Created a new Vlan Can't get it to get internet access

chueymtz
Level 1

I created a new VLAN and named it VLan300. In our config, Vlan100 is the only VLAN that currently has access to the internet; vlan200 does not, and we don't want it to. Vlan 300 will be on a 192.168.x.x network; vlan100 is on 10.76.x.x and vlan200 on 172.16.x.x. I can ping each network from the 192.168 address when connected to the ports on the switch, but I can't get online. I don't know what else I have to change, but I am posting the current config below.

 


ip dhcp excluded-address 172.16.2.0 172.16.2.129
ip dhcp excluded-address 172.16.2.161 172.16.3.255
ip dhcp excluded-address 10.76.2.0 10.76.2.159
ip dhcp excluded-address 10.76.2.221 10.76.2.255
ip dhcp excluded-address 192.168.2.0 192.168.2.20
!
ip dhcp pool Controls
network 172.16.2.0 255.255.254.0
bootfile undionly.kpxe
default-router 172.16.2.1
dns-server 172.16.2.23 172.16.2.24
lease 0 8
!
ip dhcp pool Admin
network 10.76.2.0 255.255.255.0
bootfile ipxe.efi
next-server 10.76.2.29
default-router 10.76.2.1
dns-server 10.110.0.228 10.110.0.229
lease 0 8
!
ip dhcp pool Wifi
network 192.168.2.0 255.255.255.0
bootfile undionly.kpxe
default-router 192.168.2.1
dns-server 10.76.2.53 10.76.2.54

!
!
!
!
!
!
!
!
!
!
interface Loopback0
description Management
no ip address
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
no switchport
no ip address
!
interface GigabitEthernet1/0/2
description To_5510
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description "To_3200GW01"
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description Comcast
spanning-tree portfast
!
interface GigabitEthernet1/0/5
description management
spanning-tree portfast
!
interface GigabitEthernet1/0/6
description Managment
spanning-tree portfast
!
interface GigabitEthernet1/0/7
description Management
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/9
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/12
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/15
description controls-To_ASA
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/16
description controls-To_ASA
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/17
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/18
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/19
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/20
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/21
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/22
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/23
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/24
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/25
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/26
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/27
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/28
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/29
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/30
description controls
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/31
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/32
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/33
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/34
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/35
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/36
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/37
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/38
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/39
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/40
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/41
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/42
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/43
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/44
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/45
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/46
description Admin
switchport access vlan 100
spanning-tree portfast
!
interface GigabitEthernet1/0/47
description Admin
switchport access vlan 300
spanning-tree portfast
!
interface GigabitEthernet1/0/48
description Wifi
switchport access vlan 300
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
description
no switchport
ip address 10.76.200.2 255.255.255.0
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/5
!
interface TenGigabitEthernet1/1/6
!
interface TenGigabitEthernet1/1/7
!
interface TenGigabitEthernet1/1/8
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface TwentyFiveGigE1/1/1
!
interface TwentyFiveGigE1/1/2
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
description management
no ip address
!
interface Vlan100
description Admin
ip address 10.76.2.1 255.255.255.0
!
interface Vlan200
description Controls
ip address 172.16.2.1 255.255.254.0
!
interface Vlan300
description Wifi
ip address 192.168.2.1 255.255.255.0
!
!
router eigrp 99
network 10.76.0.0 0.0.0.255
network 10.76.2.0 0.0.0.255
network 10.76.200.0 0.0.0.255
network 172.16.0.0
network 192.168.0.0
network 192.168.2.0
redistribute static metric 1000000 1 100 1 1
!
ip forward-protocol nd
ip telnet source-interface Vlan1
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.76.2.10
ip route 192.168.2.0 255.255.255.0 10.76.2.0
!
!
!
ip access-list standard 50
10 permit 192.168.0.0 0.0.0.255
20 permit 10.76.0.0 0.0.0.255
ip access-list extended 101
10 deny ip any 172.16.0.0 0.0.1.255
20 permit ip any any
ip access-list extended 102
10 permit ip any 172.16.0.0 0.0.1.255



 

Accepted Solutions

""" Vlan 300 will be on a 192.168.x.x network vlan100 is on a 10.76.x.x"""
This issue is a routing and NAT issue.
First, do a traceroute to 8.8.8.8 from the switch, once using SVI VLAN 100 and once using SVI VLAN 300 as the source.
See where the traceroute stops, then go to that L3 device and check the route and also the NAT (overload), whether it also includes the new VLAN or not.


MHM mentions that there may be routing issues. For the most part the routing looks pretty much ok. I would comment on this routing statement

ip route 192.168.2.0 255.255.255.0 10.76.2.0

I am not clear why you have a static route for 192.168.2.0. This is a locally connected subnet and so this static route will be ignored. And if it were to try to be used the next hop address is not a valid next hop (it is the subnet address and not a host address).

MHM also mentions issues with NAT and I believe that he is exactly correct. The config suggests that vlan 100 forwards its traffic to 10.76.2.10, which appears to be an ASA. I am guessing that the ASA is doing address translation for vlan 100, and has security policies that deny Internet for vlan 200. You need to make sure that the security policies of the ASA will permit Internet access for vlan 300 and will do address translation for vlan 300.

HTH

Rick
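
The two observations above about the static route (its destination is a connected subnet, and its next hop is a subnet address rather than a host) can be checked mechanically. The following Python sketch is an added example, not part of the original thread or of any Cisco tool; the function names are hypothetical and the sample config is reduced from the one posted in the question.

```python
import ipaddress
import re

# Constructed sample: only the relevant lines of the config posted in the question.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 10.76.2.1 255.255.255.0
interface Vlan200
 ip address 172.16.2.1 255.255.254.0
interface Vlan300
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.76.2.10
ip route 192.168.2.0 255.255.255.0 10.76.2.0
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def connected_networks(config):
    """Subnets the device is directly attached to (interface 'ip address' lines)."""
    return [ipaddress.ip_interface(f"{ip}/{mask}").network
            for ip, mask in ADDR_RE.findall(config)]


def audit_static_routes(config):
    """Return (route, problem) pairs for static routes that cannot work as written."""
    connected = connected_networks(config)
    findings = []
    for dest, mask, hop in ROUTE_RE.findall(config):
        route = f"ip route {dest} {mask} {hop}"
        target = ipaddress.ip_network(f"{dest}/{mask}")
        next_hop = ipaddress.ip_address(hop)
        if target in connected:
            findings.append((route, "destination is a directly connected subnet"))
        for net in connected:
            if next_hop == net.network_address:
                findings.append((route, f"next hop is the subnet address of {net}"))
            elif next_hop == net.broadcast_address:
                findings.append((route, f"next hop is the broadcast address of {net}"))
        if not any(next_hop in net for net in connected):
            findings.append((route, "next hop is not on any connected subnet"))
    return findings


if __name__ == "__main__":
    for route, problem in audit_static_routes(SAMPLE_CONFIG):
        print(f"{route}: {problem}")
```

The default route toward 10.76.2.10 passes both checks; whether the device at that address routes and translates the new subnet has to be verified on that device.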

Thank you for the reply. I used that route based on one of the posts here in the community but I took it out and like you said it still works.

Thank you, it was the NAT and I had to add a next hop into the firewall static route.