C1111-8P how to access WAN from VLAN

Laurent.fr
Level 1

Hello all.

 

I am a beginner in Cisco configuration and networking. I manage a lab network and should include a Cisco C1111-8P in it. My management is limited to a firewall and the different switches below.

It seems that I have configured the WAN access correctly (configuration GUI ping and test OK from the WAN interface to the internet).

However, I have not been able to configure the VLAN / routing / bridging network of this router to provide internet access from the VLANs (default and other ones).

Below I provide a cleaned-up configuration of my router, and more information.

Thanks in advance for all the help you can provide.



=====================================

REF : ROUTER CISCO C1111-8p

---------------------

Here is my hardware config:

------------------------

                          +---------------------------------------------+
                          | GI0/0/0 : 192.168.107.2                     |
---- 192.168.102.1 -------+ GI0/0/1 : 192.168.102.2 : WAN               |
                          | GI0/1/0 : 192.168.140.1 : Default Vlan 1 ---+---------- 192.168.140.2 : computer 1
                          | GI0/1/4 : 192.168.141.1 : Default Vlan 2    |
                          | GI0/1/6 : 192.168.142.1 : Default Vlan 3 ---+---------- 192.168.142.2 : computer 2
                          +---------------------------------------------+



Here are my tests:

---------------

Using the troubleshooting GUI:

test WAN connection GUI ==> test success from GI/0/0/1 to any internet address (8.8.8.8,...)

ping and traceroute GUI ==> test success from GI/0/0/1 to google.com, 8.8.8.8,...

==> test failed from GI/0/1/x to google.com, 8.8.8.8,...

From computer 1 or 2, I am unable to ping any internet address (google.com, 8.8.8.8,...), nor another VLAN or the WAN interface.

Any computer on the 192.168.102.X network has access to the internet.

I have not found any solution to give the VLANs access to the internet.

Here are my questions:

------------------

1- How do I allow computers 1 and 2 to access the internet through this router?

2- How do I allow VLAN interconnections?

Below is my C1111-8P configuration

------------------------------------------



version 16.9

service config

service timestamps debug datetime msec

service timestamps log datetime msec

service internal

service call-home

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

platform hardware throughput crypto 50000

!

hostname CISCO-C1111-8P

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 XXXXX

enable password XXXXX

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

!

aaa session-id common

clock timezone UTC 2 0

call-home xxxxx

!

ip name-server 1.1.1.1 8.8.8.8 4.4.4.4

ip dhcp excluded-address 192.168.140.201 192.168.140.255

ip dhcp excluded-address 192.168.41.201 192.168.41.255

ip dhcp excluded-address 192.168.140.201 192.168.140.255

!

ip dhcp pool 002

network 192.168.141.0 255.255.255.0

lease infinite

!

ip dhcp pool 003

network 192.168.142.0 255.255.255.0

lease infinite

!

ip dhcp pool 001

network 192.168.140.0 255.255.255.0

lease infinite

!

ipv6 unicast-routing

!

subscriber templating

!

multilink bundle-name authenticated

!

crypto pki XXXXX

YYYYYY

!

crypto pki xxxxx

yyyyy

!

crypto pki aaaaaa

!
crypto pki bbbbb

!

license llllllllll

!

diagnostic bootup level minimal

!

spanning-tree extend system-id

!

username xxx privilege xxxxx

username xxx privilege xxxx

!

redundancy

mode none

!

!vlan group all vlan-list 1,002,003

vlan internal allocation policy ascending

!

interface GigabitEthernet0/0/0

description Backup admin port

ip address 192.168.107.2 255.255.255.0

negotiation auto

!

interface GigabitEthernet0/0/1

description Internet acces interface

ip dhcp relay information trusted

ip address 192.168.102.2 255.255.255.0

ip nat outside

negotiation auto

spanning-tree portfast

!

interface GigabitEthernet0/1/0

description default Vlan port #0

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/1/1

!

interface GigabitEthernet0/1/2

!

interface GigabitEthernet0/1/3

!

interface GigabitEthernet0/1/4

description Vlan 002 port #0

switchport access vlan 002

switchport mode access

!

interface GigabitEthernet0/1/5

switchport access vlan 002

switchport mode access

!

interface GigabitEthernet0/1/6

description Vlan 003 port #0

switchport access vlan 003

switchport mode access

!

interface GigabitEthernet0/1/7

switchport access vlan 003

switchport mode access

!

interface Vlan1

description VLAN001

ip address pool 001

ip nat inside

!

interface Vlan2

description VLAN-2

ip address pool 002

ip nat inside

!

interface Vlan3

description VLAN-3

ip address pool 003

ip nat inside

!

ip default-gateway 192.168.102.1

ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http client source-interface GigabitEthernet0/0/1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1

ip ssh version 2

!

route-map track-primary-if permit 1

match ip address any 197

set interface GigabitEthernet0/0/1

!

control-plane

!

line con 0

transport input none

stopbits 1

line vty 0 3

password xxxx

length 0

transport input ssh

!

end

 

 

2 Accepted Solutions

balaji.bandi
Hall of Fame

Try the config below (mainly the bold lines), test and advise:

 

 

version 16.9

service config

service timestamps debug datetime msec

service timestamps log datetime msec

service internal

service call-home

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

platform hardware throughput crypto 50000

!

hostname CISCO-C1111-8P

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 XXXXX

enable password XXXXX

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

!

aaa session-id common

clock timezone UTC 2 0

call-home xxxxx

!

ip name-server 1.1.1.1 8.8.8.8 4.4.4.4

ip dhcp excluded-address 192.168.140.201 192.168.140.254
ip dhcp excluded-address 192.168.141.201 192.168.141.254
ip dhcp excluded-address 192.168.142.201 192.168.142.254

!

ip dhcp pool 001
network 192.168.140.0 255.255.255.0
default-router 192.168.140.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool 002
network 192.168.141.0 255.255.255.0
default-router 192.168.141.254
dns-server 8.8.8.8 8.8.4.4
lease infinite

!
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
default-router 192.168.142.254
dns-server 8.8.8.8 8.8.4.4
lease infinite

!


!

ipv6 unicast-routing

!

subscriber templating

!

multilink bundle-name authenticated

!

crypto pki XXXXX

YYYYYY

!

crypto pki xxxxx

yyyyy

!

crypto pki aaaaaa

!
crypto pki bbbbb

!

license llllllllll

!

diagnostic bootup level minimal

!

spanning-tree extend system-id

!

username xxx privilege xxxxx

username xxx privilege xxxx

!

redundancy

mode none

!

!vlan group all vlan-list 1,002,003

vlan internal allocation policy ascending

!

interface GigabitEthernet0/0/0

description Backup admin port

ip address 192.168.107.2 255.255.255.0

negotiation auto

!

interface GigabitEthernet0/0/1

description Internet acces interface

ip dhcp relay information trusted

ip address 192.168.102.2 255.255.255.0

ip nat outside

negotiation auto

spanning-tree portfast

!

interface GigabitEthernet0/1/0

description default Vlan port #0

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/1/1

!

interface GigabitEthernet0/1/2

!

interface GigabitEthernet0/1/3

!

interface GigabitEthernet0/1/4

description Vlan 002 port #0

switchport access vlan 002

switchport mode access

!

interface GigabitEthernet0/1/5

switchport access vlan 002

switchport mode access

!

interface GigabitEthernet0/1/6

description Vlan 003 port #0

switchport access vlan 003

switchport mode access

!

interface GigabitEthernet0/1/7

switchport access vlan 003

switchport mode access

!

interface Vlan1
description VLAN001
ip address 192.168.140.254 255.255.255.0
ip nat inside
no shut
!

interface Vlan2
description VLAN-2
ip address 192.168.141.254 255.255.255.0
ip nat inside
no shut

!

interface Vlan3
description VLAN-3
ip address 192.168.142.254 255.255.255.0
ip nat inside
no shut
!

no ip default-gateway 192.168.102.1

!

access-list 1 permit 192.168.140.0 0.0.0.255
access-list 1 permit 192.168.141.0 0.0.0.255
access-list 1 permit 192.168.142.0 0.0.0.255
!
no ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload


ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http client source-interface GigabitEthernet0/0/1

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1

ip route 0.0.0.0 0.0.0.0  192.168.102.1

ip ssh version 2

!

route-map track-primary-if permit 1

match ip address any 197

set interface GigabitEthernet0/0/1

!

control-plane

!

line con 0

transport input none

stopbits 1

line vty 0 3

password xxxx

length 0

transport input ssh

!

end

 

 

Note :

 

| GI0/1/0 : 192.168.140.1 : Default Vlan 1 ------+---------- 192.168.140.2 : computer 1  - I have changed from .1 to .254 (since it is excluded) - same case with the others.

| GI0/1/4 : 192.168.141.1 : Default Vlan 2 |

| GI0/1/6 : 192.168.142.1 : Default Vlan 3 ------+---------- 192.168.142.2 : computer 2

BB


Giuseppe Larosa
Hall of Fame

Hello @Laurent.fr,

The config error is in the route-map used for NAT, and also the SVI interfaces need to have an IP address in their respective IP subnet to work.

 

>>

route-map track-primary-if permit 1

match ip address any 197

set interface GigabitEthernet0/0/1

!

 

Be aware that the route map needs to reference ACLs; ACL 197 looks like it is not defined.

 

Try to use the configuration suggested by BB, or reference an existing ACL like:

 

access-list 125 remark for NAT

access-list 125 permit ip 192.168.140.0 0.0.0.255 any

access-list 125 permit ip 192.168.141.0 0.0.0.255 any

access-list 125 permit ip 192.168.142.0 0.0.0.255 any

 

! note: route-maps used for NAT match on the outgoing interface; they do not use the set command.

 

route-map track-primary-if permit 1

match ip address 125

match interface gi0/0/1

 

int vlan 1

ip address 192.168.140.1 255.255.255.0

ip nat inside

no shut

int vlan 2

ip address 192.168.141.1 255.255.255.0

ip nat inside

no shut

int vlan 3

ip address 192.168.142.1 255.255.255.0

ip nat inside

no shut

 

Hope to help

Giuseppe
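
Added example (not part of the thread or of any poster's configuration): a small Python check for the two faults identified in the answer above, namely a NAT statement or route-map that references an ACL or route-map that is not defined, and a VLAN interface marked `ip nat inside` without a static `ip address`. The function name `lint_nat_config`, the finding labels and the embedded sample are assumptions made for this illustration.

```python
import re

# Constructed sample built from the question's config; Vlan2 is already corrected.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address pool 001
 ip nat inside
!
interface Vlan2
 ip address 192.168.141.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
access-list 125 permit ip 192.168.140.0 0.0.0.255 any
!
route-map track-primary-if permit 1
 match ip address any 197
 set interface GigabitEthernet0/0/1
"""

STATIC_IP = re.compile(r"ip address \d+(\.\d+){3} \d+(\.\d+){3}")

def lint_nat_config(text):
    """Return sorted (problem, name) tuples for the two faults named in the answer."""
    acls, route_maps, acl_refs, rm_refs, svis = set(), set(), [], [], {}
    ctx = None  # ("interface" | "route-map", name) of the block being read
    # Blank lines are skipped because forum pastes put one between every command.
    for words in (l.split() for l in text.splitlines() if l.strip()):
        line = " ".join(words)
        if line.startswith("!"):
            ctx = None  # "!" closes the current block
        elif words[0] == "interface" and len(words) > 1:
            ctx = ("interface", words[1])
            if words[1].lower().startswith("vlan"):
                svis[words[1]] = {"static": False, "nat": False}
        elif words[0] == "route-map" and len(words) > 1:
            ctx = ("route-map", words[1])
            route_maps.add(words[1])
        elif len(words) > 1 and (words[0] == "access-list" or words[:2] == ["ip", "access-list"]):
            # Numbered ACL: second word. Named ACL: last word of the header line.
            acls.add(words[1] if words[0] == "access-list" else words[-1])
        elif words[:4] == ["ip", "nat", "inside", "source"] and len(words) > 5:
            if words[4] in ("list", "route-map"):
                (acl_refs if words[4] == "list" else rm_refs).append(words[5])
        elif ctx and ctx[0] == "route-map" and words[:3] == ["match", "ip", "address"]:
            # Each following token is read as an ACL number or name; prefix-lists are skipped.
            acl_refs += [w for w in words[3:] if words[3] != "prefix-list"]
        elif ctx and ctx[0] == "interface" and ctx[1] in svis:
            svis[ctx[1]]["static"] |= bool(STATIC_IP.fullmatch(line))
            svis[ctx[1]]["nat"] |= line == "ip nat inside"
    out = [("undefined-acl", a) for a in acl_refs if a not in acls]
    out += [("undefined-route-map", r) for r in rm_refs if r not in route_maps]
    out += [("svi-nat-inside-no-ip", n) for n, s in svis.items() if s["nat"] and not s["static"]]
    return sorted(out)
```

Called on `SAMPLE_CONFIG`, it reports Vlan1 and the undefined ACL references from `match ip address any 197`; with a static address on Vlan1 and `match ip address 125` in the route-map it returns an empty list.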

 

 

 

 

Laurent.fr
Level 1

Hi balaji.bandi and Giuseppe Larosa

 

Thanks a lot for your Answers.

 

First, the modifications applied following balaji.bandi's reply work fine.

Each VLAN has access to the internet and to each other.

I have kept the line ‘ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1’, otherwise the GUI can’t permit the WAN test.

Secondly, I am not comfortable with NAT rules, so I had not previously understood the default NAT rule with the 197 value. But applying Giuseppe Larosa's recommendation, and updating the ‘access-list’ and ‘route-map track-primary-if’ information accordingly, I have kept only one ip nat rule:

ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload

 

So the evolution looks like this now (for future readers), with only one VLAN displayed:

….

ip dhcp pool 003
network 192.168.142.0 255.255.255.0
default-router 192.168.142.1
dns-server 8.8.8.8 8.8.4.4
lease infinite

….

interface Vlan003

ip address 192.168.142.1 255.255.255.0

ip nat inside

….

ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload

….

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1

….

access-list 14 permit 192.168.141.0 0.0.0.255

access-list 14 permit 192.168.140.0 0.0.0.255

access-list 14 permit 192.168.142.0 0.0.0.255

….

route-map track-primary-if permit 1

match ip address 14

match interface GigabitEthernet0/0/1

….

--------------------------------------------------------------

 

Thanks again for your answers
