Re: C4331 ISR with L2 switch module: inter vlan routing doesn't work - Page 2

blasemarzo · ‎12-08-2024

Hi All!

I wanted to replace my ISP router in my home to a Cisco 4331 ISR with 4-Port Layer 2 Gigabit EtherSwitch Network Interface Module to improve stability and speed. Is there any trick I missed to setup this interface module? Whatever I try the inter-vlan routing seems not to work, the devices connected to the L2 ports never reach the internet. This router previously was setuped with an extra switch and sub-interfaces to provide the same functionality and that setuped worked.

Here is my config:

C4331-1(config)#do sh run
Building configuration...

Current configuration : 9642 bytes
!
! Last configuration change at 05:29:49 UTC Sun Dec 8 2024
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level boost
!
hostname C4331-1
!
boot-start-marker
boot system bootflash:isr4300-universalk9.17.12.02.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
!
ip name-server 188.215.74.252 8.8.8.8 2A02:6B60::53:1 2001:4860:4860::8888
ip domain name blasemarzo.com
!
!
!
!
!
!
ip dhcp-server 20.20.20.4
ip dhcp-server 93.113.26.8
ip dhcp smart-relay
ip dhcp relay information trust-all
ip dhcp snooping vlan 1,20,30
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id hostname
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 172.16.10.1 172.16.10.5
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
next-server 93.113.26.8
default-router 192.168.1.1
domain-name LAN.blasemarzo.com
dns-server 188.215.74.252 8.8.8.8
netbios-name-server 188.215.74.252 8.8.8.8
!
ip dhcp pool WIFI
import all
network 172.16.10.0 255.255.255.0
next-server 93.113.26.8
default-router 172.16.10.1
domain-name WIFI.blasemarzo.com
dns-server 188.215.74.252 8.8.8.8
netbios-name-server 188.215.74.252 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
ipv6 unicast-routing
ipv6 dhcp pool LAN6
address prefix 2A02:6B60:0:E5::/120
dns-server 2001:4860:4860::8888
domain-name LAN6.blasemarzo.com
!
ipv6 dhcp pool WIFI6
address prefix 2001:2222:2222:2222::2/64
dns-server 2001:4860:4860::8888
domain-name WIFI6.blasemarzo.com
!
!
!
subscriber templating
!
!
!
!
!
vtp version 1
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
crypto pki trustpoint TP-self-signed-2463053052
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2463053052
revocation-check none
rsakeypair TP-self-signed-2463053052
hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-2463053052
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343633 30353330 3532301E 170D3234 31323037 31363238
34365A17 0D333431 32303731 36323834 365A3031 312F302D 06035504 030C2649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34363330
35333035 32308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100923F 2F0E3E09 EC877295 04594E7B 04E66FAF C3A32EB6 96A2AF78
0F5298E6 2CEA4A2F E58A49AD B10BA476 65FCC4B8 82B8400E 99424A14 D974C753
57454865 340D28FC C4C846A7 42C3CD64 026990A8 6860A2D9 01D958D5 1291971B
90B6FE2A D7227086 B7A67284 16ECF56A AE6BD22F EC997997 17B2A657 1D6ABC2F
627B034D 6B3C92CA A47AAF75 B01B394D D263EA7A 956560B6 72F14897 94A67B06
1C0F7286 E1F2A86D 252748F5 7C6EDA29 487627AA 746EA863 1B7F31F9 7A344132
D8A23921 3B5FF5C4 6AFEC626 BDA6C539 F6B3DA7E 5F26313F B34FDBB6 5877C38B
F3581A67 60C38636 2F64D9CA F53A9A6A 2CDEDC18 26139B07 543F89DB 7AA72AE5
F023B2D7 06770203 010001A3 53305130 1D060355 1D0E0416 0414E75F 9DF5A368
FC1D416B C8C50049 DA2B34B2 BCCE301F 0603551D 23041830 168014E7 5F9DF5A3
68FC1D41 6BC8C500 49DA2B34 B2BCCE30 0F060355 1D130101 FF040530 030101FF
300D0609 2A864886 F70D0101 0B050003 82010100 3E4E6BE6 CF2B3EBE 73EE4859
7F9DA13F B4202791 734E996F 21D5EB29 C028B64A A51FE6F1 44388D27 B0D6CC4E
43815651 2A0FCE95 B60FCAEB E57CD231 E1E39743 CAFDEF02 2CCFE613 AECF3AB1
A97B14EE BBDF08A7 80EE81C5 346FCB9C 161DC8A4 243AF31C 965A3837 754B2C6B
EFAC6EA2 6269DA1C 65FD628E 185FC954 ECAF6842 12179307 AF65CB86 12818C5A
166D635C E0B63402 FA5E23B3 96B156C9 3E129C42 8F5151D1 6E20DBC2 2DDCE274
B89F53A0 FA1BF540 BB586BC1 A464A165 4274A1B6 78FEE69D 537D25B0 C5CF9F3B
C22DC473 81B02317 B4F3CAA1 4104E3D4 660930D5 7A0D2E0A 9331AFFA 0F36BDB8
9A7FB56A 9862A3E7 B2C6BC84 5C415DBF 26248494
quit
!
!
!
!
!
!
!
!
!
diagnostic bootup level minimal
!
license feature hseck9
license udi pid ISR4331/K9 sn FDO213336F7
license boot suite AdvUCSuiteK9
license boot level appxk9
license boot level securityk9
memory free low-watermark processor 61470
!
spanning-tree mode pvst
spanning-tree extend system-id
!
enable secret 9 $9$K2y5pd7U4PbEak$iBjMLEQhNMF5zKFYNaMR/rDTZEivT/0cvyG1Xeg98QA
!
username admin privilege 15 password 0 admin
!
redundancy
mode none
!
!
!
!
controller Cellular 0/1/0
!
!
vlan internal allocation policy ascending
!
lldp run

cdp run
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback20
ip address 20.20.20.4 255.255.255.255
ipv6 address 2A02:6B60:0:E6::200/128
ipv6 enable
ipv6 dhcp relay destination 2A02:6B60:0:E7::221
ipv6 dhcp relay source-interface Loopback20
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN
ip address dhcp
ip helper-address 93.113.26.8
ip helper-address 192.168.1.10
negotiation auto
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface Cellular0/1/0
no ip address
!
interface Cellular0/1/1
no ip address
!
interface GigabitEthernet0/2/0
description LAN
switchport access vlan 20
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0/2/1
description LAN
switchport access vlan 20
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0/2/2
description WIFI
switchport access vlan 30
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0/2/3
description spare
switchport mode access
ip dhcp relay information trusted
spanning-tree portfast
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
ip address 192.168.1.10 255.255.255.0
ip helper-address 20.20.20.4
ip helper-address 93.113.26.8
ip helper-address 149.86.11.1
ip mask-reply
ip information-reply
no ip redirects
no ip proxy-arp
ipv6 address 2A02:6B60:0:E5::150/120
ipv6 enable
ipv6 nd prefix 2A02:6B60:0:E5::/120 14400 14400 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server LAN6
!
interface Vlan30
ip address 172.16.10.10 255.255.255.0
ip helper-address 20.20.20.4
ip mask-reply
ip information-reply
no ip redirects
no ip proxy-arp
ipv6 address 2001:2222:2222:2222::2/64
ipv6 enable
ipv6 nd prefix 2001:2222:2222:2222::/64 14400 14400 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server WIFI6
!
ip default-gateway 149.86.11.1
ip forward-protocol nd
ip http server
ip http secure-server
!
ip ssh bulk-mode 131072
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 149.86.11.1
ipv6 route ::/0 GigabitEthernet0/0/1 FE80::96AE:F0FF:FE5E:ACDB
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
login local
length 0
transport input none
line vty 5 14
login
transport input none
!
!
!
!
!
!
!
end

All interfaces I need are in working condition and up.

Any help would be grateful. Thanks

blasemarzo · ‎12-13-2024

Sorry, during the week I didn't have too much time for experimental studying. Today I had time to get a headache. I tried all variant from the configuration guides and CCNA / CCNP cert books, without success. Later on I had the idea it may have got some trick as the previous devices that have webgui. So I restored the original homelab config with L3 switch and OSPF routing with the ISP router and started to setup the vlans by webgui. When I made the SVIs in one menu then pair them up with the same vlans and interfaces it started to work without any hassle.

Here are the extra commands that the gui insert into my config:

ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name

ip dhcp pool LAN - address 172.16.10.5 client-id "Gi0/2/0" ascii

ip dhcp pool WIFI - address 172.16.20.5 client-id "Gi0/2/2" ascii

interface GigabitEthernet0/2/0 - 0/2/2

ip dhcp relay information option server-id-override
ip dhcp server use subscriber-id client-id

interface Vlan 20 / 30

ip dhcp relay source-interface Vlan20 / Vlan30

And that's all, everything else remained the same.

C4331-1#
C4331-1#
C4331-1#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/2/3
20 LAN active Gi0/2/0, Gi0/2/1
30 WIFI active Gi0/2/2

C4331-1#show vlans

No Virtual LANs configured.

C4331-1#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/2 192.0.2.50 YES NVRAM up up
Cellular0/1/0 unassigned YES NVRAM down down
Cellular0/1/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/2/0 unassigned YES unset up up
GigabitEthernet0/2/1 unassigned YES unset up up
GigabitEthernet0/2/2 unassigned YES unset up up
GigabitEthernet0/2/3 unassigned YES unset down down
GigabitEthernet0 unassigned YES NVRAM administratively down down
Loopback20 20.20.20.4 YES NVRAM up up
Vlan1 unassigned YES unset up down
Vlan20 172.16.10.1 YES NVRAM up up
Vlan30 172.16.20.1 YES NVRAM up up
C4331-1#show ip route
Gateway of last resort is 192.0.2.49 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/110] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
20.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 20.20.20.0/24 is directly connected, Loopback20
O 20.20.20.1/32 [110/2] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
L 20.20.20.4/32 is directly connected, Loopback20
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.20.0/24 is directly connected, Vlan30
L 172.16.20.1/32 is directly connected, Vlan30
192.0.2.0/24 is variably subnetted, 3 subnets, 3 masks
O 192.0.2.0/29 [110/2] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
C 192.0.2.48/28 is directly connected, GigabitEthernet0/0/2
L 192.0.2.50/32 is directly connected, GigabitEthernet0/0/2
O 192.168.1.0/24 [110/2] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
O E2 192.168.30.0/24
[110/20] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
O E2 192.168.30.1/32
[110/20] via 192.0.2.49, 02:05:05, GigabitEthernet0/0/2
C4331-1#

C4331-1#sh int status

Port Name Status Vlan Duplex Speed Type
Gi0/2/0 connected 20 auto auto 10/100/1000BaseTX
Gi0/2/1 connected 20 auto auto 10/100/1000BaseTX
Gi0/2/2 connected 30 a-full a-1000 10/100/1000BaseTX
Gi0/2/3 notconnect 1 auto auto 10/100/1000BaseTX

So it is as usual, following the configuration guide led to instant fail. Now I go to sleep and tomorrow I will find out what these command are as I have never seen them before either my studies or the customers' configs.