Cisco 1921 & SG500 VLAN and DHCP problem

Dear all,

Thank you in advance for taking the time to read this.

A little history:

I want to install a project for an athlete, which unfortunately is on a pretty tight budget with a potentially large number of network users (~200 without public WiFi). I need to separate the 5 groups of users and give them all access to the internet without seeing each other. The 5 user groups also share the same bandwidth to the internet, and the VLANs must be bandwidth-controlled.

To do this, I had planned to use the built-in functions of Cisco devices and buy a Cisco 1921 router as well as an SG500 switch.

I have configured the router with 8 subinterfaces on its internal NIC for 8 VLANs. I also configured 8 DHCP pools on the 1921 and set up NAT and the firewall.

What I want to do now is have the SG500 recognize the VLAN IDs I configured on the router (as well as on the switch, using the same VLAN ID numbers), and then assign ports to the VLANs on the switch so that, depending on where I plug into the switch, the device receives a different IP address from DHCP.

However, I can't get this to work. The router works fine; the switch, if left 'intact', gives me an IP address from the DHCP server on the network of the highest VLAN (i.e. 168.8.0), but I cannot configure the switch ports correctly so that it works. What also confused me is that the DHCP pools that I configured on the router's command line do not appear in professional CP in the pool mask.

Can someone kindly check the configuration of the router and give some guidance on how I need to configure the ports on the SG500? I must say that I have had too many late nights and I seem to confuse tagging, untagging, excluding and forbidding ;.)

I have the router for you here:

Thanks again and good night!

W.

Hi Wolfgang, the Sx500 configuration can be something like this:

config t
vlan database
vlan 2-8
int gi1/1/1
switchport mode general
switchport trunk allowed vlan add 2-8 tag
switchport general ingress-filtering disable

Any client that connects must be untagged.

So if you want a client access port, then you should do something like this, with VLAN 5 untagged on the port:

config t
int gi1/1/2
switchport mode access
switchport access vlan 5

-Tom
Please mark replied messages useful


Similar Questions

  • Several VLANS and DHCP relay on two stacked switch SGE2000-G5

    We have been given the task of securing a small managed office setup that is currently built on a standard switch, allowing each of the offices (with different companies) to see each other and, in some cases, access each other's documents on the network.

    Obviously, this is far from an adequate setup, and our goal is to isolate each office using VLANs while sharing a common internet connection provided by the managed offices.  We have two Cisco SGE2000-G5 layer 3 switches, but we are new to Cisco equipment and VLANs, so we are not quite sure how to implement this.  DHCP must be provided by a router; there is no server.  We are open to suggestions on the router, as we still have to buy one.

    I hope that someone can help.

    Thank you very much

    Jim

    Hi Jim,

    The SGE2000 switches you are using should be able to handle this without issue. What type of router are you using? As long as you have a router that supports VLANs / multiple subnets, it should be a simple configuration.

    Here's a quick rundown of the steps to implement (using vlan1 and vlan2):

    On the router, create VLAN / subnet 2 and set the port that connects to your switch to carry both VLAN 1 and 2 (one will be untagged, two will be tagged).

    On the switch, create vlan2 and do the same for the port connected to the router. (vlan1 marked and tagged vlan2)

    Now, for each switch port that you want to assign, set the port to access and to vlan1 or vlan2 (this VLAN will be untagged).

    If your router allows it, disable inter-VLAN routing. If it does not, you must create rules to block traffic from one network to the other.

    All this assumes that your router supports VLANs and can also provide DHCP for these VLANs.

    Hope this information helps

  • Wireless VLAN and DHCP

    I am trying to configure my Aironet 1121G access points with several VLANs. I got the VLANs working great with wired devices, but wireless devices don't get DHCP.

    Basically I have the BVI on my management VLAN and two other VLANs that pass through, trying to have the public WiFi on 1 VLAN and the corporate VLAN with separate WiFi. It is impossible to get IPs on any of them, though.

    The VLANs are routed by a Catalyst 3550 with helper addresses set up on all the VLAN interfaces.

    DHCP comes from 2 Windows Server 2003 boxes on another VLAN.

    Any ideas?

    Hello

    If I understand correctly, you have plugged your access point into one of the L2 switches. I suggest you first set up your L3 (tandem switch) with a DHCP pool to obtain the IP addresses for the respective VLAN.

    To set the DHCP pool on your L3 192.168.2.1:

    Create an SVI interface and assign an IP address for the respective VLAN (which will act as the gateway of the respective VLAN).

    Repeat the same for all the VLANs.

    Create the DHCP pool for the respective VLAN, with the default router set to the IP address of the L3.

    AccessPoint#configure terminal
    AccessPoint(config)#interface dot11radio 0
    AccessPoint(config-if)#ssid .......give the name of your ssid
    AccessPoint(config-if-ssid)#vlan ?
    AccessPoint(config-if-ssid)#authentication open
    AccessPoint(config-if-ssid)#end

    AccessPoint(config)#interface fastethernet 0.30
    AccessPoint(config-subif)#encapsulation dot1Q 30
    AccessPoint(config-subif)#exit

    AccessPoint(config)#interface dot11radio 0.30
    AccessPoint(config-subif)#encapsulation dot1Q 30
    AccessPoint(config-subif)#exit

    Check whether the clients get an IP address.

    In case you expect to get the IP address from your external DHCP server...

    try the command below on each respective dot11Radio 0 subinterface: "helper-... give the DHCP server IP address here"

    Please let me know if it works...

    Thank you

    Vinod

  • Using Cisco AP as router and DHCP server

    I'm a newbie to Cisco wireless technology. I have a lot of Cisco wireless access points. I want to set one of them (Cisco 1142AG-K9) up as a DHCP server that will forward traffic to the public IP address, i.e. it will route the traffic to 203.82.203.50 (IP provided by the ISP) and will lease IPs to associated devices from the 192.168.10.0 pool.

    I know that it is possible using a router with the AP. But is it possible using a single access point?

    If so, how?

    Help, please.

    Hi, the Cisco APs are just basic layer 2 devices, such as a hub or a layer 2 switch; they do not do any layer 3 like a wireless router.

    The Cisco access point supports having one or more VLANs or subnets configured and will pass all traffic to a layer 3 device so that traffic can be routed as needed.

    The AP can't stand to have an IP address configured on the bvi1 for the management.

    Also the built-in DHCP option in the AP is very limited and will only know the IP address to wireless clients that connect to it on an SSID linked to its management interface, in this case the bvi1, and all the other VLANs or subnets shall not use an external DHCP server.

    Sent from Cisco Technical Support iPhone App

  • configuration of VLAN and routing problem 6224 switch

    I'm having a problem accessing the internet from VLAN 10. I can ping everything from all the VLANs. My internet router/firewall is on ethernet 1/g11 and has an IP address of 192.168.5.254. I have no problem accessing the internet from VLAN 20. I added a static route to my router/firewall. What am I missing? This is my first time configuring a layer 3 switch.

    configure
    vlan database
    vlan 10,20
    exit
    stack
    member 1 1
    exit
    ip address 10.10.10.1 255.255.255.0
    ip default-gateway 10.10.10.254
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.5.254
    interface vlan 10
    routing
    ip address 192.168.100.1 255.255.255.0
    exit
    interface vlan 20
    routing
    ip address 192.168.5.1 255.255.255.0
    exit
    !
    interface ethernet 1/g1
    switchport mode general
    switchport general pvid 10
    no switchport general acceptable-frame-type tagged-only
    switchport general allowed vlan add 10
    exit
    !
    interface ethernet 1/g2
    switchport mode general
    switchport general pvid 10
    no switchport general acceptable-frame-type tagged-only
    switchport general allowed vlan add 10
    exit
    !
    interface ethernet 1/g11
    switchport mode general
    switchport general pvid 20
    no switchport general acceptable-frame-type tagged-only
    switchport general allowed vlan add 20
    exit
    !
    interface ethernet 1/g12
    switchport mode general
    switchport general pvid 20
    no switchport general acceptable-frame-type tagged-only
    switchport general allowed vlan add 20
    exit
    !
    interface ethernet 1/g13
    switchport mode general
    switchport general pvid 20
    no switchport general acceptable-frame-type tagged-only
    switchport general allowed vlan add 20
    exit
    exit

    console#show ip route

    Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
    B - BGP Derived, IA - OSPF Inter Area
    E1 - OSPF External Type 1, E2 - OSPF External Type 2
    N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2

    S 0.0.0.0/0 [1/0] via 192.168.5.254, vlan 20
    C 192.168.5.0/24 [0/0] directly connected, vlan 20
    C 192.168.100.0/24 [0/0] directly connected, vlan 10

    console#


  • VLAN and VPN problem

    Madam, Sir, I have the following problem:

    ASA ClientVPN---Internet--ASA--VLAN1(192.168.1.0/24)

    | -VLAN2

    | -VLAN3

    VPN = 192.168.10.0/24

    When you create the VPN connection with the wizard, the list of networks to the tunnel,

    This does not connect and displays the following message:

    No translation group found for tcp src outside:192.168.10.2/48257 dst 192.168.1.2/80

    This message is the same as the one it throws when trying to communicate with a VLAN on the ASA,

    which is why I created the following rules:

    static (outside,VLAN1) 192.168.10.0 192.168.10.0 255.255.255.0

    static (VLAN1,outside) 192.168.1.0 192.168.1.0 255.255.255.0

    which allows communication between the VPN and VLAN1, but I lose internet access from VLAN1. Please help.

    Julio,

    You need to add NAT exemption from your internal VLANs to your VPN address pool, something like this:

    access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

    nat (inside) 0 access-list sheep

    This will allow communication from inside 192.168.1.0/24 to the VPN clients. You must add the remaining lines for the other VLANs and apply them on the required VLANs if they are on different interfaces, of course.

  • problem with dhcp Cisco sg200 voice vlan

    I have a Cisco SG200-50P connected to a Cisco 3750 switch. I just wanted to separate the voice (vlan2) and data (vlan1) VLANs. I created vlan 2 as my voice VLAN and a separate DHCP server for vlan 2 to give IPs to phones. However, the IP phone connected to my voice VLAN (vlan 2) does not receive an IP address from my vlan 2 DHCP server.

    The DHCP server is connected to the 3750 switch with an access port (vlan2-voice).

    The two switches are connected through trunk ports that allow vlan 1 & 2.

    The IP phone is connected to the SG200 via an access port (vlan 2).

    Note: there is a PC connected to the IP phone.

    I would be really grateful if someone could help me with this problem.

    Hi Ruchiran,

    To cover the basics, ensure that VLAN 2 is added to the VLAN database on the 3750. Simply use the command "show vlan id 2"; if it is not found, you must first create VLAN 2 on the 3750.

    Second, if you connect the same IP phone directly to the 3750 on an access port, VLAN 2 untagged, does the phone receive an IP address as you expect?

    Then, on the 3750 trunk connecting to the SX200: rebuild the trunk using a command like "switchport trunk allowed vlan remove 1-4094", then build the trunk more precisely with the VLAN: "switchport trunk allowed vlan add 2", which will tag VLAN 2 on the port.

    On the SG200 switch, the port connecting to the 3750 must be defined as a trunk with VLAN 2 tagged; the port connecting to the phone should then be VLAN 2 untagged as an access port.

  • VLAN voice N3048P and DHCP issues

    Hello

    I just received several N3048P switches for our access layer and 2 x 4048-ON for our core layer. The N3048P are VLT'd between the two 4048s. There are 4 x N3048P stacked on one another. The 4048s hold all gateways via VRRP.

    I have 802.1x working with my Windows test client, and I can get the phone (Cisco 7941) to acquire a DHCP address if I put it on a "switchport mode access" port. However, if I change the port to a general port with voice VLAN and 802.1x enabled, the phone does not get a DHCP address, but the PC attached to the phone gets a DHCP address in the correct VLAN.

    I see CDP and LLDP messages exchanged via Wireshark, and it seems that the phone and the switch are exchanging the voice VLAN correctly.

    My question is, why can't the phone get a DHCP address?

    Here's the relevant switch config below. I know that some of the config may be duplicated from troubleshooting steps:

    vlan 75
    name "Test"
    exit
    vlan 76
    name "Test_Phones"
    exit

    ip helper-address 1.1.1.3 dhcp
    ip helper-address 1.1.1.4 dhcp

    interface vlan 75
    ip address 172.16.75.4 255.255.255.0
    ip helper-address 1.1.1.3
    ip helper-address 1.1.1.4
    exit
    interface vlan 76
    ip address 172.16.76.4 255.255.255.0
    ip helper-address 1.1.1.3
    ip helper-address 1.1.1.4

    aaa authentication login "defaultList" local
    aaa accounting dot1x default start-stop radius
    dot1x system-auth-control
    aaa authentication dot1x default radius
    aaa authorization network default radius

    voice vlan

    radius-server source-ip 172.16.75.4
    radius-server key "key"
    radius-server host auth 1.1.1.1
    primary
    name "rad1"
    usage 802.1x
    key "key"
    exit
    radius-server host auth 1.1.1.2
    name "rad2"
    usage 802.1x
    key "key"
    exit
    radius-server host acct 1.1.1.1
    name "rad1"
    exit
    radius-server host acct 1.1.1.2
    name "rad2"
    exit

    interface Gi2/0/1
    description "802.1x client port"
    spanning-tree portfast
    spanning-tree guard root
    switchport mode general
    switchport general allowed vlan add 75-76 tagged
    dot1x reauthentication
    dot1x quiet-period 5
    dot1x tx-period 5
    dot1x guest-vlan 20
    dot1x unauth-vlan 20
    lldp transmit-tlv sys-desc sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med confignotification
    voice vlan 76
    voice vlan auth disable
    exit

    Thanks for any input you may have. I would like to know if there is any other information, I can provide.

    -Jason

    This ended up being the correct port configuration:

    interface Gi2/0/1
    description "802.1x client port"
    spanning-tree portfast
    switchport mode general
    switchport general pvid 75
    switchport general allowed vlan add 75
    switchport general allowed vlan add 76 tagged
    dot1x port-control mac-based
    dot1x reauthentication
    dot1x quiet-period 5
    dot1x timeout supp-timeout 15
    dot1x tx-period 5
    dot1x guest-vlan-period 15
    dot1x guest-vlan 20
    dot1x unauth-vlan 20
    voice vlan 76
    voice vlan auth disable

    The most important line here is "dot1x port-control mac-based". I had "dot1x port-control auto" configured, but it did not work as expected. In addition, defining the guest-vlan-period and supp-timeout was necessary. If the port was shot, the switch would not necessarily reauth the port.

  • Cisco AP 561 - DHCP problems

    Hello

    We have a customer with a number of AP561s. There are 2 SSIDs configured, and IPs are provided for each network via DHCP; one is managed by a small business switch and the other is managed by a Windows client server.

    The issue is that IP addresses are not always given to the devices; it will work for a while and then just stop until the AP is reset. This seems to be the same for several good APs, so I don't think we have any physical AP issues; it can normally be solved by resetting the AP.

    I see there are other discussions with people having the same problem. We have upgraded to the latest firmware 1.1.2.3 and the problem is still happening. Wireless signal strength is not a problem, because the task bar displays full strength.

    Thank you...

    Hello Sir, I am sorry that you are having this problem. The latest firmware is actually 1.2.0.2

    Please download and update your Access Points. In the release notes, it is no indication that this new firmware solves the problem:

    CSCus23303: wireless client cannot get the IP address of the DHCP server after a period of time

    Eric Moyers
    .:|:.:|:. CISCO | Pre-sale technical support of Cisco | Expert on wireless

  • Cisco Layer 3, singing and VLAN

    I have a vSphere 5.5 install and am currently upgrading the network for a VoIP implementation.  The switching equipment that I use is a stack of Cisco 3850 layer 3 switches, and I am going round and round on getting VLAN traffic to work properly.  I hope someone can point me in the right direction.

    I have a network adapter connected to the switch (10GB fiber) which handles all the traffic for the ESXi host (with the exception of management).  The VLAN ID is set to zero (0) and the load balancing is set to route based on the originating virtual port.

    I have 2 subnets, 10.1.0.0/16 (management and data, VLAN 1) and 10.10.1.0/24 (voice, VLAN 10)

    On the host, I have a Win 2012 R2 server which will host a VoIP PBX.  It must be able to communicate with the IP phones (VLAN 10) and other servers (vlan1).

    The switches will be doing inter-VLAN routing.

    Finally, my question: can anyone give me some advice on how to configure the interface on the Cisco for the 10GB fiber connection to my host?  The actual port settings would be extremely useful.  Is there anything I should do differently on the VMware end?

    In case someone comes across this in a search, here's what I ended up with on the Cisco switch:

    switchport trunk allowed vlan 1,10
    switchport mode trunk
    switchport nonegotiate
    switchport voice vlan 10
    macro description cisco-switch
    spanning-tree portfast
    spanning-tree link-type point-to-point

    On the virtual switch, I set the VLAN ID to all and route based on the originating virtual port.

  • IP source guard feature and DHCP scope exhaustion (client spoofs other clients)

    Hello everyone.

    A DHCP server assigns IP addresses based on the MAC address in the client hardware address field of the DHCP packets.

    A potential attack is when a rogue host spoofs different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.

    For example, a host h1 with mac1 is assigned an IP address by the DHCP server as:

    199.199.199.1 mac1

    The DHCP server has this entry in its database.

    Using hacking tools such as Yersinia or Gobbler, one can create DHCP discover messages that each carry a different MAC in the client hardware address field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server they are legitimate DHCP discover messages, each with a different MAC in the client hardware address.

    You could use DHCP snooping to avoid that (DHCP scope exhaustion) and configure the switch to check whether the src MAC matches the client hardware address in the DHCP message. But even then we can create spoofed discover messages where the src MAC in the Ethernet header matches the client hardware address in the DHCP discover message. So it still does not overcome the problem.

    You might say use the IP source guard feature, but will it really prevent this problem from happening?

    Let me illustrate:

    H1 - f1/1SW - DHCP server

    Let's say that we have configured DHCP snooping on sw1 and f1/1 is an untrusted port.  The switch has the following DHCP binding:

    199.199.199.1 mac1 vlan1 f1/1

    Then we configure IP source guard in order to validate the src MAC and src IP against the DHCP bindings. When you first configure IP source guard, it allows only DHCP, so that a host can request an IP address and a DHCP binding can be built. After that, IP source guard validates the src IP, the src MAC, or both against the DHCP binding, depending on how we configure IP source guard.

    In our case, we have configured IP source guard in order to validate the src MAC and src IP against the DHCP binding.

    A DHCP binding is already created as:

    199.199.199.1 mac1 vlan 1 f1/1

    Now, using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message, where src MAC = mac2 in the Ethernet header and client hardware address = mac2 in the DHCP discover message. The switch is configured with the IP source guard feature and therefore allows the DHCP discover message to pass through. The DHCP server, after receiving the DHCP message, assigns another IP from the pool. The DHCP server now has the following entries:

    199.199.199.1 mac1

    199.199.199.2 mac2.

    We continue to craft spoofed DHCP discover messages as described above, and the DHCP server keeps assigning IP addresses until the entire pool is exhausted.

    So my question is: how does IP source guard in conjunction with DHCP snooping stop this attack from happening (i.e. DHCP scope exhaustion)?

    I really appreciate your comments.

    Thank you and have a good week.

    Hi Sara,

    Your question was quite interesting. As far as I know, whatever it is, a snooping untrusted port won't allow your fake DHCP server.

    You can take this query to the expert sub-forum mentioned below, which is specific to DHCP snooping and source guard.

    https://supportforums.Cisco.com/message/3689811#3689811

    Please rate the information provided if it is useful.

    By

    Knockaert
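
The case raised in the question above, where the Ethernet source MAC and the DHCP client hardware address are kept consistent, is the one a per-port limit on distinct MAC addresses catches. As an added example (not part of the original thread), the following Python applies both checks to constructed DHCP discover records; the record format, port names, MAC values and thresholds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Discover:
    ts: float      # arrival time in seconds
    port: str      # untrusted switch port the frame arrived on
    src_mac: str   # source MAC in the Ethernet header
    chaddr: str    # client hardware address inside the DHCP message


def parse(line):
    """Parse one constructed record: '<ts> <port> src=<mac> chaddr=<mac>'."""
    ts, port, src, chaddr = line.split()
    return Discover(float(ts), port,
                    src.partition("=")[2].lower(),
                    chaddr.partition("=")[2].lower())


def analyse(events, max_macs=2, window=10.0):
    """Return {port: set of findings} for ports that look like scope exhaustion.

    chaddr-mismatch: Ethernet source MAC differs from chaddr (the comparison
                     the question says DHCP snooping can be set to perform).
    mac-limit:       more than max_macs distinct source MACs seen on one port
                     within `window` seconds. This fires even when src MAC and
                     chaddr agree, which is the case the question says the
                     first check does not cover.
    """
    recent = defaultdict(deque)      # port -> (ts, src_mac) inside the window
    findings = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src_mac != ev.chaddr:
            findings[ev.port].add("chaddr-mismatch")
        seen = recent[ev.port]
        seen.append((ev.ts, ev.src_mac))
        # Drop observations that have aged out of the sliding window.
        while ev.ts - seen[0][0] > window:
            seen.popleft()
        if len({mac for _, mac in seen}) > max_macs:
            findings[ev.port].add("mac-limit")
    return dict(findings)


# Constructed sample records (MACs from the 00:00:5e:00:53:xx documentation range).
# f1/1: one host presenting a new, self-consistent MAC with every discover.
# f1/2: one source MAC, but a different chaddr in each discover.
# f1/3: a phone and a PC sharing a port (two MACs, both legitimate).
# f1/4: three hosts using the same port at widely separated times.
SAMPLE_LOG = """\
0.0 f1/1 src=00:00:5e:00:53:01 chaddr=00:00:5e:00:53:01
0.2 f1/3 src=00:00:5e:00:53:20 chaddr=00:00:5e:00:53:20
0.5 f1/2 src=00:00:5e:00:53:10 chaddr=00:00:5e:00:53:a1
0.9 f1/2 src=00:00:5e:00:53:10 chaddr=00:00:5e:00:53:a2
1.0 f1/1 src=00:00:5e:00:53:02 chaddr=00:00:5e:00:53:02
1.5 f1/1 src=00:00:5e:00:53:03 chaddr=00:00:5e:00:53:03
2.0 f1/1 src=00:00:5e:00:53:04 chaddr=00:00:5e:00:53:04
3.0 f1/3 src=00:00:5e:00:53:21 chaddr=00:00:5e:00:53:21
20.0 f1/4 src=00:00:5e:00:53:30 chaddr=00:00:5e:00:53:30
40.0 f1/4 src=00:00:5e:00:53:31 chaddr=00:00:5e:00:53:31
60.0 f1/4 src=00:00:5e:00:53:32 chaddr=00:00:5e:00:53:32
"""


def run_sample(max_macs=2, window=10.0):
    events = [parse(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return analyse(events, max_macs=max_macs, window=window)


if __name__ == "__main__":
    for port, reasons in sorted(run_sample().items()):
        print(port, sorted(reasons))
```

On a switch, the second check corresponds to capping the number of MAC addresses learned on an access port, so the port is restricted before the pool is consumed.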

  • Cisco RV120W settings VLAN

    Hey,

    I have problems configuring my Cisco RV120W VPN router.

    I have a new network installation. On port 1, my modem is connected to my ISP. On port 2, an HP ProLiant SBS 2011 is connected. Port 3 is on the same server for building-specific applications. On the 4th port I made the connection with the existing network.

    Everyone requires access to port 1 for internet and to port 2, because it's the Active Directory server. Some people also need access to port 3. Ditto for port 4.

    VLAN membership is configured like this:

    VLAN: Enable
    Create VLANs and assign the outgoing frame type.

    Up to four new VLANs can be created. VLAN IDs must be in the range (2-4094)

    VLAN membership table

    VLAN ID | Description | Inter VLAN Routing | Device Management | Port 1 | Port 2 | Port 3 | Port 4
    1 | Default | Enabled | Enabled | Untagged | Untagged | Untagged | Untagged
    2 | SBS2011 | Enabled | Enabled | Tagged | Tagged | Tagged | Tagged
    3 | SBS2011B | Disabled | Enabled | Tagged | Tagged | Tagged | Tagged
    4 | Interdio | Disabled | Disabled | Tagged | Tagged | Tagged | Tagged
    1 - 4 of 4

    Multiple VLAN subnets

    Multiple VLAN subnets table

    VLAN ID | IP Address | Subnet Mask | DHCP Mode | DNS Proxy Status
    1 | 192.9.212.1 | 255.255.255.0 | DHCP no | Enabled
    2 | 192.9.222.1 | 255.255.255.0 | DHCP relay | Enabled
    3 | 192.9.232.1 | 255.255.255.0 | DHCP no | Enabled
    4 | 192.168.124.1 | 255.255.255.0 | DHCP no | Enabled

    Can anyone help me to configure this correctly?

    Thank you

    To get the LAN communication to work, a few things look like they need a change.

    Port 1 must be untagged vlan 1

    Port 2 should be untagged vlan 2

    Port 3 should be untagged vlan 3

    Port 4 is expected to be untagged vlan 4

    In addition, inter-VLAN routing must be enabled for your vlan 3 and vlan 4.

    -Tom
    Please evaluate the useful messages

  • Cisco 1921 router default password invalid

    Hi all

    I am facing a weird problem where after the reset of the router Cisco 1921, I am trying to connect using the default name "cisco" and the password "cisco".

    and I get the error message no valid password.

    I hard reset the router using the key in the back.

    Can someone help me solve this error? It's frustrating when you can't even connect to a new router.

    Thank you!!

    Some devices are configured with the old password. If you log on to these credentials and save the configuration, the default password is cleared. If you have set a new password, you'll end up with an inaccessible area. This avoids the production of devices with the default manufacture password and being exposed.

    You need to do a password recovery procedure.

    (1) Connect the console to the device
    (2) Turn on the device
    (3) Press Ctrl+Break until you are in rommon mode

    Type confreg 0x2142 at the rommon 1> prompt in order to boot from Flash.

    This step allows you to bypass the startup configuration where passwords are stored.

    Type reset at the rommon 2> prompt.

    The router restarts, but ignores the stored configuration.

    Type no after each setup question, or press Ctrl-C to skip the initial configuration process.

    Type enable at the Router> prompt.

    You are in enable mode and should see the Router# prompt.

    Because this is a new router without a previous configuration, it is not really necessary to restore the last saved configuration. But if you'd like to: copy start run

    WARNING: Do not enter copy running-config startup-config or write. These commands erase your startup configuration.

    Type configure terminal.

    The hostname(config)# prompt is displayed.

    Type enable secret in order to change the enable secret password. For example:

    hostname(config)#enable secret YourPassword

    Restore the previous value of the config register:
    hostname(config)#config-register 0x2102

    If you did a copy start run, you must also configure a new user:

    username Youruser secret yourpassword

    And of course: save your configuration

    Do not forget to rate helpful messages ;)

    Sent by Cisco Support technique iPad App

  • L3 - SG300 - 28 p and DHCP

    Hi all

    I'm having a bit of difficulty setting up an SG300-28P for L3 and DHCP. I will attach a basic network diagram and a very short list of my needs.

    I'm building a temporary network for a 1-day company event, and I can't make it work in our office "lab".

    The L3 SG300-28P connects to our provider using an SFP connection.

    I have to be able to hand out 300+ DHCP IP addresses using the SG300-28P.

    My problem is that I can ping my 2 test machines (manually configured IPs) at 172.16.0.3 and 172.16.0.4, but cannot ping after the (internet) referral. Also, DHCP hands out no IPs for the range 172.16.0.10 - 172.16.1.200

    VLAN 1 is set to 10.2.2.20 access port (to the provider through an SFP connection on port 28)

    VLAN 100 is 172.16.0.2 access port (ports 1-26)

    I have the WLC and WAP tri...

    Is this setup even possible? I know that the network equipment is a bit low-budget for the number of users, but for a one-day business event I just do not have a budget for the purchase of better switches.

    Please excuse the crude diagram.

    Thank you in advance.

    -RJ

    Thanks for the reply.

    With the information that you have provided, it seems the only part missing is the return route on the service provider's unit. Unfortunately there is no way around that, and no, you will not be able to put anything between the two, because the device doing the NATting is the provider's unit.

    I think that what is happening is that traffic is actually reaching the provider side, but there is no way back, since the provider does not have a route for the 172.16.x.x subnet.

    Out of curiosity, why do you use a VLAN for the devices connected to the SG300? Could you use IP addresses from the 10 subnet? If you do this, you will not need to have a route back from the provider, as all devices will be on the same subnet.

  • Configuration Cisco 1921

    I am configuring a Cisco 1921 router to connect to my cable modem.  The router gets an IP address from the DHCP server and I can ping resources on the internet from the router.   The router hands out DHCP addresses to clients, but the clients are unable to access the internet.  I'm missing something simple.  Here is my config:

    R1-1921#sh run
    Building configuration...
    Current configuration : 6236 bytes
    !
    ! Last configuration change at 19:11:22 EST Thu Nov 5 2015 by *
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1-1921
    !
    boot-start-marker
    boot system flash:c1900-universalk9-mz.SPA.153-3.M6.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    enable secret 5 $1$ F3oi$ EtowSjpBITAVsWVxr4EDM.
    enable password *
    !
    no aaa new-model
    no process cpu extended history
    no process cpu autoprofile hog
    memory-size iomem 10
    clock timezone EST -5 0
    clock summer-time EDT recurring
    !
    !
    !
    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.100
    ip dhcp excluded-address 192.168.1.201 192.168.1.254
    ip dhcp excluded-address 192.168.2.1 192.168.2.100
    ip dhcp excluded-address 192.168.2.201 192.168.2.254
    ip dhcp excluded-address 10.10.10.1 10.10.10.100
    ip dhcp excluded-address 10.10.10.201 10.10.10.254
    ip dhcp excluded-address 192.168.20.1 192.168.20.100
    ip dhcp excluded-address 192.168.20.201 192.168.20.254
    !
    ip dhcp pool vlan2_Home_DHCP
    network 192.168.2.0 255.255.255.0
    option 43 hex f104.0a0a.140b
    domain-name *
    dns-server 8.8.8.8 8.8.4.4
    default-router 192.168.2.254
    lease 7
    !
    ip dhcp pool vlan10_Home_DHCP
    network 10.10.0.0 255.255.0.0
    option 43 hex f104.0a0a.140b
    domain-name *
    default-router 10.10.10.1
    dns-server 8.8.8.8 8.8.4.4
    lease 7
    !
    ip dhcp pool vlan20_Home_DHCP
    network 192.168.20.0 255.255.255.0
    option 43 hex f104.0a0a.140b
    domain-name *
    dns-server 8.8.8.8 8.8.4.4
    default-router 192.168.2.254
    lease 7
    !
    ip dhcp pool vlan1_Home_DHCP
    network 192.168.1.0 255.255.255.0
    option 43 hex f104.0a0a.140b
    domain-name *
    dns-server 8.8.8.8 8.8.4.4
    default-router 192.168.1.254
    lease 7
    !
    !
    !
    ip domain name *
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-2424561219
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2424561219
    revocation-check none
    rsakeypair TP-self-signed-2424561219
    !
    !
    crypto pki certificate chain TP-self-signed-2424561219
    certificate self-signed 01
      quit

    license udi pid CISCO1921/K9 sn *.
    !
    !
    !
    redundancy
    !
    !
    !
    !
    !
    ip ssh time-out 60
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 172.40.59.1 255.255.255.255
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
     no cdp enable
    !
    interface GigabitEthernet0/0
     no ip address
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface GigabitEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 192.168.1.253 255.255.255.0
     no cdp enable
    !
    interface GigabitEthernet0/0.2
     encapsulation dot1Q 2
     ip address 192.168.2.253 255.255.255.0
     no cdp enable
    !
    interface GigabitEthernet0/0.10
     encapsulation dot1Q 10
     ip address 10.10.10.1 255.255.0.0
     no cdp enable
    !
    interface GigabitEthernet0/0.20
     encapsulation dot1Q 20
     ip address 192.168.20.1 255.255.255.0
     no cdp enable
    !
    interface GigabitEthernet0/1
     ip address dhcp
     no ip redirects
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
    !
    ip forward-protocol nd
    !
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 1 interface GigabitEthernet0/1 overload
    ip default-network 192.168.1.0
    ip route 0.0.0.0 0.0.0.0 dhcp 20
    !
    no service-routing capabilities-manager
    no cdp run
    !
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 permit 192.168.10.0 0.0.0.255
    access-list 2 permit 192.168.20.0 0.0.0.255
    access-list 2 permit 192.168.30.0 0.0.0.255
    access-list 2 permit 192.168.40.0 0.0.0.255
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 permit 10.10.20.0 0.0.0.255
    access-list 3 permit 192.168.10.0 0.0.0.255
    access-list 3 permit 192.168.20.0 0.0.0.255
    access-list 3 permit 192.168.30.0 0.0.0.255
    access-list 3 permit 192.168.40.0 0.0.0.255
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 23 permit 10.10.10.0 0.0.0.7
    !
    control-plane
    !
    !
    !
    line con 0
     exec-timeout 0 0
     login local
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad rlogin lapb-ta mop v120 udptn ssh telnet
     stopbits 1
    line vty 0 4
     privilege level 15
     login local
     transport input all
    line vty 5 15
     privilege level 15
     login local
     transport input all
    !
    scheduler allocate 20000 1000
    !
    end

    Your modem might need routes to subnets and the NAT configuration for these subnets.

    However, another way to do it is to NAT all IP addresses to the IP of the gi0/1 interface, which it looks like you may be trying to do.

    If you don't then.

    (1) you must add 'ip nat inside' to every subinterface

    (2) the ACL for your NAT references only 192.168.1.x clients, while your other ACLs reference all subnets.

    If you want all subnets to access the internet, change the NAT to reference one of the other ACLs.

    (3) don't know what you're doing with the statement "ip default-network 192.168.1.0".

    Just remove it and use the default route you have in your configuration, and you don't need to add an AD at the end.

    Jon
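Points (1) and (2) of the reply above can be checked mechanically before a config is deployed. The following Python audit is an added example, not part of the thread: the names `audit_nat` and `wildcard_net` are hypothetical, and the embedded excerpt is the posted router config written in standard IOS syntax and trimmed to the lines the check needs.

```python
import ipaddress
import re
# Constructed sample: excerpt of the thread's router config in standard IOS syntax.
CONFIG = """\
interface GigabitEthernet0/0.1
 ip address 192.168.1.253 255.255.255.0
!
interface GigabitEthernet0/0.2
 ip address 192.168.2.253 255.255.255.0
!
interface GigabitEthernet0/0.10
 ip address 10.10.10.1 255.255.0.0
!
interface GigabitEthernet0/0.20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def wildcard_net(net, wild):
    """Convert an ACL entry (network + wildcard mask) to a network object."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{net}/{mask}")

def audit_nat(config):
    """Map each addressed subinterface to its NAT problems (empty list = OK)."""
    acl = re.search(r"^ip nat inside source list (\d+) ", config, re.M).group(1)
    permitted = [wildcard_net(n, w) for n, w in re.findall(
        rf"^access-list {acl} permit (\S+) (\S+)$", config, re.M)]
    findings = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+\.\d+)$", block, re.M)
        addr = re.search(r"^ ip address (\d\S+) (\d\S+)$", block, re.M)
        if not (name and addr):
            continue  # not a subinterface with a static address
        subnet = ipaddress.ip_interface("/".join(addr.groups())).network
        problems = []
        if not re.search(r"^ ip nat inside$", block, re.M):
            problems.append("missing 'ip nat inside'")
        if not any(subnet.subnet_of(p) for p in permitted):
            problems.append(f"{subnet} not permitted by NAT access-list {acl}")
        findings[name.group(1)] = problems
    return findings

if __name__ == "__main__":
    print(audit_nat(CONFIG))
```

Run against the excerpt, every subinterface is reported as missing `ip nat inside`, and only the 192.168.1.0/24 subnet is covered by the NAT access list.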
