JP D (Canada) asked:
Help configuring Cisco 1941 router

Hi Experts,

So, based on recommendations from here, I am replacing our existing 3com routers with newer Cisco 1941 routers (with security bundle).  I have worked with the 3com routers in the past and am quite comfortable with them, however, I have not worked with cisco products much until recently.  As such, I have successfully gotten into the 1941 router and have set up what I thought would work, but I cannot seem to communicate between my subnets, and cannot access the internet through any interface.  Obviously I do not have it configured correctly.  I have done some extensive research online, and have learned quite a bit, but still can't manage to put it all together properly.  Right now the 1941 routers that I am configuring are only being bench configured, and I am not pressed for time, so I do have the ability to mess around with them before bringing them live.  For my bench configurations I do have them connected to live WAN connections.  I am also using the Cisco Configuration Professional application to set them up, as I am not too savvy with CLI.  I can get around using CLI, but just not 100% comfortable.

I will first explain the network topology that the 1941 routers will be connected to.

We have 3 physical offices (A, B, and C).  All are part of the same domain.  All have their own subnet(s) and Win 2003 server.  All have 1 WAN connection and are connected together via VPN.

Office A (Primary Domain Controller)
- 2 separate buildings (same subnet) connected via CAT6 trunk.
- 2 primary Cisco managed switches (one in each building) with the following connected:
     - 192.168.1.x general network (vlan 1)
     - 192.168.2.x cisco ip phone network (vlan 100)
     - Cisco UC500 phone router, one interface connection using (vlan 1) and (vlan 100)
     - PDC for 192.168.1.x
- IP camera subnet using 192.168.5.x (only connects to router)
- primary router with the following physical connections: (to 1 switch), (to IP camera switch), and WAN connection to a static internet connection.
- primary router also has (vlan 100) as a virtual interface.
- primary router has a vpn from Office B and Office C, terminating in the 192.168.1.x subnet.
- all subnets have full access to each other and the internet (only for email and general http browsing)
- no internally hosted services.
- primary router has a static route for to (phone system)

Office B
- similar setup as Office A
- networks 192.168.0.x (vlan 1)(general network), and 192.168.6.x (vlan 100)
- router physical interfaces: and WAN
- router virtual interface (vlan 100)
- no other subnets
- vpns from Offices A & C terminates in 192.168.0.x
- static route for to

Office C
- very basic set up (small office)
- network 192.168.3.x
- router physical interfaces: and WAN
- no other subnets
- no IP phone network
- vpns from Offices A & B terminates in 192.168.3.x

Currently I have the 1941 routers to replace the primary routers in Offices A & B, and I am working on Office A first.  Once I know how to get this one set up, then I can utilize the same info to set up the Office B router, and the Office C router when I obtain it.

The 1941 router that I have for Office A has the following interfaces: Gig 0/0 and Gig 0/1 (built in), EHWIC 0 interface 0/0/0 gig WAN card, EHWIC 1 (half) interfaces 0/1/0 to 0/1/3 gig 4 port switch card.

My initial thought and attempt for setting up the Office A 1941 router was to have the following interface connections:
0/0 - reserved for me to connect/set up & future subnet or 2nd WAN
0/1 - connected to IP camera switch
0/0/0 - connected to static WAN
0/1/0 - access mode connection to 192.168.1.x PDC (vlan 1 only)
0/1/1 - trunk mode connection to one switch (vlan 1 native, and vlan 100)
0/1/2 - trunk mode connection to second switch (vlan 1 native, and vlan 100)
0/1/3 - ? mode connection to UC500 IP Phone router (vlan 1 and vlan 100 ?, native ?)

and somehow creating virtual interfaces for (vlan 1) and (vlan 100)

I can physically connect to each interface (with the appropriate IP address), and can ping the 192.168.x.2 address that is associated to the interface.  However, I cannot ping to any other subnet (or the 192.168.x.2 router address associated to it), nor can I see the internet at all.  I can ping the static WAN interface ip, but not the default gateway or the external DNS addresses.

Long winded, I know, but I wanted to include everything I could think of.

Can someone help me out with configuring the 1941 router for Office A? (I'm sure from there I should be able to configure the others)
Leeeee (USA):

I'm sure many would be glad to assist. Can you post the config of the 1941 router at office A as it stands right now? This will assist with getting you the help you need in a more timely manner. Please sanitize the config of any public IPs, etc.
A network diagram would help summarize your network.
JP D:

Here is the current running config that I've been playing around with.

Please note that I have replaced the external IPs with x.x.x.x, as well as usernames with xxxxxx.

I will dig up my visio and update our network diagram.  Will post it as soon as I can.

Before you load down the router with advanced IOS zone firewalls and ACLs etc., you should verify basic connectivity. I would recommend removing the ACLs and the zone-based firewall until basic IP connectivity can be established. Once basic connectivity has been confirmed, then you should methodically begin locking down your device.

Regarding the WAN connection, you noted this was a live connection to another site. Keep in mind the other site has to know what to do with the traffic that is forwarded over that link. If the device on the other side doesn't have routes pointing back to your subnets on the office A 1941 lab router, the traffic will be dropped. Also note if the subnets on the lab router for office A are actual subnets in use on the current office A 3com routers,  you may have an asynchronous routing situation happening as the office b/c devices are forwarding traffic from those subnets to the existing 3com routers.

interface GigabitEthernet0/1/3
 description VOICE-OFFICE
 switchport access vlan 100     <- remove this line (an access VLAN is meaningless on a trunk port)
 switchport mode trunk
 no ip address

You say you want to use VLAN 1 as the native vlan, but you have configured VLAN 1 with a subnet.
0/1/0 - access mode connection to 192.168.1.x PDC (vlan 1 only)
I would recommend not using VLAN 1 at all. I would move the network to a different vlan.

Your nat access-list doesn't account for  vlan 100 subnet. This is access-list 1. You will need to add this network if you want to NAT it.

Also, you will not need static routes for the networks that reside on the 1941. Remove:
ip route <network> <mask> Vlan1
ip route <network> <mask> Vlan100
ip route <network> <mask> GigabitEthernet0/1

I think providing Visio diagrams as well as removing the zone-pairs and ACLs from the interfaces is ideal to start.
JP D:

Totally forgot about the routing of the subnets with the external gateway/DNS....whoops! LOL

I will make the initial changes you suggested, and change the internal network ip's temporarily for my benchtop setup.  For ease of clarity we can still refer to the addresses as listed above.  I will translate to the temporary IP's myself, to limit confusion.

I couldn't find my old copy of Visio, so I just quickly sketched up a couple of diagrams using a drawing program.

The "Office-A-Current with 3Com X5.pdf" drawing is exactly how the network is currently set up and running.

The "Office A-New Cisco 1941.pdf" drawing is just what I was thinking may work more efficiently.

Hope they make sense!
JP D:

I was just going through and making the changes, but I couldn't figure out how to remove the ACLs (or which ones I should be removing), and I was thinking that maybe it would just be easier to start over, as it may just be quicker and more thorough for me to re-set up the interfaces.  Especially since my planned setup may not work.

Can I obtain the default config file from somewhere on cisco?

In hindsight, I should have saved a copy of the shipping config file before working on the device.  Live and learn.
Basic Interface configuration for 1941:

Again, recommend not using vlan 1 at all

int g0/1
 ip address <camera-subnet gateway> <mask>
 no shut

int g0/1/0
 switchport mode access
 switchport access vlan 1

int g0/1/1
 description trunk ESW Switch A
 switchport mode trunk
 switchport trunk allowed vlan 1,100
 switchport trunk native vlan x    ! a different vlan than 1 if vlan 1 is being used for data

int g0/1/2
 description trunk Building B ESW Switch B
 switchport mode trunk
 switchport trunk allowed vlan 1,100
 switchport trunk native vlan x    ! a different vlan than 1 if vlan 1 is being used for data

int g0/1/3    (do we need to trunk two vlans? If not, configure it as an access port in vlan 100 instead)
 description UC500
 switchport mode trunk
 switchport trunk allowed vlan 1,100
 switchport trunk native vlan x
 spanning-tree portfast trunk

int g0/0/0
 ip address x
 ip nat outside

int vlan 1
 ip address <vlan 1 gateway> <mask>
 ip helper-address x    ! DHCP server to relay to, if DHCP is not on this router
 ip nat inside
 no shut

int vlan 100
 ip address <vlan 100 gateway> <mask>
 ip helper-address x    ! DHCP server to relay to, if DHCP is not on this router
 ip nat inside
 no shut

Trunking considerations - Make sure you are allowing all used vlans on the ESW Switch A and B switches. Set the spanning-tree root to the 1941:

spanning-tree vlan 1,100 priority 4096
spanning-tree mode rapid-pvst

Routing (if no dynamic routing protocol is desired):
ip route 0.0.0.0 0.0.0.0 ISP_Gateway

ip access-list standard NAT_ACL
 permit <network> <wildcard>
 permit <network> <wildcard>
ip nat inside source list NAT_ACL interface g0/0/0 overload

Test without ACLs applied and no zone-based firewall. There's much much more we can configure but let's establish basic connectivity. Make sure host default gateways are associated with the gateway of the VLAN they're on. Test from a host in vlan 1 and ping around.

VoIP will be another consideration regarding option 150 and DHCP.

The site to site VPN should be straightforward as well, what IOS version are you running on the 1941's?
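The interface, NAT and routing pieces above, assembled into one complete starting configuration for the Office A 1941 in the syntax IOS actually accepts. This is an added example, not a configuration posted in this thread. It assumes the data network is moved off VLAN 1 to VLAN 10 (as recommended above), keeps the .2 router addresses the question uses, and uses placeholder documentation addresses for the WAN (203.0.113.10/30, ISP gateway 203.0.113.9) and for the DHCP server (192.168.1.10); the UC500 port is shown as a VLAN 100 access port, which is the right choice only if nothing needs the UC500's VLAN 1 address.

```cisco
! Office A 1941, basic connectivity only: no zone-based firewall, no interface ACLs yet.
! Assumed values (not from the thread): data VLAN 10 = 192.168.1.0/24, voice VLAN 100 = 192.168.2.0/24,
! cameras 192.168.5.0/24 on routed port g0/1, WAN 203.0.113.10/30 with ISP gateway 203.0.113.9,
! DHCP server 192.168.1.10, unused native VLAN 999. Router addresses end in .2 as in the question.
hostname OFFICE-A-1941
no ip domain-lookup          ! stops the "Translating ..." DNS lookup when a command is mistyped
!
! If the ESW module rejects config-vlan mode, create these with the exec command "vlan database".
vlan 10
 name DATA
vlan 100
 name VOICE
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/0/0
 description WAN
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/1
 description CAMERAS (routed port, no VLAN tag)
 ip address 192.168.5.2 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1/0
 description PDC
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range GigabitEthernet0/1/1 - 2
 description trunk to ESW switch (building A / building B)
 switchport mode trunk
 switchport trunk allowed vlan 10,100
 switchport trunk native vlan 999   ! untagged frames land in an unused VLAN, not in the data network
!
interface GigabitEthernet0/1/3
 description UC500 (voice only; make this a trunk carrying 10,100 if the UC500 must keep its VLAN 10 address)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface Vlan10
 description DATA
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 no shutdown
!
interface Vlan100
 description VOICE (phones get DHCP from the UC500, so no helper address here)
 ip address 192.168.2.2 255.255.255.0
 no shutdown
!
! Default route toward the ISP; routes for the other offices come with the VPN later.
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! Only subnets listed here are translated. Voice is left out on purpose (phones do not browse).
ip access-list standard NAT_ACL
 permit 192.168.1.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/0 overload
!
end
!
! Verification, from enable mode, before any firewall goes back on:
!   show ip interface brief          (every interface you need should be up/up)
!   show interfaces trunk            (10,100 allowed and active on g0/1/1-2)
!   ping 203.0.113.9                 (router to ISP gateway, no NAT involved)
!   ping 203.0.113.9 source Vlan10   (sourced from the inside; needs NAT_ACL to match)
!   show ip nat translations         (entries appear for the sourced ping and for host traffic)
```

Test in this order: ping the ISP gateway from the router itself, then from a VLAN 10 host ping 192.168.1.2, the ISP gateway, and finally a public address; `show ip nat translations` should show entries for the last two. Only once that works should the zone-based firewall and interface ACLs be added back, one at a time.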
Hey no problem, simply issue,

erase startup-config
Sandeep Gupta:

I recently installed a C1941 and faced a problem with Gig flapping.

I would suggest using IOS:


this is good
JP D:

Well dang it!

Tried to download the latest IOS software from Cisco (as my 1941 has 151), but it wouldn't let me because I need to enter a serial number or service contract.  I am not sure which is the actual serial number of the unit, so I tried entering most of the numbers on the bottom of the unit.  The Cisco website kept telling me that I have to contact my provider to get the ability to download for that serial number.  Which is not a big deal, I can totally call up my CDW rep and get him on the case....but I can see that taking a while.

So I just went ahead with the erase startup-config & reload command via CLI.

Now I can't even telnet into the thing using the default address, through the GE0/0 interface (or any interface for that matter).

I am pretty sure I have a console cable lying around, so I hope that works, because I remember that I could not attach to it using the USB console,  I put the drivers in my Win7 machine, but it just wouldn't connect to it.
JP D:

Well that has gone and done it.  I cannot access the router at all now.  Interface 0/0 does not respond to the default address, nor does it or any others seem to have DHCP.

I can't telnet into it either.  So I tried the usb console connection, and as before, my win7 laptop doesn't seem to like the drivers.  I tried using an older winXP laptop, which took the drivers fine, but still could not get in.  I then tried using the Cisco aux cable with a DB25-DB9 adapter and a usb RS232 dongle.  Still nothing.

All my attempts were done using PuTTY (either telnet, or serial with a COM port for console connections).

I did notice that the EHWIC cards that I have in there, are no longer active at all, so that does at least tell me that the software was wiped, but could it be totally gone now?

I do have another 1941 sitting here as well, so if there is a way that I can get the startup config off of that and onto this dead one, that would be great.  Alternatively, I also now have a copy of the latest IOS software, 15.3.1T(ED), but am not sure if that is what I need here, nor how to do either of the above.  If memory serves correctly, I believe I will have to TFTP to the device, but I'm not sure how, when I can't get a connection to it.  Unless I take the compact flash from the non-working unit and put it in CF1 in the working unit?

Before upgrading to the new IOS, did you save your configs?
Don't you have your configs handy?
Also, with the new IOS you will see that the Gig interfaces show a command:

rj45-auto-detect-polarity <<enable/disable>>

Just enable it.
JP D:

It appears that I just needed to walk away, have a good sleep, and then come back to it.

I am back up and running with a clean slate.  This time my terminal connection is working fine.  Strange, but whatever, at least it's all good now.

I have attached the new config.  Nice and clean.

Back to the grind.....I can begin setting up the interfaces as you suggest above, but regarding vlan1, I have no personal reasoning to its use.  vlan1 was configured originally by our telephony company, they did the initial configuration on our UC500 and X5 simply because I was able to have that work added to the purchase agreement of the cisco phone system.

Vlan100 is the only one that I don't particularly want to change.  With that being said, should I still duplicate the above suggested configuration?
Here's a good read regarding VLAN 1:

The choice is yours but it's a good practice to avoid using VLAN 1 by default. Another good practice going forward is to have your VLANs follow your IP ranges. IE could use VLAN2 while uses VLAN150. Again, this is just preference but it's a good habit as you build out your network.

The above recommendations will work for you. Another consideration are the IP cameras. I assume you are just going to use a routed port for those devices? If not, you will need to create a VLAN and SVI for them.

Once we get the basic configuration in place and connectivity verified, we can begin hardening the device and adding the VPN.
JP D:

That does make a lot of sense regarding VLAN1.

So with that, I assume that it would be best to put on VLAN10 (since following best practice and following the IP range doesn't work so well for our case).  VLAN100 for can remain the same (to save a bit of hassle with updating the phone system).

As for trunking two VLANs on int g0/1/3 (UC500), I really don't see the point in trunking the two.  In fact, I've always wondered why it was set up that way?  Why does the UC500 need to have a single interface with a (VLAN 1) address and a (VLAN 100) address?  The UC500 provides DHCP for, all of the Cisco phones are on the network, and I don't believe that there is any communication that occurs between and  There is a good chance that I could be missing something there, but I have always wondered about that.  Could I not just change the UC500 interface to be VLAN100 only?

For the cameras, yes, my initial thought (and the current way I have it) is that they are fed from their own routed interface.  The cameras (and camera server) are all attached to switches which are dedicated to the network.  I did that because they chew a TON of bandwidth.  I do have a few users on the network who access the cameras and camera server (via http and/or a gui).

Should I simply replace all "VLAN1" with VLAN10, above?
Regarding VLAN10, that will work and get you away from using VLAN1. Make sure you make the changes on the Building A and B switches as well.

Regarding the UC500, I have always seen Call Manager and voice routers configured in 'host' mode. IE on interface g0/1/3 on the 1941, Switchport mode access, switchport access vlan100 and configure the UC500 port with the 2.3 IP. Is on the UC500 used for management? If there is something on VLAN1 (currently) that accesses the UC500 over 1.3 IP, you will naturally have to keep a trunk in place. But if phones are just communicating over the 2.0/24 network, I would just place the UC500 on an access port. Something to look in to and confirm before you migrate away from the 3COMs.

Good call with the cameras.
JP D:

I was just looking at the UC500, and it dawned on me why the 1.3 has an 8 port PoE switch interface.  So I am assuming that it is for that?  Of which, I do not allow use of, since I do not want any data traffic touching the UC500 at all, plus they are only 10/100s and it would just create a bit of an unnecessary bird's nest on my racks.

To confirm though, I don't see any harm in me testing the theory out after hours.
JP D:

I tried to test out shutting down the address on the UC500, but in CCA it shows vlan 1 by default, and you must have an ip address assigned to it.

So I logged into the ESW switch that the UC500 is physically connected to, thinking "I'll just make that port on the ESW access (vlan100).  Well, there is proof of standard practice, I can't make it access, because vlan1 is default and cannot seem to be removed from that port, and since our network is on vlan1....that = poop! LOL

From what I can see though, nothing ever uses  I even listened to traffic on my stations NIC, and 1.3 never came up once.  So I am going to leave g0/1/3 as access, and when ready, I'll plug it in live for a test after hours.

I attached the 1941 config as it is now.  I had a couple of issues when issuing the commands:

switchport trunk allow vlan 1,100
    this returned an error that I must include all default vlans

Both spanning-tree commands gave an invalid input error at:
spanning-tree priority 4096 vlan 1,100
spanning-tree mode rapid-pvst+

The permit ip nat commands would have the system begin to translate "ip"....domain server ( and then return an invalid input error at:
translating "ip"...domain server (
I am also going to try and get the ability to get back into the 1941 via CCP again, I think the enable secret 5 or enable password is preventing me from using CCP.
Since it's a router with a modular switch in it, it may not have any spanning-tree commands. See if you can tab it out,

Regarding the NAT ACL, I forgot I created a standard. We wont need to define the protocol as that is a feature of an extended ACL. The syntax will look like this:

(config)#ip access-list standard NAT_ACL
(config-std-nacl)#permit <network> <wildcard>
(config-std-nacl)#exit
(config)#ip nat inside source list NAT_ACL interface g0/0/0 overload

Since are phones, you probably won't need that statement unless hosts are mixed up in that subnet as well.

Regarding VLAN 10, that is what you will use as the native VLAN? VLAN1 and 100 will still be used? That will work if this is the case. Make sure you suspend VLAN10 on the switches.

If removing the enable secret doesn't get CCP working, try enable the https server.
(config)#ip http secure-server
JP D:

Alright, making headway.

I had to remove secret and enable the https server for CCP.  So I can get in that now, but I am kind of liking the CLI better, it is much more efficient.  It is nice to see some of the options in CCP though.

The NAT_ACL commands above worked just fine.

The network is only phones, so I didn't include them in the NAT_ACL.  I don't believe that anything on that network would access the WAN.

I also added permit to the NAT_ACL, and marked g0/1 as ip nat inside.  I took a guess at that, so I hope its correct. is the camera server, and that is the only device on that network that needs access to the WAN.  Eventually, I will have to open up some ports to that server, to access the cameras from outside.

Yes, I plan to use VLAN 10 as the native vlan for, and get us off vlan 1.  Looking on the switches, and I really don't think they are configured correctly anyway, so I will be going on them to make sure everything jives.

I can tab out to spanning-tree, but can only tab out spanning-tree p to portfast, and cannot tab out to any 'm' command. :(
Cool, regarding the following:

interface GigabitEthernet0/1/2 and interface GigabitEthernet0/1/1

Don't make vlan10 the native vlan as it is being used by the data users. The native vlan is reserved for all untagged traffic, and since vlan 10 needs to be tagged, you should remove it.

You can configure the native vlan as vlan 1 or something else not in use by the data network. Normally, you set the native vlan to a state of suspend as untagged traffic shouldn't be crossing your trunks.
JP D:

Ahhh, I understand.  So with that being said, should the network be assigned a vlan, as I have some users who access the cameras & server on that network from time to time? (which I also plan on locking down somewhat, as I don't want an unknown to plug into that network and access any of the other networks).
It might make things simpler to have a vlan for the cameras, but it's your call. We can place an ACL on g0/1 or on the vlan interface if you create one that will limit what networks or hosts can access the camera network.

Is the generic switch attached to g0/1 managed?
JP D:

I do like the idea of having a vlan for the cameras, however, the first switch on the camera network is pretty basic and not managed.  I have had a difficult time finding small (8 port) switches, with POE on at least 4 ports (only required on first two switches), and capable of a high bandwidth and throughput between switches.

I have attached a network diagram, as it is currently set up.  I currently have one Linksys SRW208P spare, but it only has 2 gig ports.  Mind you, I haven't seen a camera with a gig NIC yet, but I am sure it is coming.  The camera network is completely static, no DHCP.

I have no problem replacing any of those switches, I was just trying to make use of what we have.

2 x Netgear Prosafe GS108P - unmanaged
2 x Linksys SRW208P - semi-managed/webview (one of these is spare)
JP D:

So i just did a walk around, and I think I can do some minor re-wiring so that only the middle camera switch would require POE.  Then I could get something like a Cisco SG200-08 or SG300-08 for the first switch, get the POE version of the same switch for the middle switch, and use the Linksys SRW208P for the last switch.

What do you think?
JP D:

I was just looking at the specs for the two Cisco switches I mentioned above, and it appears that the 200 has a much higher Capacity and Switching Capacity than the 300.  Feature for feature, they are pretty close, except the 300 has much more security features and layer 3 switching, both of which I am not sure are too important on that network.

So in that case, I will be swapping over switches in the camera network, so that they will all have management capability.
JP D:

For the network on int g0/1, how do I give it a vlan id and assign it to that network?

Do I change the interface to switchport mode?  Then do I make it access or trunk?  No other vlan members will ever reside beyond that interface, but they will be communicating with devices in the network on int g0/1.

Another question.....I also have a couple of wifi access points for laptops and smartphones.  99% that connect to them, do so with their phones and only to access the internet.  A couple use their phones to access the camera ( network, and outside of myself, rarely do we have people with laptops that access any of the internal networks.  Actually, pretty safe to say that my notebook is the only one that accesses all networks via wifi.

What is the best practice for that?  Should I assign them a wifi vlan? (I assume yes)

Then, would it be best to have the 1941 serve DHCP for the wifi network, or have each access point supply a DHCP range dedicated to each AP? (but then do I simply not list an ip helper-address for that vlan?)

I have one access point attached to each ESW switch.
You can change the interface from layer 3 to layer 2 using 'switchport' and set it up like the other interfaces. It's probably easier to trunk on g0/1 and then set up a vlan interface for the cameras.

Best practice regarding wireless users is to place them on their own vlan. This way, lets say you had a guest wifi ssid set up, you could lock down that subnet to internet access only with an ACL. The only caveat is you will have to add that subnet to the NAT ACL to allow them internet access. If you can't put a dhcp scope on your windows server (or whatever type of server you're running) you could have the 1941 handle it. If you configure a dhcp pool on the 1941, you would not need to specify the ip helper address. If a dhcp server lives on a different segment than the host, that's when you place the ip helper address.
JP D:

Alright.  I set up vlan5 for the cameras, but am not sure how to change g0/1 to switchport trunk.  It doesn't seem to like the command "switchport mode trunk" on g0/1, it errors out at the 'w'....can't tab out either?

I also set up vlan50 for the trusted wifi network, and vlan51 for the guest wifi network.  As for the DHCP side, I'm thinking that it probably would be best to have that done on either the 1941 or the access points.  I'm leaning towards the 1941, as I imagine that it would just make for easier administration.

I've attached the current running config.
If you can't tab out switchport, g0/1 is probably a routed port. See if we can create a subinterface on that port: try (config)#int g0/1.5 (for vlan5). If you can't add the wireless scopes to the windows server, then add them to the 1941.
JP D:

OK, the subinterface took.  However, I can't set any switchport command on that interface.  Here is all that I was able to add to the config (all I knew to add, outside of the switchport commands):
interface GigabitEthernet0/1.5
 description trunk camera network switch
 no ip route-cache

I am able to add the wireless scopes to the windows server.  I just figured that it would be better or more efficient if the 1941 handled them.  Then interface g0/1/0 could remain in access mode and cut down traffic to the windows server.  That was my thought anyway.  I am not 100% sure if it really would make any difference at all.  If it doesn't, then I have no problem at all with putting the wireless DHCP scopes on the windows server.
So for g0/1.5, the config will look like:

int g0/1.5
 encapsulation dot1q 5
 ip address <camera-subnet gateway> <mask>

and remove the SVI (int vlan 5).

It's really up to you regarding DHCP, if the network was fairly large, having DHCP on a dedicated box is recommended. You can get away with it on the 1941.
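Putting the subinterface above together with the access restriction suggested earlier for the camera network, as an added example rather than a config posted in the thread. It assumes the camera server is 192.168.5.10, that two workstations (192.168.1.50 and 192.168.1.51) may view cameras through the server over HTTP only, and that one admin host (192.168.1.100) may reach every device on VLAN 5; every other host, and every VPN site, is kept out, and the cameras themselves cannot start connections anywhere. The subinterface replaces the SVI, so `interface Vlan5` is removed.

```cisco
! Cameras on VLAN 5 behind the routed port g0/1, with access limited to named hosts.
! Assumed values (not from the thread): camera server 192.168.5.10, viewers 192.168.1.50-51,
! admin host 192.168.1.100. The camera network 192.168.5.0/24 and gateway .2 are from the thread.
no interface Vlan5
!
interface GigabitEthernet0/1
 description trunk to camera switch
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.5
 description CAMERA-VLAN
 encapsulation dot1Q 5
 ip address 192.168.5.2 255.255.255.0
 ip nat inside
 ip access-group CAMERA-OUT out    ! packets leaving the router toward the cameras
 ip access-group CAMERA-IN in      ! packets arriving from the cameras
!
ip access-list extended CAMERA-OUT
 remark viewers reach the camera server only, and only over HTTP
 permit tcp host 192.168.1.50 host 192.168.5.10 eq www
 permit tcp host 192.168.1.51 host 192.168.5.10 eq www
 remark the admin host may reach everything on the camera VLAN
 permit ip host 192.168.1.100 192.168.5.0 0.0.0.255
 remark replies to sessions the camera server itself opened (stateless: ACK/RST bits only)
 permit tcp any host 192.168.5.10 established
 permit udp any eq domain host 192.168.5.10
 deny   ip any any log
!
ip access-list extended CAMERA-IN
 remark replies from the server to its viewers, and from cameras to the admin host
 permit tcp host 192.168.5.10 192.168.0.0 0.0.255.255 established
 permit tcp 192.168.5.0 0.0.0.255 host 192.168.1.100 established
 permit icmp 192.168.5.0 0.0.0.255 host 192.168.1.100 echo-reply
 remark nothing on the camera VLAN may start a session toward any internal network or VPN site
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark the server alone may reach the internet (it is in NAT_ACL); cameras never phone home
 permit ip host 192.168.5.10 any
 deny   ip any any log
!
! Verification:
!   show ip interface GigabitEthernet0/1.5   (both access lists listed, "Inbound"/"Outgoing")
!   show access-lists CAMERA-OUT             (hit counts climb on the viewer lines when they browse)
```

`established` only checks the TCP ACK/RST bits, so this is a stateless approximation; once basic connectivity is proven and the zone-based firewall goes back on, the same policy is better expressed as a zone pair with stateful inspection. The logged deny lines identify anything on the camera switch that tries to talk to the office network, which is exactly the "unknown device plugged into that network" case raised above.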
JP D:

That worked great.

Although I haven't entered it yet, I am assuming that I should set g0/1.5 to ip nat inside?

As for the wireless DHCP scopes, in that case I will put the scopes on my windows server.  I added ip helper-address to vlan50 and vlan51.  Is that correct? or should I be putting an address in the specific vlan's range, and then create a route to  Am I also able to restrict access from vlan51 (guest wifi) to, limiting it to DHCP queries only?

I have attached the current running config.
Yep nat inside on g0/1.5. Also make sure the switch that is downstream from g0/1.5 is trunking to that port.

The VLAN interface configuration looks right with the helper address of your DHCP server. We can apply access lists to the wireless SVI's to lock down what hosts on the guest network can access. Typically DHCP and internet. If for some reason we don't lock down access to only DHCP on the server, we can just add a DHCP scope for the guest wifi on the 1941 so we don't have to deal with locking access down for wifi guests.
JP D:

I have set g0/1.5 to nat inside.  I am also proceeding with changing some of our existing network, so that I can do some after hour live tests and to make the transition smoother (when that time comes).

Question regarding the camera network: I am setting up the switches, and have defaulted them to vlan5 and trunked the ports connected between them.  What do I set the camera ports to, access or trunk?  I was going to set them to access, but then didn't know how that would affect things when someone from, let's say, vlan10 wants to view a camera on their computer.  If the port to the camera is set to access, will they be able to connect to it?

Another side question.....rather minor and slightly the poop do you get the entire running config to show when you run show config?  It is so annoying to hit enter until I reach the bottom.

Should I add the wifi vlans (vlan50 & 51) to the NAT_ACL? (I'm assuming that this will allow them access to the internet)
Yes, the link off of g0/1.5 will be trunked to the downstream camera switch. The physical ports the cameras connect off of on the camera switch should be set to access and access vlan 5. Go ahead and enable 'spanning-tree portfast' under the access ports as well.

Users from different vlans will be able to reach the camera network because the 1941 is acting as the layer 3 device. If we had multiple vlans on multiple switches and were trunking between them with no layer 3 device, devices in other vlans would not be able to communicate. Note: we need to make sure that the other branches have routes (static or dynamic) to the networks on the 1941 we're currently working on, and also that the 1941 we are configuring has routes to the other networks in the other branches. If we don't install those routes, then users in different vlans will not be able to communicate. To further expand, since the 1941 has the vlan 10 and vlan 5 networks locally connected, we won't need to create routes pointing to them on this 1941.

Regarding the wifi vlans, yes if they need internet access add them to NAT_ACL.

To display the entire config without breaks:
JP D:

That command to display the entire config with no breaks is GREAT!!!!

I've added the wifi vlans to NAT_ACL.  I was also thinking, since I only want to allow users on the guest wifi (vlan51) to have access to the internet, and maybe a printer, but not the windows domain (server), would it just be easier to put the DHCP scope for vlan51 on the 1941?

I am also in the process of changing over our existing network (creating the relevant vlans and adjusting the switches) to allow for some live tests.  So far, so good.  The camera network is changed over to vlan5 and seems to be running fine.

I've attached the current running config.  I think i'm good for the next step.
Yeah, I think that would be easiest to have the DHCP scope for vlan 51 on the 1941. We will still need to lock down that subnet to internet access only with an ACL.
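One way to do both things settled in this exchange, the VLAN 51 pool on the 1941 and the internet-only ACL, together with the helper address for the trusted VLAN 50 and the NAT_ACL entries discussed a few posts up. This is an added example, not configuration from the thread; it assumes 192.168.50.0/24 and 192.168.51.0/24 for the two wireless VLANs, the Windows DHCP server at 192.168.1.10, a printer at 192.168.1.20 as the one internal device guests may use, and a public resolver (placeholder 203.0.113.53) handed to guests.

```cisco
! Trusted (VLAN 50) and guest (VLAN 51) wireless on the 1941.
! Assumed values (not from the thread): VLAN 50 = 192.168.50.0/24 with DHCP relayed to the
! Windows server 192.168.1.10; VLAN 51 = 192.168.51.0/24 with DHCP on the router, guest DNS
! 203.0.113.53 (placeholder for a public resolver), printer 192.168.1.20.
ip dhcp excluded-address 192.168.51.1 192.168.51.9
ip dhcp pool GUEST-WIFI
 network 192.168.51.0 255.255.255.0
 default-router 192.168.51.2
 dns-server 203.0.113.53        ! a public resolver: the domain controller is blocked below
 lease 0 4                      ! 4-hour leases, guests come and go
!
ip access-list extended GUEST-IN
 remark DHCP to this router: clients send from 0.0.0.0, so match on the ports only
 permit udp any eq bootpc any eq bootps
 remark the single internal pinhole: raw printing to the office printer
 permit tcp 192.168.51.0 0.0.0.255 host 192.168.1.20 eq 9100
 remark everything else internal is off limits: router SVIs, data, voice, cameras, trusted wifi, VPN sites
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 remark what remains is the internet; source is pinned so spoofed addresses hit the implicit deny
 permit ip 192.168.51.0 0.0.0.255 any
!
interface Vlan50
 description TRUSTED-WIFI
 ip address 192.168.50.2 255.255.255.0
 ip helper-address 192.168.1.10  ! broadcast DHCP discover is relayed as unicast to the server
 ip nat inside
 no shutdown
!
interface Vlan51
 description GUEST-WIFI
 ip address 192.168.51.2 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
 no shutdown
!
! Both wireless subnets need to be in the NAT list or they never reach the internet.
ip access-list standard NAT_ACL
 permit 192.168.50.0 0.0.0.255
 permit 192.168.51.0 0.0.0.255
!
! Verification:
!   show ip dhcp binding              (guest leases handed out by the router)
!   show access-lists GUEST-IN        (permit counters climb for DHCP and internet, deny for probes)
```

Order matters here: the DHCP and printer permits sit above the RFC 1918 denies, and the final permit names 192.168.51.0/24 as the source so a guest spoofing another subnet falls through to the implicit deny. Hand guests a public resolver, not the domain controller, or the deny on 192.168.0.0/16 silently breaks their DNS. The logged deny line is worth keeping: it shows which guest devices are probing the office network.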
JP D:

An interesting issue came up, and I am still trying to figure out how to test things with the 3Com x5...

The wireless access point that we have does allow for up to 4 SSIDs on separate vlans, which is great.  So I set up vlan50 and vlan51.  Here is the catch though:  I cannot enter subnet info for each vlan, and I can only enter one IP address (or DHCP) for the access point itself.  Plus, it also states that if I enable trunking, then management of the access point can only be done from the vlan of SSID 1, or a direct ethernet connection.  It doesn't state anything, anywhere, about whether the IP assigned to the access point has to match the range of any of the SSIDs.

So I have a couple of options, that are posing difficult to test with the x5 router that is currently in place:

1. assign the access point an ip address in the vlan 10 range, trunk the port it's connected to on the ESW switch, serve DHCP for vlan51 on the router and vlan50 on the windows server.  I would have to manage the access point via wifi on vlan50 (connecting directly would be rather annoying, unless I can still connect from the vlan 10 network).  I am not quite sure how the routing of the DHCP requests would go though.
2. Another idea would be to create 3 SSIDs.  SSID 1 would be on the same vlan as the access point (vlan10), and would have an obscure wifi key and maybe some other forms of locking it down.  SSIDs 2 & 3 would be vlan50 and vlan51.  I am still not sure how the DHCP requests would go, but this may allow a management connection to the access point without doing it via wifi or unplugging and connecting directly to it, if the above doesn't work.
3. I could also just assign the access point an ip that is on vlan 50, set SSID 1 to vlan 50, and SSID 2 to vlan 51.  I'm pretty sure that everything would work fine for vlan 50, but am still not sure how the DHCP requests would go for SSID 2 (vlan 51).

I need to fool around with the X5 router so that I can test some options.
That is interesting, what kind of AP is it? It makes sense to only have one management IP on the access point; usually APs are on their own VLAN, and in an autonomous setup you will want to trunk to the AP to carry the different VLANs. You should be able to manage the AP from any routable IP in the network using the management IP, as the AP is connected to the switch.

The AP will send a DHCP Discover message to the entire subnet looking for a reply. Since we set up the IP-Helper command on the SVIs, the 1941 will respond with the DHCP servers to use. The AP knows what VLAN to send the request on because you probably associated the SSID with a specific VLAN, so when a user connects to that SSID, the AP knows what vlan to tag.
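The two DHCP arrangements discussed above (relay to the Windows server for VLAN 50, a pool on the 1941 itself for VLAN 51), written out as an added example; this is not the thread's posted config. All addresses are assumptions: VLAN 50 as 10.0.50.0/24, VLAN 51 as 10.0.51.0/24, the Windows DHCP/DNS server at 10.0.11.10 in VLAN 11, and Google's public resolvers for the guests. One point worth knowing before deciding what DNS to hand out: a 1941 does not answer DNS queries unless `ip dns server` is configured together with `ip name-server`, so the guest pool below gives out external resolvers and VLAN 51 never has a reason to reach the internal DNS server.

```ios
! Added example, not the thread's config. Assumed addressing: VLAN 50 (trusted wifi)
! 10.0.50.0/24, VLAN 51 (guest wifi) 10.0.51.0/24, Windows DHCP/DNS server 10.0.11.10
! in VLAN 11. Substitute the real ranges; the mechanics do not change.
!
! VLAN 50: a client's DHCPDISCOVER is a broadcast and never crosses the router by
! itself. ip helper-address makes the SVI re-send it as a unicast to the server with
! giaddr = 10.0.50.1; the server picks its 10.0.50.0/24 scope from that giaddr (so the
! scope must exist on the server) and replies to the relay, which hands the offer back
! out on VLAN 50.
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
 ip helper-address 10.0.11.10
!
! A helper relays more than DHCP by default (TFTP, DNS, NetBIOS name and datagram,
! TACACS, time). Only DHCP is wanted here, so switch the others off globally.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip forward-protocol udp time
!
! VLAN 51: served by the 1941 itself, so guests never need to reach the Windows server.
! Reserve the gateway and a block for statically addressed gear (the AP) first.
ip dhcp excluded-address 10.0.51.1 10.0.51.20
ip dhcp pool GUEST_WIFI
 network 10.0.51.0 255.255.255.0
 default-router 10.0.51.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 8
!
interface Vlan51
 ip address 10.0.51.1 255.255.255.0
!
! Verification:
!   show ip dhcp binding             leases the 1941 has handed out on VLAN 51
!   show ip dhcp server statistics   discover/offer/request/ack counters
!   debug ip dhcp server packet      watch one guest client's exchange live
!   debug ip udp                     on VLAN 50, confirm the relayed unicast to 10.0.11.10
```

The relay only works if the Windows server has a scope for 10.0.50.0/24 and a route back to that subnet (its default gateway on the 1941 normally covers this). If the server answers but clients still get an address from the wrong scope, check the giaddr the server is seeing; it will be whichever SVI address relayed the request.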
JP D:

It's a TP-Link WA901ND.

I'm really not sure where the issue is, but every way that I do it, it gives a DHCP address of 192.168.1.x no matter which wifi vlan you're connected to.

I'm not a total expert with the Cisco ESW switches, but they seem to make sense.  I have vlans 50&51 trunked to the wifi access point and back to the router.  I set up the DHCP scope for 51 on the router and 50 on the server.  The server does only have a single NIC, but from what I understand, that should not matter.

However, there are a couple of things that are quite possibly responsible for it not working correctly.....I'm testing this out on our existing network, which is using the 3com X5 router and has the users all on vlan 1 to start with.  I also noticed that the 3com does have a DHCP relay server feature, but it's general.  It does not list the relay for each network/vlan/interface, such as using ip helper-address (which makes much more sense).

I'm not going to bother messing around with testing the wifi setup on our existing network any further.  The logic is there, and the wifi is not as important as the rest of our networks, so I think I'll just move on and if it doesn't work right away with the 1941, then I'm sure it won't be too difficult to get going.  If need be, then I could just leave the old wifi setup going until I get the new set up going.

Alright, back to the ACLs then (including the wifi vlans 50&51)....
JP D:

I've been reading the Cisco document 23602 on ACLs, and the basics seem to make sense.  However, I am not too sure what standard practice is as to what you should have at a minimum (what should be blocked/permitted at a minimum)?

In the meantime, I'm also going to give a shot at setting up the 1941 for the other office, and then I'll post the config to see how I did.  Then a VPN can be set up between the two, as I am not sure how to do that on Cisco devices, especially through CLI.
Do some research and then post your findings and then we can go through it.
JP D:

I've attached my running config for the other office, I guess I put most of it in earlier.  Anyway, a couple of questions from it:
- I noticed that I have switchport trunk native vlan 20 for g0/0/1 and g0/0/2.  Should I be doing the same for g0/1/0 & g0/1/1 & g0/1/2 on the router we're working on above?
- For this router (MG_1941) the WAN connection is PPPoE, how do I set that up?
- The above question leads to how I would set the nat inside source list with a gateway that is obtained through DHCP on the WAN interface

The MG_1941 network setup is pretty basic, no other networks (ie. cameras, wifi)

I know that I could just toss the above in via CCP, but I'd rather learn how using CLI.
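The PPPoE and "NAT with a gateway I don't know in advance" questions asked above, answered as an added CLI example; this is not MG_1941's own config. Assumptions: the ISP terminates PPPoE on GigabitEthernet0/0, the office LAN is VLAN 20 as 10.0.20.0/24 behind interface Vlan20, and the CHAP username and password are placeholders. The key idea is that both the default route and the NAT statement name the Dialer interface instead of an address, so they survive whatever the ISP assigns.

```ios
! Added example, not MG_1941's config. Assumptions: PPPoE on GigabitEthernet0/0,
! LAN = VLAN 20 = 10.0.20.0/24, CHAP credentials are placeholders to replace.
!
interface GigabitEthernet0/0
 description WAN - PPPoE to ISP
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
!
! The PPP session lives on a dialer interface; the public address and the peer are
! learned during PPP negotiation, so there is nothing static to type here.
interface Dialer1
 description PPPoE session to ISP
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname isp-user@example.net
 ppp chap password 0 isp-password
!
dialer-list 1 protocol ip permit
!
! Default route and NAT both reference the interface rather than a next-hop address,
! so they keep working whatever address the ISP hands out on each connection.
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list standard NAT_INSIDE
 permit 10.0.20.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface Dialer1 overload
!
! PPPoE takes 8 bytes out of the 1500-byte Ethernet MTU. Clamp TCP MSS on the inside
! interface so hosts do not depend on path-MTU discovery working through the ISP.
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
! Verification:
!   show pppoe session                            session up, with session ID and AC MAC
!   show ip interface brief | include Dialer1     the negotiated public address
!   show ip nat translations                      inside-local to inside-global mappings
```

If the provider authenticates with PAP rather than CHAP, the two `ppp chap` lines become `ppp pap sent-username isp-user@example.net password 0 isp-password` and the authentication line `ppp authentication pap callin`. Keep the credential out of the running config you post here.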
JP D:

Will do.

I want to thank you for all your help thus far.  You've gone way above and beyond on this one.  

I really wish that the site admins would allow for some kind of additional or private rewards program or a way of creating/editing a posted question to allow for multiple & separate reward allocations (not a multiple solution) when a question ends up spanning out to multiple questions (make sense?).  As I do feel that this question contains many sub questions, and to create a new question posting for each would complicate things immensely as they would all require background knowledge of the original question (and possibly other sub questions).  In the past, I have asked questions that I did feel were worth 500 points (and a grade of "A"), but this I feel is more than simply just a question.

Any site admins that can tune in with any suggestions?

Again, thank you so much for everything thus far Leeeee, I am learning an incredible amount here.

No problem, this is a lengthy one :) I'll look at the config and your comment above and post a little later. Thanks!
JP D:

I've come up with a starting list of which networks/IP's I want to allow or deny connections to each other.

Before I try and put that into ACL's, I do have one question.  I am not sure as to the best place to deny access.  Example: (made up arrangement)

Network A connected to int g0/0
Network B connected to int g0/1

If I want to deny Network B from accessing Network A, is it better to apply the denial ACL at int g0/0 or int g0/1? (If I understood what I read correctly, I have the choice to do either one)
You want to place extended ACLs as close to the source as possible. Since ACLs are layer 3, you will place them on the vlan interfaces.
JP D:

Alright, here is my first attempt for the IN ACLs for the vlan interfaces (and int g0/1.5).

I am sure that I am missing some things (or that I am a little off on all of it! LOL), and I am unsure as to how the DNS queries through the networks.  Right now, the PDC at vlan10 is also running DNS.  For the internal networks that have little to no reason to access vlan10, will their DNS queries be handled by the 1941 router?

I have only started with the inbound ACLs, as I feel that I will require a little help on the outbound and any ACLs that I should have to protect my internal networks from external attacks (or does the firewall setting handle that?)

I also just realized that we haven't set up the 1941 to handle the DHCP scope for vlan51 (the guest wifi).

I have attached the files showing my first attempt (both the running config and show access-list, in case it makes it easier)
JP D:

Well, it's been about a week, and I think I have gone about as far as I can now, before having it Q.C.'d.

I've done lots of reading, and have added a couple of things to the ACLs.  I also attempted to config the 1941 to serve DHCP requests for vlan51.

Looking up some info on utilizing the firewall, I added the CBAC ACL and applied it to inspections on int g0/0/0 (the external interface).

Also note that I decided to change the network to vlan11 (from vlan10).  That made more sense to me, since our other location uses the network

In the DHCP section, I wasn't sure if I should have the DNS pointing to the router, or to our ISPs DNS servers?

The only thing that I haven't done, is configure a VPN to/from our other offices (one will be running the other 1941 router and the other will be using a Cisco RV180 router).

Take a look, and let me know what changes I should be making or adding.
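The external-interface piece mentioned above (CBAC inspection applied on the WAN port, plus an inbound ACL), as an added example rather than the thread's posted config. Assumptions: GigabitEthernet0/0/0 faces the internet with a static address of 203.0.113.2/30 (a documentation range), every internal subnet sits inside 10.0.0.0/16, and the future site-to-site IPsec tunnels will terminate on that address. The point the example makes is that once CBAC tracks outbound sessions and opens the return traffic itself, the inbound ACL does not need a "permit established" line at all; that line only checks a TCP flag any sender can set.

```ios
! Added example, not the thread's config. Assumptions: GigabitEthernet0/0/0 is the
! internet-facing port with static address 203.0.113.2/30, internal subnets are within
! 10.0.0.0/16, and IPsec from the other offices will terminate on 203.0.113.2.
!
! Classic IOS firewall (CBAC). Sessions leaving through g0/0/0 are tracked and the matching
! return flows are opened dynamically, so OUTSIDE_IN below has no "established" permit.
ip inspect name INSIDE_OUT tcp
ip inspect name INSIDE_OUT udp
ip inspect name INSIDE_OUT icmp
ip inspect name INSIDE_OUT ftp
!
ip access-list extended OUTSIDE_IN
 remark --- anti-spoofing: these sources never legitimately arrive from the internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 deny   ip host 203.0.113.2 any log
 remark --- what the router itself must accept: IPsec from the other offices
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.2
 remark --- ICMP that traceroute and path-MTU discovery from inside rely on
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark --- everything else is logged and dropped; CBAC's temporary openings are checked first
 deny   ip any any log
!
interface GigabitEthernet0/0/0
 description WAN - static address
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect INSIDE_OUT out
!
! Verification:
!   show ip inspect sessions       live sessions CBAC is holding open
!   show access-lists OUTSIDE_IN   per-line hit counts; the spoof denies should stay near zero
!   show logging                   the logged denies, for spotting what is knocking
```

The NAT statement is left out here; with a static WAN address it takes the same form as the PPPoE case but names GigabitEthernet0/0/0 as the outside interface. If the other offices should be able to ping this router, add `permit icmp any host 203.0.113.2 echo` from their public addresses only, not `any`.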
Leeeee:

[members-only solution not included in this copy of the thread]
JP D:

I was kinda wondering about denying private IPs on the external interface.  I know that it's best practice to place a permit ACL for established inbound traffic, but I guess that can be spoofed as well.  So in that case, I am guessing that it's best to place the denial of any traffic coming from a private IP (coming inbound from the internet) before the permit of established traffic.

The DHCP scope was placed on the 1941 router because I do not want the vlan51 network to touch our main server, and instead of placing a bunch of ACLs to allow only DHCP requests through our server (from vlan51), I figured it would just be easiest to place that DHCP range on the 1941 router.  I guess I could grab a spare device (maybe an old router, or a spare workstation) and make that a dedicated DHCP server for vlan51.

As for the ACLs that I have put in, here is a basic run down of what I was thinking to accomplish:

ACL 102 for VLAN 100 (Cisco IP phone network)
- allowed to access VLAN 11 only
- not allowed to access any other internal network
- (Cisco UC520 phone system) allowed to access internet (I think I could probably even limit this to SMTP traffic going out, for voicemail to email, and NTP traffic.  I believe those are the only reasons it ever needs to connect to the internet)
- all other clients in VLAN 100 not allowed to access internet

ACL 101 for VLAN 11 (user network, including main server)
- not allowed to access VLAN51 (guest wifi network)
- allowed to access all other internal networks

ACL 150 for VLAN 50 (trusted wifi network)
- allowed to access VLAN 11 and camera network only
- not allowed to access VLAN 51, VLAN 100, and the IP that points to the UC520 phone system
- allowed to access internet

ACL 151 for VLAN 51 (guest wifi network)
- not allowed to access any internal network
- allowed to access internet

ACL 105 for Camera Network (int g0/1.5)
- (camera NVR server) allowed to access VLAN 11 and VLAN 50 and Internet
- all other clients not allowed to access any internal network or internet

I believe that is it.  I also just realized that I messed up a bit with not allowing VLAN 50 and VLAN 100 to talk (in the current config).  I'll make that change.

My logic was, following the idea of applying ACLs as close to the source as possible, I thought it best to place the ACLs on the inbound traffic, coming in from each internal network, and prevent any non-allowed traffic from even going through the router, rather than blocking the non-allowed traffic before it leaves its final interface to its destination.

I'm going to make the above revisions now.
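Two of the lists from the rundown above (ACL 151 for the guest wifi and ACL 150 for the trusted wifi), written as an added example of the inbound-on-the-source-SVI approach described in this and the earlier reply; this is not the thread's posted config. Addressing is assumed: VLAN 11 as 10.0.11.0/24 with the UC520 given an assumed address of 10.0.11.5 in that VLAN, VLAN 5 cameras as 10.0.5.0/24, VLAN 50 as 10.0.50.0/24, VLAN 51 as 10.0.51.0/24, VLAN 100 phones as 10.0.100.0/24. Three things the example shows that a list of permits and denies does not: DHCP has to be let through before any deny that would swallow it, a host deny must sit above the permit for its subnet or it never matches, and ending the guest list with a permit from the guest subnet only (rather than `permit ip any any`) stops a guest from sourcing traffic with a forged inside address.

```ios
! Added example, not the thread's ACLs. Assumed addressing: VLAN 11 users/server
! 10.0.11.0/24, UC520 at 10.0.11.5 (assumed), VLAN 5 cameras 10.0.5.0/24, VLAN 50 trusted
! wifi 10.0.50.0/24, VLAN 51 guest wifi 10.0.51.0/24, VLAN 100 phones 10.0.100.0/24.
!
! IOS evaluates an ACL top-down and stops at the first match, so each list has the same
! shape: let DHCP through, deny the narrow things, permit the broad things, fall to the
! implicit deny. Named lists allow remarks and sequence numbers; numbered ones do not.
!
! Guest wifi (the thread's ACL 151): DHCP to the 1941, nothing private, then internet.
ip access-list extended ACL151_GUEST_IN
 remark DHCPDISCOVER arrives as 0.0.0.0 -> 255.255.255.255 and would hit the 10/8 deny below
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark only genuine guest addresses may leave; a spoofed source falls to the implicit deny
 permit ip 10.0.51.0 0.0.0.255 any
!
! Trusted wifi (the thread's ACL 150): the host deny for the UC520 comes before the
! permit for its subnet, otherwise the permit matches first and the deny is dead.
ip access-list extended ACL150_TRUSTED_IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.0.50.0 0.0.0.255 host 10.0.11.5 log
 deny   ip 10.0.50.0 0.0.0.255 10.0.51.0 0.0.0.255 log
 deny   ip 10.0.50.0 0.0.0.255 10.0.100.0 0.0.0.255 log
 permit ip 10.0.50.0 0.0.0.255 10.0.11.0 0.0.0.255
 permit ip 10.0.50.0 0.0.0.255 10.0.5.0 0.0.0.255
 remark any other internal range, including ones added later, stays blocked
 deny   ip 10.0.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.0.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.0.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip 10.0.50.0 0.0.0.255 any
!
! Bound inbound on the source SVI: unwanted traffic is dropped before it is routed.
interface Vlan51
 ip access-group ACL151_GUEST_IN in
interface Vlan50
 ip access-group ACL150_TRUSTED_IN in
!
! Verification:
!   show access-lists ACL150_TRUSTED_IN                hit counters per line
!   show ip interface Vlan50 | include access list     which list is bound, and in which direction
```

These lists are stateless, so replies from VLAN 11 back to VLAN 50 are judged by whatever is bound inbound on Vlan11 (ACL 101 in the rundown above, which allows it), and the guests' internet return traffic is judged by the WAN-side ACL and inspection. Leaving the gateway address inside the 10/8 deny on the guest list is deliberate: guests cannot probe the router, while the unicast DHCP renewals to 10.0.51.1 still match the bootpc/bootps line above it.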
JP D:

Alright, so I've been playing around with some spare switches that I have on hand, to test out the connectivity of the setup so far.  I can't seem to get anything to communicate.  I have a feeling that I have something misconfigured on the test switches.  

Here is how I have them:

I'm using a completely seperate WAN connection from that of the live office WAN.  The 1941 shows it as up.

I have a switch connected to int g0/1/1 on the 1941 to port 1 on the switch.  I have added vlans 5,11,50, 51, and 100 to the switch. I set the switch to with management vlan11.  Port settings are:
Port 1 - Trunk, PVID 1, membership=1U, 5T, 11T, 50T, 51T, 100T
Port 2-8 - Access, PVID 11, membership=11U
Spanning Tree enabled on all ports with Rapid STP and Flooding BPDU, Priority 32768
Multicast (a little fuzzy on this) is set to forward unregistered on all vlans

Right now I just set all the access ports to vlan 11, just to test that first. Then I'd move on to changing the vlans on some of the ports.

I connected a PC to port 2 on the switch, with ip (vlan 11), and I connected a PC to int g0/1/0 with ip (vlan 11, simulating the server).  From the pc connected to the switch (or even the pc connected to the 1941), I can only ping (the 1941 vlan 11 IP).  I cannot contact each other (PC's), and cannot contact the internet.

Am I missing something on the switch setup? Also, in our live office we have the users' PCs connected to their Cisco IP phone, and that IP phone connects to the switch, so in that case, should I actually have those ports on the switch set to Trunk, rather than Access, because technically 2 vlans will connect to the same port on the switch?

ESW Switch Port 6]-----enet cable----[IP Phone (vlan 100) ]-----enet cable-----[user PC (vlan 11)

Hope that makes sense.

Im going to keep playing around with the settings and see what I can get, but please let me know if you notice anything missing.
Hey Renfrey,

What kind of switches? Can you post the config? Make sure your firewall is off on your PC and the server or allow ICMP. Try removing ACLs from the interface on the 1941 and testing.

NAT is set up on the 1941? Make sure you have a default route to the internet on the 1941.

Let me know.
JP D:

I was actually just going over the config for the 1941, and I noticed that besides the default route to the internet, there doesn't appear to be any routing set up.

Static routing I could probably enter without an issue (and I may just do that, so I can test it out).  Dynamic, not so familiar with on the Cisco's.  

What would be advisable for our network config, static or dynamic routing?

btw...the switches are Cisco ESW500 series, and a Cisco SG200-8 that I'm testing non-live with.
If your network is not too big, then go with static; else go with dynamic.
JP D:

For the routing table, do I set up the local routes (as I've seen on many routers) by having one route going to the local routers interface ip, and then another route for that interface ip to the interface itself?


on the router, interface Vlan 5 has ip

ip route
ip route Vlan5
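On the routing-table question just asked, an added example (not the thread's config) showing what a 1941 on a small network actually needs in the way of static routes. Assumptions: VLAN 5 (cameras) is 10.0.5.0/24 with the 1941 at 10.0.5.1, the other office's LAN is 10.0.20.0/24, and the ISP's next hop on a static WAN is 203.0.113.1. The short version: directly connected subnets get their routes automatically the moment the SVI is up, so the pair of "local" routes described above is not needed on IOS.

```ios
! Added example, not the thread's config. Assumptions: VLAN 5 = 10.0.5.0/24 with the 1941
! at 10.0.5.1, remote office LAN 10.0.20.0/24, static WAN next hop 203.0.113.1.
!
! Nothing to add for a local subnet. As soon as the SVI is up/up, IOS installs the route
! itself, and "show ip route" lists it as
!   C  10.0.5.0/24 is directly connected, Vlan5
!   L  10.0.5.1/32 is directly connected, Vlan5
! "ip route 10.0.5.0 255.255.255.0 Vlan5" is therefore redundant, and a route whose next hop
! is the router's own address is wrong: a next hop must be another device on a connected link.
interface Vlan5
 ip address 10.0.5.1 255.255.255.0
!
! What does need a static route:
!
! 1. The default route to the ISP. With a static WAN address, point at the provider's next
!    hop (with PPPoE, point at the Dialer interface instead).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! 2. The other offices' subnets, once the site-to-site VPN exists. With a crypto map on the
!    WAN interface the default route already covers them and IPsec encrypts whatever matches
!    the crypto ACL, so nothing is added. With a tunnel interface (VTI or GRE) the remote
!    subnet is routed into the tunnel; only enter this once Tunnel0 is configured:
ip route 10.0.20.0 255.255.255.0 Tunnel0
!
! Verification:
!   show ip route                 C/L = connected, S = static, S* = the default
!   show ip route 10.0.20.0       which entry a given destination actually uses
!   show ip interface brief       an SVI shown down/down has no route at all; its VLAN must
!                                 exist on the switch module and have a live port in it
```

For static versus dynamic on three offices, the static entries above are the whole routing table, which is easier to audit than a routing protocol and has no neighbour relationships to protect. Revisit that only if the number of sites or paths grows.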
JP D:

Alright, I've made various attempts, and I just cannot seem to get anything communicating on the 1941.

I did end up removing the ACLs from each interface, by using "no ip access-group xxx in", with the exception of the external interface, as I just want to get the local routing working first.  I've looked in CCP and I can see the static routes (which route the ip group to the specific interface).

It is quite possible that I still don't have the switch that I attached, set up correctly.  The switch is a Cisco SG200-08 (web managed), 8 port switch. I've attached the running config from that switch, but the configuration output is limited because this is a web managed switch.  Basically, this is what I have for the configuration of the switch:

Vlans: 1, 5, 11, 50, 51, 100
switch ip:, gw, dns, management vlan 11
Port1 - Trunk - Vlan membership 1up, 5t, 11t, 50t, 51t, 100t
port2-3 - Access - native vlan 11
port4 - Trunk - Vlan membership 1up, 11t, 50t, 51t
port5-8 - Access - native vlan 11

port 1 is physically connected to int g0/1/1 on the 1941 (simulating the trunk ESW switch), using a straight through connection.
Port 4 is physically connected to a wifi access point with static ip, and that access point is just set to serve vlan51 through wifi for now, because vlan51 should be getting its DHCP from the 1941.
Port 5 is physically connected to a test laptop, with static ip (gw, dns

I also have another wifi access point physically connected to int g0/1 on the 1941, simulating the camera server.  It has a static ip of, and is setup to serve DHCP for the network, over wifi.  Thus allowing me to connect to it and simulate a camera.

I can't seem to ping or connect to anything beyond whatever I physically connect my test laptop to.  For example...if I connect my test laptop to the switch (with static ip, I can connect to the switch web interface, but cannot connect to anything else.  If I connect to either of the wifi access points, I can get the web interface of the access point that I am connected to, but nothing else.  Both the 1941 and the switch show that the interfaces connected, are up and running.

Any help, please!
JP D:

I seem to be getting closer to the problem, and I am pretty certain that it revolves around the set up on the switch.

I took the other 1941 that I have here, reset it to default, and then re-created the config so that it mimics the interfaces on the one that I am trying to get working.  I kept it very very basic and open though, only the interfaces, vlans, routing, and nat.

Then I hooked up the various access-points and test machines, with the appropriate addresses.  All the devices that I had physically connected to any "Access" interface, could get on the internet and communicate with each other without a problem.  I could not connect to anything that I had connected to the switch, which is physically connected to a trunk interface on the 1941.

The switch setup is exactly as stated in the above posting.

When I changed all the "access" ports on the switch to native vlan1, anything connected to those could access the internet through the 1941.  However, that is using vlan1, untagged, which I don't believe is what I should have.
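The router's side of the trunk that the last two posts are circling, and the earlier native-VLAN question about g0/1/0, g0/1/1 and g0/1/2, as one added example; this is not the thread's config. Assumptions: GigabitEthernet0/1/1 is the EHWIC switch port cabled to SG200 port 1, GigabitEthernet0/1/0 is the access port for the test PC standing in for the server, VLAN 1 stays untagged (native) on both ends, and VLAN 11 is 10.0.11.0/24. The symptom "only untagged VLAN 1 gets through" is what a missing trunk configuration on the router's port looks like: an access port drops tagged frames silently, and so does a trunk whose allowed list omits the VLAN.

```ios
! Added example, not the thread's config. Assumptions: GigabitEthernet0/1/1 trunks to SG200
! port 1, GigabitEthernet0/1/0 is an access port for the test "server" PC, VLAN 1 is the
! untagged/native VLAN on both ends, VLAN 11 = 10.0.11.0/24.
!
! 1. Create the VLANs on the router's switch module first; an SVI for a VLAN that does not
!    exist there never comes up. On ISR G2 EHWIC switch ports this is vlan database mode,
!    entered from privileged EXEC rather than from configure terminal:
!      Router# vlan database
!      Router(vlan)# vlan 5 name CAMERAS
!      Router(vlan)# vlan 11 name USERS
!      Router(vlan)# vlan 50 name WIFI_TRUSTED
!      Router(vlan)# vlan 51 name WIFI_GUEST
!      Router(vlan)# vlan 100 name PHONES
!      Router(vlan)# exit
!
! 2. Router end of the trunk. "native vlan" is the VLAN of UNTAGGED frames and must equal
!    the PVID on the switch's trunk port (1 here). Tagged frames for a VLAN missing from the
!    allowed list are dropped without any log message, so list every VLAN the switch tags.
interface GigabitEthernet0/1/1
 description Trunk to SG200-08 port 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,5,11,50,51,100
 switchport mode trunk
 no shutdown
!
! 3. A directly attached host is an access port: one VLAN, no tag, no native-vlan setting.
interface GigabitEthernet0/1/0
 description Test PC standing in for the server
 switchport access vlan 11
 switchport mode access
 no shutdown
!
! 4. The routed side. Two VLAN 11 hosts, one behind the SG200 and one on g0/1/0, are bridged
!    inside the EHWIC without touching this SVI; it is only their gateway to other VLANs.
interface Vlan11
 ip address 10.0.11.1 255.255.255.0
!
! Verification, in the order that finds the break fastest:
!   show interfaces trunk        g0/1/1 listed, mode on, native 1, VLANs 1,5,11,50,51,100 active
!   show vlan-switch brief       every VLAN present; g0/1/0 listed under 11
!   show mac-address-table       the SG200-side PC's MAC learnt on Gi0/1/1 in VLAN 11
!   show ip interface brief      Vlan11 up/up
```

Two practitioner notes. Using a data VLAN as the native VLAN (native vlan 20 on the other router's trunk ports) means untagged frames from anything plugged into that trunk land in the user VLAN, which is the basis of the classic double-tagging VLAN-hopping trick; an unused VLAN number as native on both ends avoids it. And on Catalyst-style IOS switch ports the phone-plus-PC arrangement is an access port with `switchport voice vlan 100` added rather than a trunk: the phone tags its own frames with the voice VLAN and passes the PC's frames through untagged.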

JP D:

Thank you very much for all your assistance.  I am aware that this was a very long process and I really wish I could award more points for this one.

It was an extremely educational process.

Thank you.
JP D:

After much testing of the 1941, under various scenarios, it has become pretty obvious that the 1941 is now working as I had hoped it would.  The problem now seems to be related to the switches we have in place.

Our telephony provider had put Cisco ESW series switches in place, which initially seemed pretty good, and I am sure that they are, in the right environments.  However, the ESW series of switches do not have CLI capability, and are proving very difficult to set up the ports going to each IP phone (then the end-user PC) as access ports, and have the switch auto-detect the voice VLAN and allow it through.  The ESW switches seem to be built around having all the interfaces set up as trunk ports.

As such, I feel that my need for assistance with the 1941 is pretty well completed.  The switches really warrant a separate case/question.

I have awarded the points and closed this support case.

Thank you for all your help.  I really, really appreciate it!!!!!