Cisco 877W Dual SSID/VLAN Security Issue

Similar Messages

• Ip phone and pc VLAN security issue - ISE 1.0

  Hello there.
  We are about to implement IP phones to our current network and during testing I have found 2 issues.
  1- ip phone connects to a protected port using ISE mab authentication for the data network.
  The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
  Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
  2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
  Let me know your thoughts...thanks
  Port config info....below
  interface GigabitEthernet0/2
  description Extra port by Camilos Desk
  switchport mode access
  switchport voice vlan 220
  srr-queue bandwidth share 1 30 35 5
  priority-queue out
  authentication event fail action next-method
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication open
  authentication order mab dot1x
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  mls qos trust cos
  snmp trap mac-notification change added
  auto qos trust
  spanning-tree portfast
  end

  On # 1
  You have the make sure that
  "authentication host-mode multi-domain" command is under each port
  This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect onother PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.
  On #2
  I have not found a solution. But what I have found after deployment is that it has happend only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.
  On the other hand we are not using Cisco phones but mitel. So this might be a whole issueon itself.
  Hope this helps.

• Configure VPN Server Cisco 877W

  Hello!
  I need to implement VPN Server on a Cisco 877W.
  The idea is as follows:
  Access the network from anywhere using the Cisco VPN Client;
  The router need receive a minimum 5 simultaneous connections;
  Each User would have a login and password;
  Cisco 877W (System image file is "flash: C870-advipservicesk9-mz.150-1.M10.bin")
  Following script:
  version 15.0
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug uptime
  service timestamps log uptime
  service password-encryption
  service sequence-numbers
  hostname VPN
  boot-start-marker
  boot-end-marker
  logging buffered 10240
  enable secret PASS@PASS
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock timezone BR -3
  dot11 syslog
  dot11 ssid ACESSO01
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii PASS@PASS
  no ip source-route
  ip dhcp pool ODIM
     import all
     network 192.168.100.224 255.255.255.224
     default-router 192.168.100.254
     dns-server 10.151.176.80 201.10.120.3 10.151.176.79 201.10.1.2
     update arp
  ip cef
  no ip bootp server
  no ip domain lookup
  ip domain name local
  ip inspect name firewall tcp
  ip inspect name firewall udp
  ip inspect name firewall cuseeme
  ip inspect name firewall h323
  ip inspect name firewall rcmd
  ip inspect name firewall realaudio
  ip inspect name firewall streamworks
  ip inspect name firewall vdolive
  ip inspect name firewall sqlnet
  ip inspect name firewall tftp
  ip inspect name firewall ftp
  ip inspect name firewall icmp
  ip inspect name firewall sip
  ip inspect name firewall esmtp max-data 52428800
  ip inspect name firewall fragment maximum 256 timeout 1
  ip inspect name firewall netshow
  ip inspect name firewall rtsp
  ip inspect name firewall pptp
  ip inspect name firewall skinny
  no ipv6 cef
  multilink bundle-name authenticated
  archive
  path flash:config
  write-memory
  file verify auto
  username suporte privilege 15 secret 5 $1$WdPL$PHwugOutS3fztS8hBUl9g0
  ip tcp timestamp
  ip ssh version 2
  bridge irb
  interface ATM0
  description #### A D S L - INTERNET ####
  no ip address
  no ip proxy-arp
  load-interval 30
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  description #### A D S L - INTERNET ####
  pvc 0/35
    pppoe-client dial-pool-number 1
  interface FastEthernet0
  description #### I N T R A N E T ####
  switchport trunk native vlan 100
  switchport mode trunk
  load-interval 30
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Dot11Radio0
  no ip address
  no ip proxy-arp
  load-interval 30
  encryption mode ciphers aes-ccm tkip
  ssid ACESSO01
  speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
  station-role root
  no cdp enable
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Vlan1
  description #### ETH`S ####
  no ip address
  no ip proxy-arp
  load-interval 30
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface Vlan100
  description #### I N T R A N E T ####
  ip address dhcp
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  interface Dialer0
  description #### I N T E R N E T ####
  ip address negotiated
  ip access-group Traffic-Permit-IN in
  no ip redirects
  no ip unreachables
  ip mtu 1492
  ip nat outside
  ip inspect firewall out
  ip virtual-reassembly
  rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop
  encapsulation ppp
  load-interval 30
  dialer pool 1
  dialer-group 1
  ppp authentication pap chap callin
  ppp chap hostname user@user
  ppp chap password pass@pass
  ppp pap sent-username user@user password pass@pass
  ppp ipcp dns request
  ppp ipcp wins request
  ppp ipcp route default
  no cdp enable
  interface BVI1
  description #### BRIDGE Vlan1/Dot11Radio0 ####
  ip address 192.168.100.254 255.255.255.224
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  ip policy route-map PBR
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source route-map ADSL interface Dialer0 overload
  ip nat inside source route-map INTRANET interface Vlan100 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0 name ADSL
  ip route 0.0.0.0 0.0.0.0 10.48.50.1 name INTRANET
  ip access-list extended ADSL
  deny   ip any 10.0.0.0 0.255.255.255
  permit ip any any
  deny   ip any host 192.168.100.255
  deny   udp any any eq tftp log
  deny   ip any 0.0.0.0 0.255.255.255 log
  deny   ip any 127.0.0.0 0.255.255.255 log
  deny   ip any 169.254.0.0 0.0.255.255 log
  deny   ip any 172.16.0.0 0.15.255.255 log
  deny   ip any 192.0.2.0 0.0.0.255 log
  deny   ip any 192.168.0.0 0.0.255.255 log
  deny   ip any 198.18.0.0 0.1.255.255 log
  deny   udp any any eq 135 log
  deny   tcp any any eq 135 log
  deny   udp any any eq netbios-ns log
  deny   udp any any eq netbios-dgm log
  deny   tcp any any eq 445 log
  deny   ip any any log
  ip access-list extended INTRANET
  permit ip any 10.0.0.0 0.255.255.255
  deny   ip any any
  deny   ip any host 10.48.50.255
  deny   udp any any eq tftp log
  deny   ip any 0.0.0.0 0.255.255.255 log
  deny   ip any 10.0.0.0 0.255.255.255 log
  deny   ip any 127.0.0.0 0.255.255.255 log
  deny   ip any 169.254.0.0 0.0.255.255 log
  deny   ip any 172.16.0.0 0.15.255.255 log
  deny   ip any 192.0.2.0 0.0.0.255 log
  deny   ip any 192.168.0.0 0.0.255.255 log
  deny   ip any 198.18.0.0 0.1.255.255 log
  deny   udp any any eq 135 log
  deny   tcp any any eq 135 log
  deny   udp any any eq netbios-ns log
  deny   udp any any eq netbios-dgm log
  deny   tcp any any eq 445 log
  ip access-list extended Traffic-Permit-IN
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 224.0.0.0 0.15.255.255 any
  deny   ip any host 255.255.255.255
  permit tcp any any eq 1723
  permit gre any any
  deny   icmp any any echo
  deny   ip any any log
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any echo
  access-list 110 permit ip 192.168.100.224 0.0.0.31 any
  dialer-list 1 protocol ip permit
  no cdp run
  route-map ADSL permit 10
  match ip address 110
  match interface Dialer0
  route-map INTRANET permit 10
  match ip address 110
  match interface Vlan100
  route-map PBR permit 10
  match ip address ADSL
  set interface Dialer0
  route-map PBR permit 20
  match ip address INTRANET
  set interface Vlan100
  control-plane
  bridge 1 route ip
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  transport input telnet ssh
  scheduler max-task-time 5000
  end

  Some Help?

• Cisco 877W router and external ADSL modem

  Cisco 877W router and external ADSL modem
  In order to support ADSL2+ on a pre ADSL2+ router and in preparation for a later migration to BT infinity I am trying to configure the Router using an external adsl2+ modem appropriately.
  The original configuration had 3 ports configured as one (internal lan) vlan and bridge group together with one wireless sub-interface, the remaining port configured a second vlan and bridge group with a second wireless sub- interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
  The configuration I am attempting is similar the lan ports remain the same, but port 0 as a member of the vlan and bridge group (now a pppoe client) associated with one of the wireless sub interfaces as per above. The ATM interface is downed. This nearly works except that if the wireless subinterface on this bridge group is configured the dialer no longer dials giving a 'no dialer string' error. If I do not configure that wireless sub interface all works well.
  If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless subnet interface (in red).
  version 12.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname xxxxxxxxxxxxxxxxxxxxx
  boot-start-marker
  boot-end-marker
  logging buffered 4096 warnings
  enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  aaa new-model
  aaa group server radius sdm-vpn-server-group-2
  aaa group server radius rad_eap
   server 192.168.253.1 auth-port 1812 acct-port 1813
   server 192.168.253.1 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa authorization ipmobile default group rad_pmip
  aaa authorization network sdm_vpn_group_ml_2 local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone PCTime 0
  clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
  crypto pki trustpoint TP-self-signed-2834265337
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-2834265337
   revocation-check none
   rsakeypair TP-self-signed-2834265337
  crypto pki certificate chain TP-self-signed-2834265337
   certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
  dot11 syslog
  dot11 ssid GuestAP
     vlan 101
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 113B162712001F4A2D2B25
  dot11 ssid LanAP
     vlan 100
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     mbssid guest-mode
  no ip source-route
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.252.1 192.168.252.8
  ip dhcp excluded-address 192.168.252.15 192.168.252.254
  ip dhcp pool sdm-pool1
     import all
     network 192.168.252.0 255.255.255.0
     domain-name XXX.Local
     dns-server xxx.xxx.xxx.xxx
     default-router 192.168.252.254
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  no ip bootp server
  no ip domain lookup
  ip domain name XXX.Local
  ip name-server xxx.xxx.xxx.xxx
  ip name-server xxx.xxx.xxx.xxx
  ip reflexive-list timeout 120
  vpdn enable
  vpdn-group 1
   request-dialin
    protocol pppoe
  username administrator privilege 15 secret 5 £££££££££££££££££££££
  class-map type inspect match-any IN_to_OUT_CLASS
   match protocol tcp
   match protocol udp
   match protocol icmp
  class-map type inspect match-any OUT_to_IN_CLASS
   match protocol https
   match protocol smtp extended
  class-map type inspect match-any DMZ_to_IN_CLASS
   match protocol http
   match protocol https
   match protocol smtp extended
  policy-map type inspect DMZ_to_IN_POL
   class type inspect DMZ_to_IN_CLASS
    inspect
   class class-default
    drop log
  policy-map type inspect IN_to_OUT_POL
   class type inspect IN_to_OUT_CLASS
    inspect
   class class-default
    drop log
  policy-map type inspect OUT_to_IN_POL
   class type inspect OUT_to_IN_CLASS
    inspect
   class class-default
    drop log
  zone security INSIDE
  zone security OUTSIDE
  zone security DMZ
  zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
   service-policy type inspect OUT_to_IN_POL
  zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
   service-policy type inspect IN_to_OUT_POL
  zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
   service-policy type inspect IN_to_OUT_POL
  zone-pair security DMZ_TO_IN source DMZ destination INSIDE
   service-policy type inspect DMZ_to_IN_POL
  bridge irb
  interface Loopback0
   no ip address
  interface Null0
   no ip unreachables
  interface ATM0
   no ip address
   shutdown
   no atm ilmi-keepalive
   dsl operating-mode auto
  interface FastEthernet0
   description Outside Interface (PPPoE)
  interface FastEthernet1
   description Inside Interface
   switchport access vlan 10
  interface FastEthernet2
   description Inside Interface
   switchport access vlan 10
   spanning-tree portfast
  interface FastEthernet3
   description Inside Interface
   switchport access vlan 10
   spanning-tree portfast
  interface Dot11Radio0
   no ip address
   no ip route-cache cef
   no ip route-cache
   encryption vlan 100 mode ciphers aes-ccm tkip
   encryption vlan 101 mode ciphers aes-ccm tkip
   ssid GuestAP
   ssid LanAP
   mbssid
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
   channel 2437
   station-role root
  interface Dot11Radio0.100
   description LanAP
   encapsulation dot1Q 100
   no ip route-cache
   no cdp enable
   bridge-group 10
   bridge-group 10 subscriber-loop-control
   bridge-group 10 spanning-disabled
   bridge-group 10 block-unknown-source
   no bridge-group 10 source-learning
   no bridge-group 10 unicast-flooding
  !interface Dot11Radio0.101
  ! description GuestAP
  ! encapsulation dot1Q 101
  ! no ip route-cache
  ! no cdp enable
  ! bridge-group 1
  ! bridge-group 1 subscriber-loop-control
  ! bridge-group 1 spanning-disabled
  ! bridge-group 1 block-unknown-source
  ! no bridge-group 1 source-learning
  ! no bridge-group 1 unicast-flooding
  interface Vlan1
   description $ES_LAN$
   no ip address
   ip virtual-reassembly
   pppoe enable group global
   pppoe-client dial-pool-number 1
   bridge-group 1
  interface Vlan10
   no ip address
   ip virtual-reassembly
   bridge-group 10
  interface Dialer1
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1452
   ip nat outside
   ip virtual-reassembly
   zone-member security OUTSIDE
   encapsulation ppp
   ip route-cache flow
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname XXXXXXX
   ppp chap password 7 xxxxxxxxxxxxxxxxxxx
   ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
   ppp ipcp dns request
   ppp ipcp wins request
   hold-queue 224 in
  interface Dialer0
   no ip address
  interface BVI10
   description Inside Interface
   ip address 192.168.253.254 255.255.255.0
   ip access-group 101 in
   ip helper-address 192.168.253.1
   ip nat inside
   ip virtual-reassembly
   zone-member security INSIDE
  interface BVI1
   description DMZ Interface
   ip address 192.168.252.254 255.255.255.0
   ip nat inside
   ip virtual-reassembly
   zone-member security DMZ
  ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  ip http access-class 1
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
  ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
  ip access-list extended DMZ_to_IN_POL
   remark SDM_ACL Category=128
   permit ip any any
  ip access-list extended Inside_Clients_NAT
   remark SDM_ACL Category=2
   permit ip 192.168.253.0 0.0.0.255 any
  logging 192.168.253.10
  access-list 1 remark Auto generated by SDM Management Access feature
  access-list 1 remark SDM_ACL Category=1
  access-list 1 permit 192.168.253.0 0.0.0.255
  access-list 100 remark VTY Access-class list
  access-list 100 remark SDM_ACL Category=1
  access-list 100 permit ip 192.168.253.0 0.0.0.255 any
  access-list 100 deny   ip any any
  access-list 101 remark Auto generated by SDM Management Access feature
  access-list 101 remark SDM_ACL Category=1
  access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
  access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
  access-list 101 deny   tcp any host 192.168.253.254 eq telnet
  access-list 101 deny   tcp any host 192.168.253.254 eq 22
  access-list 101 deny   tcp any host 192.168.253.254 eq www
  access-list 101 deny   tcp any host 192.168.253.254 eq 443
  access-list 101 deny   tcp any host 192.168.253.254 eq cmd
  access-list 101 deny   udp any host 192.168.253.254 eq snmp
  access-list 101 permit ip any any
  access-list 199 permit ip any host 10.1.1.1
  dialer-list 1 protocol ip permit
  no cdp run
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
  radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
  radius-server vsa send accounting
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 10 protocol ieee
  bridge 10 route ip
  banner login C Border Router
  line con 0
   no modem enable
   transport output telnet
  line aux 0
   transport output telnet
  line vty 0 4
   access-class 100 in
   privilege level 15
   length 0
   transport input telnet ssh
  scheduler max-task-time 5000
  scheduler interval 500
  ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
  ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
  sntp server xxx.xxx.xxx.xxx
  end

  Hi Jody,
  Apologies delay in replying. I have done the following:
  Made two of the FE ports vlan1,BVI1 (for LAN traffic)
  Left one port as VLAN10 as the pppoe client conected to the externalmodem
  Made the last port VLAN10 as well and gave it an IP addess as for a DMZ client.
  I have DHCP configured to serve the DMZ  addresses.
  This all works for LAN clients and also works for a client attachedto that physical DMZ port.
  When I added a dot11radio sub interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
  I had never thought about this before, but if a dot11radio interface is on the same vlan (but not being part ofa bridge group) why are DHCP broadcasts not propogating to all the vlan members as I would have expected. I recognise that this isa limit in my understanding.
  If I then made VLAN10 a member of a new Bridge Group, I lost WAN connectivity as per original posting.
  I cannot add another VLAN due to the 2 vlan limit in this image.
  Finally regarding your comment about giving it what it wants, what exactly did you have in mind. The dialer already has a dial string parameters configured.
  Think I am about to give upon this.
  Regards,

• Cisco 877w -Configuration of subinterfaces and main interface within the same bridge group is not permitted

  Hi,
  I have another problem - after upgrade ios wirelles connection not work.
  After reload i have :
  Configuration of subinterfaces and main interface
  within the same bridge group is not permitted
  STP: Unable to get the port parameters.
  Please configure the bridge group on this interface first.
  Please configure the bridge group on this interface first.
  Please configure the bridge group on this interface first.
  SETUP: new interface NVI0 placed in "shutdown" state
  my old configuration work propertly in the old software, but after update i have notificatio.
  Old thread:
  https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
  my current sh run:
  version 12.4 
  no service pad 
  service tcp-keepalives-in 
  service tcp-keepalives-out 
  service timestamps debug datetime msec localtime 
  service timestamps log datetime msec localtime 
  service password-encryption 
  hostname cisco 
  boot-start-marker 
  boot system flash:c870-advipservicesk9-mz.124-24.T6.bin 
  boot-end-marker 
  logging message-counter syslog 
  logging buffered 4096 informational 
  enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s. 
  aaa new-model 
  aaa session-id common 
  dot11 syslog 
  dot11 ssid ciscowifi 
   vlan 1 
   authentication open 
   authentication key-management wpa 
   guest-mode 
   wpa-psk ascii 7 050D031D26595D0617 
  dot11 wpa handshake timeout 500 
  ip source-route 
  no ip dhcp use vrf connected 
  ip dhcp excluded-address 192.168.56.1 
  ip dhcp pool CLIENT 
     import all 
     network 192.168.56.0 255.255.255.0 
     default-router 192.168.56.1 
     dns-server 8.8.8.8 194.204.159.1 194.204.152.34 
     lease 0 2 
  ip cef 
  no ip domain lookup 
  no ipv6 cef 
  multilink bundle-name authenticated 
  username marek password 7 00121A0908500A 
  archive 
   log config 
    hidekeys 
  ip tcp path-mtu-discovery 
  bridge irb 
  interface ATM0 
   description Polaczenie ADSL do ISP$ES_WAN$ 
   no ip address 
   no atm ilmi-keepalive 
   pvc 0/35 
    encapsulation aal5mux ppp dialer 
    dialer pool-member 1 
   hold-queue 224 in 
  interface FastEthernet0 
   description Edzia 
  interface FastEthernet1 
   description dom 
  interface FastEthernet2 
   description Dziadek 
  interface FastEthernet3 
  interface Dot11Radio0 
   no ip address 
   no ip redirects 
   ip local-proxy-arp 
   ip nat inside 
   ip virtual-reassembly 
   no dot11 extension aironet 
   encryption vlan 1 mode ciphers tkip 
   encryption mode ciphers aes-ccm tkip 
   broadcast-key change 3600 
   ssid ciscowifi 
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 
   station-role root 
   world-mode dot11d country AU indoor 
   no cdp enable 
   bridge-group 1 
   bridge-group 1 subscriber-loop-control 
   bridge-group 1 spanning-disabled 
   bridge-group 1 block-unknown-source 
   no bridge-group 1 source-learning 
   no bridge-group 1 unicast-flooding 
  interface Dot11Radio0.1 
   description ciscowifi 
   encapsulation dot1Q 1 native 
   no cdp enable 
  interface Vlan1 
   no ip address 
   bridge-group 1 
  interface Dialer0 
   description Interfejs dzwoniacy 
   ip address negotiated 
   ip nat outside 
   ip virtual-reassembly 
   encapsulation ppp 
   dialer pool 1 
   dialer-group 1 
   ppp chap hostname [email protected] 
   ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx 
  interface BVI1 
   description Polaczenie dla sieci LAN 
   ip address 192.168.56.1 255.255.255.0 
   ip nat inside 
   ip virtual-reassembly 
  no ip forward-protocol nd 
  ip route 0.0.0.0 0.0.0.0 Dialer0 
  no ip http server 
  no ip http secure-server 
  ip nat inside source list 100 interface Dialer0 overload 
  ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80 
  ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22 
  logging trap debugging 
  logging 192.168.56.10 
  access-list 100 permit ip 192.168.56.0 0.0.0.255 any 
  access-list 100 deny   ip any any 
  no cdp run 
  snmp-server community ciskacz RO 
  snmp-server chassis-id ciskacz 
  control-plane 
  bridge 1 protocol ieee 
  bridge 1 route ip 
  line con 0 
   no modem enable 
  line aux 0 
  line vty 0 4 
   exec-timeout 0 0 
   transport preferred ssh 
   transport input ssh 
  scheduler max-task-time 5000 
  end 
  please help - thanks!

  Hello Marek,
  I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
  In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
  Remove the Dot11Radio0.1 subinterface entirely
  In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
  In the dot11 ssid ciscowifi section, remove the vlan 1 command
  After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
  Best regards,
  Peter

• Creating Dual SSID's

  We are running phat architecture (WLSE, ACS, 1230 AP's) and PEAProtocol. I want to create additional SSID's on every AP (WPA-PSK) for vendors.
  My questions is this: "Are there any good documents that discuss the creation of dual SSID's, VLAN/AP configuration, and/or best practice approaches?"

  Hi Darin,
  jep there are some documents.
  Using VLANs with Cisco Aironet Wireless Equipment
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  For usage of a WLSE, PEAP and ACS have a look here
  Protected EAP (PEAP) Application Note
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html
  Additional Information about WDS can be found here
  Wireless Domain Services Configuration
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
  These documents will give you the right hints for your task.
  Best reagrds,
  Frank

• Configuring wireless on cisco 877w router

  Hi all
  I have a Cisco 877W wireless/ADSL router and having great difficulty with configuring wireless on this router. Here is a quick summary.
  1. The ADSL is configured to obtain public IP from the ISP
  2. Default interface vlan 1 is configured with an IP address
  3. I went into vlan database, tried to configure multi vlans and the router prompted me that it can only have max 2 vlans. Hence what's the use of up to 16 different SSID using wireless?
  4. I've setup DHCP scope on the router to give out IP address to clients (both wireless and wired)
  5. I'm able to configure WPA-PSK on the router and was able to connect wirelessly to the router but I won't be able to obtain an IP address from the router
  6. There are two scenarios that I'd like to do:
  A. Setup wireless to connect to the same subnet as what's on vlan1
  B. Setup wireless to connect to a different subnet to vlan1
  For the life of me, I could not find docs on Cisco web site that shows me how to exactly this. I found some documents that use interface F0 as a trunk port and treat the interface Dot11Radio0 with sub-interfaces. I don't connect this router to a switch (standalone router) so how can I do this? Please point me to some docs.
  Thanks in advance for your help.

  My configuration works for wireless no authentication, but failed for WPA-PSK:
  ip dhcp excluded-address 172.16.250.1
  ip dhcp pool TEST
  import all
  network 172.16.250.0 255.255.255.0
  default-router 172.16.250.1
  bridge irb
  interface FastEthernet4
  description $ES_WAN$
  ip address dhcp client-id FastEthernet4
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface Dot11Radio0
  no ip address
  ssid 111
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 Cisco1234
  speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no cdp enable
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Vlan1
  no ip address
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 172.16.250.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  After I configured the same wpa-psk key on the XP computer using windows zero configuration and tried to connect to the wireless work, I got the following errors on the router:
  *Mar 1 03:00:51.623: *** Not encrypted dot1x packet from 000c.f123.25cf has been discarded
  *Mar 1 03:00:52.623: %DOT11-7-AUTH_FAILED: Station 000c.f123.25cf Authentication failed
  What could be wrong? Thanks!

• Channel configuration on dual SSID

  I am installing a few aironet around a environment which requires dual SSID one for Guest and the other for business.
  When configuring the channel for each SSID should I make both SSIDs on the same aironet the same channel and then ensure the closest aironet with the same dual SSIDs is both on the same but different (non-overlapping) channels ?
  Or should both SSIDs on each aironet be on different channels?
  Thank you.

  Channel selection ... Hmmmm ... autonomous IOS ... Not a good combo.
  I mean the issue here is your 802.11b radio.  If you have neighborhood wifi around, smart money 802.11b is being used and  Channels 1, 6 and 11 are used too.  No issues with 802.11a since there are more channels to play with.
  It's OK if you have a WLC because of the Dynamic Channel Assignment feature.  But with autonomous WAP, you need to constantly monitor your neighbor.

• Is Cisco Nexus 5596UP support vlan base Policing and traffic shaping on code NX OS version: 5.1(3)N1(1)

  Is Cisco Nexus 5596UP support vlan base Policing and traffic shaping on code NX OS version: 5.1(3)N1(1)
  where i couldn't see any police command under the policy map 

  I have tested this issue on another 5548UP with L3 running the same NX-OS version and get the same problem. Show CDP from the switch is not discovering devices, but the neightbors can see the 5K in question. Reboot sometimes will fix it, but not always. I suspect a problem with the software since that doesn't happen in NX-OS 5.2. The one I am using is
  Software
    BIOS:      version 3.6.0
    loader:    version N/A
    kickstart: version 5.1(3)N2(1)
    system:    version 5.1(3)N2(1)

• Cisco RV320 DUAL WAN router USB setup with Telstra 4G MF823

  I am trying to setup Cisco RV320 DUAL WAN router to work with my prepaid Telstra 4G MF823 device. Could you please assist. My settings are as follows: InterfaceUSB2Connection Type:3G/4G PIN Code:Confirm PIN Code:USB Connection Status:3G/4G modem is not available.Access Point Name:telstra.internetDial Number:Username:Password:Enable DNSDNS Server (Required): 8.8.8.8DNS Server (Optional): 8.8.4.4MTU:AutoManualB

  Hi oz000,
  Unfortunately we don't have anyone here to assist with this particular issue. Our team here provides assistance for the device standalone, we ensure that the 4G device connects to the network and functions correctly on its own.
  -Matt W
   

• Can not view slidshows or creat a book on Snapfish.  SF IT folks say it's a security issue on my end.  Any ideas?

  Can not view slidshows or creat a book on Snapfish.  SF IT folks say it's a security issue on my end.  Any ideas?

  You will need to contact Snapfish to find out their system requirements and which plugin you need
  - http://support.snapfish.com/app/answers/detail/a_id/669/brand/3

• I updated some security issues and suddenlly my gmail does not open. it shows 75% of the procees and does not go on

  I updated automatically some security issues in my computer (I don't remember which) and now my gmail will start opening until it reaches 75% and it will not go on opening.
  I can open it Internet explorer but not in Mozila fireworks

  Clear the cache and the cookies from sites that cause problems.
  "Clear the Cache":
  *Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
  "Remove Cookies" from sites causing problems:
  *Tools > Options > Privacy > Cookies: "Show Cookies"
  Start Firefox in <u>[[Safe Mode|Safe Mode]]</u> to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
  *Don't make any changes on the Safe mode start window.
  *https://support.mozilla.org/kb/Safe+Mode
  *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

• Other web browsers and security issues?

  Since even an Apple KB article recognizes the need for an additional browser and because of Safari's limitations and problems, I'm going to try switching to another browser (most likely OmniWeb and am looking at Firefox, Shira and Opera also though perhaps not as a primary browser) but I'm wondering about their ability to keep on top of any security issues for Mac? (and how do you keep up with security updates?)
  Though perhaps unfounded, at least with Safari, I feel that Apple has a vested interest in keeping on top of security issues (for Safari and Java) and I can readily find out about security updates via software updater.

  Most of the other Mac browsers have their adherents. They are all good browsers (I have 7 browsers installed to test various web sites and for change-of-pace usage). They all have their strengths and they all have their weaknesses. Only iCab and OmniWeb are still shareware, the rest are now or always have been free (Opera just recently stopped charging for its browser).
  I have settled on Firefox as my alternate browser and I use it maybe just a tad more than Safari, but I do switch back and forth between them. The Mozilla foundation is good at getting security updates out when needed. Firefox has a button on the toolbar to check for updates. One nice thing about Firefox is that you can install free extensions which enhance the features available. I have one to supplement tab features, one to control iTunes from Firefox's status bar, one to help me format messages in discussion forums, and one to block ads.
  I prefer OmniWeb for doing intensive research because of the way it handles tabs in its sidebar, showing me which ones I've looked at and which ones I haven't, and giving me great flexibility in rearranging tabs, which are viewable as thumbnails or text names (I have had up to a hundred or so tabs open in OmniWeb.
  Shiira is good and its fast. I have not checked for updates for a while, but the last time I updated there was still a problem with Shiira kicking you out of logged-in sites when you moved from page to page with in web site. This may have been fixed by now - they were aware of the problem back then.
  Camino is a native OS X cousin of Firefox and is also fast, but is not updated as often.
  I would stay away from Mozilla or Netscape unless you need all the additional modules they have and which take up hard disk space. Firefox and Camino represent the browser module of Mozilla/Netscape. Mozilla and Netscape have modules for email, irc chat, newsgroups, and for creating and editing web pages. Netscape is a branded and slightly customized version of Mozilla and is not updated as often.
  Opera is a nice browser and some use it as their main browser, but I have not seen anything that really stands out for me, but that does not mean it is not worth a look.
  I would stay away from abandonware Internet Explorer.
  As for checking for updates, several of them, as with many Mac programs, now have a menu item that allows you to check for updates. Most of them also announce their updates on both VersionTracker and MacUpdate.
  Happy Exploring.

• Security Issue with Apple ID

  Today while using my iphone and trying to use facetime for the first time since updating to IOS6, my phone asked me if I wanted to use some email address that I do not have for facetime. What? The message pretty much said that this email address was linked to my apple ID. So I got to work logged into AppleID.Apple.com and saw the email address verified and also saw it displayed as an alternate apple id. Immediately, I changed my Apple ID password and called apple at 1800myapple since that is the number on the website and try to talk to someone that could assist me with this severe issue. Anyway, my iphone went dead and the people on the phone couldn't connect me to anyone because I couldn't give them a serial number to an apple device. I tried to explain to the technicians that this is a problem with my ID and that the alternate ID has access to everything that my Apple ID has access to. Both times the call went nowhere. This is ridiculous. Why can't I talk to a security team? Why is the technician telling me that I can manage my ID from the website, when I know that I am looking at the website and I cannot remove the alternate ID? How did this ID get associated with my account and why did I never receive an email informing me of the change?
  Since Apple has other services and not just products STOP ASKING FOR A SERIAL NUMBER AND ASSIST THE CUSTOMER WITH THE ISSUE especially since it is a SECURITY ISSUE.

  oh man, I know exactly what you're talking about. i have a relatively easy to guess apple id email and everybody in the world thinks it's theirs... but once I turned on two-step authentication, the emails stopped completely.  here's a faq about it:
  http://support.apple.com/kb/HT5570
  once i turned that on, whenever they'd want to reset my password, they would get asked for my recovery key, which they don't have, haha!  victory is mine.

• My account was deleted for security issues. I made a new account, but I can't syncronise my apps with this new account. I bought a new Iphone and would like to transfer the apps ans music on this new one. Can somebody help me?

  My account was deleted for security issues. I made a new account, but I can't syncronise my apps with this new account. I bought a new Iphone and would like to transfer the apps ans music on this new one. Can somebody help me?

  Why would you make a new account?  This will likely cause many problems.  Just get you old account enabled.
  Apple ID: "This Apple ID has been disabled for security reasons" alert appears
  Frequently Asked Questions About Apple ID
  Everything you purchased with the old account will always be tied to that account.  You will have to authorize the computer for that account and you will have to update the apps from that account.