08-17-2019 04:27 AM
I'm trying to set up my new home network with some Cisco devices. I am new to the configuration of business network devices, but I want to learn to work with them and get more of these devices in my home. But I have had basic problems with my Cisco C1111-8P for more than 2 weeks and I have found no solution for it.
The Cisco Router is connected with the ETH 0/0/0 port (configured as WAN) to the router of my ISP. I get an IP address (192.168.1.11) from the ISP router and I think the router has access to the internet. When I connect my notebook to one of the LAN ports (ETH 1/0/6) my notebook gets an IP address (e.g. 10.19.14.10) of the defined DHCP pool from the Cisco router. But I cannot get internet access with my notebook.
This is my actual Cisco router configuration.
!
! Last configuration change at 22:37:58 UTC Mon Aug 12 2019
!
version 16.9
service config
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname NEXUS-1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXXXXX
enable password XXXXXXXX
!
no aaa new-model
!
ip name-server 192.168.1.1
ip dhcp excluded-address 10.14.14.1 10.14.14.9
ip dhcp excluded-address 10.14.14.250 10.14.14.254
ip dhcp excluded-address 10.19.14.1 10.19.14.9
ip dhcp excluded-address 10.19.14.250 10.19.14.254
ip dhcp excluded-address 10.2.14.1 10.2.14.9
ip dhcp excluded-address 10.2.14.250 10.2.14.254
!
ip dhcp pool NEXNET
 network 10.14.14.0 255.255.255.0
 default-router 10.14.14.1
 dns-server 10.14.14.1
!
ip dhcp pool SkyNET
 network 10.19.14.0 255.255.255.0
 default-router 10.19.14.1
 dns-server 10.19.14.1
!
ip dhcp pool bitNET
 network 10.2.14.0 255.255.255.0
 default-router 10.2.14.1
 dns-server 10.2.14.1
!
!
!
ipv6 unicast-routing
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2759056948
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2759056948
 revocation-check none
 rsakeypair TP-self-signed-2759056948
!
!
crypto pki certificate chain TP-self-signed-2759056948
 certificate self-signed 01 nvram:IOS-Self-Sig#5.cer
!
license udi pid C1111-8P sn XXXXXXXX
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username YYYYYYYY privilege 15 password 0 XXXXXXXX
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/0/0
 description Internet
 ip address dhcp
 negotiation auto
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
 description Intranet
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet0/1/0
 description SkyNET
 switchport access vlan 200
!
interface GigabitEthernet0/1/1
 description bitNET
 switchport access vlan 400
!
interface GigabitEthernet0/1/2
 description SkyNET
 switchport access vlan 200
!
interface GigabitEthernet0/1/3
 description bitNET
 switchport access vlan 400
!
interface GigabitEthernet0/1/4
 description SkyNET
 switchport access vlan 200
!
interface GigabitEthernet0/1/5
 description bitNET
 switchport access vlan 400
!
interface GigabitEthernet0/1/6
 description SkyNET
 switchport access vlan 200
!
interface GigabitEthernet0/1/7
 description bitNET
 switchport access vlan 400
!
interface Vlan1
 no ip address
!
interface Vlan100
 description NEXNET
 ip address 10.14.14.1 255.255.255.0
!
interface Vlan200
 description SkyNET
 ip address 10.19.14.1 255.255.255.0
!
interface Vlan400
 description bitNET
 ip address 10.2.14.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 192.168.1.1 GigabitEthernet0/0/0
!
!
snmp-server community XXXXXXXX RO
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password XXXXXXXX
 login
!
ntp server ip 0.de.pool.ntp.org prefer source GigabitEthernet0/0/0
ntp server 1.de.pool.ntp.org source GigabitEthernet0/0/0
ntp server 1.ciscosb.pool.ntp.org source GigabitEthernet0/0/0
ntp server ip 0.ciscosb.pool.ntp.org source GigabitEthernet0/0/0
!
end
Is there something wrong in my configuration? Could anyone help me find what is missing in my configuration to get it to work?
08-17-2019 06:18 AM
Hello bition,
You are missing the NAT (Network Address Translation) configuration.
Your internal IP addresses, such as 10.14.14.X, are private IP addresses per RFC 1918, and you need to map them to the external interface IP address.
You need the following:
int gi0/0/0
 ip nat outside
int vlan 100
 ip nat inside
int vlan 200
 ip nat inside
int vlan 400
 ip nat inside
ip nat inside source list 11 interface gi0/0/0 overload
access-list 11 remark define internal networks
access-list 11 permit 10.14.14.0 0.0.0.255
access-list 11 permit 10.2.14.0 0.0.0.255
access-list 11 permit 10.19.14.0 0.0.0.255
Routing is not enough to provide internet access; you need NAT.
Your default static route is fine and you don't need to change it.
>>
ip route 0.0.0.0 0.0.0.0 192.168.1.1 GigabitEthernet0/0/0
This is fine.
You also need to associate one L2 access interface with VLAN 100 to be able to use SVI Vlan100.
Note also that the ISP-assigned address is a private IP address, and the ISP will perform NAT on its device too
(unless you changed your public IP to this 192.168.1.1 for security reasons).
NAT is triggered when a packet needs to go from a NAT inside interface to a NAT outside interface.
Inter-VLAN routing should still work correctly because all SVIs are configured with ip nat inside.
Hope to help
Giuseppe
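A check for the gaps this answer identifies, added here as an example and not part of the original posts: it parses an IOS configuration and reports a missing outside interface, SVIs without `ip nat inside`, a missing overload (PAT) rule, and DHCP pool networks that the NAT access list does not permit. The function names `blocks` and `audit_nat` are hypothetical, and the sample input is constructed from the configuration in the question.

```python
import ipaddress
import re

# Constructed sample: a trimmed-down version of the configuration in the question.
SAMPLE = """\
ip dhcp pool SkyNET
 network 10.19.14.0 255.255.255.0
ip dhcp pool bitNET
 network 10.2.14.0 255.255.255.0
interface GigabitEthernet0/0/0
 description Internet
interface Vlan200
 ip address 10.19.14.1 255.255.255.0
interface Vlan400
 ip address 10.2.14.1 255.255.255.0
"""

def blocks(cfg):
    """Map each top-level IOS command to its indented sub-commands."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur:
            out[cur].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur = line.strip()
            out.setdefault(cur, [])
    return out

def audit_nat(cfg):
    """Return the NAT/PAT gaps that keep LAN clients from reaching the internet."""
    b, found = blocks(cfg), []
    intf = {h.split()[1]: s for h, s in b.items() if h.startswith("interface ")}
    if not any("ip nat outside" in s for s in intf.values()):
        found.append("no interface marked 'ip nat outside'")
    svis = {n: s for n, s in intf.items() if n.startswith("Vlan") and "no ip address" not in s}
    found += [f"{n}: missing 'ip nat inside'" for n, s in svis.items() if "ip nat inside" not in s]
    rules = (re.match(r"ip nat inside source list (\S+) interface \S+ overload$", h) for h in b)
    rule = next(filter(None, rules), None)
    if rule is None:
        return found + ["no 'ip nat inside source list ... overload' rule"]
    acl = [ipaddress.ip_network(f"{m[1]}/{m[2]}") for h in b
           if (m := re.match(rf"access-list {re.escape(rule[1])} permit ([\d.]+) ([\d.]+)$", h))]
    for h, s in b.items():
        for c in (s if h.startswith("ip dhcp pool ") else []):
            if c.startswith("network "):
                net = ipaddress.ip_network("/".join(c.split()[1:3]))
                if not any(net.subnet_of(a) for a in acl):
                    found.append(f"pool {h.split()[-1]}: {net} not permitted by ACL {rule[1]}")
    return found
```

Run `audit_nat` on the text of `show running-config`; it expects full interface names as the running configuration prints them, and an empty list means every DHCP pool is covered by the overload rule.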
08-17-2019 05:20 AM - edited 08-17-2019 05:23 AM
Delete your default IP route command
>Conf t
#no ip route 0.0.0.0 0.0.0.0 192.168.1.1 GigabitEthernet0/0/0
and try the following command
#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
If this is also not working, then you should ask your ISP provider about the next-hop IP address and replace the interface with the next-hop IP address.
08-17-2019 06:28 AM
Hi Manish,
Thank you for your quick response.
When I define the next hop with the address of the router from my ISP, the Cisco router gets access to the internet. With your suggested configuration of the IP route without the next-hop address, the Cisco router itself gets no connection to the internet.
To explain my current configuration, I have created some pictures for better understanding.
I want to replace all the ASUS devices (green devices) behind the Telekom router (router rented from my ISP) and replace it with Cisco devices (blue devices).
I hope this helps to get a better understanding of my actual issue.
Greetings, bition
08-17-2019 06:39 AM
Hello Manish,
NAT is required as explained by Luis and me in other posts in this thread.
Your suggested change to the static default route requires that Proxy ARP is enabled on the Telekom router and would make excessive use of ARP.
With a specified next hop, a router makes a single ARP request for the next-hop address.
With a static route pointing to a LAN interface, the router needs to make an ARP request for each destination on the internet!
This can cause the ARP table to grow too much.
Hope to help
Giuseppe
08-17-2019 06:16 AM
Hi @bition,
In addition to the change indicated by manish.sharma@cjpl.in , I think you should configure NAT on your router:
int g0/0/0
 ip nat outside
int vlan 100
 ip nat inside
int vlan 200
 ip nat inside
int vlan 400
 ip nat inside
access-list 1 permit 10.2.14.0 0.0.0.255
access-list 1 permit 10.14.14.0 0.0.0.255
access-list 1 permit 10.19.14.0 0.0.0.255
ip nat inside source list 1 interface g0/0/0 overload
Regards
08-17-2019 06:44 AM
Thank you Giuseppe and thank you Luis!
This is the solution I have been looking for for more than two weeks. Now my configuration works.
Now I can understand the required configuration and try some more settings without any pressure of time.
Greetings, bition
08-17-2019 06:50 AM
Hello bition,
You are welcome, and we are glad to be of help.
Best Regards
Giuseppe
08-17-2019 07:02 AM
I apologize that I missed pointing out the NAT commands, which are essential as already stated.
However, I do not think that you need the interface number after you have already defined the next-hop IP address:
ip route 0.0.0.0 0.0.0.0 <next hop IP address>
After that I think we can define metric etc. but not the interface number; if yes, what is the use, as the above statement tells that if you want to go anywhere except local landing, go to the next-hop device IP address. We do not define the next-hop IP address as well as the next-hop interface number, as generally that is not available to us in case ADSL is being used in bridge mode.
Correct me if I am wrong.
08-17-2019 07:27 AM
Hello Manish,
No problem, I just wanted to point out that a static route referring only to a LAN interface is not a good idea because of the need for Proxy ARP to be enabled on the other device and because of the increased ARP activity.
Yes, the configuration of an ip route with a next hop is enough to avoid the described issues with Proxy ARP.
The use of both an IP next hop and an outgoing interface has been added in the context of VRFs, where it is used.
The command with both options should be accepted even if the outgoing interface in this case is a redundant, unnecessary parameter.
An ADSL router acting as a bridge does not perform IP routing, so there is no need to configure a default static route in this case.
Hope to help
Giuseppe