a couple different ways to manage it though, and what I posted above is pretty simple. You could also create and apply an ACL blocking traffic to the prod network from the guest network and apply it inbound on fa0/0.1. Either would work though.
ASKER
arent the vlans supposed to just NOT be ale to talk to eachother by default though? as in act as two physical networks that dont know how to even reach eathother?...
ASKER
Ps. i did this as suggested it worked HOWEVER the internet connection when on GUEST SSID (VLAN20) is SLOW as Sh*^ how come? can i make it faster? its doing too much thinking. here is my new config
ip access-list extended block-guest
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
interface fa0/0
ip access-group block-guest out
end
______
NEW CONFIG
________
Building configuration...
Current configuration : 2187 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$ccxcxcx/
enable passwordxxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group block-guest out
ip helper-address 192.168.1.59
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxx
login local
transport input telnet ssh
!
!
end
ip access-list extended block-guest
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
interface fa0/0
ip access-group block-guest out
end
______
NEW CONFIG
________
Building configuration...
Current configuration : 2187 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$ccxcxcx/
enable passwordxxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group block-guest out
ip helper-address 192.168.1.59
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxx
login local
transport input telnet ssh
!
!
end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Great this helps alot!
so i have no problem just using the router as a DHCP server, assuming it is capable (Cisco 2651).
Also where you have
eq domain <------ is this supposed to be substituted for my domain name? or do i leave is as is 'eq domain'
same goes for 'eq bootpc'
Thank you.
so i have no problem just using the router as a DHCP server, assuming it is capable (Cisco 2651).
Also where you have
eq domain <------ is this supposed to be substituted for my domain name? or do i leave is as is 'eq domain'
same goes for 'eq bootpc'
Thank you.
ASKER
_______
Hows this look now?...
______
Building configuration...
Current configuration : 2280 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxrs/
enable password xxcdx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
username xxx privilege 15 password 0 xxxx
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group block-guest out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxx
login local
transport input telnet ssh
!
!
end
Hows this look now?...
______
Building configuration...
Current configuration : 2280 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxrs/
enable password xxcdx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
username xxx privilege 15 password 0 xxxx
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group block-guest out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxx
login local
transport input telnet ssh
!
!
end
Looks good to me.
ASKER
thanks. and finally how do i permit only port 80 internet access for guests? and since you have been so helpful i thought id ask this (perhaps a bit off topic and i wont go on and on about it or ill open a new thread) but do you know of a simple way, or perhaps a software product out there that would allow me to leave the guest SSID open without a password and when connected directs them to a log in page where they have to enter a valid email address then confirm the email address in order to gain continued access? if not validated the connection drops after that 5 minute window?..
thanks
thanks
Well, as far as the restriction to port 80, unless you have a firewall you could apply another ACL. This one should be inbound on the guest vlan. So, something like:
ip access-list extended guest-inet
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
int fa0/0.1
ip access-group guest-inet in
Give that a shot and let me know. Actually, if you apply this, you can probably remove the other ACL since this one now will effectively block connectivity to anything from that subnet except port 80 (WWW), port 443 (HTTPS), DNS (listed here as "domain") and DHCP (bootpc). You will of course want to test this.
As far as a terms of service spash page (or "captive portal"), I have worked with a couple, but not in depth. If you are looking for something for low cost, or free, check out some of the open source solutions and see if perhaps they provide what you are looking for. I haven't used any of these, but they look interesting enough:
http://dev.wifidog.org/ (might not run on your hardware, but something to scope out)
http://salite.stillsecure.com/ (NAC, might not be exactly what you are looking for, but looks cool)
So, generally just search for "captive portal software" or something along those lines and you should find something that suits you. You may need to start a new thread though if you need help with it as I really don't have any experience there. I would definitely be interested though to find out what you decide to use, and if it works well as I'm always curious. Good luck!
ip access-list extended guest-inet
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
int fa0/0.1
ip access-group guest-inet in
Give that a shot and let me know. Actually, if you apply this, you can probably remove the other ACL since this one now will effectively block connectivity to anything from that subnet except port 80 (WWW), port 443 (HTTPS), DNS (listed here as "domain") and DHCP (bootpc). You will of course want to test this.
As far as a terms of service spash page (or "captive portal"), I have worked with a couple, but not in depth. If you are looking for something for low cost, or free, check out some of the open source solutions and see if perhaps they provide what you are looking for. I haven't used any of these, but they look interesting enough:
http://dev.wifidog.org/ (might not run on your hardware, but something to scope out)
http://salite.stillsecure.com/ (NAC, might not be exactly what you are looking for, but looks cool)
So, generally just search for "captive portal software" or something along those lines and you should find something that suits you. You may need to start a new thread though if you need help with it as I really don't have any experience there. I would definitely be interested though to find out what you decide to use, and if it works well as I'm always curious. Good luck!
ASKER
THanks sounds great. i have a problem though. If you lok at my running config you can see that i have a nat so that all port 443 traffic and port 80 go to my sonicwall SSL appliance. since last night when i implemented the acl rules you suggested when i type connect.exchangesolution.c
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
ASKER
also the new config you gave me didnt work. are you sure you had the correct directions? when i added the rule
ip access-list extended guest-inet
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
int fa0/0.1
ip access-group guest-inet in
NOTHING worked from the 192.168.5.0 network. where as your example before worked perfect! .. hmmm. im trying to understand this but its strange to me so perhaps we wrote this for the wrong direction or interface?...
ip access-list extended guest-inet
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
int fa0/0.1
ip access-group guest-inet in
NOTHING worked from the 192.168.5.0 network. where as your example before worked perfect! .. hmmm. im trying to understand this but its strange to me so perhaps we wrote this for the wrong direction or interface?...
hmm, I wonder. Try this one and see what you can get
no ip access-list extended guest-inet
ip access-list extended guest-inet
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
I added the other dns server, and allowed all icmp. (more than is needed, but just there for testing at the moment. Try to ping www.google.com, ping www.yahoo.com
no ip access-list extended guest-inet
ip access-list extended guest-inet
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
I added the other dns server, and allowed all icmp. (more than is needed, but just there for testing at the moment. Try to ping www.google.com, ping www.yahoo.com
ASKER
LOL.. now i cant even get an IP address when i do the above.
here is a visual for you :
Current configuration : 2518 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group block-guest out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip access-group guest-inet in
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/0.1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
ip access-list extended guest-inet
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxx
login local
transport input telnet ssh
!
!
end
here is a visual for you :
Current configuration : 2518 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group block-guest out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip access-group guest-inet in
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/1
network 192.168.1.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/0.1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
ip access-list extended guest-inet
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxx
login local
transport input telnet ssh
!
!
end
doh, that's certainly not good.
Ok, lets start by adding dhcp and then we'll take it from there:
no ip access-list extended guest-inet
ip access-list extended guest-inet
permit udp any any eq bootpc
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
Ok, lets start by adding dhcp and then we'll take it from there:
no ip access-list extended guest-inet
ip access-list extended guest-inet
permit udp any any eq bootpc
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip any any
ASKER
hmm....
no dice. what could be the cause? did you want to see any configs or anything?
no dice. what could be the cause? did you want to see any configs or anything?
ASKER
You really seem to know what your doing so could it be that we are applying this to the wrong direction?.... i mean like the first config you gave me worked perfect, but since then these recent ones have not. Perhaps its the wrong interface we are applying this to?...
also do you know where i can download the enterprise IOS for the Cisco 2651 or perhaps you can provide me a copy. i called cisco and they said i dont have a valid contract (as i bought this used online) and i offered to buy one but they said it is End of sale on this model router. so i assume i should be able to just download it. there by if i get it it will enable the firewall feature of the router and allow us to persue this that way instead of ACLs.
also do you know where i can download the enterprise IOS for the Cisco 2651 or perhaps you can provide me a copy. i called cisco and they said i dont have a valid contract (as i bought this used online) and i offered to buy one but they said it is End of sale on this model router. so i assume i should be able to just download it. there by if i get it it will enable the firewall feature of the router and allow us to persue this that way instead of ACLs.
sorry, been a long day at work. So, still no dice. Sorry about that. Although the first mistake I see here is that I allowed bootpc but not bootps. Since this is not originating from the client, the destination is bootps (udp 67). So, hopefully that will allow the dhcp request to go through. Once that is verified, that should allow us to continue on and verify the other things.
no ip access-list extended guest-inet
ip access-list extended guest-inet
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
deny ip any any
no ip access-list extended guest-inet
ip access-list extended guest-inet
permit udp any any eq bootps
permit udp any any eq bootpc
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
deny ip any any
ASKER
YES! this works :) ok so i got a DHCP again and can connect to the internet, altho MSN messenger and works still as does i can still ping amongst things in the 192.168.1.0 network. so whats the next step? :)
ASKER
oops perhaps i forgot. am i supposed to apply this to Fa0/0?....
where do you have it applied? Had you removed it?
ASKER
Building configuration...
Current configuration : 2346 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxx/
enable password xxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxprivilege 15 password 0 xx
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended guest-inet
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
deny ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxx
login local
transport input telnet ssh
!
!
end
Current configuration : 2346 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxx/
enable password xxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxprivilege 15 password 0 xx
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended guest-inet
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any any eq www
permit tcp any any eq 443
permit udp any host 208.67.222.222 eq domain
permit udp any host 192.168.1.59 eq domain
deny ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxx
login local
transport input telnet ssh
!
!
end
ASKER
So with this configuration any other suggestions? and also did you or can you get me the enterprise ios for this router? cisco wont sell it to me because its EOS and its more than i need so i would like to get the upgraded firmware to enable the firewall useage for easier use etc..
you need to re-apply it to fa0/1.1 and make sure it works.
Unfortunately I don't have access to the IOS you need, sorry.
Unfortunately I don't have access to the IOS you need, sorry.
ASKER
ohh alright i have done that and i am able to still ping the 192.168.1.0 network and log into msn messenger etc..... hmmm (the good news is it does allow me internet access. but your first ruie did as well. lol
ASKER
im annoyed, i'll just purchase a firewall and then do it through that way instead. have any reccomendations?
ASKER
OK,
somehting is funky
do this over again and i can still ping my 192.168.1.0 network. hmm please help!!! haha im lost.
conf t
no ip access-list extended block-guest
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
Also, unless you have routers on this subnet that run rip and need to talk to this router, I would add:
router rip
passive-interface FastEthernet0/0.1
That will stop your router from sending RIP advertisements/updates out of that interface as well.
__________
SH RUN
__________
Building configuration...
Current configuration : 2393 bytes
!
! Last configuration change at 20:10:03 PCTime Wed May 5 2010 by andrew
! NVRAM config last updated at 20:09:57 PCTime Wed May 5 2010 by andrew
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxxx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
username xxx privilege 15 password 0 xx
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxxx
login local
transport input telnet ssh
!
!
end
somehting is funky
do this over again and i can still ping my 192.168.1.0 network. hmm please help!!! haha im lost.
conf t
no ip access-list extended block-guest
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
Also, unless you have routers on this subnet that run rip and need to talk to this router, I would add:
router rip
passive-interface FastEthernet0/0.1
That will stop your router from sending RIP advertisements/updates out of that interface as well.
__________
SH RUN
__________
Building configuration...
Current configuration : 2393 bytes
!
! Last configuration change at 20:10:03 PCTime Wed May 5 2010 by andrew
! NVRAM config last updated at 20:09:57 PCTime Wed May 5 2010 by andrew
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1A-EXCHANGE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Z8lR$xxxxx/
enable password xxxx
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.59.176.13
ip name-server 192.168.1.59
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.59 208.67.222.222
!
!
username xxx privilege 15 password 0 xx
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 20
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.59
ip nat inside
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
router rip
version 2
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/1
network 192.168.1.0
network 192.168.5.0
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.70 29 interface FastEthernet0/1 29
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1 permanent
!
!
!
ip access-list extended block-guest
permit udp any host 192.168.1.59 eq domain
permit udp any host 192.168.1.59 eq bootpc
deny ip 192.168.5.0 0.0.0.255 any
permit ip any any
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password xxxxxx
login local
transport input telnet ssh
!
!
end
does that help? Looking at what you describe, you will need to tag vlan 20 on the port going to the ap and the port going to the router, and since you show vlan 1 as native on the ap, you will need to untag vlan 1 on the port going to the ap as well. I'm not sure what the connection is to the other procurve, but you should tag vlans if this is an 802.1q link and they need to cross, but untag the native.
Hopefully that helps, it's a bit backwards to me as I'm more in my element on cisco devices, but I do support quite a few procurves as well.