Cisco Catalyst 3560G Switch no internet with ASUS router

basi809
Level 1

Hello All,

 

I am having some issues setting up a home network with an Asus Router (RT3100, Running Merlin) and a Cisco 3560G Switch. Going on three weeks trying different things. Knowledge level: enough to follow instructions and type commands in the CLI and understand the basics of what the commands are supposed to be doing. I want to know the best way to set up my network appliances; perhaps I am not doing something right. I attached my config file and topology for reference. Based on the image attached for my topology, what is the best way to set up the switch?

 

Goal is to have 2 Vlans: 

  • Use switch on Layer 3
  • Vlan 7: for streaming devices/smart TVs
  • Vlan14: for security cameras
  • Vlans shouldn't talk to each other but VLAN 7 needs internet access.
  • I will access cameras via dual NIC on a desktop


Issue:

VLAN 7 - does not allow host access to the internet and hosts ONLY pull an APIPA address. Needless to say, I can't ping my Gateway from any host in this VLAN. Can ping Interface when consoled in.

VLAN 1 - Has internet access and interface pulls an IP via DHCP. But I keep reading that VLAN 1 should not be used for security reasons.

VLAN 14 - This VLAN is strictly for cameras, does not need internet since the computer will be the one accessing the internet. Can Ping interface when consoled into the switch.

Things I've tried-

I have tried trunking on ports 12 and 25 with no luck. Set up a gateway of last resort pointing to the router's IP, still no luck. Based on the many posts read here and SNBforums many prefer using switches at layer 3. I have tried IP routing command, built DHCP pools but still no internet access on VLAN 7. Is running my switch from an Asus router even possible?

Hosts can ping their gateway ONLY when I turn off switchport on the port and assign an IP to the port. However, I still cannot ping anything on the internet (i.e. google). Any help will be appreciated, open to any suggestions.

 

Thank you 

Accepted Solution

Hello,

 

Most of the configuration changes you need have to be done on the ASUS. You need to add the subnets belonging to your Vlans to the list of networks that are NATted on the ASUS (page 70, section 4.3 of the attached user guide. I cannot see if the GUI allows you to add additional networks to the NAT configuration. If not, everything unfortunately stops right away). You also need static routes on the ASUS pointing towards the Cisco switch, so the ASUS knows how to reach your Vlans.

 

https://www.bhphotovideo.com/lit_files/136115.pdf

 

On the switch, you need to make the changes marked in bold:

 

hostname SW
!
boot-start-marker
boot-end-marker
!
enable secret 5 pass
enable password 7 pass
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
no ip domain-lookup
!
ip dhcp excluded-address 10.193.24.2 10.193.24.5
ip dhcp excluded-address 10.193.190.221
ip dhcp excluded-address 10.193.191.1
!
ip dhcp pool Security
network 10.193.24.0 255.255.255.0
default-router 10.193.24.1
dns-server 8.8.8.8
!
ip dhcp pool Devices
network 10.193.191.0 255.255.255.0
default-router 10.193.191.1
dns-server 10.193.190.73
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
[key deleted from txt file, took too much space]
quit
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/12
--> no switchport
--> ip address dhcp
!
interface GigabitEthernet0/13
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/19
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
switchport access vlan 14
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
switchport access vlan 95
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan7
description Devices
ip address 10.193.191.1 255.255.255.0
!
interface Vlan14
description Security
ip address 10.193.24.100 255.255.255.0
!
interface Vlan95
no ip address
!
ip http server
ip http secure-server
!
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/12 dhcp
!
no vstack
banner motd ^CUnathorized use is prohibited^C
!
line con 0
password 7 pass
login
line vty 0 4
password 7 pass
login
line vty 5 15
password 7 pass
login
!
end
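
Added example, not part of the original thread: a small Python audit of the routing-relevant lines of the switch config above. With `ip routing` on and addresses on both Vlan7 and Vlan14, the switch forwards between the two subnets unless an inbound `ip access-group` filters it, which bears on the stated goal that the VLANs not talk to each other. The function names and the trimmed excerpt are constructed for illustration, and only inbound ACLs on the SVIs are considered.

```python
import ipaddress
import itertools
import re

# Constructed excerpt: routing-relevant lines of the switch config shown above.
CONFIG = """\
ip routing
!
interface Vlan1
no ip address
shutdown
!
interface Vlan7
ip address 10.193.191.1 255.255.255.0
!
interface Vlan14
ip address 10.193.24.100 255.255.255.0
"""

def parse(config):
    """Return (ip_routing_enabled, {svi_name: state}) from IOS config text."""
    routing, svis, cur = False, {}, None
    for line in map(str.strip, config.splitlines()):
        iface = re.fullmatch(r"interface (\S+)", line)
        if line == "ip routing":
            routing = True
        elif iface or line == "!":
            # A new interface line or "!" closes the previous block.
            name = iface.group(1) if iface else ""
            cur = svis.setdefault(name, {"net": None, "acl_in": None, "up": True}) if name.startswith("Vlan") else None
        elif cur is not None:
            addr = re.fullmatch(r"ip address (\S+) (\d\S+)", line)
            acl = re.fullmatch(r"ip access-group (\S+) in", line)
            if addr:
                cur["net"] = ipaddress.ip_interface("/".join(addr.groups())).network
            elif acl:
                cur["acl_in"] = acl.group(1)
            elif line == "shutdown":
                cur["up"] = False
    return routing, svis

def unfiltered_paths(config):
    """Ordered (src, dst) SVI pairs the switch routes with no inbound ACL on src."""
    routing, svis = parse(config)
    live = sorted(n for n, s in svis.items() if routing and s["net"] and s["up"])
    return [(a, b) for a, b in itertools.permutations(live, 2) if not svis[a]["acl_in"]]

if __name__ == "__main__":
    for src, dst in unfiltered_paths(CONFIG):
        print(f"{src} -> {dst}: routed, no inbound ACL on {src}")
```
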

 

 


2 Replies


 

 

@Georg Pauwen thank you for taking the time to respond. I wasn't sure if it was a router or switch issue. However, instead of DHCP I assigned an IP to switchport Gi0/12. As soon as I changed it to "No Switchport" the hosts started getting an IP and were able to ping the gateway. Now to troubleshoot and work with the router or maybe buy a managed one.

I also found some instructions on how to tag the VLAN on the router port. I will try a script until I find a good router. Looking for any router recommendations out there, I was thinking something small like an ASA or something in the RV line (are those any good, for what I need to do?). Other brand recommendations are welcomed.

 

I created a static route on the router as shown below: 

Network/Host IP   Netmask         Gateway        Interface
10.193.191.0      255.255.255.0   10.193.191.1   LAN

 

Are the settings above correct based on my switch config? 

 

I hope that many find this helpful, I may end up doing a step-by-step setup. 
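
Added example, not part of the original thread: a Python check of a router static route of the kind discussed above, where the route must point towards the switch. A next hop has to be an address the router can reach on its own connected LAN, so the check flags a gateway that sits inside the destination network or outside the router's LAN. The router LAN prefix `10.193.190.0/24` and the switch uplink address `10.193.190.2` are assumptions for illustration; the page shows 10.193.190.x addresses but not the router's mask or the address given to Gi0/12.

```python
import ipaddress

# Assumption: the router's own LAN prefix (not stated on the page).
ROUTER_LAN = "10.193.190.0/24"

def check_static_route(dest, mask, gateway, router_lan=ROUTER_LAN):
    """Return a list of problems with a static route entered on the router."""
    net = ipaddress.ip_network(f"{dest}/{mask}")
    gw = ipaddress.ip_address(gateway)
    lan = ipaddress.ip_network(router_lan)
    problems = []
    if gw in net:
        # The next hop lives in the network the route is meant to reach,
        # so the router cannot resolve it without already having the route.
        problems.append("gateway is inside the destination network")
    if gw not in lan:
        problems.append("gateway is not on the router's connected LAN")
    if net.overlaps(lan):
        problems.append("destination overlaps the router's own LAN")
    return problems

if __name__ == "__main__":
    # Row as entered in the table above.
    print(check_static_route("10.193.191.0", "255.255.255.0", "10.193.191.1"))
    # Same destination via a constructed switch uplink address on the router LAN.
    print(check_static_route("10.193.191.0", "255.255.255.0", "10.193.190.2"))
```
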
