
C4331 ISR with L2 switch module: inter vlan routing doesn't work

blasemarzo
Level 1

Hi All!

I wanted to replace my ISP router at home with a Cisco 4331 ISR with a 4-Port Layer 2 Gigabit EtherSwitch Network Interface Module to improve stability and speed. Is there any trick I missed in setting up this interface module? Whatever I try, the inter-VLAN routing seems not to work; the devices connected to the L2 ports never reach the internet. This router was previously set up with an extra switch and sub-interfaces to provide the same functionality, and that setup worked.

Here is my config:

C4331-1(config)#do sh run
Building configuration...

Current configuration : 9642 bytes
!
! Last configuration change at 05:29:49 UTC Sun Dec 8 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level boost
!
hostname C4331-1
!
boot-start-marker
boot system bootflash:isr4300-universalk9.17.12.02.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
!
ip name-server 188.215.74.252 8.8.8.8 2A02:6B60::53:1 2001:4860:4860::8888
ip domain name blasemarzo.com
!
!
!
!
!
!
ip dhcp-server 20.20.20.4
ip dhcp-server 93.113.26.8
ip dhcp smart-relay
ip dhcp relay information trust-all
ip dhcp snooping vlan 1,20,30
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id hostname
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 172.16.10.1 172.16.10.5
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
next-server 93.113.26.8
default-router 192.168.1.1
domain-name LAN.blasemarzo.com
dns-server 188.215.74.252 8.8.8.8
netbios-name-server 188.215.74.252 8.8.8.8
!
ip dhcp pool WIFI
import all
network 172.16.10.0 255.255.255.0
next-server 93.113.26.8
default-router 172.16.10.1
domain-name WIFI.blasemarzo.com
dns-server 188.215.74.252 8.8.8.8
netbios-name-server 188.215.74.252 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
ipv6 unicast-routing
ipv6 dhcp pool LAN6
address prefix 2A02:6B60:0:E5::/120
dns-server 2001:4860:4860::8888
domain-name LAN6.blasemarzo.com
!
ipv6 dhcp pool WIFI6
address prefix 2001:2222:2222:2222::2/64
dns-server 2001:4860:4860::8888
domain-name WIFI6.blasemarzo.com
!
!
!
subscriber templating
!
!
!
!
!
vtp version 1
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
crypto pki trustpoint TP-self-signed-2463053052
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2463053052
revocation-check none
rsakeypair TP-self-signed-2463053052
hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-2463053052
certificate self-signed 01
quit
!
!
!
!
!
!
!
!
!
diagnostic bootup level minimal
!
license feature hseck9
license udi pid ISR4331/K9 sn FDO213336F7
license boot suite AdvUCSuiteK9
license boot level appxk9
license boot level securityk9
memory free low-watermark processor 61470
!
spanning-tree mode pvst
spanning-tree extend system-id
!
enable secret 9 $9$K2y5pd7U4PbEak$iBjMLEQhNMF5zKFYNaMR/rDTZEivT/0cvyG1Xeg98QA
!
username admin privilege 15 password 0 admin
!
redundancy
mode none
!
!
!
!
controller Cellular 0/1/0
!
!
vlan internal allocation policy ascending
!
lldp run

cdp run
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback20
ip address 20.20.20.4 255.255.255.255
ipv6 address 2A02:6B60:0:E6::200/128
ipv6 enable
ipv6 dhcp relay destination 2A02:6B60:0:E7::221
ipv6 dhcp relay source-interface Loopback20
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN
ip address dhcp
ip helper-address 93.113.26.8
ip helper-address 192.168.1.10
negotiation auto
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface Cellular0/1/0
no ip address
!
interface Cellular0/1/1
no ip address
!
interface GigabitEthernet0/2/0
description LAN
switchport access vlan 20
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0/2/1
description LAN
switchport access vlan 20
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0/2/2
description WIFI
switchport access vlan 30
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0/2/3
description spare
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
ip address 192.168.1.10 255.255.255.0
ip helper-address 20.20.20.4
ip helper-address 93.113.26.8
ip helper-address 149.86.11.1
ip mask-reply
ip information-reply
no ip redirects
no ip proxy-arp
ipv6 address 2A02:6B60:0:E5::150/120
ipv6 enable
ipv6 nd prefix 2A02:6B60:0:E5::/120 14400 14400 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server LAN6
!
interface Vlan30
ip address 172.16.10.10 255.255.255.0
ip helper-address 20.20.20.4
ip mask-reply
ip information-reply
no ip redirects
no ip proxy-arp
ipv6 address 2001:2222:2222:2222::2/64
ipv6 enable
ipv6 nd prefix 2001:2222:2222:2222::/64 14400 14400 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server WIFI6
!
ip default-gateway 149.86.11.1
ip forward-protocol nd
ip http server
ip http secure-server
!
ip ssh bulk-mode 131072
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 149.86.11.1
ipv6 route ::/0 GigabitEthernet0/0/1 FE80::96AE:F0FF:FE5E:ACDB
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
login local
length 0
transport input none
line vty 5 14
login
transport input none
!
!
!
!
!
!
!
end

 

 

All interfaces I need are in working condition and up.

Any help would be appreciated. Thanks

15 Replies

Did you check if the VLAN was added correctly to the router DB?

MHM

Hi,

Yes.

C4331-1(config)#do sh vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/2/3
20 LAN active Gi0/2/0, Gi0/2/1
30 WIFI active Gi0/2/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------

C4331-1(config-if)#do sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM down down
GigabitEthernet0/0/1 unassigned YES DHCP up up
GigabitEthernet0/0/2 unassigned YES NVRAM down down
Cellular0/1/0 unassigned YES NVRAM down down
Cellular0/1/1 unassigned YES NVRAM down down
GigabitEthernet0/2/0 unassigned YES unset up up
GigabitEthernet0/2/1 unassigned YES unset down down
GigabitEthernet0/2/2 unassigned YES unset down down
GigabitEthernet0/2/3 unassigned YES unset down down
GigabitEthernet0 unassigned YES NVRAM administratively down down
Loopback20 20.20.20.4 YES NVRAM up up
Vlan1 192.0.2.1 YES manual up down
Vlan20 192.168.1.10 YES NVRAM up up
Vlan30 172.16.10.10 YES NVRAM up down

Gateway of last resort is 149.86.11.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 149.86.11.1, GigabitEthernet0/0/1
20.0.0.0/32 is subnetted, 1 subnets
C 20.20.20.4 is directly connected, Loopback20
93.0.0.0/32 is subnetted, 1 subnets
S 93.113.26.8 [254/0] via 149.86.11.1, GigabitEthernet0/0/1
149.86.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 149.86.11.0/24 is directly connected, GigabitEthernet0/0/1
L 149.86.11.194/32 is directly connected, GigabitEthernet0/0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan20
L 192.168.1.10/32 is directly connected, Vlan20

 

Only vlan20 is up!!

MHM

Only 1 port is connected to the interface card so far, the LAN (GigabitEthernet0/2/0).

 

If you have one active port at this point then we should focus on that port, which is in vlan 20. From the posted configuration for vlan 20 we see ip address 192.168.1.10 255.255.255.0. In looking at the DHCP pool for vlan 20 we see default-router 192.168.1.1.

I would expect the default router to be the interface address of the router. But it is not. Where is/what is 192.168.1.1?

HTH

Rick

Hi Richard.

It must be a typo, as it was a late-night 10th configuration. Originally the VLAN 20 IP address was 192.168.1.1, but unfortunately it was the same:

ping 8.8.8.8 successful

ping 8.8.8.8 source vlan 20 unsuccessful

I have just started to learn CCNP and checked the book about inter-VLAN routing; it is a few lines only. Can't be wrong, but still not working. Previously I set up a router-on-a-stick setup on this router with an L2 switch and that worked smoothly. So I'm a little bit confused; the card may be faulty. I will give it a try tomorrow, correct this typo and let's see.

Perhaps it is a typo. And it needs to be corrected. But your comment that ping to 8.8.8.8 works but that ping sourced from vlan 20 does not work led me to look more closely at the config. And I do not see any Network Address Translation in the config. Without nat anything sourced from a "private" IP will not be able to access Internet addresses. So your problem is not so much about "routing" but is about processing of private addressing when accessing Internet resources. Add address translation to the config and let us know how things work.

HTH

Rick
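
Added example, not part of any reply in this thread: a small Python audit of the two configuration points Rick raises above (the DHCP pool's default-router versus the router's own address in that subnet, and the absence of a NAT rule for RFC 1918 sources). `SAMPLE_CONFIG` is a constructed excerpt of the posted config with IOS-style indentation restored; `parse_blocks` and `audit` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config, indented as IOS prints it.
SAMPLE_CONFIG = """\
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
interface GigabitEthernet0/0/1
 ip address dhcp
!
interface Vlan20
 ip address 192.168.1.10 255.255.255.0
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDR = r"(\d+\.\d+\.\d+\.\d+)"

def parse_blocks(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            current = None
        elif not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit(config):
    """Report a DHCP gateway that is not a router address, and missing NAT."""
    blocks, findings, ifaces = parse_blocks(config), [], []
    for head, body in blocks.items():
        for cmd in body if head.startswith("interface ") else []:
            if m := re.fullmatch(f"ip address {ADDR} {ADDR}", cmd):
                ifaces.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
    for head, body in blocks.items():
        text = "\n".join(body)
        net = re.search(f"^network {ADDR} {ADDR}$", text, re.M)
        gw = re.search(f"^default-router {ADDR}$", text, re.M)
        if head.startswith("ip dhcp pool ") and net and gw:
            pool = ipaddress.ip_network(f"{net[1]}/{net[2]}")
            if gw[1] not in [str(i.ip) for i in ifaces if i.ip in pool]:
                findings.append(f"{head}: default-router {gw[1]} is not a router interface address")
    private = [str(i.ip) for i in ifaces if any(i.ip in n for n in RFC1918)]
    if private and not any(h.startswith("ip nat inside source") for h in blocks):
        findings.append(f"no 'ip nat inside source' rule for private addresses {private}")
    return findings
```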

Sorry, forgot to mention that the ISP uses carrier-grade NAT. On their router the NAT function doesn't even exist.

They use IPv6 and stacking. At the moment I'm not very familiar with IPv6 subnetting and services; that's why I try with IPv4. Tomorrow I will try the config with NAT and we will see what will happen.

Thanks for your response. I do not understand your mention of "carrier grade NAT". Can you provide clarification? And I am puzzled by your statement "On their router the NAT function doesn't even exist.". How is NAT being done?

For packets from your network (using Private IP addresses) to get to destinations in the Internet NAT must be done. Can you clarify whether that is done by the ISP, or do they expect that you will do that?

 

HTH

Rick

Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of network address translation (NAT) used by ISPs in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end users. This essentially repeats the traditional customer-premise NAT function at the ISP level. 

I think the ISP makes it with ASR or CRS series routers, if they use Cisco:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-10/nat-xe-16-10-book/iadnat-cgn.html

But if I set up NAT it works as well; on my C1117 I set it up and practiced it a lot.

How does the router do inter-VLAN routing if the VLAN is down?

You need to make it UP.

Remember to do

no shutdown <<- under SVI

MHM

Vlan1 192.0.2.1 YES manual up down
Vlan20 192.168.1.10 YES NVRAM up up
Vlan30 172.16.10.10 YES NVRAM up down

Status is up; just the protocol is down, as there are no connected ports in those VLANs.

Friend 

Interface is healthy when both are UP.

If protocol is down, that means the VLAN SVI doesn't have an L2 access port or is not allowed on any trunk port.

And hence it does not work.

I see vlan30 is assigned to the wifi port; why is it down? Did you no shut the VLAN SVI?

MHM

What is the current status of this? Have you corrected the IP address of the interface? Have you confirmed with ISP that they are translating your traffic?

HTH

Rick