cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
243
Views
15
Helpful
9
Replies
Highlighted
Beginner

How to route traffic to another VLAN

Hello,

 

I need help with Catalyst configuration.

I am creating a separate VLAN in Cisco Catalyst for our guest so his access is limited to the Internet only and he won't be able to access our internal network.

 

Internal LAN: 10.1.1.0/24

Guest LAN: 10.1.123.0/24

 

The guest's computer IP address is 10.1.123.5 and he is connected to Catalyst interface GigabitEthernet0/2.

His default gateway is 10.1.123.14 (IP address of Catalyst)

My question is how to route his traffic to the default gateway (10.1.1.254)?

I have already set the default gateway to 10.1.1.254 but the traffic is not routed there.

Would really appreciate any advice.

 

Thank you.

===========================================

version 15.0
service config
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ABC-JKT-SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$F7WO$Dse3lPDvGjtLn8WWSyiKE0
!
username Admin privilege 15 secret 5 $1$Jeay$MJ/Gc/SwOISU6//.fRHh50
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization exec efault local
aaa accounting update periodic 5
!
!
!
!
!
aaa session-id common
clock timezone UTC 7 0
system mtu routing 1500
ip routing
ip domain-name abc.local
!
!
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint TP-self-signed-2550279040
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2550279040
revocation-check none
rsakeypair TP-self-signed-2550279040
!
!
crypto pki certificate chain TP-self-signed-2550279040
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353530 32373930 3430301E 170D3933 30333031 30303035
35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35353032
37393034 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B0F1 9F255950 BA56BD9E 8A710CFE 45DA0689 E14FE0F8 65AC39FC A7B4E70B
2923DECF 8054694A 58E2E6AC 4BDE6AFF 5AE5F87C 10B37388 01A36CAA 175AA5DB
A0AFD754 52937FD3 CFADE840 C12BD5AA 8D85C9F5 792474F6 DFDE7785 B8B45B63
09C04525 CB8E1636 FCABED28 02AD9289 6858A5CA 7F76ADF9 E18CA3CD 7E2B3B04
08610203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B424243 2D534E47 2D535731 301F0603 551D2304 18301680
14DE0802 67817D2A DD4822D9 4C185226 DC2C6735 19301D06 03551D0E 04160414
DE080267 817D2ADD 4822D94C 185226DC 2C673519 300D0609 2A864886 F70D0101
04050003 81810066 097F06E3 D9F7A297 D924B877 24FDF287 2738EA28 A08F70BC
D9852A80 85780D6D 4452E97A 66C992A7 841DFB78 A7AFFD68 218D7E92 C8E72798
4DFEB23F FFA1A36B C8489ABA 52449C4D 7F30307F 70486C55 CE098236 A48D3C50
9B48C552 608B421D F607E78B 2A4490F7 F3287652 A543D8A3 EC7906EF E37FA5E2
9A13BD7B 2B83DD
quit
auto qos srnd4
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description Separate tenant
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
description Router WAN
switchport access vlan 10
!
interface GigabitEthernet0/46
switchport access vlan 10
!
interface GigabitEthernet0/47
description LAN1
switchport access vlan 10
!
interface GigabitEthernet0/48
description LAN2
switchport access vlan 10
!
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
macro description cisco-switch
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
ip address 10.1.1.252 255.255.255.0
!
interface Vlan2
ip address 10.1.123.14 255.255.255.240
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
logging esm config
snmp-server community public RO
snmp-server location Jakarta
snmp-server contact support@jakarta.com
!
!
!
!
line con 0
line vty 0 4
password 7 06821D234B41074B554742
length 0
transport input ssh
line vty 5 15
password 7 1546190D03272576789365
length 0
transport input ssh
!
end

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

Re: How to route traffic to another VLAN

There are multiple things in this post to comment about. The config does show that ip routing is enabled, does show that there is a user vlan (vlan 1) and a guest vlan (vlan 2), that each vlan does have a layer 3 vlan interface with an appropriate address, and that there is a default route with 10.1.1.254 as the next hop. All of these seem appropriate and based on them I would expect that routing for the guest vlan should work. If it does not then we need to investigate several possibilities of what could be the issue.

1) does the switch see the upstream gateway and the downstream guest device? Do show arp on the switch and verify that there is an entry for the upstream gateway and an entry for the downstream guest device.

2) does the upstream gateway have a route for subnet 10.1.123.0 (and as a curiosity what mask is used for that route)?

3) can the upstream gateway ping both 10.1.1.252 and 10.1.123.14?

4) can the guest device ping its gateway 10.1.123.14? And can the guest device ping the switch interface for vlan 1 10.1.1.252? And can the guest device ping the gateway at 10.1.1.254?

 

It seems to me that this issue has at least 2 parts. The first part is what we are dealing with so far in terms of basic ip connectivity and basic ip routing. We need to get that straightened out and working then can consider the second part which is that the guest should access the Internet but not devices in the user vlan.

 

I will also comment on something that seems odd but is not directly related to the main issue of this post. There is another vlan configured, vlan 10. Depending on which comment is correct it is either for a WAN router or is for LAN2. There are switch ports assigned to this vlan but no SVI. So what this vlan is and how it might work is not clear.

 

HTH

 

Rick

9 REPLIES 9
VIP Advisor

Re: How to route traffic to another VLAN

Hi there,

I suspect the gateway device (10.1.1.254) does not have a route for 10.1.123.0/24 via 10.1.1.252  , ie:

 

!
ip route 10.1.123.0 255.255.255.0 10.1.1.252
!

 

Also, you state the guest VLAN is a /24, but the VLAN2 SVI is a /28 

 

cheers,

Seb .

Beginner

Re: How to route traffic to another VLAN

Hi Seb,

 

Thanks for highlighting the VLAN subnet, but I still unable to connect after making the changes and adding the ip route.

Any advice?

VIP Advisor

Re: How to route traffic to another VLAN

A few more questions.

From the host device can you ping the switch IP 10.1.1.252

 

From the switch can you ping the gateway IP 10.1.1.254

 

What is the gateway device? Can it ping both switch IP addresses (VLAN SVIs 1 and 2)?

 

Which switchport is the gateway device connected to?

 

cheers,

Seb.

Hall of Fame Master

Re: How to route traffic to another VLAN

There are multiple things in this post to comment about. The config does show that ip routing is enabled, does show that there is a user vlan (vlan 1) and a guest vlan (vlan 2), that each vlan does have a layer 3 vlan interface with an appropriate address, and that there is a default route with 10.1.1.254 as the next hop. All of these seem appropriate and based on them I would expect that routing for the guest vlan should work. If it does not then we need to investigate several possibilities of what could be the issue.

1) does the switch see the upstream gateway and the downstream guest device? Do show arp on the switch and verify that there is an entry for the upstream gateway and an entry for the downstream guest device.

2) does the upstream gateway have a route for subnet 10.1.123.0 (and as a curiosity what mask is used for that route)?

3) can the upstream gateway ping both 10.1.1.252 and 10.1.123.14?

4) can the guest device ping its gateway 10.1.123.14? And can the guest device ping the switch interface for vlan 1 10.1.1.252? And can the guest device ping the gateway at 10.1.1.254?

 

It seems to me that this issue has at least 2 parts. The first part is what we are dealing with so far in terms of basic ip connectivity and basic ip routing. We need to get that straightened out and working then can consider the second part which is that the guest should access the Internet but not devices in the user vlan.

 

I will also comment on something that seems odd but is not directly related to the main issue of this post. There is another vlan configured, vlan 10. Depending on which comment is correct it is either for a WAN router or is for LAN2. There are switch ports assigned to this vlan but no SVI. So what this vlan is and how it might work is not clear.

 

HTH

 

Rick

Beginner

Re: How to route traffic to another VLAN

Hi Rick,

Yes, the problem is with the gateway.
It's working now after I fix the gateway.
Thanks a lot for the advice!

Cheers!
Hall of Fame Master

Re: How to route traffic to another VLAN

Thanks for the update. Glad to know that it is working after you fixed the gateway. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick

Beginner

Re: How to route traffic to another VLAN

Hi Seb,

 

Thanks for your advice.

The problem is with the gateway.

I configured the gateway and it is working fine now.

Thanks again for your help!

 

Cheers!

Participant

Re: How to route traffic to another VLAN


is it fixed now ?
Beginner

Re: How to route traffic to another VLAN

Hi MartinLo,

Yes, it is working now as the problem is with the gateway, not with the Catalyst.

Cheers!
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards