Help with 871w WLAN & VLANs

Hi! I think I'm too stupid for this...
I have an 871w with IOS c870-advipservicesk9-mz.124-9.T.bin. I'd like to have a config consisting of 4 VLANs: eth-priv, eth-guest, wlan-priv and wlan-guest. The *-guest vlans should only be able to get into the internet, not in my *-priv vlans. I want to use routing and ACLs, so I don't want bridging configured. All clients should get their IPs by DHCP, because my provider gives me my outer IP by DHCP, including DNS-server to use. I have the ethernet-vlans working fine, but can't get the hang of the wireless vlans...
Can someone point me to a config which does the things I want? Just the basics, I hope I can guess the details...
Thanx in advance!

as far as i know you need the bridging configured to get the puppy to work. i do not run multiple vlans but see if my config helps you
hostname xxxxxx
boot-start-marker
boot-end-marker
no logging buffered
enable password xxxxx
username admin password 0 xxxxxxxx
no aaa new-model
ip subnet-zero
ip cef
ip dhcp excluded-address xxxxxxxx
ip dhcp excluded-address xxxxxxxx
ip dhcp excluded-address xxxxxxxx
ip dhcp pool dcp
 network xxxxxxxx 255.255.255.0
 domain-name dcpartners.com
 dns-server xxxxxxxx
 default-router xxxxxxxx
ip dhcp pool xxxxxxxx
ip name-server xxxxxxxx
ip name-server xxxxxxxx
no ftp-server write-enable
bridge irb
interface FastEthernet0
 no ip address
interface FastEthernet1
 no ip address
interface FastEthernet2
 no ip address
interface FastEthernet3
 no ip address
interface FastEthernet4
 ip address dhcp
 duplex auto
 speed auto
interface Dot11Radio0
 no ip address
 encryption vlan 1 mode ciphers tkip
 ssid xxxxxxxx
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 xxxxxxxx
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
interface BVI1
 ip address xxxxxxxx 255.255.255.0
no ip http server
no ip http secure-server
ip nat pool dcp xxxxxxxx netmask 255.255.255.248
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 15 permit 0.0.0.0 255.255.255.0
access-list 100 permit ip host xxxxxxxx 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.199.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
bridge 1 route ip
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 login
 transport preferred all
 transport input all
 transport output all
scheduler max-task-time 5000
end
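
An added example, not from either poster or from Cisco: a Python check that evaluates a numbered extended ACL with IOS first-match and wildcard-mask semantics and counts every guest-to-private address pair it would let through, which is the isolation the question asks for. The subnets, ACL number 140 and both sample ACLs are constructed for illustration, the ACL is assumed to be applied inbound on the guest interface, and only `permit|deny ip` lines are parsed.

```python
"""Evaluate numbered IOS extended ACLs: first match wins, implicit deny last."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

Spec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def take_addr(tokens: List[str]) -> Spec:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (ip_int(tokens.pop(0)), 0)
    return (ip_int(head), ip_int(tokens.pop(0)))


def parse_acl(config: str, number: int) -> List[Rule]:
    """Collect 'access-list <number> permit|deny ip SRC DST' lines in order."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        if len(tok) < 6 or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line.strip()!r}")
        rest = tok[4:]
        src = take_addr(rest)
        dst = take_addr(rest)
        rules.append(Rule(tok[2], src, dst))
    return rules


def wildcard_match(spec: Spec, addr: int) -> bool:
    """Wildcard bits set to 1 are ignored; only the 0 bits are compared."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def decide(rules: List[Rule], src: int, dst: int) -> str:
    for rule in rules:
        if wildcard_match(rule.src, src) and wildcard_match(rule.dst, dst):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


def count_leaks(rules: List[Rule], src_net: str, dst_net: str) -> int:
    """Exhaustively count (src, dst) address pairs the ACL permits."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    s0, d0 = int(s.network_address), int(d.network_address)
    return sum(
        decide(rules, a, b) == "permit"
        for a in range(s0, s0 + s.num_addresses)
        for b in range(d0, d0 + d.num_addresses)
    )


def audit(config: str, number: int, guest: str, private: List[str]) -> Dict:
    rules = parse_acl(config, number)
    guest_host = int(ipaddress.ip_network(guest).network_address) + 10
    return {
        "leaks": {net: count_leaks(rules, guest, net) for net in private},
        # 198.51.100.10 is a documentation address standing in for the internet
        "internet": decide(rules, guest_host, ip_int("198.51.100.10")),
        # the broadcast a client sends before it holds a DHCP lease
        "dhcp_discover": decide(rules, ip_int("0.0.0.0"), ip_int("255.255.255.255")),
    }


# Constructed addressing plan (assumption, not from the thread)
PRIVATE = ["192.168.10.0/24", "192.168.30.0/24"]  # eth-priv, wlan-priv
WLAN_GUEST = "192.168.40.0/24"

# Constructed ACL with a too-narrow wildcard on the wlan-priv line
WEAK_ACL = """
access-list 140 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.127
access-list 140 permit ip any any
"""

# Constructed corrected ACL: both private subnets fully covered
FIXED_ACL = """
access-list 140 deny   ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 140 permit ip any any
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, audit(acl, 140, WLAN_GUEST, PRIVATE))
```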

Similar Messages

  • Help with starting a VLAN implementation

    Our network is currently all a single subnet with two 3550 and one 3524XL switches, as well as an ICS-7750 VoIP system. Our default gateway is a 515 Pix.
    I would like to implement VLANs - probably users, voice, a WLAN guest for internet only, and a WWAN. DHCP server is Windows.
    From here I know that I'll need a router, but I would like advice as to which. I think I have enough sample documentation to get it from there, however if what I have planned isn't possible I would like advice on a revised plan.
    Thanks for any direction that can be provided!

    Hello Brian,
    What software version are you running on the 3550 ?? Is it EMI or SMI ?? If it is EMI, the 3550 can support the Intervlan routing. You do not need an external router for this. In case it is SMI, & if you have an IOS more than 12.1(11) EA1, you can run Intervlan routing. It's always good to have a Layer 3 switch which does the L3 routing between VLANs, since you can have more control of the traffic flowing through it. You can also implement stuffs like HSRP on these core switches and give a highly available design.. Have a look at this doc, which can help you in Inter-vlan routing:
    http://cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
    You can implement VLANs on the core and configure it as a VTP server. The edge switches can be configured as clients or transparent mode.
    You can implement different kinds of VLANs. I guess u have all the config docs on CCO. For WLAN guests, you can manually configure the Guest VLAN on the interface or use some kinda ACS authentication server for automatic allocation of VLAN through DOT1X protocol. So, your case it would be straightforward for the other VLANs --- go to the vlan database, add the VLAN, assign the VLAN on the interface, define Layer 3 VLAN interface if required and finish it off. For more security, u can configure VLAN ACL's on the Layer 3 interface to restrict traffic between VLANs.
    Hope this helps. all the best.. rate replies if found useful.
    Raj

  • Help with untagged traffic VLAN, Cisco 2960

    I guess I am getting old because I just can't seem to make this work once I start configuring the VLAN. I've attached a JPG of the scenario of the network model I am trying to deploy, but I have simplified it to the most basic model possible. I have also attached the config from SW-1 (Top) which is the same as the other two switches.
    My Questions:
    #1 Why can't traffic from Laptop 192.168.2.101 ping Laptop 192.168.2.102 or 103
    #2 What am I missing in this design
    Reasoning (or my thoughts): I thought untagged traffic will traverse VLAN 99 from switch to switch. I thought this was automatic since the Native VLAN is 99 and working. Am I not understanding tagged vs. untagged vs. Native VLAN vs Default VLAN traffic??? I am perplexed.
    wr t
    Building configuration...
    Current configuration : 1329 bytes
    !
    version 12.2
    no service timestamps log datetime...
    This topic first appeared in the Spiceworks Community

    I have solved this, I have posted the relevant configs.  I'm aware that the WAN ip address isn't valid, but I scrambled it to protect my identity
    http://pastebin.com/2LXuPr2c
    http://pastebin.com/pRPujJbj

  • Help with wireless controller and VLANs

    Hi I'm trying to setup a wireless controller in preparation for a large site go live later this year. I'm struggling to get the controller and the WLAN using the correct VLAN. I want the controller on VLAN 100 and the clients on the WLAN on VLAN 200.
    My thought is that I would need a config similar to:
    Switchport for wireless controller management port set to trunk VLAN 100 and 200 with no native VLAN set.
    The management interface on the controller set to VLAN 100.
    A dynamic interface created on VLAN 200.
    When setup like this I can get to the controller on its management address but only from VLAN100 not from another VLAN on site or from other sites over the WAN.
    I have setup a WLAN which is set to use the dynamic interface on VLAN 200.
    I have set the AP to use HREAP and set the native VLAN as 200 and added the dynamic interface into the VLAN mappings
    When I connect a client to the WLAN I get an address on VLAN 100.
    The switchport for the AP is set to native VLAN 100 and trunk 200 – this setup works for standalone APs at other sites.
    What am I missing?
    Also any idea why the management interface address is not routing? The netmask and gateway are set correctly.
    Thanks
    Paul

    Just to add to Steve's post... You only need to create a dynamic interface for vlan 200 if you have ap's also in local mode.  If your ap's are in H-REAP/FlexConnect mode, you don't need a dynamic interface for vlan 200.
    In your H-REAP/FlexConnect ap, you would set the wlan to vlan mapping there and the switchport configuration would be a trunk allowing vlan 100 (im assuming your native vlan for your ap) and vlan 200.  You should see something like the following:
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Help with larger sized voice wlan.... design considerations.... tips...etc...

    Hi Everyone,
    I'm hoping that you guys and gals can help me with an ongoing problem that we have at one of our sites. We're working on areas of the location due to its size and phone load. We have an area, that I will refer to as building A, that is roughly a square that is 240' x 240'. The inside of the building has some pallets inside for storage(they allow RF to penetrate through them) and also some metal production lines. There is also a mezzanine  / elevated area in the middle that the users can walk under. It's not very large, but it would affect a phone if you walked underneath it while making a call. So, now that I have a brief description of the environment, I will tell you the equipment I'm running...
    1 x 4402 50AP Wireless Controller with 6.0.199.3 (MR3) installed.
    We currently have nine AP's installed in this area, with 4 up front so that way they cover the office areas better. Most are 1231G's, but some are 1242's.
    Since we do not have A radios everywhere (budgetary decision) we are running all of these phones on 2.4Ghz (Yikes! I know!)
    The 7920's use LEAP and the 7921's use PEAP MS-CHAP v2 with CCKM enabled on the controller.
    I also have 802.1p wired QoS enabled for the voice QoS profile and it is applied to our voice WLAN.
    We have conference rooms in the front area that will need to support roughly 20-30 maximum mixed 7920 and 7921G phones in a roughly small area. (Yikes! I know!)
    We also have a 2106 with mesh .54M installed, but it is for outdoor AP's and should not be affecting this area.
    So, I guess my questions are....
    Has anyone ever operated the 7920 and 7921G's in mixed mode?
    I'm thinking about separating the 7920s on 2.4 and tell the 7921's to prefer the A band or just use A. This will require A radios / surgery, but we've dealt with different code trains, TAC configs, and even added a few more radios. I think it's time to say we need to redesign this area. It doesn't help that phones keep getting purchased either....
    What rule of thumb would you guys / gals say would be appropriate for this phone count in terms of the number of AP's I should use?
    Since we're dealing with two different phone models, it makes it hard to simply just read the deployment guide. I know these phones can coexist, I just think we're running into over capacity and problems with 802.11B in the mix. In the conf room right now, there are most likely signals from at least two AP's. This doesn't seem like enough bandwidth for just the 2.4 Ghz range when 20 - 30 phones are in there. Not all of them are calling, but the associations / mgmt traffic alone must be horrendous since the phones are 802.11B
    We are going to do a manual survey with a 1242 since that AP will support both phone models. I think we may need to survey twice if we're going to go this route; One survey for the 7920's on 2.4Ghz with a 1242AG and one survey on 5Ghz with a 7921G. I think that will provide the info we need to get the AP's repositioned where they need to be.
    What kind of power levels should I be using in an area like that? We've originally had a survey at 50mW, but since then we turned the power down to pwr lvl 3 in some spots due to the additional AP's. I've seen references of roughly 1 AP per 3000 sq. ft at pwr level 4, but that seems overkill. 
    Can we run mixed power levels on AP's with the phones? Or will that cause one way audio due to the transmit power differences in the cells?
    I'm thinking that we should pick a power level, survey the -67 cell size at the power level, add more AP's so that way they are overlapped 15-20%, and then actually implement the design. I'm pretty good at getting decent channel assignments in place. I know of non-overlapping channels, RRM, etc. I also have an AirMagnet laptop with an Aironet Adapter. It is good for finding noise, interference, etc...
    I understand this is practically a book, but at this point, we've been trying a LOT of different things in order to get this to work properly. I think it's finally time for me to "strongly suggest" that we do the following...
    1. Choose ONE phone model.
    2. Choose ONE AP model.
    3. Make sure to implement the 5Ghz band for all AP's so we have complete coverage.
    4. Choose ONE power level for each band. This will affect the coverage and placement of AP's. I'd imagine that we'd need to survey with A first, and then survey with b/g. Typically we can use the 1242 and get about the same cell size on both bands, but 5Ghz is a higher frequency and may not penetrate as much as 2.4 Ghz..
    5. Come up with a new coverage map based on a manual site survey with the phones mentioned above.
    6. Implement the design.
    7. Use it.
    8. Try not to have a heart attack when the system actually supports that many phones in that area...
    So, please, let me know your thoughts and if you have any suggestions. It would be greatly appreciated. We've been slowly working out the gremlins in the phones there over the past few years. I'm more of a data wireless person myself, but I do have good luck with a low to moderate phone count (usually no more than 7 calls per AP). Once we start doing craziness like trying to get 20-30 802.11B phones to work in the same area on only one or two AP's, then things start to become a challenge, especially when we don't have the 5Ghz cells to help with the bandwidth requirements for voice....
    Thank you for your time,
    Craig 

    There's a pretty recent (last few months) Voice over Wlan design guide published (was published for the 9971 phones - but all great advice) and it recommends just about all the settings required for an off the shelf wireless voice network.
    http://www.ciscosystems.com/en/US/docs/voice_ip_comm/cuipph/9971_9951_8961/7_1_3/english/deployment/guide/9971dply.pdf

  • Help with VLANs on SG200-18 and two SG200-08 switches

    Hi everybody. My apologies but I'm only average at best with my CISCO skills. I have simple setup running a few network devices connected via 3 CISCO switches. It's small office and there are two rooms - one with servers and one with printer and pc's. Each room has 8-port SG200-08 switch.
    Router/ firewall is Sonicwall TZ215 and it handles internal routing between VLAN's. Each SG200-08 was connected directly to TZ215 (no SG200-18 yet) and VLANs were working perfectly. Please see diagram below...
    Problems started when I added in the middle larger SG200-18 to handle extra devices. Whatever I'm doing wrong but I can't make VLANs work anymore. Something I'm not setting up correctly in SG200-18.
    Please help me to setup VLANS here - tagged, untagged, PVID, trunk........ I'm completely lost and already had to reset SG200-18 twice.
    My working setup without 18 port switch was like this.
    SG200-08 (1)
        g1  Trunk  1     1U,100T 
        g2  Trunk  1     1U   
        g3  Trunk  1     1U   
        g4  Trunk  1     1U   
        g5  Trunk  1     1U   
        g6  Trunk  1     1U            SERVER3    
        g7  Trunk  100   100U      SERVER1
        g8  Trunk  100   100U      SERVER2
    SG200-08 (2)
        g1  Trunk  1     1U,50T,200T   
        g2  Trunk  1     1U   
        g3  Trunk  1     1U   
        g4  Trunk  1     1U           PC1A
        g5  Trunk  1     1U           PC1B
        g6  Trunk  50    50U        PC2A
        g7  Trunk  50    50U        PC2B
        g8  Trunk  200   200U     NETWORK PRINTER
    Thank you in advance.

    Hello,
    Small switches would remain untouched but 200-18 needs to have the following settings:
     g15 Trunk  1     1U,100T 
     g16  Trunk  1     1U,50T,200T
     g17 Trunk  1     1U,50T,200T
     g18 Trunk   1      1U,50T,100T,200T
    Sonicwall now would have only one port connected to SG200-18 with settings matching port g18 on big switch.
    If you notice there is a change as now you would have only 1 port connecting your network to the Sonicwall, would advise you to use port 17 or 18 since they are uplink ports.
    If you have tried to connect two ports to big switch STP would block one of the ports.
    Let me know how it is going :-)
    Aleksandra

  • Help with inline VLAN Pair and switch configuration

    Hello,
    I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
    SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
    I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
    From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
    My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
    Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
    Below are my configs for the switches and the IPS.
    Any help would be appreciated. Thank you!
    IPS Config
    service interface
    physical-interfaces GigabitEthernet0/0
    no description
    admin-state enabled
    duplex auto
    speed auto
    alt-tcp-reset-interface interface-name GigabitEthernet0/3
    subinterface-type inline-vlan-pair
    subinterface 1
    description test
    vlan1 100
    vlan2 200
    exit
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/0 subinterface-number 1
    inline-TCP-session-tracking-mode vlan-only
    exit
    exit
    SW1 and SW2 config
    interface FastEthernet0/1
     switchport access vlan 100
    interface FastEthernet0/9
     switchport access vlan 200
    interface FastEthernet0/18
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface FastEthernet0/24 (Sw 2 only)
     description IPS port
     switchport trunk encapsulation dot1q
     switchport mode trunk

    It has been a while since I've dealt with a 2900 switch so I am just trying to guess at what may be wrong with your setup.
    I noticed that neither of your trunk port configuration are specifically stating which vlans are allowed on the trunks.
    It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the command would be something like:
    switchport trunk allowed-vlan 100,200
    You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
    And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
    On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
    You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
    You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
    NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.

  • PLEASE HELP! Problems with Cisco WLAN and WPA encryption

    I checked the threads and didn't see this posted.  I have a Cisco WLAN card in my T42_2373_C88.  It's a very unfortunate thing that this wireless LAN card/wireless config. utility doesn't support WPA encryption.  I'm not entirely sure that it's the problem with the WLAN card, and the reason for this is that I initially set up a network through the Windows config. utility bypassing the IBM utility (which I can no longer do).  I wasn't actually able to connect to my local network until I completely removed the profile for my home network in the access connections, only then was I able to connect (WPA-PSK (TKIP)).  I saw some drivers available for my make and model on the lenovo.com driver site.  I downloaded the drivers and went through device manager specifying the folder where the drivers were located and the drivers were not recognized by windows as valid drivers.  Unless specifically told otherwise, I don't want to manually override and load these drivers.  This is a business machine, and this specific wireless function is VERY critical.
    Thanks

    try using URLConnection instead of HTTPConnection.

  • Can anyone help with iPlayer and Sky Mobile?

    Ok, I'm so close to giving up with this useless phone. There are 3 apps on my N97 which give me a constant headache.
    BBC iPlayer
    Sky Mobile*
    YouTube
    *I should point out that I only use Sky Mobile to set recordings on my Sky+. I do not use it for, nor have any desire to use it for actually watching Mobile TV.
    All of these apps work absolutely fine over my home WiFi network. It's when I try to use them over 3G (my Vodafone Live! connection) that I start running in to trouble.
    All 3 give me connection problems, errors, and simply refuse to load half the time when on 3G. I got so annoyed I just did a hard reset the other week, and magically all three started working again. However, now 2 of them are failing me again. YouTube (touch wood) is working fine at the moment, but iPlayer and Sky Mobile just aren't.
    iPlayer sometimes works. But sometimes I get script errors (unable to load content), and sometimes it says something about checking my connection settings. I wouldn't mind but it's not actually possible to access any options for the iPlayer. Even in application settings there are no options you're able to set.
    Sky Mobile simply flat out refuses to work ever on 3G. But it did after I did a hard reset for a couple of weeks, now it just stopped working! It wont even load. It just gives the error message 'Unable to connect to network - please check connection settings" or something along those lines.
    I've tried so many different things. Tried setting my internet connections to 'always ask', tried setting it to default to Vodafone Live! all the time, tried setting my video streaming settings to WAP, all sorts. Every combination I can think of.
    I just can't wait to get rid of this phone. I've put so many people off buying one. They see it and think it's all swish and cool, and I just say 'Don't. You'll regret it'. I can't wait for my contract to be up so I can upgrade to an iPhone now Vodafone have got them.
    Can anyone help with these problems? Thanks in advance, but I don't hold out much hope...

    About iPlayer.
    Have a chat with Vodafone. Streaming iPlayer over 3G IS allowed on Vodafone contract, unlike my O2 contract. As long as your contract allows it, and you have the correct AP address, it should be fine. Vodafone should be able to give you the setting.
    Mine only works over Wlan.
    FWIW, "... streaming over 3G is not currently available on iPhone handsets on any mobile network".
    p.s. Just to be clear. You say  "Tried setting my internet connections to 'always ask', tried setting it to default to Vodafone Live!".
    iPlayer uses the Nokia browser "Web". So that's where you should make the setting "Ask when needed". It should then offer you the choice of whatever you've set in Destinations> Internet> then select whatever you've chosen as your GPRS connection (as advised, or sent to you by Vodafone).

  • NCS Prime 1.4 does not display previous AP WLAN-VLAN mappings

    Hi,
    Just wondering if others have experienced this issue. I upgraded our Prime NCS from 1.3 to 1.4 last night. Upgrade appeared successful but today when looking through the web interface for testing I noticed that the 'Access Point Details' (Configure > Access Points > Access point details) no longer displays the flex connect vlan mappings which previously were shown in 1.3.
    When clicking on the WLAN-VLAN Mappings tab nothing appears there too? I tried to apply the wireless configuration template again but received an error.
    Has anyone had this issue? On the WLC, these configurations are still intact with the correct vlan-mappings so it only appears to be NCS that is having the issues.
    Only thing I can see from the release notes regarding NCS 1.4 Flexconnect VLAN mappings is CSCug17718. But this caveat is under the resolved section.
    Cheers,
    Wil

    Cheers thanks for the reply.
    I figured out what the problem was. Appears that Audit status has mismatches but once another audit is done it appears to display vlan mappings at the access point detail page.
    Now... to figure out how to perfect bulk audits..
    Anyways thanks for your advice.

  • Help with a simple 1811 configuration

    I have a very basic level of understanding with Cisco products and I need help with what should be simple and even doable by me.
    I have a Cisco 1811 integrated router and am simply trying to use it on my home network.  I can configure the router with an enable secret password, password encryption, VTY, aux, and cons logins with no issues.  The router has 2 Ethernet interfaces, 0 and 1 and 8 switch ports.
    The idea is to bring Comcast ISP service into one of the Ethernet ports and then have three machines on the switch ports able to access the Internet.  Also I have an off-the shelf wireless router that I thought I would just plug that into an available switch port and allow a wireless AP as well. 
    This is so simple, that I can't believe I can't figure it out, but I can't.
    I set int F1 to DHCP, performed a 'no shut', and connected the ISP's router and have an up and up indication.  I have setup a static network with my three machines on the switch ports and enabled all applicable ports and have up and up indications - however, no traffic flow, even amongst my static Layer 2 switched LAN - not even a 'ping'.  By my understanding of Layer 2, this should work right now, whether the ISP service is working or not - WHAT AM I DOING WRONG?
    The addressing scheme I have ended up on is 172.16.1.0/28
    Obviously without the first hurdle cleared, of why the switched LAN doesn’t work, I haven't got any deeper.  Do I need to configure NAT?  I don't think I would need to in the scenario right?
    All of my experience, and none at the CCNA level, has been with larger Cisco equipment.  One thing I noticed on the 1811 was that when trying to create a new VLAN, it appears to work yet does not do anything and the 'sh vlans' output returns nothing, not even the VLAN1 I can see with 'sh ip int brief'.
    Anyway, if anyone has time to help a newbie out I would appreciate it; I’m lost.
    Thanks,
    Josh

    Thanks for the help Andrew!  You know, I think if this was two separate devices (switch and router) I think I would be up and running, but this integrated stuff is throwing me off, not to mention that the IOS is a much older version (I guess) than what I'm used to. 
    They were throwing this 1811 in the trash can at work, so I just emptied the trash can.  I have no documentation at all but I have since found the 1800 series documentation on Cisco.com and have tried to implement the basic configurations cited; with what seems like success, but still no joy.  I did have to recover the password and did so with 0x2142, I bypassed the setup and compared the default configuration with what is listed in the documentation and they DO NOT match; I also tried to go through setup mode with the same indications.  Additionally I've also learned that the 1800 series is pre-configured on certain options (DHCP, VLAN), which is new to me - I thought Cisco routers were not configured by default - isn't that kind of the point?  (By the way, the below port status may not be correct since I now have all the ports unplugged)
    Anyway, here is the 'show run' command, the 'sh ip int brief' command, followed by the 'sh version' command:
    Show Run
    Casino#sh run
    Building configuration...
    Current configuration : 2006 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Casino
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$meWw$nsMTp6US7axi/uE0MWULK.
    enable password 7 06535E741C1B584C55
    no aaa new-model
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.1.1
    ip dhcp pool Casino
       import all
       network 172.16.1.0 255.255.255.240
       default-router 67.165.208.1
       dns-server 68.87.89.150
       domain-name hsd1.co.comcast.net
    no ip domain lookup
    ip domain name GinRummy.localhost
    ip name-server 68.87.85.102
    ip name-server 68.87.69.150
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    multilink bundle-name authenticated
    archive
     log config
      hidekeys
    interface Loopback0
     ip address 172.16.1.1 255.255.255.240
    interface FastEthernet0
     no ip address
     shutdown
     duplex auto
     speed auto
    interface FastEthernet1
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     pppoe enable
     pppoe-client dial-pool-number 1
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    interface FastEthernet9
    interface Vlan1
     no ip address
     ip nat inside
     ip virtual-reassembly
    interface Dialer0                                                             
    ip address negotiated                                                        
    ip mtu 1492                                                                  
    encapsulation ppp                                                            
    dialer pool 1                                                                
    ppp authentication chap                                                      
    ip forward-protocol nd                                                        
    no ip http server                                                             
    no ip http secure-server                                                      
    ip nat pool Casino 172.16.1.2 172.16.1.14 netmask 255.255.255.240             
    ip nat inside source list 1 interface Dialer0 overload                        
    access-list 1 permit 172.16.1.0 0.0.0.15                                      
    dialer-list 1 protocol ip permit                                              
    control-plane                                                                 
    line con 0                                                                    
    password 7 080E5916584B4442435E5C                                            
    login                                                                        
    line aux 0                                                                    
    password 7 013C135C0A59475A70191E                                            
    login                                                                        
    line vty 0 4                                                                  
    password 7 09635B51485756475A5954                                            
    login                                                                        
    end                                                                           
    Show IP Interface Brief
    Casino#sh ip int brief                                                        
    Interface                  IP-Address      OK? Method Status                Prl
    FastEthernet0              unassigned      YES NVRAM  administratively down do
    FastEthernet1              unassigned      YES DHCP   up                    do
    BRI0                       unassigned      YES NVRAM  administratively down do
    BRI0:1                     unassigned      YES unset  administratively down do
    BRI0:2                     unassigned      YES unset  administratively down do
    FastEthernet2              unassigned      YES unset  up                    do
    FastEthernet3              unassigned      YES unset  up                    do
    FastEthernet4              unassigned      YES unset  up                    do
    FastEthernet5              unassigned      YES unset  up                    do
    FastEthernet6              unassigned      YES unset  up                    do
    FastEthernet7              unassigned      YES unset  up                    do
    FastEthernet8              unassigned      YES unset  up                    do
    FastEthernet9              unassigned      YES unset  up                    up
    Vlan1                      unassigned      YES NVRAM  up                    up
    Loopback0                  172.16.1.1      YES manual up                    up
    Dialer0                    unassigned      YES manual up                    up
    NVI0  
    'show version'
    Casino#sh ver                                                                 
    Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15))
    Technical Support: http://www.cisco.com/techsupport                           
    Copyright (c) 1986-2008 by Cisco Systems, Inc.                                
    Compiled Thu 24-Jan-08 13:05 by prod_rel_team                                 
    ROM: System Bootstrap, Version 12.3(8r)YH12, RELEASE SOFTWARE (fc1)           
    Casino uptime is 52 minutes                                                   
    System returned to ROM by reload at 17:09:25 UTC Fri Jul 1 2011               
    System image file is "flash:c181x-advipservicesk9-mz.124-15.T3.bin"           
    This product contains cryptographic features and is subject to United         
    States and local country laws governing import, export, transfer and          
    use. Delivery of Cisco cryptographic products does not imply                  
    third-party authority to import, export, distribute or use encryption.        
    Importers, exporters, distributors and users are responsible for              
    compliance with U.S. and local country laws. By using this product you        
    agree to comply with applicable laws and regulations. If you are unable       
    to comply with U.S. and local laws, return this product immediately.          
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html                        
    If you require further assistance please contact us by sending email to       
    [email protected].                                                             
    Cisco 1812 (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of m.
    Processor board ID FHK120622J3, with hardware revision 0000                   
    10 FastEthernet interfaces                                                    
    1 ISDN Basic Rate interface                                                   
    31488K bytes of ATA CompactFlash (Read/Write)                                 
    Configuration register is 0x2102  
    Thanks again for your help,
    Josh

  • Help with some ACLs for VACL

    I need some help with ACLs for a VACL. Goal - have the 1.1.1.0/24 subnet only communicate with a certain IP.
    So, they cannot get out to anywhere else and no one except that IP can get in.
    Here is what I have so far:
    access-list acl1 permit tcp 1.1.1.0 255.255.255.0 host 1.2.3.4
    access-list acl1 permit tcp host 1.2.3.4 1.1.1.0 255.255.255.0
    access-list acl1 ip 1.1.1.0 255.255.255.0 any log
    access-list acl1 ip deny any any log
    vlan access-map vacl1 1
    match ip address set acl1
    action forward
    exit
    vlan filter vacl1 vlan-list 11
    Will this work as I expect it to?
    Thanks for any help

    Hi,
    I implemented this on my 6509 and it didn't work. I even modified it to look like the following and it didn't work (I could RDP to one of the boxes on that subnet).
    ip access-list extended rapt_acl
    deny ip any any
    deny tcp any any
    deny udp any any
    vlan access-map rapt_vacl 10
    match ip address set rapt_acl
    action forward
    vlan filter rapt_vacl vlan-list 90
    Any thoughts what I may be missing?
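An added example, not part of either post: the first ACL above writes the subnet as `1.1.1.0 255.255.255.0`, and this sketch shows what that field selects if the platform reads it as an IOS-style wildcard mask (an assumption; the original poster does not name the platform) compared with `1.1.1.0 0.0.0.255`. The helper names and the sample flows are constructed, and the model covers only first-match ACL evaluation, not the access-map action or logging.

```python
import ipaddress


def _u32(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored,
    every other bit of addr must equal the same bit of base."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword


def host(addr):
    """The 'host x.x.x.x' keyword: every bit must match."""
    return (addr, "0.0.0.0")


def evaluate(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny.
    Protocol is ignored here (the posted permits are tcp-only)."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"


def build_acl(mask_field):
    """The stated goal: 1.1.1.0/24 talks only to 1.2.3.4, in both directions.
    mask_field is whatever follows 1.1.1.0 in the ACL line."""
    subnet = ("1.1.1.0", mask_field)
    peer = host("1.2.3.4")
    return [
        ("permit", subnet, peer),
        ("permit", peer, subnet),
        ("deny", ANY, ANY),
    ]


AS_POSTED = build_acl("255.255.255.0")   # netmask written where a wildcard is read
WILDCARD = build_acl("0.0.0.255")        # inverse mask for a /24

# Constructed sample flows (source, destination).
FLOWS = [
    ("1.1.1.25", "1.2.3.4"),    # protected host to the allowed peer
    ("1.2.3.4", "1.1.1.25"),    # allowed peer to a protected host
    ("1.1.1.25", "192.0.2.10"), # protected host to anything else
    ("10.9.8.0", "1.2.3.4"),    # unrelated address whose last octet is 0
]


def report():
    """One row per flow: (src, dst, verdict as posted, verdict with wildcard)."""
    return [
        (src, dst, evaluate(AS_POSTED, src, dst), evaluate(WILDCARD, src, dst))
        for src, dst in FLOWS
    ]


if __name__ == "__main__":
    print(f"{'src':<12}{'dst':<14}{'255.255.255.0':<16}{'0.0.0.255'}")
    for src, dst, posted, fixed in report():
        print(f"{src:<12}{dst:<14}{posted:<16}{fixed}")
```

Read as a wildcard, `255.255.255.0` ignores the first three octets and pins the last one to 0, so the permit lines miss the hosts in 1.1.1.0/24 and instead match any address ending in `.0`.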

  • Help with unetbootin install

    I'm doing a unetbootin Arch install (don't ask why) and I need to gain internet access after booting "unetbootin" to install Arch. I have NO CLUE whatsoever how to do it and it's kinda urgent that I install it and I have a D-Link DWL-G122 USB Wireless Adapter (and, if it matters, WEP key encryption on the router).
    Please, help?
    Thanks in advance!

    Sorry, but I couldn't quite follow the method.
    Anyway, I googled a bit, found that my adapter works fine with linux-wlan-ng drivers. But (there's always a "but" on Linux, isn't there?) I need to make configure the drivers, and bash complains that there is no make. The lsusb command lists everything USBish on my comp (including the D-Link adapter). How can I determine which dev is the D-Link adapter and do I need to do something with it before making drivers?

  • WLAN VLAN Primary & Secondary DHCP

    Hi
    We've got a primary and secondary DHCP setup on all our WLAN VLANs.
    The server with the primary DHCP died the other day, so all requests are going via the secondary.
    My question is, the primary server is back up but not running DHCP yet.
    As the primary server is physically up but not running DHCP, would this cause a noticeable lag for client devices getting an IP address from the secondary DHCP server?
    Many thanks in advance
    Cheers
    Craig

    The secondary DNS server - which as you correctly point out does not let you add additional records to the zone is only intended to be a backup DNS server. The idea is that while the primary DNS server is broken it is 'good enough' to answer queries from clients. You are expected to fix the primary DNS server and once fixed you can continue to edit/add records to it.
    The secondary DNS server is not intended to become the primary DNS server in the event the primary fails. This is different to OpenDirectory for example which does allow you to 'promote' a replica server to the master role.
    An alternative approach you could consider which might let you do this, would be to set up the primary to export its DNS settings to the secondary machine. You should still initially have the secondary act as a proper secondary DNS server which as discussed means it cannot be edited or become the primary, but you could then wipe the DNS config from the secondary and restore the backup from the primary, making the secondary into the primary.
    Remember you need to advertise both the IP addresses of the primary and secondary as valid DNS servers for your network (via DHCP) and for your domains.

  • ISM with NAT44 - Need help with configuration

    Hello everyone,
    I'm trying to set up NAT44 in the scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations, all in the same VRF. Can you guys give me a hand? The traffic comes from network 10.0.0.0/8 and enters interface bundle-ether 2 (now it needs to be translated); once it is translated, it needs to reach the destination known via the GRE tunnel.
    Configurations
    vrf NAT_IN
    address-family ipv4 unicast
    vrf BLUE
    address-family ipv4 unicast
    hw-module service cgn location 0/3/CPU0
    interface Bundle-Ether2
    description UPLINK TO METRO ETHERNET
    interface Bundle-Ether2.2 l2transport
    encapsulation dot1q 2
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet200/0/0/43
    description LINK TO METRO ETHERNET
    bundle id 2 mode active
    interface GigabitEthernet300/0/0/43
    description LINK TO METRO ETHERNET
    bundle id 2 mode active
    interface BVI2
    description METRO
    vrf BLUE
    ipv4 address 100.0.0.10/24
    interface tunnel-ip 101
    description GRE_TUNNEL
    vrf BLUE
    ipv4 address 1.1.1.1/32
    tunnel mode gre ipv4
    tunnel source interface bvi 2
    tunnel destination 200.0.0.1
    interface BVI 100
    vrf BLUE
    ipv4 address [GATEWAY_100] [MASK_100]
    interface BVI 200
    vrf BLUE
    ipv4 address [GATEWAY_200] [MASK_200]
    interface BVI 300
    vrf BLUE
    ipv4 address [GATEWAY_300] [MASK_300]
    interface ServiceApp1
    vrf NAT_IN
    ipv4 address 10.0.2.1 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceApp2
    vrf BLUE
    ipv4 address 10.0.2.2 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceInfra1
    ipv4 address 10.0.3.1 255.255.255.0
    service-location 0/3/CPU0
    router static
    address-family ipv4 unicast
    vrf NAT_IN
    address-family ipv4 unicast
    0.0.0.0/0 ServiceApp1
    10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>
    vrf BLUE
    address-family ipv4 unicast
    172.16.0.0/24 ServiceApp2
    router ospf METRO
    vrf BLUE
    router-id [ROUTER_ID]
    redistribute bgp 65500 metric 100
    area 0
    interface bvi 2
    router ospf BLUE
    vrf BLUE
    router-id [ROUTER ID]
    redistribute bgp 65500 metric 100
    area 10
    interface BVI100
    interface BVI200
    interface BVI200
    router bgp 65500
    address-family ipv4 unicast
    address-family vpnv4 unicast
    vrf BLUE
    rd 65500:2
    address-family ipv4 unicast
    redistribute static
    redistribute ospf BLUE
    neighbor 1.1.1.2
    remote-as 64512
    ebgp-multihop 5
    address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
    service cgn CGN
    service-location preferred-active 0/3/CPU0
    service-type nat44 nat44
    portlimit 20000
    inside-vrf NAT_IN
    map outside-vrf BLUE address-pool 172.16.0.0/24
    Thanks in advance,
    Renato

    Hi Somnath,
    Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc., I just want to use an ASR9000v module and have this ASR9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, a network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.
    1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?
    2) Can I use the same outside VRF?
    Here are the configurations.
    !! IOS XR Configuration 4.3.1
    vrf NAT_IN
    address-family ipv4 unicast
      import route-target
       65500:2
       65500:3
      export route-target
       65500:3
    vrf RED
    address-family ipv4 unicast
      import route-target
       65500:1
      export route-target
       65500:1
    vrf NAT_OUT
    address-family ipv4 unicast
      import route-target
       65500:4
      export route-target
       65500:4
    vrf SATELLITE
    vrf BLUE
    address-family ipv4 unicast
      import route-target
       65500:2
      export route-target
       65500:2
    hw-module service cgn location 0/3/CPU0
    ipv4 access-list ABF
    5 permit ospf any any
    10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2
    20 permit icmp any any
    interface Bundle-Ether3
    description Uplink (BE3 - VRF NAT_IN) - VLAN 20
    vrf NAT_IN
    ipv4 address 1.1.1.1 255.255.255.0
    ipv4 access-group ABF ingress
    interface Bundle-Ether22
    description LOOPBACK CABLE NAT_OUT
    vrf NAT_OUT
    ipv4 address 10.0.1.1 255.255.255.0
    interface Bundle-Ether23
    description LOOPBACK CABLE BLUE
    vrf BLUE
    ipv4 address 10.0.1.2 255.255.255.0
    interface 6
    description Uplink  (BE6 - Global) - VLAN 20,51,80-82
    interface 6.2
    ipv4 address 1.1.1.2 255.255.255.0
    encapsulation dot1q 2
    interface 6.51 l2transport
    description EFP - BE6 - VLAN 51
    encapsulation dot1q 51
    rewrite ingress tag pop 1 symmetric
    interface 6.80 l2transport
    description EFP - BE6 - VLAN 80
    encapsulation dot1q 80
    rewrite ingress tag pop 1 symmetric
    interface 6.81 l2transport
    description EFP - BE6 - VLAN 81
    encapsulation dot1q 81
    rewrite ingress tag pop 1 symmetric
    interface 6.82 l2transport
    description EFP - BE6 - VLAN 82
    encapsulation dot1q 82
    rewrite ingress tag pop 1 symmetric
    interface Bundle-Ether100
    description Bundle to Satellite 100
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 100
       remote-ports GigabitEthernet 0/0/0-43
    interface Bundle-Ether200
    description Bundle to Satellite 200
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 200
       remote-ports GigabitEthernet 0/0/0-43
    interface Bundle-Ether300
    description Bundle to Satellite 300
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 300
       remote-ports GigabitEthernet 0/0/0-35
    interface Loopback0
    description MGMT SATELLITE
    vrf SATELLITE
    ipv4 address 10.0.0.254 255.255.255.0
    interface tunnel-ip31101
    description BLUE-TUNNEL01
    vrf BLUE
    ipv4 address 10.200.253.90 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 13.13.13.13
    interface tunnel-ip31102
    description BLUE-TUNNEL02
    vrf BLUE
    ipv4 address 10.200.253.94 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 14.14.14.14
    interface tunnel-ip31103
    description RED-TUNNEL03
    vrf RED
    ipv4 address 10.200.253.90 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 13.13.13.13
    interface tunnel-ip31104
    description RED-TUNNEL04
    vrf RED
    ipv4 address 10.200.253.94 255.255.255.252
    tunnel mode gre ipv4
    tunnel source 6.2
    tunnel destination 14.14.14.14
    interface TenGigE0/0/0/0
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/0/0/1
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/0/0/2
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/0/0/3
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/0/0/4
    description LINK TO SATELLITE 300
    vrf SATELLITE
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    nv
      satellite-fabric-link satellite 300
       remote-ports GigabitEthernet 0/0/36-43
    interface TenGigE0/0/0/5
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/0/0/16
    description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
    bundle id 6 mode active
    interface TenGigE0/1/0/16
    description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82
    bundle id 6 mode active
    interface TenGigE0/0/0/17
    description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
    bundle id 3 mode active
    interface TenGigE0/1/0/17
    description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20
    bundle id 3 mode active
    interface TenGigE0/0/0/22
    description LOOPBACK CABLE TE0/1/0/22
    bundle id 22 mode on
    interface TenGigE0/0/0/23
    description LOOPBACK CABLE TE0/1/0/23
    bundle id 22 mode on
    interface TenGigE0/1/0/0
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/1/0/1
    description LINK TO SATELLITE 100
    bundle id 100 mode on
    interface TenGigE0/1/0/2
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/1/0/3
    description LINK TO SATELLITE 200
    bundle id 200 mode on
    interface TenGigE0/1/0/4
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/1/0/5
    description LINK TO SATELLITE 300
    bundle id 300 mode on
    interface TenGigE0/1/0/22
    description LOOPBACK CABLE TE0/0/0/22
    bundle id 23 mode on
    interface TenGigE0/1/0/23
    description LOOPBACK CABLE TE0/0/0/23
    bundle id 23 mode on
    interface BVI30
    vrf RED
    ipv4 address 10.200.25.193 255.255.255.192
    interface BVI31
    vrf BLUE
    ipv4 address 10.200.1.1 255.255.255.248
    interface BVI32
    vrf BLUE
    ipv4 address 10.200.25.129 255.255.255.224
    interface BVI33
    vrf BLUE
    ipv4 address 10.200.25.1 255.255.255.128
    interface BVI36
    vrf BLUE
    ipv4 address 10.200.237.145 255.255.255.240
    interface BVI51
    vrf RED
    ipv4 address 192.168.7.12 255.255.255.0
    interface BVI80
    vrf RED
    ipv4 address 10.200.26.169 255.255.255.224
    interface BVI81
    vrf BLUE
    ipv4 address 10.200.25.164 255.255.255.240
    interface BVI82
    vrf BLUE
    ipv4 address 10.200.25.180 255.255.255.240
    interface ServiceApp1
    description NAT_IN
    vrf NAT_IN
    ipv4 address 10.0.2.1 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceApp2
    description NAT_OUT
    vrf NAT_OUT
    ipv4 address 10.0.2.5 255.255.255.252
    service cgn CGN service-type nat44
    interface ServiceInfra1
    description ISM
    ipv4 address 10.0.3.1 255.255.255.0
    service-location 0/3/CPU0
    prefix-set PS_ROUTES
      10.200.0.8,
      10.200.5.40/29,
      10.200.1.0/29,
      10.200.5.32/29,
      10.200.0.144/28,
      10.200.106.0/28,
      10.200.106.16/28
    end-set
    prefix-set PS_BGP_BLUE_OUT
      10.200.24.192/26,
      10.200.5.40/29,
      10.200.240.0/25,
      10.200.1.0/29,
      10.200.25.128/27,
      10.200.25.0/25,
      10.200.5.32/29,
      10.200.26.0/25,
      10.200.0.144/28,
      10.200.27.128/27,
      10.200.27.0/25,
      10.200.106.0/28,
      10.200.106.128/25,
      10.200.106.16/28,
      10.200.107.128/25
    end-set
    route-policy RP_DENY_ALL
      drop
    end-policy
    route-policy RP_PASS_ALL
      pass
    end-policy
    route-policy RP_BGP_BLUE_OUT
      if destination in PS_BGP_BLUE_OUT then
        pass
      endif
    end-policy
    route-policy RP_PASS_ROUTES
      if destination in PS_ROUTES then
        pass
      endif
    end-policy
    router static
    address-family ipv4 unicast
      0.0.0.0/0 1.1.1.20
    vrf NAT_IN
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp1
    vrf RED
    vrf NAT_OUT
      address-family ipv4 unicast
       0.0.0.0/0 10.0.1.2
       10.200.24.192/26 ServiceApp2
    vrf BLUE
      address-family ipv4 unicast
       10.200.24.192/26 10.0.1.1
    router ospf
    log adjacency changes
    vrf NAT_IN
      router-id 1.1.1.1
      disable-dn-bit-check
      redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES
      area 7
       interface Bundle-Ether3
    router ospf RED
    log adjacency changes
    vrf RED
      router-id 10.200.26.169
      disable-dn-bit-check
      redistribute bgp 65500 metric 10 metric-type 2
      area 11
       interface BVI30
       interface BVI80
    router ospf BLUE
    log adjacency changes
    vrf BLUE
      router-id 10.200.25.164
      disable-dn-bit-check
      redistribute static
      redistribute bgp 65500 metric 10 metric-type 2
      area 0
       interface BVI81
       interface BVI82
      area 2
       interface BVI31
       interface BVI32
       interface BVI33
       interface BVI36
    router bgp 65500
    address-family ipv4 unicast
    address-family vpnv4 unicast
    vrf NAT_IN
      rd 65500:3
      bgp router-id 1.1.1.1
      address-family ipv4 unicast
       route-target download
    vrf RED
      rd 65500:1
      bgp router-id 10.200.253.90
      address-family ipv4 unicast
       network 10.200.25.192/26
       network 10.200.26.128/27
       network 10.200.26.192/27
       network 10.200.27.192/26
       network 10.200.104.128/27
       network 10.200.104.160/27
      neighbor 10.200.253.89
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31103
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_PASS_ALL out
        soft-reconfiguration inbound
      neighbor 10.200.253.93
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31104
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_PASS_ALL out
        soft-reconfiguration inbound
    vrf BLUE
      rd 65500:2
      bgp router-id 10.200.253.90
      address-family ipv4 unicast
       network 10.200.0.144/28
       network 10.200.1.0/29
       network 10.200.5.32/29
       network 10.200.5.40/29
       network 10.200.24.192/26
       network 10.200.25.0/25
       network 10.200.25.128/27
       network 10.200.26.0/25
       network 10.200.27.0/25
       network 10.200.27.128/27
       network 10.200.106.0/28
       network 10.200.106.16/28
       network 10.200.106.128/25
       network 10.200.107.128/25
       network 10.200.240.0/25
      neighbor 10.200.253.89
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31101
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_BGP_BLUE_OUT out
        soft-reconfiguration inbound
      neighbor 10.200.253.93
       remote-as 64512
       ebgp-multihop 5
       update-source tunnel-ip31102
       address-family ipv4 unicast
        route-policy RP_PASS_ALL in
        route-policy RP_BGP_BLUE_OUT out
        soft-reconfiguration inbound
    l2vpn
    load-balancing flow src-dst-ip
    bridge group VLAN30
      bridge-domain VLAN30
       routed interface BVI30
    bridge group VLAN31
      bridge-domain VLAN31
       routed interface BVI31
    bridge group VLAN32
      bridge-domain VLAN32
       routed interface BVI32
    bridge group VLAN33
      bridge-domain VLAN33
       routed interface BVI33
    bridge group VLAN36
      bridge-domain VLAN36
       routed interface BVI36
    bridge group VLAN51
      bridge-domain VLAN51
       routed interface BVI51
    bridge group VLAN80
      bridge-domain VLAN80
       interface 6.80
       routed interface BVI80
    bridge group VLAN81
      bridge-domain VLAN81
       interface 6.81
       routed interface BVI81
    bridge group VLAN82
      bridge-domain VLAN82
       interface 6.82
       routed interface BVI82
    nv
    satellite 100
      type asr9000v
      ipv4 address 10.0.0.1
    satellite 200
      type asr9000v
      ipv4 address 10.0.0.2
    satellite 300
      type asr9000v
      ipv4 address 10.0.0.3
    service cgn CGN
    service-location preferred-active 0/3/CPU0
    service-type nat44 nat44
      portlimit 20000
      inside-vrf NAT_IN
       map outside-vrf NAT_OUT address-pool 10.200.24.192/26
    Thanks in advance,
    Renato
