10-30-2022 04:46 AM
Hello, I have a 3560 switch with ip routing enabled.
On VLAN 1 the network is 192.168.4.0/24 with the IP at 192.168.4.1, and there's a WAN gateway at 192.168.4.2.
I've set `ip route 0.0.0.0 0.0.0.0 192.168.4.2`, and so I can use that gateway if hosts on the 192.168.4.0/24 network are set to use the router at 192.168.4.1.
On VLAN 10 the network is 40.0.0.0/25 and the IP is 40.0.0.1.
I can ping from hosts in 192.168.4.0/24 to hosts on 40.0.0.0/25 and vice versa.
The problem is I cannot get internet access from hosts within 40.0.0.0/25 through the gateway at 40.0.0.1, which should redirect to the gateway at 192.168.4.2 via the ip route wildcard command above.
What am I missing?
One thing I'll mention is that originally I couldn't ping from 40.0.0.0/25 to 192.168.4.2, but in the gateway settings I added 192.168.4.1 as a cascaded router with the 40.0.0.0/25 address space behind it, and only then did I receive the ping replies. So I'm wondering if the gateway is the cause.
My plan B is to set up a NAT across the two networks, but I think this should be possible; surely I'm missing something basic?
10-30-2022 05:07 AM
40.0.0.0/25 is a public routable IP; is this given by your ISP?
What WAN router do you have, and what ACL and NAT config was configured on that router?
I suggest posting the show run config from both the router and the switch so we can guide you correctly.
10-30-2022 05:22 AM - edited 10-30-2022 06:33 AM
Shoot, maybe that's why. No, I confused it with private address space; it's not assigned. The WAN gateway is a Nokia BGW320-505, which NATs from a static IP to 192.168.4.0/24, with the 3560 assigning DHCP for both subnets. Any suggestions on improving the config are welcome! Actually, I tested changing to 172.16.0.0/25: no change accessing through the WAN on 192.168.4.2/24.
Current configuration : 4404 bytes
!
! Last configuration change at 21:17:14 PDT Sat Oct 29 2022
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname cascade
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
no logging console
no logging monitor
enable secret 8 XXX
!
username XXX privilege 15 secret 8 XXX
no aaa new-model
clock timezone PST -8 0
clock summer-time PDT recurring
system mtu routing 1500
!
!
!
!
ip routing
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.4.1 192.168.4.20
ip dhcp excluded-address 192.168.4.100 192.168.4.254
ip dhcp excluded-address 40.0.0.1 40.0.0.20
ip dhcp excluded-address 40.0.0.120 40.0.0.126
!
ip dhcp pool development
network 192.168.4.0 255.255.255.0
default-router 192.168.4.2
domain-name XXX
dns-server 1.1.1.1 8.8.8.8
option 42 ip 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12
lease 0 1
!
default-router 192.168.4.2
domain-name XXX
dns-server 1.1.1.1 8.8.8.8
option 42 ip 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12
!
!
ip dhcp pool layover
network 40.0.0.0 255.255.255.128
default-router 40.0.0.1
domain-name XXX
dns-server 1.1.1.1 8.8.8.8
option 42 ip 216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12
lease 0 1
!
!
ip domain-name XXX
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
no cdp run
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
!
interface GigabitEthernet0/10
switchport access vlan 10
switchport mode access
!
interface Vlan1
ip address 192.168.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan10
ip address 40.0.0.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway 192.168.4.2
ip forward-protocol nd
!
ip http server
ip http banner
ip http access-class 1
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.4.2
ip ssh time-out 60
ip ssh authentication-retries 4
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex diffie-hellman-group14-sha1
ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication password
ip ssh server algorithm publickey ssh-rsa
ip scp server enable
!
!
access-list 1 permit 0.0.0.10 255.255.255.0
access-list 1 permit 0.0.0.11 255.255.255.0
!
!
configuration mode exclusive
!
line con 0
line vty 0 4
access-class 1 in
access-class 1 in
login local
transport input ssh
line vty 5 15
access-class 1 in
login local
transport input ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
ntp server time1.google.com
ntp server time3.google.com
ntp server time4.google.com
ntp server time2.google.com
!
end
10-30-2022 07:00 AM
I don't get it; you have LAN and WAN,
so why does the default route use the LAN and not the WAN IP (public IP)?
10-30-2022 06:17 AM - edited 10-30-2022 06:35 AM
.
10-30-2022 06:41 AM
If this switch is acting as layer 3, then you can remove the below:
no ip default-gateway 192.168.4.2 (since you already have routing towards your Nokia BGW320-505)
Also, you need a static route back from the Nokia BGW320-505 to 192.168.4.1 for the subnet 40.0.0.0/25 (if this is not allocated to you, I suggest replacing it with 172.16.x.x private address space, as you mentioned):
interface Vlan10
ip address 172.16.x.x 255.255.255.128
Nokia BGW320-505: I'm not familiar with this router, so check that the 172.16.x.x IP is NATted.
10-30-2022 07:12 AM
The DHCP pool specifies the default router as 192.168.4.2, which is the router. While this works, I suggest that it would be better if the default router were the switch IP of 192.168.4.1.
There are several other parts of the config that need some attention, such as the access-list 1 used in the access-class. But they do not affect your issue about Internet access for VLAN 10, so I will not spend time on them.
Other than some confusion about what the IP subnet used for VLAN 10 is, I do not see issues in the switch config that would impact Internet access for VLAN 10. I suspect that the issue is on the router. And my best guess (since we have very little detail about the router) is that the router is set up with NAT for 192.168.4.0 and is not set up with NAT for the VLAN 10 subnet (whichever subnet that turns out to be).
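To make the diagnosis in this thread concrete, here is an added example (not from any poster or from Cisco) that models the topology: the 3560 does longest-prefix-match forwarding between VLAN 1, VLAN 10 and its default route, while the gateway is assumed to NAT only 192.168.4.0/24. It also checks whether a candidate VLAN 10 prefix is RFC 1918 space, which was the first reply's concern. The route table, NAT inside-range and host addresses are constructed for illustration.

```python
import ipaddress

# Constructed model of the thread's switch: connected VLANs plus the
# "ip route 0.0.0.0 0.0.0.0 192.168.4.2" default toward the Nokia gateway.
SWITCH_ROUTES = {
    "192.168.4.0/24": "connected Vlan1",
    "40.0.0.0/25": "connected Vlan10",
    "0.0.0.0/0": "192.168.4.2",
}
# Assumption (the last reply's best guess): the gateway only NATs VLAN 1.
GATEWAY_NAT_SOURCES = ("192.168.4.0/24",)


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def gateway_forwards(src, nat_sources):
    """A NAT gateway translates only sources inside its configured range.
    Anything else is sent upstream untranslated (or dropped) and gets no reply."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(n) for n in nat_sources)


def trace(src, dst, nat_sources=GATEWAY_NAT_SOURCES):
    """Return (verdict, next_hop): 'ok', 'no_nat' or 'no_route'."""
    next_hop = lookup(SWITCH_ROUTES, dst)
    if next_hop is None:
        return ("no_route", None)
    if next_hop.startswith("connected"):
        return ("ok", next_hop)           # inter-VLAN traffic never leaves the switch
    verdict = "ok" if gateway_forwards(src, nat_sources) else "no_nat"
    return (verdict, next_hop)


def is_private_space(prefix):
    """True for RFC 1918 (and other non-globally-routable) prefixes."""
    return ipaddress.ip_network(prefix).is_private


if __name__ == "__main__":
    print(trace("192.168.4.50", "8.8.8.8"))   # VLAN 1 host: NATted, works
    print(trace("40.0.0.5", "8.8.8.8"))       # VLAN 10 host: routed, but no NAT entry
    print(trace("40.0.0.5", "8.8.8.8", ("192.168.4.0/24", "40.0.0.0/25")))
    print(is_private_space("40.0.0.0/25"), is_private_space("172.16.0.0/25"))
```

Extending the NAT inside-range to the VLAN 10 subnet (the third `trace` call) is what turns the failing path into a working one; renumbering to 172.16.0.0/25 without that change, as the poster observed, does not help.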