01-02-2014 08:27 AM - edited 03-07-2019 05:20 PM
Cisco amateur here. I am trying to configure two networks: VLAN 1 (native VLAN) for staff/private use and VLAN 10 for guest use. This is for a church and I wish to segregate guest access from staff access. I am using a Cisco 2801 running IOS 15.1. This router is connected to an AT&T residential gateway. The Cisco router is also serving as the DHCP server for the environment. We also have 3 SG200-26 switches and a handful of Cisco 121 WAPs. Correct me if I am wrong, but I think I need 2 DHCP pools - 1 for each VLAN. Please see the router config below. DHCP, routing, etc. is working fine for VLAN 1 - I assume this is because it is the native VLAN. VLAN 10 is not working as needed. I am hoping this is a simple fix and would like to get guidance on how to properly configure the VLANs, DHCP for each VLAN, and security to isolate the guest VLAN (10) from everything except Internet access through the AT&T gateway. The staff network (VLAN 1) also needs Internet access, of course. If you have other recommendations, they are welcome, as well. I realize the current security config is not right (permit any), but not sure how this should be set up. Thank you.
Router#sho run
Building configuration...
Current configuration : 1779 bytes
!
! Last configuration change at 18:47:06 UTC Tue Dec 31 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 20
ip source-route
!
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.255
ip dhcp excluded-address 172.16.4.1 172.16.4.20
!
ip dhcp pool staff
network 172.16.0.0 255.255.252.0
dns-server 192.168.1.1 68.94.156.1 68.94.157.1
domain-name staff.local
default-router 172.16.0.1
!
ip dhcp pool grace
network 172.16.0.0 255.255.248.0
dns-server 192.168.1.1 68.94.156.1 68.94.157.1
domain-name grace.local
default-router 172.16.4.1
!
!
ip cef
multilink bundle-name authenticated
!
!
interface FastEthernet0/0
description To ATT Gateway
ip address dhcp
ip nat outside
ip virtual-reassembly in
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description To Switch
no ip address
ip virtual-reassembly in
speed auto
full-duplex
!
interface FastEthernet0/1.1
description Staff
encapsulation dot1Q 1 native
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.10
description Grace
encapsulation dot1Q 10
ip address 172.16.4.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
access-list 10 permit any
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
Router#
01-02-2014 08:56 AM
The first thing I noticed is that your network is incorrect in the dhcp pool:
ip dhcp pool grace
network 172.16.0.0 255.255.248.0
dns-server 192.168.1.1 68.94.156.1 68.94.157.1
domain-name grace.local
default-router 172.16.4.1
It should be "network 172.16.4.0 255.255.252.0". That should resolve the issue as long as all of the ports are correctly trunked on the switch.
HTH,
John
*** Please rate all useful posts ***
01-02-2014 09:29 AM
Hello
Looks like John has already explained.
I would also personally specify the actual network range relating to nat translations.
no access-list 1 permit any
no access-list 10 permit any
access-list 1 permit 172.16.0.0 0.0.7.255
ip dhcp pool grace
network 172.16.4.0 255.255.252.0
If the switches are manageable
int x/x
Description Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
interface Vlan1
ip address 172.16.0.x 255.255.252.0
ip default-gateway 172.16.0.1
or
interface Vlan10
ip address 172.16.4.x 255.255.252.0
ip default-gateway 172.16.4.1
vlan 10
exit
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
01-02-2014 09:32 AM
Hi,
ip dhcp pool grace
no network 172.16.0.0 255.255.248.0
network 172.16.4.0 255.255.252.0
no access-list 1 permit any
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
ip access-list extended FILTER-VLAN1
deny ip 172.16.0.0 0.0.3.255 172.16.4.0 0.0.3.255
permit ip 172.16.0.0 0.0.3.255 any
ip access-list extended FILTER-VLAN10
deny ip 172.16.4.0 0.0.3.255 172.16.0.0 0.0.3.255
permit ip 172.16.4.0 0.0.3.255 any
interface FastEthernet0/1.1
ip access-group FILTER-VLAN1 in
interface FastEthernet0/1.10
ip access-group FILTER-VLAN10 in
Regards
Alain
Don't forget to rate helpful posts.
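The replies above make three separate points: the grace DHCP pool must use the same subnet as the FastEthernet0/1.10 subinterface, the NAT ACL should name the inside subnets rather than permit any, and the inbound filters on each subinterface must deny guest-to-staff traffic before the permit any. The following Python script is an added example (not from the thread or from Cisco) that checks all three against a constructed excerpt of the posted config using only the standard library: it parses DHCP pools and subinterface addresses, reports a pool whose network matches no subinterface or overlaps another pool, evaluates an extended ACL the way IOS does (first match, implicit deny), and confirms the standard NAT ACL contains every inside subnet. Config text, ACL lines and host addresses used in the checks are assumed for the demonstration; the regexes cover only the config statements needed here.

```python
import ipaddress
import re

# Constructed excerpt of the router config from the question: just the DHCP pools
# and the two subinterfaces, with the grace pool still carrying its wrong network.
ORIGINAL_CONFIG = """\
ip dhcp pool staff
 network 172.16.0.0 255.255.252.0
 default-router 172.16.0.1
ip dhcp pool grace
 network 172.16.0.0 255.255.248.0
 default-router 172.16.4.1
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 172.16.0.1 255.255.252.0
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.16.4.1 255.255.252.0
"""
# The same excerpt with the correction suggested in the replies applied.
FIXED_CONFIG = ORIGINAL_CONFIG.replace("network 172.16.0.0 255.255.248.0",
                                       "network 172.16.4.0 255.255.252.0")

def parse_config(config):
    """Pull DHCP pools and subinterface addresses out of IOS-style config text."""
    pools, ifaces, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip dhcp pool (\S+)", line):
            section = ("pool", m.group(1))
            pools[m.group(1)] = {}
        elif m := re.match(r"interface (\S+)", line):
            section = ("iface", m.group(1))
        elif section and section[0] == "pool":
            if m := re.match(r"network (\S+) (\S+)", line):
                pools[section[1]]["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m := re.match(r"default-router (\S+)", line):
                pools[section[1]]["router"] = ipaddress.ip_address(m.group(1))
        elif section and section[0] == "iface":
            if m := re.match(r"ip address (\S+) (\S+)", line):
                ifaces[section[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return pools, ifaces

def check_dhcp_pools(config):
    """Return (pool, issue) tuples; an empty list means pools and subinterfaces agree."""
    pools, ifaces = parse_config(config)
    iface_nets = [i.network for i in ifaces.values()]
    issues = []
    for name, pool in pools.items():
        net, router = pool["network"], pool["router"]
        # IOS selects a pool by the subnet of the interface the request arrives on,
        # so the pool network must equal one subinterface subnet exactly.
        if net not in iface_nets:
            issues.append((name, "network matches no subinterface subnet"))
        if router not in net:
            issues.append((name, "default-router outside pool network"))
        for other, other_pool in pools.items():
            if other > name and net.overlaps(other_pool["network"]):
                issues.append((name, f"overlaps pool {other}"))
    return issues

def wildcard_net(addr, wildcard):
    """IOS address/wildcard pair -> network (ipaddress reads a wildcard as a hostmask)."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_acl(lines):
    """Parse extended entries 'permit|deny ip SRC WC DST WC' (or 'any') into tuples."""
    def take(tokens):
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        return wildcard_net(tokens[0], tokens[1]), tokens[2:]
    entries = []
    for line in lines:
        action, _proto, *rest = line.split()
        src, rest = take(rest)
        dst, _ = take(rest)
        entries.append((action, src, dst))
    return entries

def acl_decision(entries, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if src in snet and dst in dnet:
            return action
    return "deny"

def nat_acl_covers_inside(acl_line, config):
    """True when the standard NAT ACL 'permit ADDR WC' contains every inside subnet."""
    _, addr, wildcard = acl_line.split()
    nat_net = wildcard_net(addr, wildcard)
    _, ifaces = parse_config(config)
    return all(i.network.subnet_of(nat_net) for i in ifaces.values())
```

Running `check_dhcp_pools` on the original excerpt flags the grace pool twice (its /21 matches neither subinterface and swallows the staff /22); on the corrected excerpt it returns nothing. The ACL evaluator is useful for catching a mistyped octet in a deny entry: a deny whose destination is written as 172.168.0.0 instead of 172.16.0.0 never matches, so the following permit any lets guest hosts reach the staff subnet, and the only symptom is the absence of a hit counter on that entry.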