
Internet not reaching Core/Access Switch

maisiba
Level 1

Router has internet but Core Switch not picking, what am I missing?

Router and Switch can ping each other

 

Router Configs

 

Router#sh run
Building configuration...


Current configuration : 2966 bytes
!
! Last configuration change at 06:51:08 UTC Fri Nov 26 2021
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$De./$aFvTeKMWxh6GZbBORCt/I.
!
no aaa new-model
!
ip name-server 8.8.8.8
ip domain name xxxxx
!
subscriber templating
!
!
multilink bundle-name authenticated
!
license udi pid ISR4331/K9 sn FDO2434015D
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username xxxxxx secret 5 $1$Wt2e$OQBtmvjwMxVtdmfGHSWoi/
username yyyyyy secret 5 $1$qM3u$KeoRpdz.GQkdUDnrajzrz/
!
redundancy
mode none
!
!
interface GigabitEthernet0/0/0
description WAN
ip address xx.xx.244.126 255.255.255.254
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
ip nat inside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2.200
description LAN
encapsulation dot1Q 200
ip address 172.30.235.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
!
router eigrp 1
network 0.0.0.0
network 10.64.101.0 0.0.0.255
network 172.30.235.0 0.0.0.255
!
ip nat inside source list 101 interface GigabitEthernet0/0/2 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 xx.xx.244.127 10
!
ip ssh version 2
!
access-list 101 permit ip 192.168.235.0 0.0.0.255 any
access-list 101 permit ip 10.64.101.0 0.0.0.255 any
access-list 101 permit ip 172.22.171.0 0.0.0.255 any
access-list 101 permit ip 172.30.235.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
login local
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4

Router#


Core Switch Configs

CORE_SWITCH#sh run
Building configuration...

% VRF table-id 0 not active
Current configuration : 3708 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname CORE_SWITCH
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.03.00.SG.151-1.SG.bin
boot-end-marker
!
!
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
username xxxxx secret 5 $1$Wt2e$OQBtmvjwMxVtdmfGHSWoi/
no aaa new-model
hw-module uplink select tengigabitethernet
!
ip vrf mgmtVrf
!
ip dhcp excluded-address 10.64.101.1 10.64.101.10
ip dhcp excluded-address 172.22.171.1 172.22.171.10
ip dhcp excluded-address 10.64.101.240 10.64.101.254
ip dhcp excluded-address 172.22.171.240 172.22.171.254
ip dhcp excluded-address 192.168.235.1 192.168.235.10
!
ip dhcp pool grnd_FLR_DATA
network 10.64.101.0 255.255.255.0
default-router 10.64.101.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
ip dhcp pool GRND_FLR_VOICE
network 172.22.171.0 255.255.255.0
default-router 172.22.171.1
option 150 ip 10.66.112.2 10.66.112.3
dns-server 8.8.8.8 4.2.2.2
lease 7
!
ip dhcp pool cctv
network 192.168.235.0 255.255.255.0
default-router 192.168.235.1
dns-server 10.66.112.10 196.201.225.19 196.201.225.18
lease 7
!
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
vlan internal allocation policy ascending
!
vlan 10
name VOICE
!
vlan 100
name AUDIO_VISUAL
!
vlan 110
name DATA
!
vlan 120
name SERVERS
!
vlan 128
name CCTV
!
vlan 200
name managemnt
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface TenGigabitEthernet1/1
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/2
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/3
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/4
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/5
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/6
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/7
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/8
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/9
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/10
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/11
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/12
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet3/1
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet3/2
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/3
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/4
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/5
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/6
switchport mode trunk
switchport nonegotiate
!
interface Vlan1
no ip address
!
interface Vlan10
description voice
ip address 172.22.171.1 255.255.255.0
!
interface Vlan110
description data
ip address 10.64.101.1 255.255.255.0
!
interface Vlan128
ip address 192.168.235.1 255.255.255.0
!
interface Vlan200
ip address 172.30.235.2 255.255.255.0
!
!
router eigrp 1
network 0.0.0.0
network 10.64.101.0 0.0.0.255
network 172.30.235.0 0.0.0.255
eigrp stub connected summary
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.30.235.1
!
!
line con 0
stopbits 1
line vty 0 4
password (&%^09234bhbgc!#@132ih
login
!
end

CORE_SWITCH#


Switch ping from Router

Router#ping 172.30.235.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.235.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

Router ping from Switch

CORE_SWITCH#ping 172.30.235.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.235.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

 

Internet ping from Router

Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/54 ms

 

Internet ping from Switch

CORE_SWITCH#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

Internet Tracert from Switch

CORE_SWITCH#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 172.30.235.1 0 msec 0 msec 0 msec
2 * * *
3 * * *
4 * * *
5 * * *

 

 

1 Accepted Solution


Hello,

 

not sure if this is a typo?

 

--> ip nat inside source list 101 interface GigabitEthernet0/0/2 overload

 

According to your configuration, the WAN interface is GigabitEthernet0/0/0. Make sure that is reflected in your config:

 

--> ip nat inside source list 101 interface GigabitEthernet0/0/0 overload

 


Ooh yes, thanks, that was a typo.
Corrected but still internet unreachable from Core Switch

Hello,

 

do the clients connected to the core switch get an Internet connection?

 

Try to ping from the switch with a source ip:

 

CORE_SWITCH#ping 8.8.8.8 source 172.30.235.2

 

CORE_SWITCH#ping 8.8.8.8 so 172.30.235.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.30.235.2
.....
Success rate is 0 percent (0/5)

Hello,

 

post the output of 'show ip route' from both the switch and the router...

Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is xx.159.244.127 to network 0.0.0.0

S* 0.0.0.0/0 [10/0] via xx.159.244.127
10.0.0.0/24 is subnetted, 1 subnets
D 10.64.101.0 [90/3072] via 172.30.235.2, 02:34:30, GigabitEthernet0/0/2.200
154.159.0.0/16 is variably subnetted, 2 subnets, 2 masks
C xx.159.244.126/31 is directly connected, GigabitEthernet0/0/0
L xx.159.244.126/32 is directly connected, GigabitEthernet0/0/0
172.22.0.0/24 is subnetted, 1 subnets
D 172.22.171.0 [90/3072] via 172.30.235.2, 02:34:30, GigabitEthernet0/0/2.200
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.235.0/24 is directly connected, GigabitEthernet0/0/2.200
L 172.30.235.1/32 is directly connected, GigabitEthernet0/0/2.200
D 192.168.235.0/24 [90/3072] via 172.30.235.2, 02:34:30, GigabitEthernet0/0/2.200







CORE_SWITCH#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 172.30.235.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.30.235.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.64.101.0/24 is directly connected, Vlan110
L 10.64.101.1/32 is directly connected, Vlan110
xx.159.0.0/31 is subnetted, 1 subnets
D xx.159.244.126 [90/28416] via 172.30.235.1, 02:38:27, Vlan200
172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.22.171.0/24 is directly connected, Vlan10
L 172.22.171.1/32 is directly connected, Vlan10
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.235.0/24 is directly connected, Vlan200
L 172.30.235.2/32 is directly connected, Vlan200
192.168.235.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.235.0/24 is directly connected, Vlan128
L 192.168.235.1/32 is directly connected, Vlan128

Hello

You have no NAT assigned to the routed port of the LAN interface. Also, change the switchport from a trunk to an access port in VLAN 200, then test again.

 

Router
interface GigabitEthernet0/0/2.200
description LAN
ip nat inside







switch
default interface GigabitEthernetx/x
interface GigabitEthernetx/x
description RTR facing
switchport host
switchport access vlan 200

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Router WAN interface has NAT assigned, please re-check the configs above.

 

Made below changes on switch, still internet unreachable from switch.

 

interface TenGigabitEthernet1/12
switchport access vlan 200
switchport mode access
spanning-tree portfast
 

 

Hello,

 

when you ping 8.8.8.8 from 172.30.235.2 (the switch) and then issue the command 'show ip nat translation *' on the router, do you actually see an entry for 172.30.235.2?

Hello Georg, 

No, there is no translation recorded on router as shown below;

 

CORE_SWITCH#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CORE_SWITCH#exit

[Connection to 172.30.235.2 closed by foreign host]
Router#sh ip nat translations
Total number of translations: 0

 

Hello

Apologies missed that...

TBH your configuration looks okay, apart from the dynamic PAT statement pointing to gig0/0/2 but you say that has been removed and replaced to point to gig0/0/0 - correct?

 

What rtr are you using and version of software?
rtr

sh version



Kind Regards
Paul

Hello Paul,

Yes corrections were done and dynamic pat points to g0/0/0 and still switch not able to ping 8.8.8.8.

 

I'm using Cisco 4331, below sh ver

 

Router#sh ver
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sun 08-Jul-18 04:33 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

Router uptime is 14 hours, 19 minutes
Uptime for this control processor is 14 hours, 21 minutes
System returned to ROM by PowerOn
System image file is "bootflash:isr4300-universalk9.16.06.04.SPA.bin"
Last reload reason: PowerOn

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.




Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9

AdvUCSuiteK9 None None None
uck9
cme-srst
cube


Technology Package License Information:

-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 None None None
uck9 None None None
securityk9 None None None
ipbase ipbasek9 Permanent ipbasek9

cisco ISR4331/K9 (1RU) processor with 1795999K/6147K bytes of memory.
Processor board ID FDO2435M0HB
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3207167K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Hello

Can you try the following:
no access-list 101
! deny the WAN interface from the NAT ACL
access-list 101 deny ip host xx.xx.244.126 any
access-list 101 permit ip 192.168.235.0 0.0.0.255 any
access-list 101 permit ip 10.64.101.0 0.0.0.255 any
access-list 101 permit ip 172.22.171.0 0.0.0.255 any
access-list 101 permit ip 172.30.235.0 0.0.0.255 any

router eigrp 1
no network 0.0.0.0
! I don't see this on any physical interface
no network 10.64.101.0 0.0.0.255


Kind Regards
Paul

Hello Paul,

Apparently, the router had no ACLs, dunno how they disappeared.

Added them back and Core Switch picked internet

ACLs added

access-list 101 permit ip 192.168.235.0 0.0.0.255 any
access-list 101 permit ip 10.64.101.0 0.0.0.255 any
access-list 101 permit ip 172.22.171.0 0.0.0.255 any
access-list 101 permit ip 172.30.235.0 0.0.0.255 any




CORE_SWITCH#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/28/36 ms



Thank you very much all!
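
A config check for the two faults found in this thread (the PAT statement pointing at an inside interface, and access-list 101 being absent from the router), added here as an example and not posted by any participant. The function name `audit_nat` and the sample configs, including the 203.0.113.2 WAN address, are constructed for illustration.

```python
import re

NAT_RULE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload")
ACL_LINE = re.compile(r"^access-list (\S+) (?:permit|deny)\b")

def audit_nat(config):
    """Return findings for the PAT statements in an IOS-style running-config."""
    roles, acls, rules, current = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None  # "!" closes the interface block
        elif current and line in ("ip nat inside", "ip nat outside"):
            roles[current] = line.split()[-1]
        elif (m := NAT_RULE.match(line)):
            rules.append(m.groups())
        elif (m := ACL_LINE.match(line)):
            acls.add(m.group(1))
    findings = []
    if "inside" not in roles.values():
        findings.append("no interface is marked 'ip nat inside'")
    if not rules:
        findings.append("no 'ip nat inside source list ... overload' statement")
    for acl, iface in rules:
        if roles.get(iface) != "outside":
            findings.append(f"PAT statement uses {iface}, which is not an 'ip nat outside' interface")
        if acl not in acls:
            findings.append(f"access-list {acl} is referenced by the PAT statement but has no entries")
    return findings

# Constructed samples (203.0.113.2 stands in for the masked WAN address).
BASE = """\
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.254
 ip nat outside
!
interface GigabitEthernet0/0/2
 ip nat inside
!
interface GigabitEthernet0/0/2.200
 ip address 172.30.235.1 255.255.255.0
 ip nat inside
!
"""
ACL = "access-list 101 permit ip 172.30.235.0 0.0.0.255 any\n"
AS_POSTED = BASE + "ip nat inside source list 101 interface GigabitEthernet0/0/2 overload\n" + ACL
ACL_MISSING = BASE + "ip nat inside source list 101 interface GigabitEthernet0/0/0 overload\n"
FIXED = ACL_MISSING + ACL

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("ACL missing", ACL_MISSING), ("fixed", FIXED)):
        print(name, "->", audit_nat(cfg) or "OK")
```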
