SRW2048 - Restrict LAN Traffic

Hi All,
I have a situation that I'm struggling with.
We're setting up serviced offices for one of our clients. Their requirements are different from anything that we've set up before and I've hit a roadblock here and was wondering if someone could give me some advice.
Setup: 
The setup is for 24 serviced offices where clients rent an office (long-term or temporary) and the company provides internet access, printing, scanning, receptionist etc. We have installed an IBM Server running SBS 2008 which provides Exchange to the Reception PCs and Company PCs as well as DNS and DHCP to the Client PCs. So far no problems.
The switch is a Linksys SRW2048 and the router is a Cisco 857W, and they are connected via ADSL.
Here comes the problem: they do not want the Client PCs to see each other, only the Server, Printer and Internet (optionally the Reception PC).
What I have tried so far: 
1. Set up VLANs on the switch, which failed miserably because the Cisco 857W router does not support additional VLANs.
2. Set up IP-based ACLs in the switch which allow traffic to the Server (192.168.0.10), Printer (192.168.0.9), Switch (192.168.0.254) and Router (192.168.0.1) but block access to the 100 addresses in the DHCP pool (192.168.0.100 - 192.168.0.200).
This worked great right up to the point where I enable the rule and the internet stops working.
If I try to open Google, it works perfectly.
If I enable the rule on a client port (bottom row) I cannot see Google (gets the IP from DNS but cannot ping, telnet etc.).
I disable the rule, Google starts working again.
I add Google's IP address to the allow list, re-enable the rule, works fine.
I'm trying to avoid adding every IP address known to man into the allow list.
The problem here is beyond my understanding. I haven't told it to block everything, just a specific range of IPs, but it seems to automatically block every IP except the ones I have allowed.
I also tried allowing port 80 but it doesn't seem to allow the adding of ports (greyed out).
3. Tried setting up individual subnets, but then I cannot see the Printer.
So now I'm well and truly stuck. Could any of you guys either give me another idea or tell me if I'm doing something wrong or advise if I need additional equipment to achieve this.
Many Thanks in advance.
Ryan 
Message Edited by TechsOnsite on 03-10-2009 03:00 AM

Re 1. If the Cisco does not support (enough) VLANs you have to use a single LAN subnet.
Re 2. For ACLs there is always an implicit "deny all all" rule at the end. Any traffic which does not match any ACL rule will be dropped. Evaluation starts with the first rule and continues until one matches. The matching rule is executed and evaluation stops there. If no rule matches the implicit drop all is effective and drops all your traffic. In other words: you have to add a rule at the end to allow all traffic. The general outline should be something like this:
R1 allow traffic to server, printer, and router. The switch IP address would not be necessary except for the port from which you want to manage the switch.
R2 allow traffic to the broadcast address 255.255.255.255. Otherwise a device on that network won't get an IP address through DHCP.
R3 block traffic to 192.168.0.0/255.255.255.0. This blocks all traffic to your LAN subnet except the traffic which matches R1 before.
R4 allow traffic to 0.0.0.0/0.0.0.0 (or any IP address depending on what you can configure exactly on your switch). This allows all traffic except the one handled by R1,R2,R3.
Re 3. Don't use different subnets in a single LAN. It won't be a secure separation.
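To make the first-match and implicit-deny behaviour from the reply concrete, here is an added example (not from the thread or any vendor) that models a destination-based IP ACL in Python and replays both the step-2 rule set from the question and the R1-R4 outline from the reply against constructed sample destinations; 203.0.113.5 is a documentation address standing in for any Internet host.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL entry; it matches when the destination is in any of its prefixes."""
    name: str
    action: str                        # "allow" or "deny"
    prefixes: Tuple[IPv4Network, ...]


def rule(name: str, action: str, *cidrs: str) -> Rule:
    return Rule(name, action, tuple(IPv4Network(c) for c in cidrs))


def range_rule(name: str, action: str, first: str, last: str) -> Rule:
    """A rule for an address range such as a DHCP pool. ACL entries match
    prefixes, so the range is summarised into the CIDR blocks that cover it."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return Rule(name, action, tuple(nets))


def evaluate(rules: Iterable[Rule], dst: str) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose prefix contains the
    destination decides, and a packet that matches nothing hits the implicit
    deny at the end of the list. Returns (action, name of the deciding rule)."""
    ip = IPv4Address(dst)
    for r in rules:
        if any(ip in p for p in r.prefixes):
            return r.action, r.name
    return "deny", "implicit deny"


def lan_hosts_reachable(rules: Iterable[Rule], lan: str = "192.168.0.0/24") -> List[str]:
    """Every LAN address a tenant port can still reach under these rules; a
    quick way to confirm only the intended hosts are exposed."""
    rules = list(rules)
    hosts = [h for h in IPv4Network(lan).hosts() if evaluate(rules, str(h))[0] == "allow"]
    return [str(h) for h in sorted(hosts)]


# Step 2 from the question: allow four hosts, deny the DHCP pool, and nothing else.
ORIGINAL = [
    rule("allow-server", "allow", "192.168.0.10/32"),
    rule("allow-printer", "allow", "192.168.0.9/32"),
    rule("allow-switch", "allow", "192.168.0.254/32"),
    rule("allow-router", "allow", "192.168.0.1/32"),
    range_rule("deny-dhcp-pool", "deny", "192.168.0.100", "192.168.0.200"),
]

# The R1-R4 outline from the reply (switch address left out, as the reply suggests).
SUGGESTED = [
    rule("R1", "allow", "192.168.0.10/32", "192.168.0.9/32", "192.168.0.1/32"),
    rule("R2", "allow", "255.255.255.255/32"),
    rule("R3", "deny", "192.168.0.0/24"),
    rule("R4", "allow", "0.0.0.0/0"),
]

# Constructed sample destinations; 203.0.113.5 is a documentation address standing
# in for any Internet host, not a real site.
SAMPLES = {
    "another tenant PC": "192.168.0.150",
    "server": "192.168.0.10",
    "DHCP broadcast": "255.255.255.255",
    "Internet host": "203.0.113.5",
}


def report(rules: Iterable[Rule]) -> dict:
    rules = list(rules)
    return {label: evaluate(rules, ip) for label, ip in SAMPLES.items()}


if __name__ == "__main__":
    for title, acl in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{title}:")
        for label, (action, by) in report(acl).items():
            print(f"  {label:18} -> {action:5} ({by})")
        print(f"  LAN hosts reachable: {lan_hosts_reachable(acl)}")
    # Order matters: putting the subnet deny ahead of R1 cuts off the server too.
    misordered = [SUGGESTED[2], SUGGESTED[0], SUGGESTED[1], SUGGESTED[3]]
    print("misordered, server:", evaluate(misordered, "192.168.0.10"))
```

Under the original rule set the Internet host is dropped by the implicit deny, which is exactly the symptom in the question; under R1-R4 it reaches R4 and is allowed while the other tenant PC is stopped by R3.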

Similar Messages

  • Cisco RV042 Firewall Blocking LAN Traffic

    Hello Everyone,
    I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple of servers running ESXi.  Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be the culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting).
    Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption that allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.
    Priority | Action | Service         | Source Interface | Source                    | Destination               | Time
    123      | Allow  | All Traffic [1] | LAN              | 10.10.21.1 ~ 10.10.21.31  | 10.10.10.10 ~ 10.10.10.10 | Always
    123      | Allow  | All Traffic [1] | LAN              | 10.10.10.10 ~ 10.10.10.10 | 10.10.21.1 ~ 10.10.21.31  | Always
    123      | Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always
             | Allow  | All Traffic [1] | LAN              | Any                       | Any                       | Always
             | Deny   | All Traffic [1] | WAN1             | Any                       | Any                       | Always
             | Deny   | All Traffic [1] | WAN2             | Any                       | Any                       | Always

    I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 
    Below is a scrubbed copy of my switch configuration. 
    config-file-header
    SWITCH01
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode router
    vlan database
    vlan 2
    exit
    no bonjour enable
    hostname SWITCH01
    no logging console
    ip ssh server
    ip ssh password-auth
    clock timezone CEST +1
    interface vlan 1
    ip address 10.10.10.2 255.255.255.0
    no ip address dhcp
    interface vlan 2
    name VIRTUAL-MANAGEMENT
    ip address 10.10.21.1 255.255.255.224
    interface gigabitethernet1
    description ESXI01:VMNIC0:MGMT
    switchport trunk allowed vlan add 2
    interface gigabitethernet20
    description UPLINK
    exit
    ip route 0.0.0.0 /0 10.10.10.1 metric 15
    The routes I have defined are:
    Destination IP | Subnet Mask     | Default Gateway | Hop Count | Interface
    10.10.21.0     | 255.255.255.224 | 10.10.10.2      | 1         | eth0
    10.10.10.0     | 255.255.255.0   |                 | 0         | eth0
                   | 255.255.252.0   |                 | 0         | eth1
    239.0.0.0      | 255.0.0.0       |                 | 0         | eth0
    default        | 0.0.0.0         |                 | 40        | eth1
    Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

  • Restricting Coherence traffic to a single NIC in a box with 2 NICs

    Hi All,
    I have a new question, or rather a request for confirmation / correction.
    Am I right, that for restricting Coherence traffic to a dedicated network card and segment, I need to do the following things:
    1. Set up a route entry in the routing table directing the multicast address to the particular network interface, e.g. (syntax might not be correct; assume 225.1.1.1 to be the cluster address and eth1 the dedicated network interface):
    route add 225.1.1.1/32 eth1
    2. Set tangosol.coherence.localhost to the IP address of eth1 within the same machine (different setting on each box).
    Do I need to do anything else?
    Thanks and best regards,
    Robert

    Hi Cameron,
    It seems we needed to add the route for the multicast IP on Linux to be directed to the Gigabit network interface, after all. Without that, the cluster heartbeat was noticed, but the Linux box was not able to join the cluster of HP-UX boxes.
    We are also receiving this warning, but I don't think it has anything to do with the connection problem:
    2006-11-13 12:38:02.154 Tangosol Coherence 3.2/357 (Pre-release) <Warning> (thread=main, member=n/a): UnicastUdpSocket failed to set receive buffer size to 1428 packets (2096304 bytes); actual size is 89 packets (131071 bytes). Consult your OS documentation regarding increasing the maximum socket buffer size. Proceeding with the actual value may cause sub-optimal performance.
    Best regards,
    Robert

  • Port forwarding and LAN traffic suddenly stopped working

    My WRT54G was chugging along happily for many months, and suddenly all port forwarding and local LAN traffic stopped flowing. All PCs behind the router on the LAN side can get to all WAN sites just fine, but they cannot ping one another. All of them can ping the router (192.168.1.1) just fine.
    Any ideas?
    Thanks,
    Curtis

    I solved this.  Turned out to not be the router at all, but the accidental enablement of the "Stateful Firewall" within my Cisco VPN client.  Once this option is turned on, the machine gets isolated from the LAN, even when the VPN client isn't visibly running.

  • ISCSI & Server LAN Traffic in Same Trunk Port

    Hi,
    I plan to use a Cisco UCS rack-mountable C200 server with a dual-port PCIe card with TOE iSCSI. Is it acceptable:
    To use just one dual-port PCIe card for both iSCSI storage traffic and server LAN traffic, separated by VLANs, with the ports connected to two upstream switches (for redundancy) and the switch ports configured as trunks for both iSCSI and data VLANs?
    To use 1GE TOE iSCSI ports instead of 10GE TOE iSCSI ports?
    To use a TOE iSCSI port for server data VLAN traffic?

    Yes, doable. Also you can mark iSCSI with CoS 2 and 9000 MTU with a certain bandwidth guarantee for your iSCSI traffic, and the rest stays in the default queue.
    ! classify: frames tagged CoS 2 are iSCSI, everything else is default
    class-map type qos iSCSI-qos-class
         match cos 2
    policy-map type qos iSCSI-qos-policy
         class iSCSI-qos-class
              set qos-group 2
         class class-default
              set qos-group 0
    ! queuing: reserve 30 percent of egress bandwidth for iSCSI
    class-map type queuing iSCSI-queuing-class
         match qos-group 2
    policy-map type queuing iSCSI-queuing-policy
         class type queuing iSCSI-queuing-class
              bandwidth percent 30
         class type queuing class-default
              bandwidth percent 70
    ! network-qos: jumbo MTU for iSCSI only; the default class keeps 1500
    class-map type network-qos iSCSI-network-class
         match qos-group 2
    policy-map type network-qos iSCSI-network-policy
         class type network-qos iSCSI-network-class
              mtu 9216
         class type network-qos class-default
              mtu 1500
    system qos
         service-policy type qos input iSCSI-qos-policy
         service-policy type queuing output iSCSI-queuing-policy
         service-policy type network-qos iSCSI-network-policy

  • Put a throttle on lan traffic

    Cisco 2651XM router
    I'm looking for a sample config or help which would enable me to restrict the speed of traffic of a particular PC on the lan connected to my router.
    My LAN comprises several PCs on 172.16.1.xx, which connect to f0/0, and internet access for the whole LAN is via a WIC-ADSL card in the router. I did a bit of reading on Google about this but found it confusing. I understand I have to set up an access list but as a beginner I'm not sure where to start. I use SDM too but that only seems to cater for traffic going out of the router (unless I'm mistaken). What I'd ideally like to do is be able to pick one machine on the LAN (e.g. PC 172.16.1.15) and restrict the speed of all traffic to and from it to say 50 Kb/sec. Is that possible? Thanks for any pointers.

    ok thanks, I know about the ? for getting help with commands and I did try this before my last reply but I'm still stuck at this step.
    router(config-cmap)#match access TrafficToBeControlled
    ^
    % Invalid input detected at '^' marker.
    router(config-cmap)#match access-group TrafficToBeControlled
    ^
    % Invalid input detected at '^' marker.
    router(config-cmap)#match ?
    access-group Access group
    any Any packets
    class-map Class map
    cos IEEE 802.1Q/ISL class of service/user priority values
    destination-address Destination address
    discard-class Discard behavior identifier
    dscp Match DSCP in IP(v4) and IPv6 packets
    flow Flow based QoS parameters
    fr-de Match on Frame-relay DE bit
    fr-dlci Match on fr-dlci
    input-interface Select an input interface to match
    ip IP specific values
    mpls Multi Protocol Label Switching specific values
    not Negate this match result
    packet Layer 3 Packet length
    precedence Match Precedence in IP(v4) and IPv6 packets
    protocol Protocol
    qos-group Qos-group
    source-address Source address
    vlan VLANs to match
    (I don't know which sub menu I should select)
    router(config-cmap)#match access ?
    <1-2699> Access list index
    name Named Access List
    (again, the name doesn't work and I don't know if I should select a number)
    router(config-cmap)#match access-group ?
    <1-2699> Access list index
    name Named Access List
    tia if you have any further thoughts...

  • [SOLVED] How to forward lan traffic from router to openvpn client....

    Hi all,
    I have maybe a strange situation. I recently started testing a VPN service on my home network. Ideally I would like most of my home machines to connect through this VPN. I am using it for both privacy and to circumvent geo-restricted sites. I have a router, Asus WL-500gp which is running the Tomato Firmware, and I did first attempt to setup OpenVPN on it which did work but didn't provide very much bandwidth due to probably not having enough processing power to deal with the encryption and the compression involved. I was only able to get about 5Mbit down when normally I get approx 30+ so this was not an acceptable performance hit.
    I then decided to try setting up the VPN on my media server which is running Arch (of course). This was easily accomplished and is working extremely well with approx 25 Mbps down. An acceptable performance hit. Now, as it stands only this machine is running through the VPN; the rest of the machines are still connecting to the net normally through the router. Is there a way to have other devices on my LAN also get forwarded through the VPN on my Arch server? I do realize I could run my server as a router but I would rather leave the Tomato router for that as it works well and is easy to set up, whereas I suspect it may be complicated to set up on Arch. Is it possible to configure the Tomato to forward certain IPs (my wired network is all static IPs) or even MACs to the media server rather than the ISP? I suspect it can be done with some new routes added in but I am not that familiar with routing tables to figure it out.
    So for example my tomato router is on ip 192.168.1.1, media server is on 192.168.1.2, xbmc 1 is on 192.168.1.3, xbmc 2 is on 192.168.1.4 etc. So say I would also like to have xbmc 1 and 2 go through the VPN as well. Is there a relatively simple way to accomplish this? I am thinking something along the lines of having the tomato forward request from IP 192.168.1.3-192.168.1.4 to 192.168.1.2(rather than the default gateway), then on the server tell it to forward these request to tun0(the VPN's network device).
    Any thoughts? Anyone done something like this?
    Thanks,
    Kevin
    Last edited by ould (2012-12-26 13:29:59)

    Xyne wrote:
    My first thought was to just set the server up as a router, but then I got to the part where you reject the idea. If you change your mind, you may find my recent notes on configuring something similar useful.
    I'm pretty much a networking noob so I may be way off, but I would try the following. Here I'm assuming that the lan and vpn interfaces on the server are eth0 and tun0, respectively. These commands are adapted from the aforementioned notes.
    On the server:
    # Enable IP forwarding.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    # Enable forwarding from the LAN to the VPN (and back via related and established connections).
    # Again, you may want to use "-s".
    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    After that, I think you just need to set the server as the default gateway on the other machines. I am not familiar with the Tomato firmware, but I would expect there to be some easy way to do it there.
    You probably want the router to return the VPN's DNS servers instead of your ISP's DNS servers if you use DHCP on the LAN.
    Thank you very much! It has been useful for me when I wanted to connect my VBox machines to do my lab :)

  • Core Sync kills LAN traffic on Mac

    Hi,
    Why does the Core Sync process for one Mac generate a lot of traffic, killing navigation on the whole LAN?
    If I stop the process, I get a 27 ms ping response time; if I restart the "Core Sync" process, the time increases to 2200 ms - 3000 ms and the entire LAN's users come to me a bit angry.
    Note that all files in my Creative Cloud folder are already synchronized; fonts and apps are also updated.
    P.S. Working on iMac OS X 9.0.2, Adobe Creative Cloud 1.5.0.3.367.
    thank you. Luca.

    Moving this discussion to the File and Font Sync Early access forum.
    Aculine, I would recommend contacting our support team.  For the best assistance, I recommend our chat support at http://adobe.ly/yxj0t6.  Our chat representatives can provide a personalized experience to resolve the issues you have described.
    If you could also have your CoreSync logs available it would be beneficial.  They are located at ~/Library/Application Support/Adobe/CoreSync/CoreSync-yyyy-mm-dd.log for Mac OS.
    If you have Windows users experiencing the same difficulty then the CoreSync logs can be found at %USERPROFILE%\AppData\Roaming\Adobe\CoreSync\CoreSync-yyyy-MM-dd.log.

  • Securing LAN traffic

    Hi,
    On a remote branch I have a router which is connected via the internet to the data center over a DMVPN cloud. The LAN side of this branch is connected to multiple switches which are spread over different buildings, connected through fiber to the main router. Most of these LAN devices are 2960 and 3560 switches. I have a requirement to encrypt traffic between the router and the LAN switches.  (While I have only one internet port/public IP on the remote branch router, I am assuming DMVPN will not be able to map one public IP to multiple LAN routers/subnets?)
    What would be the best solution;
    1- With current devices.
    2- In case we upgrade remote LAN devices to routers etc.
    Thanks

    Hey curtis03,
    This is a pretty open question so I'll try to go with just recommending what we use. We've run Compuware NetworkVantage for a few years and love it. It works as a probe and can be wired off a monitoring port on a switch. It will summarize all data sent and received into reports you can customize. We found this valuable when assessing whether a bandwidth increase was required. You can find info on it at:
    http://www.compuware.com/products/vantage/networkvantage.htm
    If you're looking for an open-source solution, look into the use of NetFlow capturers/parsers. There's a variety of free ones that will get the job done if you're on a tight/non-existent budget. Anything else I can help with, let me know.
    -Mike
    http://cs-mars.blogspot.com

  • Dual wan failover config: failback does not always work as expected for existing LAN traffic flows

    I have an 881 router configured with 2 dhcp WAN connections.  I am trying to configure failure detection of the primary connection (I do not really care about the secondary at this time).
    I have an ip sla/track configured to monitor the primary WAN connection, and if it stops passing traffic it removes that route, passing all traffic out the second WAN connection.  When the first connection is restored it should restore the route and everything should pass through the first connection again.  This works for all my tests except one.  If I start a ping stream from a client "ping 8.8.8.8 -t" and disconnect the primary connection it will lose a few packets but then use the secondary connection in about 15 seconds.  After restoring the primary connection all new traffic will use the primary connection, but the ping stream will then stop working (fails over, but not back).  If I stop the ping stream for a time (not sure how long is required, but my test was over a minute) it will then use the primary connection like all other new traffic.  A stop of a few seconds is not enough, and even opening up a second command prompt to ping the same target also does not work (pinging new targets works as desired).  It is as if something is caching the route/session/whatever and it has to have a window of no traffic before expiring/relearning the route.  This means any sustained traffic to the original target will not work until it is stopped for a certain time to let "something" age out.
    I need to know if there is a way to "flush the cache" (or whatever) during fail-back to force the primary route to be used after fail-back, or something else that will have the same effect.  My suspicion is that the second route gets "preferred" because the first is removed by the SLA, and when the SLA returns the route to the list the existing traffic flow is not aware of the route list change, using the last known good route (which now does not pass traffic).  The issue here is that it takes a length of time for the now bad route to get flushed, which is greater than I want to have.
    config (edited):
    interface FastEthernet3
     description Backup ISP
     switchport access vlan 800
     no ip address
    interface FastEthernet4
     description Primary ISP
     ip dhcp client route track 100
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto ipsec client ezvpn EZVPN-to-1941
    interface Vlan800
     description Backup ISP
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
    track 100 list boolean or
     object 101
     object 102
    track 101 ip sla 10 reachability
    track 102 ip sla 20 reachability
    ip sla 10
     icmp-echo 4.2.2.2 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 10 life forever start-time now
    ip sla 20
     icmp-echo 208.67.222.222 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 20 life forever start-time now
    ip route 4.2.2.2 255.255.255.255 FastEthernet4 permanent
    ip route 10.1.2.0 255.255.255.0 <1941 wan ip removed>
    ip route <1941 wan ip removed> 255.255.255.255 FastEthernet4 permanent
    ip route 208.67.222.222 255.255.255.255 FastEthernet4 permanent
    ip route 0.0.0.0 0.0.0.0 Vlan800 dhcp 254
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
    Observation: the last 2 routes appear in the order shown above.  Even though the vlan800 route has a higher administrative cost it is in front of the FA4 route, could this be contributing to the issue?  Is there a way to ensure the FA4 route is always listed before vlan800 at all times?

  • Separate Internet and Lan traffic

    Hi Experts,
    I need your help.
    We have two branch offices, and we are using a private MPLS network to connect branch offices and headquarter office, and each office has a Cisco ASA 5512-x installed, and has its own internet access. We also use VoIP. 
    My question is:
    For all internet requests on each office, they should go through their own internet access, and data/VoIP traffic must go through MPLS. How can I configure the Cisco ASA to do that?
    Thanks a lot for your help.
    Kevin

    You can't have multiple default routes pointing to different next hops, otherwise the ASA won't know where to send the right traffic to.
    Your default route should point to the ISP router.
    You then need a route or routes pointing to the MPLS router for the remote networks, i.e. your other sites.
    If you have multiple internal networks behind the ASA inside interface you also need routes for those.
    If you want to use the internet as backup then it depends on what you are trying to protect against, i.e.
    if you are simply trying to use the backup if the local MPLS router or its connection fails then you can use a static route (or routes) on the ASA and track them.
    If you want to use the VPN if a remote site fails, i.e. to get to that site, then it would be much better if you used a dynamic routing protocol over your MPLS network and had the ASA receive these routes; then if the remote site fails you no longer receive those routes and the default route via the ISP is used, i.e. the VPN.
    Really depends on what you are trying to do.
    Jon

  • Block internet traffic but allow LAN traffic

    Hi,
    I have a WAP54G. Is it possible to set it so that when someone accesses the device, they can only access my local network (no internet access)?
    Thanks,
    JT

    There are a few ways to do this.
    In your router, you can block a computer's Internet access by MAC address or by LAN IP address.  I would suggest blocking by MAC address.
    Obtain the MAC address of the offending computer.  Then enter your router and go to the "Security" tab, "Filter" subtab.  Click on "Edit MAC filter setting"  and enter the MAC address of the offending computer.  Click on "Apply".  You might also need to return to the "Security-Filter" page and click on "Save settings".  Reboot the router.
    Alternatively, you could block by LAN IP address, but this might interfere with the computer's ability to access other wireless systems, at home or while traveling.  If you do this, you would need to go into the offending computer, and assign it a fixed LAN IP address.  Then enter the router (same page as above), and in "Filter IP address range" just enter his IP address, for example  192.168.1.12  (or whatever fixed LAN IP address you gave him).  Then click on "Save settings".
    Note that if he is computer savvy, it may not take him long to figure out how to bypass these roadblocks.  IP addresses can be easily changed.  MAC addresses can be faked.
    The problem that you are having is similar to the "my teen is running wild on the Internet" problem.  Many parents have found that router settings only work to control young children, who don't know much about computers.  Older kids are better controlled using software products installed on the offending computer  (I assume you own his work computer.)    There are several parental control products on the market.  I am not personally familiar with them, but when I did a search, "Safe Eyes" and "ContentWatch ContentProtect" were rated well.  These programs can be used to limit the web sites visited, or stop Internet access entirely, or on a schedule. 

  • 1921 and EHWIC-4G-LTE-V Failures On Connecting LAN

    I am running into an issue regarding usage of a 1921 (15.3(2)T) and EHWIC-4G-LTE-V (firmware SWI9600M_03.05.10.06).
    With the EHWIC installed in the router, I am able to establish a data connection on the Verizon LTE network. RSSI approx -64 consistently.
    However, the oddities begin when I connect the LAN (or a laptop, for troubleshooting purposes) to the internal interface (Gig 0/1).
    Output when no other devices connected to the router
    ===============================================
    arch-eng-router1#ping 4.2.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/80/224 ms
    Profile Information
    ====================
    Profile 1 = ACTIVE*
    PDP Type = IPv4
    PDP address = 10.172.240.7
    Access Point Name (APN) = VZWINTERNET
    Authentication = None
    Username:
    Password:
            Primary DNS address = 198.224.169.135
            Secondary DNS address = 198.224.170.135
    * - Default profile
    Output when another device is connected to the router
    ================================================
    [Note: 'debug dialer' and 'debug chat' enabled for output]
    *Jul 10 03:34:04.643: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
    *Jul 10 03:34:05.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
    *Jul 10 03:34:09.779: %LINK-5-CHANGED: Interface Cellular0/0/0, changed state to reset
    *Jul 10 03:34:09.779: Ce0/0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
    *Jul 10 03:34:09.779: %DIALER-6-UNBIND: Interface Ce0/0/0 unbound from profile Di1
    *Jul 10 03:34:09.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:10.207: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:10.207: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:10.211: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:10.211: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:10.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to down
    *Jul 10 03:34:10.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:11.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:11.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:11.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:11.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:12.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:12.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:12.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:12.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:13.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:14.207: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:14.211: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:14.211: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:14.211: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:14.779: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to down
    *Jul 10 03:34:14.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:15.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:16.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:16.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:16.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:17.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:17.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:17.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:18.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.551: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:19.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:20.771: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:20.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:21.775: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:21.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:22.775: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:22.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:23.783: Di1 DDR: No free dialer - starting fast idle timer
    *Jul 10 03:34:23.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:23.795: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:23.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:23.799: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:24.775: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:24.775: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:24.779: Ce0/0/0 DDR: re-enable timeout
    *Jul 10 03:34:24.783: Ce0/0/0 DDR: rotor dialout [best] least recent failure is also most recent failure
    *Jul 10 03:34:24.783: Ce0/0/0 DDR: rotor dialout [best] also has most recent failure
    *Jul 10 03:34:24.783: Ce0/0/0 DDR: rotor dialout [best]
    *Jul 10 03:34:24.783: Di1 DDR: Nailing up the Dialer profile [attempt 16]
    *Jul 10 03:34:24.783: Di1 DDR: Dialer dialing - persistent dialer profile
    *Jul 10 03:34:24.783: Ce0/0/0 DDR: Dialing cause Persistent Dialer Profile
    *Jul 10 03:34:24.783: Ce0/0/0 DDR: Attempting to dial lte
    *Jul 10 03:34:24.783: CHAT0/0/0: Attempting async line dialer script
    *Jul 10 03:34:24.783: CHAT0/0/0: Dialing using Modem script: lte & System script: none
    *Jul 10 03:34:24.783: CHAT0/0/0: process started
    *Jul 10 03:34:24.783: CHAT0/0/0: Asserting DTR
    *Jul 10 03:34:24.783: CHAT0/0/0: Chat script lte started
    *Jul 10 03:34:24.783: CHAT0/0/0: Sending string: AT!CALL1
    *Jul 10 03:34:24.783: CHAT0/0/0: Expecting string: OK
    *Jul 10 03:34:25.571: CHAT0/0/0: Completed match for expect: OK
    *Jul 10 03:34:25.571: CHAT0/0/0: Chat script lte finished, status = Success
    *Jul 10 03:34:26.583: Ce0/0/0 DDR: disconnecting call
    *Jul 10 03:34:28.775: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:28.775: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:33.999: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:34.999: Di1: No free dialer - starting fast idle timer
    *Jul 10 03:34:37.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
    *Jul 10 03:34:38.643: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
    *Jul 10 03:34:41.583: Ce0/0/0 DDR: re-enable timeout
    *Jul 10 03:34:42.583: Ce0/0/0 DDR: rotor dialout [best] least recent failure is also most recent failure
    *Jul 10 03:34:42.583: Ce0/0/0 DDR: rotor dialout [best] also has most recent failure
    *Jul 10 03:34:42.583: Ce0/0/0 DDR: rotor dialout [best]
    *Jul 10 03:34:42.583: Di1 DDR: Nailing up the Dialer profile [attempt 17]
    *Jul 10 03:34:42.583: Di1 DDR: Dialer dialing - persistent dialer profile
    *Jul 10 03:34:42.583: Ce0/0/0 DDR: Dialing cause Persistent Dialer Profile
    *Jul 10 03:34:42.583: Ce0/0/0 DDR: Attempting to dial lte
    *Jul 10 03:34:42.583: CHAT0/0/0: Attempting async line dialer script
    *Jul 10 03:34:42.583: CHAT0/0/0: Dialing using Modem script: lte & System script: none
    *Jul 10 03:34:42.583: CHAT0/0/0: process started
    *Jul 10 03:34:42.583: CHAT0/0/0: Asserting DTR
    *Jul 10 03:34:42.583: CHAT0/0/0: Chat script lte started
    *Jul 10 03:34:42.583: CHAT0/0/0: Sending string: AT!CALL1
    *Jul 10 03:34:42.583: CHAT0/0/0: Expecting string: OK
    *Jul 10 03:34:43.671: CHAT0/0/0: Completed match for expect: OK
    *Jul 10 03:34:43.671: CHAT0/0/0: Chat script lte finished, status = Success
    *Jul 10 03:34:45.671: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
    *Jul 10 03:34:45.671: Ce0/0/0 DDR: Dialer statechange to up
    *Jul 10 03:34:45.671: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di1
    *Jul 10 03:34:45.671: Ce0/0/0 DDR: Dialer call has been placed
    *Jul 10 03:34:45.671: Ce0/0/0 DDR: dialer protocol up
    *Jul 10 03:34:45.671: Di1 DDR: Persistent Dialer Profile nailed up successfully
    *Jul 10 03:34:46.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
    Profile Information
    ====================
    Profile 1 = INACTIVE*
    PDP Type = IPv4
    Access Point Name (APN) = VZWINTERNET
    Authentication = None
    Username:
    Password:
    * - Default profile
    arch-eng-router1#ping 4.2.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Ultimately... once the Ethernet cable is attached, the Cellular 0/0/0 interface resets, attempts to connect, connects, resets, etc... Once the Ethernet cable is disconnected, the Cellular 0/0/0 interface successfully reconnects.
    I am not really sure how to further troubleshoot this and was hoping someone in the community would have some additional thoughts on how to proceed.
    Thanks so much for your time!

    I have recently dealt with a similar issue and it was due to NAT not being configured correctly, causing the cell card to flop.  You really have to NAT all inside traffic regardless of whether it is allowed out or not, otherwise Verizon detects it as invalid traffic and drops your cell connection.  The blocking of outside traffic to the outside interface should be handled as an "in" ACL on the LAN interface.  See some of my config below with some other lines of code I found helpful; tailor to your needs.  Let me know how it goes.
    ip access-list extended NAT_Traffic
    !This is denying any VPN traffic that is outbound on the external interface.  If this traffic is allowed it will flop the cell interface.
     deny   ip any 10.254.254.0 0.0.0.15
    !You can modify this to only be the LAN subnets you are actually using but try "any any" just to test.
     permit ip any any
    ip access-list extended Limited_Internet
    !This allows my LAN to communicate with my 10.x.x.x VPN subnets.
     permit ip 169.254.0.0 0.0.255.255 10.254.254.0 0.0.0.15
    !This allows the one IP address to access the internet and denies all other LAN traffic.
     permit ip host 169.254.231.201 any
     deny   ip 169.254.0.0 0.0.255.255 any
    !Restrict all traffic except listed below for the cell port.
    ip access-list extended Secure_Access_In
    !I specify the static IP used but you will have to adapt this for a dynamic IP.
     permit tcp any host A.B.C.D eq 22
    !Configure NAT
    ip nat inside source list NAT_Traffic interface Cellular0 overload
    !Apply ACLs to interfaces
    interface Vlan1
    !Restricts internet to a limited set of IPs and allows VPN traffic to flow.
     ip access-group Limited_Internet in
    interface Cellular0
     ip access-group Secure_Access_In in
    !To allow internet access out from LAN hosts if you have an ACL blocking traffic in on the Cell interface.  Always a good idea.
    !What to inspect for context based access control.
    ip inspect name INSPECT-IN-OUT tcp
    ip inspect name INSPECT-IN-OUT udp
    ip inspect name INSPECT-IN-OUT icmp
    !Where to apply the outgoing CBAC inspection
    interface Cellular0
     ip inspect INSPECT-IN-OUT out
    Hopefully you haven't pulled too much hair out and this helps to fix it.

  • Bandwidth Restriction

    Hi,
    I have got a Cisco 1700 series internet router. My FastEthernet has got 1 public IP address, e.g. 10.10.10.1, connected to the LAN, and S0/0 has got a public IP address, e.g. 1.1.1.1, which is connected to the ISP (1 Mbps leased line). I have been using a few public IP addresses on my LAN for FTP, web server, mail server etc. Now, is there any option in the router where I can restrict only 128 Kbps for my FTP server alone? The FTP server IP is 10.10.10.2. Since FTP alone is occupying almost the entire bandwidth, users on my LAN trying to access the internet are becoming very, very slow.

    Hello,
    unfortunately the config above will not work, because it does not describe FTP traffic properly.
    TCP port 21 is only the control session, whereas the data transfer with active FTP is done through TCP port 20. Data transfer in general will cause your congestion problems. With passive FTP you will have dynamically assigned port numbers and then an access-list is NOT able to grab the majority of FTP transfer at all.
    So you need to use NBAR for your case. The config would look like this:
    ip cef
    class-map match-all FTPserver
     match access-group 100
     match protocol ftp
    policy-map Output1
     class FTPserver
      shape average 128000
    interface Serial0
     description 1Mbps to ISP
     ip address 1.1.1.1 255.255.255.252
     bandwidth 1024
     service-policy output Output1
    access-list 100 permit ip host 10.10.10.2 any
    The class-map FTP describes traffic, which is from host 10.10.10.2 AND is FTP. This includes active and passive FTP control session and data session.
    In the policy this traffic is limited to 128 kbps through shaping, i.e. there is never more than 128 kbps utilization from FTP traffic on your WAN link.
    In case you would like to limit FTP only in case there is other traffic please use the following policy:
    class-map match-all FTPserver
     match access-group 100
     match protocol ftp
    class-map match-all NonFTPserver
     match not class-map FTPserver
    policy-map Output1
     class NonFTPserver
      bandwidth percent 75
    This will guarantee 75% of the bandwidth to traffic not being FTP from your server. This will only restrict FTP traffic when there is other traffic.
    Cisco does recommend not to plan for more than 75 percent of interface bandwidth, because of L2 keepalives and system messages in general.
    Hope this helps! Please rate all posts.
    Regards, Martin
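    Added example, not code from either answer above: a small Python evaluator with Cisco extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end), run against the Limited_Internet list posted in the NAT answer and against a constructed port-21-only rule, to show why a port-based rule classifies the FTP control session but not the passive-FTP data transfer Martin describes. The FTP_BY_PORT rule and all packet addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return int(ipaddress.ip_address(addr)) & mask == int(ipaddress.ip_address(base)) & mask

def _endpoint(t, i):
    """Parse 'any' | 'host X' | 'X WILDCARD' at token i, then an optional 'eq N'."""
    if t[i] == "any":
        base, wild, i = "0.0.0.0", "255.255.255.255", i + 1
    elif t[i] == "host":
        base, wild, i = t[i + 1], "0.0.0.0", i + 2
    else:
        base, wild, i = t[i], t[i + 1], i + 2
    port = None                       # None means any port
    if i < len(t) and t[i] == "eq":
        port, i = int(t[i + 1]), i + 2
    return base, wild, port, i

def evaluate(acl, pkt: Packet):
    """Top-down evaluation: the first matching ACE wins; no match hits the implicit deny."""
    for ace in acl:
        t = ace.split()
        src, sw, sport, i = _endpoint(t, 2)
        dst, dw, dport, _ = _endpoint(t, i)
        if t[1] not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, src, sw) and wildcard_match(pkt.dst, dst, dw)):
            continue
        if sport not in (None, pkt.sport) or dport not in (None, pkt.dport):
            continue
        return t[0], ace
    return "deny", "implicit deny ip any any"

# Limited_Internet, as posted in the NAT answer above.
LIMITED_INTERNET = [
    "permit ip 169.254.0.0 0.0.255.255 10.254.254.0 0.0.0.15",
    "permit ip host 169.254.231.201 any",
    "deny ip 169.254.0.0 0.0.255.255 any",
]
# Constructed port-based FTP rule: it can only ever see the control session on 21.
FTP_BY_PORT = ["permit tcp any host 10.10.10.2 eq 21"]

if __name__ == "__main__":
    print(evaluate(FTP_BY_PORT, Packet("tcp", "203.0.113.9", "10.10.10.2", 40002, 51234)))
```

    A passive-FTP data connection to a dynamic server port, and an active-FTP data connection from server port 20, both fall through to the implicit deny, which is why the answer pairs an address-only ACL with NBAR's match protocol ftp instead.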

  • Vlan on SRW2048 web switch

    I would like to set up a VLan on a SRW2048 Web Managed Switch to accomplish the following:
    Use two ports on the SRW2048 to pass traffic directly between two other switches located at different locations on our LAN.  Although I have no experience with VLANs, I assume that a VLAN offers a chance to accomplish this goal.

    Since you did not specifically mention what goal you want to achieve, please create your VLAN and see if the VLAN will work for your network.
    To understand more of these,  you may visit the link below:
    http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=15746&p_created=1196...
