09-24-2021 08:26 AM
Hello all.
I am a beginner in Cisco configuration and networking. I manage a lab network and should include a Cisco C1111-8P in it. My management is limited to a firewall and different switches below.
It seems that I have configured the WAN access correctly (configuration GUI ping and test OK from the WAN interface to the internet).
However, I have not been able to configure the VLAN / routing / bridging network of this router to provide internet access from the VLANs (default and other ones).
Below I provide a cleaned configuration of my router, and more information.
Thanks in advance for all the help you can provide.
=====================================
REF : ROUTER CISCO C1111-8p
---------------------
Here is my hardware config:
------------------------
+-----------------------------------------+
| GI0/0/0 : 192.168.107.2 |
---- 192.168.102.1 -------+--GI0/0/1 : 192.168.102.2 : WAN |
| GI0/1/0 : 192.168.140.1 : Default Vlan 1 ------+---------- 192.168.140.2 : computer 1
| GI0/1/4 : 192.168.141.1 : Default Vlan 2 |
| GI0/1/6 : 192.168.142.1 : Default Vlan 3 ------+---------- 192.168.142.2 : computer 2
+-----------------------------------------+
Here are my tests:
---------------
Using the troubleshooting GUI:
test WAN connection GUI ==> test success from GI/0/0/1 to any internet address (8.8.8.8, ...)
ping and traceroute GUI ==> test success from GI/0/0/1 to google.com, 8.8.8.8, ...
==> test failed from GI/0/1/x to google.com, 8.8.8.8, ...
From computer 1 or 2, I am unable to ping any internet address (google.com, 8.8.8.8, ...) or any other VLAN or the WAN interface.
Any computer on the 192.168.102.X network has access to the internet.
I have not found any solution to give the VLANs access to the internet.
Here are my questions:
------------------
1- How do I allow computers 1 and 2 to access the internet through this router?
2- How do I allow VLAN interconnections?
Below is my C1111-8P configuration
------------------------------------------
version 16.9
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CISCO-C1111-8P
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXX
enable password XXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 2 0
call-home xxxxx
!
ip name-server 1.1.1.1 8.8.8.8 4.4.4.4
ip dhcp excluded-address 192.168.140.201 192.168.140.255
ip dhcp excluded-address 192.168.41.201 192.168.41.255
ip dhcp excluded-address 192.168.140.201 192.168.140.255
!
ip dhcp pool 002
network 192.168.141.0 255.255.255.0
lease infinite
!
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
lease infinite
!
ip dhcp pool 001
network 192.168.140.0 255.255.255.0
lease infinite
!
ipv6 unicast-routing
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki XXXXX
YYYYYY
!
crypto pki xxxxx
yyyyy
!
crypto pki aaaaaa
!
crypto pki bbbbb
!
license llllllllll
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username xxx privilege xxxxx
username xxx privilege xxxx
!
redundancy
mode none
!
!vlan group all vlan-list 1,002,003
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description Backup admin port
ip address 192.168.107.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet acces interface
ip dhcp relay information trusted
ip address 192.168.102.2 255.255.255.0
ip nat outside
negotiation auto
spanning-tree portfast
!
interface GigabitEthernet0/1/0
description default Vlan port #0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
description Vlan 002 port #0
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/5
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/6
description Vlan 003 port #0
switchport access vlan 003
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 003
switchport mode access
!
interface Vlan1
description VLAN001
ip address pool 001
ip nat inside
!
interface Vlan2
description VLAN-2
ip address pool 002
ip nat inside
!
interface Vlan3
description VLAN-3
ip address pool 003
ip nat inside
!
ip default-gateway 192.168.102.1
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1
ip ssh version 2
!
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 3
password xxxx
length 0
transport input ssh
!
end
Labels: ISR 1000 Series, WAN
Accepted Solutions
09-24-2021 08:52 AM - edited 09-24-2021 09:02 AM
Try the config below (mainly the bold lines), test and advise:
version 16.9
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CISCO-C1111-8P
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXX
enable password XXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 2 0
call-home xxxxx
!
ip name-server 1.1.1.1 8.8.8.8 4.4.4.4
ip dhcp excluded-address 192.168.140.201 192.168.140.254
ip dhcp excluded-address 192.168.141.201 192.168.141.254
ip dhcp excluded-address 192.168.142.201 192.168.142.254
!
ip dhcp pool 001
network 192.168.140.0 255.255.255.0
default-router 192.168.140.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool 002
network 192.168.141.0 255.255.255.0
default-router 192.168.141.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
default-router 192.168.142.254
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
ipv6 unicast-routing
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki XXXXX
YYYYYY
!
crypto pki xxxxx
yyyyy
!
crypto pki aaaaaa
!
crypto pki bbbbb
!
license llllllllll
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username xxx privilege xxxxx
username xxx privilege xxxx
!
redundancy
mode none
!
!vlan group all vlan-list 1,002,003
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description Backup admin port
ip address 192.168.107.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet acces interface
ip dhcp relay information trusted
ip address 192.168.102.2 255.255.255.0
ip nat outside
negotiation auto
spanning-tree portfast
!
interface GigabitEthernet0/1/0
description default Vlan port #0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
description Vlan 002 port #0
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/5
switchport access vlan 002
switchport mode access
!
interface GigabitEthernet0/1/6
description Vlan 003 port #0
switchport access vlan 003
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 003
switchport mode access
!
interface Vlan1
description VLAN001
ip address 192.168.140.254 255.255.255.0
ip nat inside
no shut
!
interface Vlan2
description VLAN-2
ip address 192.168.141.254 255.255.255.0
ip nat inside
no shut
!
interface Vlan3
description VLAN-3
ip address 192.168.142.254 255.255.255.0
ip nat inside
no shut
!
no ip default-gateway 192.168.102.1
!
access-list 1 permit 192.168.140.0 0.0.0.255
access-list 1 permit 192.168.141.0 0.0.0.255
access-list 1 permit 192.168.142.0 0.0.0.255
!
no ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1
ip route 0.0.0.0 0.0.0.0 192.168.102.1
ip ssh version 2
!
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 3
password xxxx
length 0
transport input ssh
!
end
Note :
| GI0/1/0 : 192.168.140.1 : Default Vlan 1 ------+---------- 192.168.140.2 : computer 1 - I have changed from .1 to .254 (since it is excluded) - same case with the others.
| GI0/1/4 : 192.168.141.1 : Default Vlan 2 |
| GI0/1/6 : 192.168.142.1 : Default Vlan 3 ------+---------- 192.168.142.2 : computer 2
09-24-2021 09:44 AM - edited 09-24-2021 09:47 AM
Hello @Laurent.fr ,
The config error is in the route-map used for NAT, and the SVI interfaces also need to have an IP address in their respective IP subnets to work.
>>
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
!
Be aware that the route map needs to reference ACLs; ACL 197 looks like it is not defined.
Try to use the configuration suggested by BB, or reference an existing ACL like:
access-list 125 remark for NAT
access-list 125 permit ip 192.168.140.0 0.0.0.255 any
access-list 125 permit ip 192.168.141.0 0.0.0.255 any
access-list 125 permit ip 192.168.142.0 0.0.0.255 any
! Note: route-maps used for NAT match on the outgoing interface; they do not use the set command.
route-map track-primary-if permit 1
match ip address 125
match interface gi0/0/1
int vlan 1
ip address 192.168.140.1 255.255.255.0
ip nat inside
no shut
int vlan 2
ip address 192.168.141.1 255.255.255.0
ip nat inside
no shut
int vlan 3
ip address 192.168.142.1 255.255.255.0
ip nat inside
no shut
Hope to help
Giuseppe
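Added example (not part of any reply in this thread, and not Cisco tooling): an offline check of a saved config for the faults diagnosed above, namely a NAT route-map that matches an undefined ACL, a NAT inside SVI with no static address, and a DHCP pool whose `default-router` is missing or is not an inside address. `parse` and `lint` are hypothetical helper names, and the parser assumes blocks end at `!` or at a global line, since the configs pasted here have lost their indentation.

```python
import re

# Added example, not code from the thread. BROKEN is a constructed excerpt of the
# original (non-working) config; parse() and lint() are hypothetical helper names.
BROKEN = """\
ip dhcp pool 001
network 192.168.140.0 255.255.255.0
!
interface Vlan1
ip address pool 001
ip nat inside
!
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
route-map track-primary-if permit 1
match ip address any 197
set interface GigabitEthernet0/0/1
"""

def parse(config):
    """Group sub-commands under their header line; '!' or a global line ends a block."""
    blocks, acls, nat_maps, cur = {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if re.match(r"(interface|route-map|ip dhcp pool) ", line):
            cur = blocks.setdefault(line, [])
            continue
        acl = re.match(r"(?:ip access-list \S+|access-list) (\S+)", line)
        nat = re.match(r"ip nat inside source route-map (\S+)", line)
        if acl:
            acls.add(acl.group(1))          # numbered or named ACL definition
        elif nat:
            nat_maps.append(nat.group(1))   # route-map actually used by NAT
        elif cur is not None and line and not line.startswith("!"):
            cur.append(line)                # sub-command of the open block
            continue
        cur = None
    return blocks, acls, nat_maps

def lint(config):
    blocks, acls, nat_maps = parse(config)
    findings, inside_ips = [], set()
    for header, body in blocks.items():     # pass 1: addresses of NAT inside interfaces
        if header.startswith("interface ") and "ip nat inside" in body:
            ips = [l.split()[2] for l in body if re.match(r"ip address \d", l)]
            inside_ips.update(ips)
            if not ips:
                findings.append(f"{header}: NAT inside but no static IP address")
    for header, body in blocks.items():     # pass 2: DHCP gateways and NAT ACL references
        if header.startswith("ip dhcp pool "):
            gw = [l.split()[1] for l in body if l.startswith("default-router ")]
            if not gw or gw[0] not in inside_ips:
                findings.append(f"{header}: default-router missing or not an inside address")
        if header.startswith("route-map ") and header.split()[1] in nat_maps:
            refs = [a for l in body if l.startswith("match ip address ") for a in l.split()[3:]]
            findings += [f"{header}: ACL {a} is not defined" for a in refs if a not in acls]
    return findings
```

Calling `lint(BROKEN)` reports the unaddressed SVI, the pool without a gateway, and the undefined ACL references; a config shaped like the final one posted at the end of this thread returns an empty list.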
09-27-2021 02:35 AM - edited 09-29-2021 11:41 PM
Hi balaji.bandi and Giuseppe Larosa,
Thanks a lot for your answers.
First, the modifications applied following balaji.bandi's feedback work fine.
Each VLAN has access to the internet and to each other.
I have kept the line ‘ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1’, otherwise the GUI can’t permit the WAN test.
Second, I am not comfortable with NAT rules, so I had not previously understood the default NAT rule with the 197 value. But applying Giuseppe Larosa's recommendation and updating the ‘access-list’ and ‘route-map track-primary-if’ information accordingly, I have kept only one ip nat rule:
‘ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload’
So the configuration now looks like this (for future readers); only one VLAN is displayed:
….
ip dhcp pool 003
network 192.168.142.0 255.255.255.0
default-router 192.168.142.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
….
interface Vlan003
ip address 192.168.142.1 255.255.255.0
ip nat inside
….
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/1 overload
….
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 192.168.102.1
….
access-list 14 permit 192.168.141.0 0.0.0.255
access-list 14 permit 192.168.140.0 0.0.0.255
access-list 14 permit 192.168.142.0 0.0.0.255
….
route-map track-primary-if permit 1
match ip address 14
match interface GigabitEthernet0/0/1
….
--------------------------------------------------------------
Thanks again for your answers
