User #239908   14 posts
Participant

Hi everyone. I've been tasked with setting up a new Cisco 871. It's actually turning out to be very difficult. I hope someone can help. I've been searching for an answer for days now.

I've set up 4 VLANs on my 871, with each VLAN assigned to an individual switchport on the 871. Each VLAN can successfully NAT out to the Internet via a small pool of 2 ip addresses given to me by my ISP. The VLANs are:

VLAN1 192.168.40.0 Router interface 192.168.40.1 Interface FastEthernet0
VLAN10 192.168.10.0 Router interface 192.168.10.1 Interface FastEthernet1
VLAN20 192.168.20.0 Router interface 192.168.20.1 Interface FastEthernet2
VLAN30 192.168.30.0 Router interface 192.168.30.1 Interface FastEthernet3

I can ping the router interface of any of the VLANs from any other VLAN. For example from VLAN10 I can ping 192.168.20.1 (the router interface of VLAN20). I can ping any external public IP address from any VLAN. But I cannot contact any host from one VLAN to another. For example I can't ping host 192.168.20.2 from VLAN1, 10, or 30.

I've read I need to make a bridge but as soon as I set one up and tie a VLAN to it, my connection from that VLAN to the Internet dies. I've tried setting up an ACL but once again once I do, my connection to the Internet gets cut the minute I assign it to a VLAN. Maybe I'm not using these correctly.

I hope someone can point me in the right direction. I mean the 871 is a great little router switch combo but it's driving me mad with this final problem. I have looked at George Ou's solution on TechRepublic but unfortunately it didn't help. I've heard SVI could work but I thought I had already set that up. I set up BVIs but they cut my connection to the Internet as well.

Thanks in advance for any advice you can provide. Please be detailed in your solutions. I'm still a bit new to Cisco. It's a fairly steep learning curve. Fairly steep indeed.

Rob

posted 2008-Jul-28, 10pm AEST
User #164243   94 posts
Forum Regular

Once you set up a vlan, the intervlan routing should work automatically.

If you can post your current config (ex. confidential stuff) then I can better see where things are going wrong.

But from the outset, do all your internal VLANs have "ip nat inside" on them?

Make sure none of the ACLs are blocking the traffic between vlans.

You can also check routing by doing "sho ip route". You should have all VLAN interfaces in the routing table.

posted 2008-Jul-28, 11pm AEST
User #239908   14 posts
Participant

Geniesis, I've heard it's supposed to start working right away so no doubt I've done something silly to prevent it from doing so.

The VLANs do have ip nat inside on them. I'm not sure if the ACLs are blocking traffic between vlans.

I've checked show ip route and the VLANs are in the routing table. Currently only static routes are configured. I have not turned on RIP or any other dynamic routing protocol. I've tried turning on RIP but my router remains unconvinced by this trick and the VLANs don't want to talk to each other.

My ISP has provided me with two ip addresses. In the example I'll post them as 123.123.123.19 and 123.123.123.20, with the ISP gateway at 123.123.123.1.
The subnet mask provided by the ISP is 255.255.255.0.

My setup (I've cut out a lot of extraneous info)

!This is the running config of the router: 192.168.40.1
!----------------------------------------------------------------------------
!version 12.4
dot11 syslog
no ip source-route
ip cef
!

!
no ip dhcp use vrf connected
!

ip dhcp pool sdm-pool1
import all
network 192.168.40.0 255.255.255.248
dns-server 168.126.63.1
default-router 192.168.40.1
domain-name MyDomain.net
lease 7
!

ip dhcp pool InternalLAN
import all
network 192.168.10.0 255.255.255.240
domain-name MyDomain.net
dns-server 168.126.63.1
default-router 192.168.10.1
lease 7
!

ip dhcp pool GuestLAN
import all
network 192.168.30.0 255.255.255.248
domain-name MyDomain.net
dns-server 168.126.63.1
default-router 192.168.30.1
!

ip dhcp pool VideoLAN
import all
network 192.168.20.0 255.255.255.248
domain-name MyDomain.net
dns-server 168.126.63.1
default-router 192.168.20.1
lease 7
!

ip dhcp pool VCUnit
host 192.168.20.4 255.255.255.248
client-identifier 0100.16d3.3d14.10
client-name Polycomv7000
default-router 192.168.20.1
dns-server 168.126.63.1
lease infinite
!

!
no ip bootp server
no ip domain lookup
ip domain name VCUnit.net
ip name-server 168.126.63.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!

multilink bundle-name authenticated
!

!
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-vdolive-1
match access-group 101
match protocol vdolive
!

!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-vdolive-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
!

zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!

!
!

interface FastEthernet0
description Maintenance LAN Interface
duplex full
speed 100
!

interface FastEthernet1
description Office LAN Interface
switchport access vlan 10
duplex full
speed 100
!

interface FastEthernet2
description Video LAN Interface
switchport access vlan 20
switchport trunk native vlan 20
duplex full
speed 100
!

interface FastEthernet3
description Guest LAN Interface
switchport access vlan 30
!

interface FastEthernet4
description WAN Interface
ip address 218.152.49.19 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!

interface Vlan1
description Maintenance VLAN
ip address 192.168.40.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!

interface Vlan10
description Office VLAN
ip address 192.168.10.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!

interface Vlan20
description Video VLAN
ip address 192.168.20.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!

interface Vlan30
description Guest VLAN
ip address 192.168.30.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 123.123.123.1
!

!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool isp_pool 123.123.123.19 123.123.123.20 netmask 255.255.255.0
ip nat inside source list 1 pool isp_pool overload
ip nat inside source static 192.168.20.4 123.123.123.20
!

logging trap debugging
access-list 1 remark Internal Networks to Outside 19
access-list 1 remark SDM_ACL Category=2
access-list 1 remark Default VLAN Access to Internet
access-list 1 permit 192.168.40.0 0.0.0.7
access-list 1 remark Guest VLAN Access to Internet
access-list 1 permit 192.168.30.0 0.0.0.7
access-list 1 remark Internal VLAN access to Internet
access-list 1 permit 192.168.10.0 0.0.0.15
access-list 1 remark Video VLAN access to Internet
access-list 1 permit 192.168.20.0 0.0.0.7
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 123.123.123.0 0.0.0.255 any
no cdp run
!

end

posted 2008-Jul-29, 12pm AEST
User #30659   1554 posts
Whirlpool Enthusiast

Are the IP interfaces up and up? If not, add the VLAN to the VLAN database.

posted 2008-Jul-29, 7pm AEST
User #17494   1145 posts
Whirlpool Enthusiast

Why not take the zone security off the vlan interfaces then if it works you know that is the cause of the problem.

posted 2008-Jul-29, 7pm AEST
User #210990   214 posts
Forum Regular

vlan and svi are configured separately even though they interoperate. you must define vlans separately.

so

router(config)#vlan 10
name blah blah

vlan 20

and so on for other vlans. Following this you create vlan interfaces.

You must do a no shut on vlan interfaces too..

That should do it, I believe.

posted 2008-Jul-29, 8pm AEST
User #30659   1554 posts
Whirlpool Enthusiast

I believe you still need to use the VLAN database with 870s

posted 2008-Jul-29, 8pm AEST
User #239908   14 posts
Participant

>Are the IP interfaces up and up? If not, add the VLAN to the VLAN database.

Yes, IP interfaces are up and running.

posted 2008-Jul-30, 12am AEST
edited 2008-Jul-30, 12am AEST
User #239908   14 posts
Participant

>vlan and svi are configured separately even though they interoperate.
> you must define vlans separately.

> so

> router(config)#vlan 10
> name blah blah

> vlan 20

> and so on for other vlans. following this u create vlan interfaces

> u must do a no shut on vlan interfaces too..

You mean something like

interface Vlan10
description Office LAN
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled

no shut vlan10

interface BVI10
description Bridge to Internal Network
ip address 192.168.10.1 255.255.255.240
ip nat inside
ip virtual-reassembly
bridge 1 route ip

no shut BVI10

So instead of the VLAN do I include the BVIs in my NAT translation? I tried this before and lost my connection to the Internet.

posted 2008-Jul-30, 12am AEST
edited 2008-Jul-30, 12am AEST
User #239908   14 posts
Participant

>Why not take the zone security off the vlan
>interfaces then if it works you know that is
>the cause of the problem.

I had thought about that but I couldn't figure out how to take off the zone security using the SDM. I should try the cli. Maybe something like:

config term
interface Vlan10
no zone-member security in-zone

But if the zone security is the problem, how do I fix it?

posted 2008-Jul-30, 12am AEST
edited 2008-Jul-30, 12am AEST
User #193514   565 posts
Whirlpool Enthusiast

enter the commands.

ip classless
ip routing *shouldn't need it* but try it if it still fails.

then try again.

can you provide the output from "show ip int brief" & "sh vlan-sw" just to confirm l1 & l2 is up on the router.

You don't need to be faffing around with bridge groups, completely wrong path there.

Failing that.
(config)#access-list 199 permit icmp any any
#term mon
#debug ip packet 199
#debug ip routing

generate some icmp traffic from hosts attached to each port and show the output here.

a sh ver would be nice as well :)

posted 2008-Jul-30, 12am AEST
edited 2008-Jul-30, 1am AEST
User #210990   214 posts
Forum Regular

10doubler writes...

You mean something like

no

just goto config mode and give following commands

vlan 10
vlan 20
vlan 30

and whatever vlan no. is present as an svi interface on router.

posted 2008-Jul-30, 2am AEST
User #239908   14 posts
Participant

Good tips on debug. Thanks. For this router (the 871) both ip classless and ip routing are on by default. Interestingly enough if I type

no ip routing
ip routing

I lose complete connectivity to the Internet. I understand the no ip routing turning off what I need but it's alarming when ip routing fails to turn it on again. I have to turn off the router to get internet connectivity back again.

First things first, the version:

MyRouter#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T5,
RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright © 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 02:31 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

MyRouter uptime is 15 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-15.T5.bin"

blah blah yada yada

Cisco 871 (MPC8272) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FHK122820F3
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Next, the interface status

MyRouter#show ip int brief
Interface        IP-Address       OK? Method Status   Protocol
FastEthernet0    unassigned       YES unset  up       up
FastEthernet1    unassigned       YES unset  up       up
FastEthernet2    unassigned       YES unset  up       up
FastEthernet3    unassigned       YES unset  up       up
FastEthernet4    123.123.123.19   YES NVRAM  up       up
Vlan1            192.168.40.1     YES NVRAM  up       up
NVI0             123.123.123.19   YES unset  up       up
Vlan10           192.168.10.1     YES NVRAM  up       up
Vlan20           192.168.20.1     YES NVRAM  up       up
Vlan30           192.168.30.1     YES NVRAM  up       up

Then vlan-sw

MyRouter#sh vlan-sw

VLAN Name                  Status     Ports

1    default               active     Fa0
10   VLAN0010              active     Fa1
20   VLAN0020              active     Fa2
30   VLAN0030              active     Fa3
1002 fddi-default          act/unsup
1003 token-ring-default    act/unsup
1004 fddinet-default       act/unsup
1005 trnet-default         act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

I thought for sure debug would tell me something but alas no. When I attempt to ping between hosts I get the following:

July 30 09:37:06.579: NET-RED 0.0.0.0/0

repeated for each time I try.

posted 2008-Jul-30, 10am AEST
User #239908   14 posts
Participant

>Why not take the zone security off
>the vlan interfaces then if it works
>you know that is the cause of the problem.

Nice try but that doesn't work either. Taking off the zone security on any of the vlans means a) hosts on any vlan still can't talk to each other and b) can't communicate with the internet.

I really hope the zone security isn't the issue. That looks like one scary feature to configure.

posted 2008-Jul-30, 11am AEST
edited 2008-Jul-30, 11am AEST
User #193514   565 posts
Whirlpool Enthusiast

edited for correctness

posted 2008-Jul-30, 11am AEST
edited 2008-Jul-30, 12pm AEST
User #193514   565 posts
Whirlpool Enthusiast

10doubler writes...

I can ping the router interface of any of the VLANs from any other VLAN. For example from VLAN10 I can ping 192.168.20.1 (the router interface of VLAN20). I can ping any external public IP address from any VLAN. But I cannot contact any host from one VLAN to another. For example I can't ping host 192.168.20.2 from VLAN1, 10, or 30.

Sorry I may have been looking at this the wrong way..

you say you can ping the router interfaces from any other vlan. So the machine that is plugged into vlan 10, can ping the interface of vlan20/30/40? but it can't ping anything else plugged into vlan 20/30/40?

If so the problem isn't routing. You have disabled any software firewalls on the devices? and made sure that dhcp is working correctly

posted 2008-Jul-30, 11am AEST
User #239908   14 posts
Participant

Mr2jzgte writes...

If so the problem isn't routing. You have disabled any software firewalls on the devices? and made sure that dhcp is working correctly

Oh Mother Mary! That's it. I feel like a total idiot. I'm beating my 871 to death when it was working all along. The individual firewalls on each machine were turned on and configured to block ICMP. Turn off the firewall and sure enough ping-go! Everything works as expected.

SUPER thanks. I should have figured this out when I could ping the interfaces of each VLAN.

Okay, I have another question. The VLANs can all talk to each other but I'd like to make sure the Guest VLAN (VLAN 30) can't see any other VLANs yet still access the Internet, and the other VLANs should be able to see hosts on VLAN30. Can I do this with a single ACL like this:

ip access-list extended Guest-ACL
deny ip any 192.168.10.0 0.0.0.15
deny ip any 192.168.20.0 0.0.0.7
deny ip any 192.168.40.0 0.0.0.7
permit ip any any

interface vlan30
ip access-group Guest-ACL in

or do I use
ip access-group Guest-ACL out

The other VLANs should be able to see hosts on the Guest VLAN but not the other way around. The Guest VLAN shouldn't see hosts on other VLANs.

Finally, I have one last question. My router has a static route to the ISP via an ADSL line. It sounds like a basic question but should I turn on dynamic routing? I only received training a few months ago so I'm still new to the router config stuff. I learned about EIGRP, RIP, etc. But since my router has no other route to the Internet, and static routes are the quickest, should I simply leave well enough alone and forego dynamic routing?

Thanks again. Your help has been invaluable in saving my sanity!

posted 2008-Jul-30, 12pm AEST
User #193514   565 posts
Whirlpool Enthusiast

10doubler writes...

Okay, I have another question. The VLANs can all talk to each other but I'd like to make sure the Guest VLAN

Yup. Basically create a DMZ via the SDM, or by using ip access-group Guest-ACL out – depends on if you want to lock down the wireless at a later stage and add inspection to it etc

When I first replied, I didn't read the OP properly and missed the part where you were able to ping the other ip address of the vlans.

But since my router has no other route to the Internet, and static routes are the quickest, should I simply leave well enough alone and forego dynamic routing?

Correct. No point using dynamic routing with a small network (single router) & single site.

posted 2008-Jul-30, 12pm AEST
User #3373   323 posts
Forum Regular

10doubler writes...

Oh Mother Mary! That's it. I feel like a total idiot. I'm beating my 871 to death when it was working all along. The individual firewalls on each machine were turned on and configured to block ICMP. Turn off the firewall and sure enough ping-go! Everything works as expected.

hehehe
We've all done that one. If it makes you feel better I lost 4 hours the other day because some cables were labelled incorrectly and I'd patched the switch back into itself. Everything would be fine until a broadcast packet sent the thing into oblivion.....

posted 2008-Jul-30, 1pm AEST
User #239908   14 posts
Participant

Mr2jzgte writes...

Yup. Basically create a DMZ via the SDM, or by using ip access-group Guest-ACL out – depends on if you want to lock down the wireless at a later stage and add inspection to it etc

Well, I thought it was pretty basic but I guess I've got more to learn. This is what I have:

interface Vlan30
description Guest LAN
ip address 192.168.30.1 255.255.255.248
ip access-group Guest-ACL out
ip nat inside
ip virtual-reassembly
zone-member security in-zone

ip access-list extended Guest-ACL
remark Deny Guest LAN access to other LANs
remark Office VLAN Access
deny ip any 192.168.10.0 0.0.0.15
remark Video VLAN Access
deny ip any 192.168.20.0 0.0.0.7
remark Maintenance VLAN Access
deny ip any 192.168.40.0 0.0.0.7
permit ip any any

I thought this would prevent access to the other VLANs but it does not. I can still ping other hosts from Vlan30. If I change

ip access-group Guest-ACL out

to

ip access-group Guest-ACL in

None of the hosts on Vlan30 can ping hosts on other Vlans (good) but none of the other hosts on other vlans can ping hosts on Vlan30 (bad). Is there a way for other Vlans to access Vlan30 but Vlan30 not to access other hosts?

Thanks.

Rob

posted 2008-Jul-30, 3pm AEST
User #193514   565 posts
Whirlpool Enthusiast

Yup. replace the above with.

access-list 199 deny ip 192.168.30.0 0.0.0.7 any
access-list 199 permit ip any any

int vlan 10
ip access-group 199 in

int vlan 20
ip access-group 199 in

posted 2008-Jul-30, 4pm AEST
User #239908   14 posts
Participant

Mr2jzgte writes...

Yup. replace the above with.

access-list 199 deny ip 192.168.30.0 0.0.0.7 any
access-list 199 permit ip any any

int vlan 10
ip access-group 199 in

int vlan 20
ip access-group 199 in

Believe it or not, this fails as well. Despite restricting packets out from VLAN30 or denying packets from VLAN30 on the other LANs, hosts from VLAN30 can still reach hosts on other VLANs. Is this a bug?

A quick review:

The following, applied to VLAN30, keeps VLAN30 from reaching other LANs but the other LANs can't reach VLAN30:

vlan30 out

Action  Source                  Destination  Service
Deny    192.168.10.0/0.0.0.15   Any          ip
Deny    192.168.20.0/0.0.0.7    Any          ip
Deny    192.168.40.0/0.0.0.7    Any          ip
Permit  any                     Any          ip

If I try
deny 192.168.30.0/0.0.0.7 Any ip
permit any any

on VLAN10, it is completely ineffective. VLAN10 can still be reached by VLAN30.

I don't get it. How? Are VLANs somehow different than other types of traffic?

posted 2008-Jul-31, 10am AEST
edited 2008-Jul-31, 11am AEST
User #193514   565 posts
Whirlpool Enthusiast

10doubler writes...

Is this a bug?

Nope

I don't get it. How? Are VLANs somehow different than other types of traffic?

It's the SDM firewall. It's being applied before the ACLs.

Save your current working config (sh ru to text file)

add in the following commands – create a dmz

zone security dmz-zone
zone security out-zone
zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect sdm-permit
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply

int vlan 30
zone-member security dmz-zone

You owe me beer !

*edit*
Get rid of the acl's and the interface statements that you put in previously to test. I haven't had anything to do with the SDM firewall for this exact reason and the image on the lab router that is on is just ip base.

If required you can add rules to allow certain types of DMZ traffic into the LAN (dns/smtp etc)

reference: http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/ZPF.html

posted 2008-Jul-31, 12pm AEST
edited 2008-Jul-31, 12pm AEST
User #239908   14 posts
Participant

Mr2jzgte writes...

You owe me beer !

Definitely!

Thanks again.

I love this line by Cisco on Zone based firewalls:

Zone-based policy firewall (also known as "Zone-Policy Firewall" or "ZPF") changes the firewall from the older interface-based model to a more flexible, more easily understood zone-based configuration model.

I guess I'm lucky I'm not dealing with the less easily understood whatever was before. Although I get the impression that while old Cisco gear had flaws the newer stuff has new 'challenges'. One of the hardest things about getting help with Cisco are the changes between what was and what is.

posted 2008-Jul-31, 12pm AEST
edited 2008-Jul-31, 12pm AEST
User #193514   565 posts
Whirlpool Enthusiast

10doubler writes...

Thanks again.

So that worked fine?
Gives me something to add to the lab ;)

posted 2008-Jul-31, 3pm AEST
User #239908   14 posts
Participant

Mr2jzgte writes...

So that worked fine?

Gives me something to add to the lab ;)

Sorry for the late reply. On vacation.

Yes, it did indeed work. I basically put the Guest LAN in its own zone and then defined how other zones could interact with it and how it could interact with other zones.

By default any vlans that are within the same zone trust each other. This is why the ACLs that normally would work in a non-zone-based firewall system failed. As mentioned, the firewall takes priority.

Thanks again.

Rob

posted 2008-Aug-5, 7pm AEST
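The zone behaviour the last few posts describe (VLANs in the same zone trust each other; a separate dmz-zone with explicit zone-pairs is what isolates the guest LAN) can be checked offline against a config dump. The following is an added Python example, not code from the thread or from Cisco: it parses a constructed excerpt of the thread's zone configuration and reports whether the guest-to-office, office-to-guest and guest-to-Internet paths are permitted before and after the DMZ change, assuming only the default ZBF rules (same zone passes, zoned-to-unzoned drops, cross-zone traffic needs a zone-pair carrying a service-policy) and without evaluating the classes inside each policy.

```python
import re

# Constructed excerpt of the thread's config after the DMZ change; only the
# lines this checker reads are kept (zones, zone-pairs, zone members).
CONFIG_AFTER = """
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-dmz-out source dmz-zone destination out-zone
 service-policy type inspect sdm-inspect
interface FastEthernet4
 zone-member security out-zone
interface Vlan10
 zone-member security in-zone
interface Vlan30
 zone-member security dmz-zone
"""

# The original layout from the thread: the guest VLAN sat in in-zone as well.
CONFIG_BEFORE = CONFIG_AFTER.replace(
    "interface Vlan30\n zone-member security dmz-zone",
    "interface Vlan30\n zone-member security in-zone",
)


def parse_zbf(config):
    """Return (interface -> zone, (src_zone, dst_zone) -> policy or None)."""
    iface_zone, pairs = {}, {}
    current_iface = current_pair = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current_iface, current_pair = m.group(1), None
            continue
        m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line)
        if m:
            current_pair, current_iface = (m.group(1), m.group(2)), None
            pairs[current_pair] = None   # a pair without a policy still drops
            continue
        m = re.match(r"zone-member security (\S+)$", line)
        if m and current_iface:
            iface_zone[current_iface] = m.group(1)
            continue
        m = re.match(r"service-policy type inspect (\S+)$", line)
        if m and current_pair:
            pairs[current_pair] = m.group(1)
    return iface_zone, pairs


def zbf_allows(config, src_iface, dst_iface):
    """True if the ZBF lets a session started on src_iface reach dst_iface.
    Defaults modelled: same zone passes; zoned <-> unzoned drops; different
    zones need a zone-pair with a service-policy (its classes are not checked).
    """
    iface_zone, pairs = parse_zbf(config)
    src_zone, dst_zone = iface_zone.get(src_iface), iface_zone.get(dst_iface)
    if src_zone is None and dst_zone is None:
        return True                      # neither side zoned: ZBF not involved
    if src_zone is None or dst_zone is None:
        return False                     # one side zoned, the other not
    if src_zone == dst_zone:
        return True                      # intra-zone traffic is never inspected
    return pairs.get((src_zone, dst_zone)) is not None


def guest_isolation_report(config):
    """The thread's goal: guest reaches the Internet and office reaches guest,
    but guest must not reach the office VLAN."""
    return {
        "guest_to_internet": zbf_allows(config, "Vlan30", "FastEthernet4"),
        "office_to_guest": zbf_allows(config, "Vlan10", "Vlan30"),
        "guest_to_office": zbf_allows(config, "Vlan30", "Vlan10"),
    }
```

Running guest_isolation_report on CONFIG_BEFORE shows every path open, which is why the per-VLAN ACLs looked ineffective; on CONFIG_AFTER only guest_to_office is closed, because no dmz-zone to in-zone zone-pair exists.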