Cisco Help

[KDF]

Hi Cisco peeps,

Got an 871W (1 x WAN 4 x LAN), trying to set it up so

1) it transmitts two SSID's (1 Main SSID and 1 Guest SSID)
2) The main SSID give access to all internal and the internet and gets its ip from our dhcp server (this is working great !)
3) The Guest gives only access to the internet and gets its IP from dhcp in the 871 (not working properly)

The Guest access has confused the hell out of me. The main SSID acts as an access point so its just a fancy L2 switch really.. But I need the guest one to be able to speak to everything as well despite it being on a different subnet so that I can then create access rules. BTW there is an internal dhcp which dishes out IP's to the guest access no problem.. and I can ping 192.168.1.252 from the guest network but nothing else

Any ideas ? here is what I have so far

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco871
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid Main
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 password1
!
dot11 ssid Main-Guest
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 password2
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.101.1 192.168.101.10
!
ip dhcp pool guest
   import all
   network 192.168.101.0 255.255.255.0
   domain-name mydomain.com
   default-router 192.168.1.252
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid Main
 !
 ssid Main-Guest
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 description Guest WLAN
 encapsulation dot1Q 2
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan2
 no ip address
!
interface BVI1
 ip address 192.168.1.252 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end

 

[young_lew]

if the access point has 192.168.101.1 wouldn't it need a separate default gateway as it's on a different subnet?

we advertise 2 SSID's and each one has a separate network number and a separate default gateway, they can't share just 1.

 

[KDF]

I am thinking along the lines of two different Vlans, with restrictions thrown into the second vlan to stop it accessing anything on 192.168.1.* except our gateway to the net which is 192.168.1.254.

Hmm.. I am doing Cisco course but only on Sem 2.. and other than subnetting nothing they have taught me so far is relevent to what I'm doing now !!

 

[Longy]

show us the route table?

 

[cli0 172]

You're having a laugh right ? You learn this stuff at primary school :clown:

 

[Longy]

You're having a laugh right ? You learn this stuff at primary school :clown:

Helpful

 

[Phill1978]

ok explain this bit

"ip dhcp pool guest
import all
network 192.168.101.0 255.255.255.0
domain-name mydomain.com
default-router 192.168.1.252
"


also why not route the guest to the DHCP server ? why the difference out of interest. you can and have created two separate wireless vlans with there own subnet on the router and scope on dhcp is only for one ?


also i mainly work on switches n stuff but what about a trunk native vlan allowed command on interface ?

sorry my networky stuff aint as hot as it used to be

 

[KDF]

show us the route table?

Sorry aint at the router now, i'll post it up tomorrow. Remember for the most part this is acting as a Layer 2 device though

You're having a laugh right ? You learn this stuff at primary school :clown:

'ever.... :rasp:

ok explain this bit

"ip dhcp pool guest
import all
network 192.168.101.0 255.255.255.0
domain-name mydomain.com
default-router 192.168.1.252
"


also why not route the guest to the DHCP server ? why the difference out of interest. you can and have created two separate wireless vlans with there own subnet on the router and scope on dhcp is only for one ?


also i mainly work on switches n stuff but what about a trunk native vlan allowed command on interface ?

sorry my networky stuff aint as hot as it used to be

I want the cisco to act as a AP, and AP is really a L2 device... and to be honest it will be easier if the same Primary/backup DHCP server manages all the internal access IP's.

The Guest can be on its own subnet and I don't want guest access to reduce the number of IP's available to others as the previous network guy used a 255.255.255.0 mask !(which should be more secure) and I basically just want to route all its traffic to 192.168.1.254 which is our gateway for the internet.

The default-router entry I was actually mucking about with trying different things.. I also had this set to the BVI and VLAN addy to no avail. I also figured I might need to do some kind of internal NAT but not quite sure how to.

I will speak to my CCIE next Monday for advice if no-one can help, just seemed to be a few Cisco folk on here so thought I would give it a go.. even if its just to bounce a few ideas around.

 

[Phill1978]

I want the cisco to act as a AP, and AP is really a L2 device... and to be honest it will be easier if the same Primary/backup DHCP server manages all the internal access IP's.

so to clarify guest needs only internal DHCP from the router. your logic is to segregate traffic.

The Guest can be on its own subnet and I don't want guest access to reduce the number of IP's available to others as the previous network guy used a 255.255.255.0 mask !(which should be more secure) and I basically just want to route all its traffic to 192.168.1.254 which is our gateway for the internet.

can you not create a new subnet though ? i.e main is as it is, and guest is a new subnet both having separate scopes on DHCP.. the point being that if you create a vlan and trunk through the network there is no chance of the guest getting network file access, sure they are on your network but in a locked down segregated vlan on a different subnet with no access to the other network ?

maybe im not making sense, its hard when im not sat in front of it.. tbh ask the ccie guy.

sorry i couldnt help more

im working on WLAN full time at moment if you get stuck with wireless give me a shout

phill
CCNA,CWNA,CWSP

 

[@Spoonie]

You're having a laugh right ? You learn this stuff at primary school :clown:

Did you learn at school how to give answers?

 

[KDF]

so to clarify guest needs only internal DHCP from the router. your logic is to segregate traffic.

The Main SSID get its IP from one of our other servers and has access to everything. The Guest gets issued an IP from a different subnet to segregate traffic. But I would like traffic going to 192.168.1.254 to be allowed as its our gateway (Cisco Pix).

But for traffic to go from one subnet to another requires routing.. which is Layer 3 so maybe its not even possible on this little 871w.


can you not create a new subnet though ? i.e main is as it is, and guest is a new subnet both having separate scopes on DHCP.. the point being that if you create a vlan and trunk through the network there is no chance of the guest getting network file access, sure they are on your network but in a locked down segregated vlan on a different subnet with no access to the other network ?

maybe im not making sense, its hard when im not sat in front of it.. tbh ask the ccie guy.

sorry i couldnt help more

im working on WLAN full time at moment if you get stuck with wireless give me a shout

phill
CCNA,CWNA,CWSP

So what your saying is if I segregate the networks using VLAN there is no way of the traffic going to the existing gateway ?

 

[young_lew]

So what your saying is if I segregate the networks using VLAN there is no way of the traffic going to the existing gateway ?

only if you create sub-interfaces on the gateway, or if there's a spare ethernet port on the gateway

 

[KDF]

Ah.. Ok. No spare port on the gateway unfortunately.

here is the interface for the gateway on the cisco pix.

interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!

so if I was to add a subinterface like so ?

interface Ethernet1.1
 nameif inside
 security-level 100
 ip address 192.168.101.254 255.255.255.0
!

I leave the security level the same so the two gateways can't talk to each other, then just use a ACL to direct traffic ?

 

[young_lew]

yeah thats correct, then that way the guests have a cut off path through the network then out onto the internet

 

[KDF]

Well, gave up on that bit just now as i'm too busy to worry about it..

Instead I have it set up for Layer 2 AP with IAS authentication using PEAP, TLS, MS-CHAPV2, WPA, TKIP and root certificates (I would have prefered smartcard but heyho !) deployed using AD GP.

Awesome !

I'll sort guest access at a later date.