
Cisco IOS issues.

TopGlobalIndia
Level 1

I currently have a Cisco Catalyst 3750G and a Cisco 2911.  

They are both connected via Gig-E connection to the public internet. 

When we use the commands: 

ip routing 
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX (where XX.XX.XX.XX is the default gateway) 

We cannot connect to the device via HTTP, HTTPS, Telnet, or SSH.

However, if we: 

no ip routing

ip default-gateway XX.XX.XX.XX 

then we can access the switch and router perfectly fine on HTTP, HTTPS, Telnet, and SSH.  

 

Any suggestions how to diagnose this? 


balaji.bandi
Hall of Fame

Can you tell us how these devices are connected?

 

user---switch--router (internet)?

 

They are both connected via Gig-E connection to the public internet. 

When you say both are? Explain the topology so we can understand.

 

Can you also post the show run config and explain where the users are connected? What is the users' IP address range?

 

BB


Hi, 

Let's deal with the Cisco Catalyst 3750G switch first.  

nigeria01#show config
Using 4528 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nigeria01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$1Q23$Ox1H/oWxGa6a/JetvZZhb1
enable password 7 0334521B13037014
!
username test privilege 15 password 7 010703174F5B5658011E1E5840
username officeuser privilege 15 password 7 14271B1B19087B7265
!
!
no aaa new-model
switch 3 provision ws-c3750g-48ts
system mtu routing 1500
no ip domain-lookup
ip domain-name pipul.com
!
!
!
!
crypto pki trustpoint TP-self-signed-1671490176
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1671490176
revocation-check none
rsakeypair TP-self-signed-1671490176
!
!
crypto pki certificate chain TP-self-signed-1671490176
certificate self-signed 01 nvram:IOS-Self-Sig#3637.cer
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
ip ssh source-interface Vlan1
ip ssh version 2
!
!
!
interface GigabitEthernet3/0/1
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
!
interface GigabitEthernet3/0/4
!
interface GigabitEthernet3/0/5
!
interface GigabitEthernet3/0/6
!
interface GigabitEthernet3/0/7
!
interface GigabitEthernet3/0/8
!
interface GigabitEthernet3/0/9
!
interface GigabitEthernet3/0/10
!
interface GigabitEthernet3/0/11
!
interface GigabitEthernet3/0/12
!
interface GigabitEthernet3/0/13
!
interface GigabitEthernet3/0/14
!
interface GigabitEthernet3/0/15
!
interface GigabitEthernet3/0/16
!
interface GigabitEthernet3/0/17
!
interface GigabitEthernet3/0/18
!
interface GigabitEthernet3/0/19
!
interface GigabitEthernet3/0/20
!
interface GigabitEthernet3/0/21
!
interface GigabitEthernet3/0/22
!
interface GigabitEthernet3/0/23
!
interface GigabitEthernet3/0/24
!
interface GigabitEthernet3/0/25
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/26
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/27
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/28
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/29
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/30
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/31
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/32
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/33
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/34
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/35
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/36
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/37
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/38
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/39
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/40
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/41
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/42
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/43
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/44
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/45
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/46
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/47
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/48
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet3/0/49
!
interface GigabitEthernet3/0/50
!
interface GigabitEthernet3/0/51
!
interface GigabitEthernet3/0/52
!
interface Vlan1
ip address XXX.XXX.XXX.XXX 255.255.255.240
no ip redirects
no ip route-cache
!
interface Vlan100
no ip address
no ip route-cache
no ip mroute-cache
!
ip default-gateway XXX.XXX.XXX.XXX.XXX
ip classless
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
!
snmp-server community public RO
!
!
line con 0
exec-timeout 0 0
line vty 0 4
logging synchronous
login local
transport input ssh
line vty 5 15
logging synchronous
login local
transport input ssh
!
end

 

The internet connection is on Port 49 connected directly to the ISP modem.  The above setup works fine.  I am able to access the switch perfectly fine from an outside network.  
Now if I change the configuration from ip default-gateway to ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX, I am unable to access the switch from any outside network, but I am still able to access the network from within the same subnet.  

One point to make: with the ip route command, I am able to ping the switch from an outside network.

luis_cordova
VIP Alumni
VIP Alumni

Hi @TopGlobalIndia ,

 

The ip routing command enables the layer 3 functions of a multilayer switch, so if you enable it, you should check that the IP parameters are well configured.
Without this command (no ip routing), the multilayer switch works only in layer 2.

 

On the static route by default, I suggest you try changing:

 

ip route 0.0.0.0 0.0.0.0 <internet exit interface>

 

Anyway, if you provide us with more information, we could try to help you better.

 

Regards
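
The consequence of the ip routing behaviour described in this reply for the two default-path commands used in the thread, as an added example (not code from the thread or from Cisco): with IP routing enabled the device forwards using `ip route` entries and does not use `ip default-gateway`, and with it disabled the reverse holds. The function name, the `routing_on_by_default` parameter (assumed false for a Catalyst switch, true for a router) and the 192.0.2.x sample configurations are constructed for illustration.

```python
import re

def default_path(config: str, routing_on_by_default: bool) -> dict:
    """Report which default-path statement an IOS config will actually use."""
    routing = routing_on_by_default      # assumption: platform default, passed in by caller
    gateways, static_defaults = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip routing":
            routing = True
        elif line == "no ip routing":
            routing = False
        elif m := re.fullmatch(r"ip default-gateway (\S+)", line):
            gateways.append(m.group(1))
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)", line):
            static_defaults.append(m.group(1))
    # Routing enabled: static default routes are used, ip default-gateway is not.
    # Routing disabled: ip default-gateway is used, static routes are not.
    if routing:
        used, ignored = static_defaults, gateways
    else:
        used, ignored = gateways, static_defaults
    return {"ip_routing": routing, "used": used, "ignored": ignored,
            "has_default_path": bool(used)}

# Constructed sample configs (documentation addresses, not from the thread).
SWITCH_L2 = """\
interface Vlan1
 ip address 192.0.2.10 255.255.255.240
!
ip default-gateway 192.0.2.1
"""
# Routing switched on, but the default path was never converted to a static route.
SWITCH_L3_STALE = "ip routing\n" + SWITCH_L2
SWITCH_L3 = "ip routing\nip route 0.0.0.0 0.0.0.0 192.0.2.1\n"

if __name__ == "__main__":
    for name, cfg in [("L2", SWITCH_L2), ("L3 stale", SWITCH_L3_STALE), ("L3", SWITCH_L3)]:
        print(name, default_path(cfg, routing_on_by_default=False))
```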

@luis_cordova 

 

That is my entire problem: when I get rid of default-gateway and go to ip route, then I am unable to access the switch from an outside network. While I remain as a layer 2 switch, I am able to access the switch from the outside network.

Hi @TopGlobalIndia ,

 

In your case, when enabling layer 3 functions, you should assign a network to route vlan 100 (interface vlan 100) and leave the interface that connects to the modem in trunk mode.

In addition, you should configure a default route so that your packets could go to the internet and NAT so that the packets could return:

 

ip route 0.0.0.0 0.0.0.0 <exit interface>

 

access-list 1 permit <vlan 100 network> <wildcard>

ip nat inside source list 1 interface <exit interface> overload

interface <exit interface>

ip nat outside

interface vlan 100

ip nat inside

 

The biggest problem is that, as far as I know, the 3700 series devices do not support NAT

https://community.cisco.com/t5/other-network-architecture/ws-c3750g-24ts-e-nat-function/td-p/2696614

 

For this, you should get another layer 3 device that supports NAT and put it between your switch and the modem.

 

Regards