02-01-2025 12:10 PM - last edited on 02-01-2025 06:06 PM by rupeshah
Scenario. Home lab with a RoaS setup.
Now, the trunked setup gets me to the internet but I cannot access anything local? Heck, I can't even ping devices in the same vlan, let alone anything outside of the vlan. The un-trunked setup I can access everything internal but I cannot access the internet. Logical setup is a 3560 48 port (fa0/48 trunked) connected to 3560 fa0/1 with fa0/0 connected to a Fortigate 60D which is my edge router w/ wan1 connected to my ISP. I've spent weeks (for the troubleshooting experience) trying to figure this out. I have perused dozens of videos and have traversed what seem like a thousand Cisco articles covering EIGRP, OSPF, inter-vlan routing, trunking, tagged vs untagged, CDP, broadcast domains, ACLs, the OSI model (to figure out how data is moving in the network), network commands, Fortigate training (spent a bunch of time on that) and the list goes on. Through it all, I've learned a lot... just not enough to resolve this problem though haha :] I tried it all and now I'm pressed because I really need to get this lab done in its entirety so that I can begin studying. Attached are the running-configs for the switch and router. If you need more info, and I'm sure you will, just let me know, and I really want to thank everyone for the time and assistance in finding an answer to this problem.
02-01-2025 12:55 PM
interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full
 spanning-tree portfast
Encapsulation dot1q you need on the router side.
Spanning-tree portfast should not be added on a trunk port, only on an access port.
02-01-2025 01:02 PM
Apologies. I should've been a little more thorough. So, I have sub-interfaces that are encapsulated on the switch.
router1(config)# int fa0/1.10 (for vlan10 sub-interface)
router1(config-subif)# encapsulation dot1q 10
router1(config-subif)# ip address 10.10.10.1 255.255.255.0
router1(config-subif)# no shutdown
router1(config-subif)# exit
02-01-2025 02:22 PM
I meant the switch side. The router side seems to be fine
02-01-2025 04:33 PM
So here's where I'm stumped. My ACL is configured permitting the sub-interfaces access on the router, so why would I need to define another one on the switch? This is what the message alludes to, right?
Switch1(config-if)#do sh ip int fa0/48
FastEthernet0/48 is up, line protocol is up
Inbound access list is not set
...and here's the trunk output
Switch1#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/48      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/48      1-4094

Port        Vlans allowed and active in management domain
Fa0/48      1,10,20,30,40,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/48      1,10,20,30,40,50,60
As you can see, dot1q is assigned to 0/48. Since the switch is configured to function as a layer 2 device (no routing), that's done on layer 3; it seems when I do a CDP neighbors check, port fa0/1 shows as the next hop as it should. I can't seem to traverse the trunk port. I tried trunking fa0/1 on the router but it forbids me to, and I'm assuming it's because the frames are already tagged when they're forwarded to fa0/48. Inter-vlan routing is already implemented, right, per the sub-interfaces? I'm new to all of this so again... thanks a ton!
02-01-2025 04:35 PM
Router1#sh access-list
Standard IP access list Local
10 permit 10.10.10.0, wildcard bits 0.0.0.255 (23547 matches)
20 permit 10.10.20.0, wildcard bits 0.0.0.255 (10864 matches)
30 permit 172.16.10.0, wildcard bits 0.0.0.255
40 permit 192.168.10.0, wildcard bits 0.0.0.255
50 permit 194.72.10.0, wildcard bits 0.0.0.255
60 permit 116.32.10.0, wildcard bits 0.0.0.255
02-01-2025 06:11 PM
You need the access list on the router only, due to the NAT. You don't need an access list on the switch.
On the switch side you don't need encapsulation dot1q. Only on the switch side.
02-02-2025 08:31 AM
Thanks Flavio. Though I was under the impression that a trunk on one side needs to talk to a trunk on the other side no? It would be why the sub-interfaces on the router have dot1q attached on that side and the switch on fa0/48. Am I off base with this?
02-02-2025 02:04 PM
I have found one significant error. On the router the DHCP pool for vlan 30 specifies 172.16.0.0/16. The vlan sub-interface for vlan 30 is 172.16.10.1/24. So DHCP is assigning addresses to clients that are not in the subnet of the interface. So any attempt to communicate where vlan 30 is the source or the destination will fail.
Fix that and let us know the results. If things are still not working please post the output of these commands on the router:
show cdp neighbor
show ip interface brief
show arp
And of these commands on the switch
show cdp neighbor
show interface trunk
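A quick way to catch the kind of mismatch described above (a DHCP pool whose network does not match the subnet of the sub-interface that serves as its default-router) is to check the running-config mechanically rather than by eye. The following Python script is an added example and is not from the thread or from Cisco; the embedded config is a constructed, trimmed RoaS router config that mirrors the vlan 30 situation (pool 172.16.0.0/16 vs. interface 172.16.10.1/24), not the poster's actual file. The parser assumes standard IOS indentation (sub-commands indented by one space, sections ended by `!`).

```python
"""Check Cisco IOS DHCP pools against the sub-interfaces they serve.

Added example (not from the thread). For each 'ip dhcp pool', find the
interface whose address equals the pool's default-router and compare that
interface's connected subnet with the pool's 'network'. A pool that hands
out addresses outside the gateway's subnet is reported as a mismatch.
"""
import ipaddress
import re

# Constructed sample config mirroring the thread's vlan 30 problem.
SAMPLE_CONFIG = """\
ip dhcp pool VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
ip dhcp pool VLAN30
 network 172.16.0.0 255.255.0.0
 default-router 172.16.10.1
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 172.16.10.1 255.255.255.0
!
"""


def parse_config(text):
    """Return (pools, interfaces) parsed from IOS-style running-config text.

    pools: {name: {"network": IPv4Network, "default_router": IPv4Address}}
    interfaces: {ifname: IPv4Interface}
    """
    pools, interfaces = {}, {}
    current = None  # ("pool", name) or ("intf", name) while inside a section
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' (or a blank line) closes the current section
            continue
        if not line.startswith(" "):
            m = re.match(r"ip dhcp pool (\S+)", line)
            if m:
                current = ("pool", m.group(1))
                pools[m.group(1)] = {}
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                current = ("intf", m.group(1))
                continue
            current = None  # some other top-level command we do not care about
            continue
        if current is None:
            continue
        kind, name = current
        tokens = line.split()
        if kind == "pool":
            # 'network A.B.C.D MASK' and 'default-router A.B.C.D' are the
            # two sub-commands needed for the consistency check.
            if tokens[0] == "network" and len(tokens) >= 3:
                pools[name]["network"] = ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}")
            elif tokens[0] == "default-router" and len(tokens) >= 2:
                pools[name]["default_router"] = ipaddress.IPv4Address(tokens[1])
        elif kind == "intf" and tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
            interfaces[name] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[3]}")
    return pools, interfaces


def find_mismatches(pools, interfaces):
    """Return a list of (pool, interface, pool_network, interface_network).

    interface and interface_network are None when no interface carries the
    pool's default-router address at all (a gateway nobody answers for).
    """
    problems = []
    for pname, pool in pools.items():
        net, gw = pool.get("network"), pool.get("default_router")
        if net is None or gw is None:
            continue  # incomplete pool; nothing to compare
        owner = next((n for n, i in interfaces.items() if i.ip == gw), None)
        if owner is None:
            problems.append((pname, None, net, None))
        elif interfaces[owner].network != net:
            problems.append((pname, owner, net, interfaces[owner].network))
    return problems


def check(text):
    """Parse config text and return its DHCP/interface mismatches."""
    return find_mismatches(*parse_config(text))


if __name__ == "__main__":
    for pool, intf, pnet, inet in check(SAMPLE_CONFIG):
        print(f"pool {pool}: network {pnet} but gateway on {intf} is in {inet}")
```

Run against the sample it reports only the VLAN30 pool; VLAN10 passes because its pool network and the fa0/1.10 subnet agree. Either side can be the one to change (shrink the pool to /24 or widen the interface mask to /16, as the two replies in the thread suggest), the script only shows where they disagree.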
02-02-2025 08:22 PM
Hello,
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 172.16.10.1 255.255.255.0 (this must be 255.255.0.0, as DHCP is configured for a /16 subnet)
For ACL :
ip access-list standard Local
permit 10.10.10.0 0.0.0.255
permit 10.10.20.0 0.0.0.255
permit 172.16.10.0 0.0.0.255 - here too it is stated as /24; it needs changing to /16
Thanks !