09-24-2021 08:26 AM
Hello all.
I am a beginner at Cisco configuration and networking. I manage a lab network and should include a Cisco C1111-8P in it. My management is limited to a firewall and different switches below.
It seems that I have configured the WAN access correctly (configuration GUI ping and test OK from WAN interface to internet).
However, I have not been able to configure the VLAN / routing / bridging network of this router to provide internet access from the VLANs (default and other ones).
Below I provide a cleaned configuration of my router, and more information.
Thanks in advance for all the help you can provide.
=====================================
REF : ROUTER CISCO C1111-8p
---------------------
Here my hardware config :
------------------------
+-----------------------------------------+
| GI0/0/0 : 192.168.107.2 |
---- 192.168.102.1 -------+--GI0/0/1 : 192.168.102.2 : WAN |
| GI0/1/0 : 192.168.140.1 : Default Vlan 1 ------+---------- 192.168.140.2 : computer 1
| GI0/1/4 : 192.168.141.1 : Default Vlan 2 |
| GI0/1/6 : 192.168.142.1 : Default Vlan 3 ------+---------- 192.168.142.2 : computer 2
+-----------------------------------------+
Here my tests:
---------------
Using the troubleshooting GUI:
test WAN connection GUI ==> test succeeded from GI/0/0/1 to any internet address (8.8.8.8, ...)
ping and traceroute GUI ==> test succeeded from GI/0/0/1 to google.com, 8.8.8.8, ...
==> test failed from GI/0/1/x to google.com, 8.8.8.8, ...
From computer 1 or 2, unable to ping any internet address (google.com, 8.8.8.8, ...) nor another VLAN or the WAN interface.
Any computer on the 192.168.102.X network has access to the internet.
I have not found any solution to give the VLANs access to the internet.
Here my questions:
------------------
1- How do I allow computers 1 and 2 to access the internet with this router?
2- How do I allow VLAN interconnections?
Below my C1111-8P configuration
------------------------------------------
version 16.9
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CISCO-C1111-8P
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXX
enable password XXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 2 0
call-home xxxxx
!
ip name-server 1.1.1.1 8.8.8.8 4.4.4.4
ip dhcp excluded-address 192.168.140.201 192.168.140.255
ip dhcp excluded-address 192.168.41.201 192.168.41.255
ip dhcp excluded-address 192.168.140.201 192.168.140.255
!
ip dhcp pool 002
network 192.168.141.0 255.255.255.0
lease infinite
!
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
lease infinite
!
ip dhcp pool 001
network 192.168.140.0 255.255.255.0
lease infinite
!
ipv6 unicast-routing
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki XXXXX
YYYYYY
!
crypto pki xxxxx
yyyyy
!
crypto pki aaaaaa
!
crypto pki bbbbb
!
license llllllllll
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username xxx privilege xxxxx
username xxx privilege xxxx
!
redundancy
mode none
!
!vlan group all vlan-list 1,002,003
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description Backup admin port
ip address 192.168.107.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet acces interface
ip dhcp relay information trusted
ip address 192.168.102.2 255.255.255.0
ip nat outside
negotiation auto
spanning-tree portfast
!
interface GigabitEthernet0/1/0
description default Vlan port #0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
description Vlan 002 port #0
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/5
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/6
description Vlan 003 port #0
switchport access vlan 003
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 003
switchport mode access
!
interface Vlan1
description VLAN001
ip address pool 001
ip nat inside
!
interface Vlan2
description VLAN-2
ip address pool 002
ip nat inside
!
interface Vlan3
description VLAN-3
ip address pool 003
ip nat inside
!
ip default-gateway 192.168.102.1
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1
ip ssh version 2
!
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 3
password xxxx
length 0
transport input ssh
!
end
09-24-2021 08:52 AM - edited 09-24-2021 09:02 AM
Try the below config (mainly the bold ones), test and advise:
version 16.9
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CISCO-C1111-8P
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXX
enable password XXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 2 0
call-home xxxxx
!
ip name-server 1.1.1.1 8.8.8.8 4.4.4.4
ip dhcp excluded-address 192.168.140.201 192.168.140.254
ip dhcp excluded-address 192.168.141.201 192.168.141.254
ip dhcp excluded-address 192.168.142.201 192.168.142.254
!
ip dhcp pool 001
network 192.168.140.0 255.255.255.0
default-router 192.168.140.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool 002
network 192.168.141.0 255.255.255.0
default-router 192.168.141.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
default-router 192.168.142.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
ipv6 unicast-routing
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki XXXXX
YYYYYY
!
crypto pki xxxxx
yyyyy
!
crypto pki aaaaaa
!
crypto pki bbbbb
!
license llllllllll
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username xxx privilege xxxxx
username xxx privilege xxxx
!
redundancy
mode none
!
!vlan group all vlan-list 1,002,003
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description Backup admin port
ip address 192.168.107.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet acces interface
ip dhcp relay information trusted
ip address 192.168.102.2 255.255.255.0
ip nat outside
negotiation auto
spanning-tree portfast
!
interface GigabitEthernet0/1/0
description default Vlan port #0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
description Vlan 002 port #0
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/5
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/6
description Vlan 003 port #0
switchport access vlan 003
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 003
switchport mode access
!
interface Vlan1
description VLAN001
ip address 192.168.140.254 255.255.255.0
ip nat inside
no shut
!
interface Vlan2
description VLAN-2
ip address 192.168.141.254 255.255.255.0
ip nat inside
no shut
!
interface Vlan3
description VLAN-3
ip address 192.168.142.254 255.255.255.0
ip nat inside
no shut
!
no ip default-gateway 192.168.102.1
!
access-list 1 permit 192.168.140.0 0.0.0.255
access-list 1 permit 192.168.141.0 0.0.0.255
access-list 1 permit 192.168.142.0 0.0.0.255
!
no ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ip ssh version 2
!
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 3
password xxxx
length 0
transport input ssh
!
end
Note :
| GI0/1/0 : 192.168.140.1 : Default Vlan 1 ------+---------- 192.168.140.2 : computer 1 - I have changed from .1 to .254 (since it is excluded) - same case with the others.
| GI0/1/4 : 192.168.141.1 : Default Vlan 2 |
| GI0/1/6 : 192.168.142.1 : Default Vlan 3 ------+---------- 192.168.142.2 : computer 2
09-24-2021 09:44 AM - edited 09-24-2021 09:47 AM
Hello @Laurent.fr,
The config error is in the route-map used for NAT, and the SVI interfaces also need to have an IP address in their respective IP subnet to work.
>>
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
!
Be aware that the route map needs to reference ACLs; ACL 197 does not appear to be defined.
Try to use the configuration suggested by BB or reference an existing ACL like:
access-list 125 remark for NAT
access-list 125 permit ip 192.168.140.0 0.0.0.255 any
access-list 125 permit ip 192.168.141.0 0.0.0.255 any
access-list 125 permit ip 192.168.142.0 0.0.0.255 any
! note: route-maps used for NAT match on the outgoing interface; they do not use the set command.
route-map track-primary-if permit 1
match ip address 125
match interface gi0/0/1
int vlan 1
ip address 192.168.140.1 255.255.255.0
ip nat inside
no shut
int vlan 2
ip address 192.168.141.1 255.255.255.0
ip nat inside
no shut
int vlan 3
ip address 192.168.142.1 255.255.255.0
ip nat inside
no shut
Hope to help
Giuseppe
09-27-2021 02:35 AM - edited 09-29-2021 11:41 PM
Hi balaji.bandi and Giuseppe Larosa,
Thanks a lot for your answers.
First, the modifications applied following balaji.bandi's feedback work fine.
Each VLAN has access to the internet and to each other.
I have kept the line ‘ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1’, otherwise the GUI can’t permit the WAN test.
Second, I am not comfortable with NAT rules, so I did not previously understand the default NAT rule with the 197 value. But applying Giuseppe Larosa's recommendation, and updating the ‘access-list’ and ‘route-map track-primary-if’ information accordingly, I have kept only one ip nat rule:
‘ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload’
So the evolution looks like this now (for future readers), only one VLAN displayed:
….
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
default-router 192.168.142.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
….
interface Vlan003
ip address 192.168.142.1 255.255.255.0
ip nat inside
….
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
….
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1
….
access-list 14 permit 192.168.141.0 0.0.0.255
access-list 14 permit 192.168.140.0 0.0.0.255
access-list 14 permit 192.168.142.0 0.0.0.255
….
route-map track-primary-if permit 1
match ip address 14
match interface GigabitEthernet0/0/1
….
--------------------------------------------------------------
Thanks again for your answers