Routing between /27 and /30 block (VLAN to Physical WAN)

Hello all,

Sorry if this is a mega simple question, but we need to set up something like this (see attached diagram: WAN Configuration (generic).jpg).

The physical connectivity between the ISP network and External Switch 1, i.e. the /30 network, is on port GigabitEthernet 0/19. The /27 network is configured as VLAN100. How do we configure it so that all hosts in the 192.168.1.64/27 network can access the Internet using the .66 HSRP IP? Then of course we can configure routing in the Firewall to allow hosts in the internal network to access the Internet too. But that's another story.

Help please?

Thanks so much in Advance

Accepted Solution

If you can ping it after removing /30 block, then certainly it's an issue on your ISP side as you've already discovered.


Replies

Do you need to nat traffic from 192.168.1.64/27 devices to the Internet? Cat3xxx switches don't support NAT.

Hi Roman,

No. We don't need to NAT. NATting can be handled in the Firewall downstream from the Catalyst switches.

BTW, good thing to bring up. Forgot to mention that the External Switches are Catalyst 3560G-24 Port switches running the Advanced IP Services IOS.

Thanks

Are you trying to get that 192.168.x.x subnet to route through the ASA, NAT and then back to the Internet? That won't work. Traffic has to enter the ASA through one interface and then exit through another in order to NAT.

Hi Roman,

No. Don't worry about the ASA. That ASA is just there to give the whole picture. We just want the machines in the /27 block to be able to access the Internet going through the /30 block, which is physically connected to the ISP's network. Once that works, the ASA will be just another machine on the /27 block which can do the NAT stuff for internal machines.

HTH

Ok, but where is the trick? Enable ip routing on the 3560, configure a default route to the next hop, and set the hosts' default gateway to the 3560 HSRP IP.

Haha, there is no trick other than the fact that we're not very good with Cisco stuff. Haven't had to touch it for a while.

ip routing IS turned on. The problem is that we're unable to ping any outside host on the Internet from the switch. The current config is as follows (only the relevant sections are provided):

ip routing
!
interface GigabitEthernet0/19
 description Primary DIA to ISP
 no switchport
 ip address 10.1.1.66 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 priority-queue out
 service-policy input LAN-MARKER
!
interface Vlan100
 ip address 192.168.1.67 255.255.255.224
 no ip redirects
 no ip proxy-arp
 load-interval 600
 standby 1 ip 192.168.1.66
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 10
!
ip default-gateway 10.1.1.65

"ip default-gateway" doesn't work when "ip routing" is enabled. Instead, configure a default route with:

ip route 0.0.0.0 0.0.0.0 10.1.1.65

I'm quite sure it does. That's how we had configured it before and everything used to work. We just had to change ISPs and had to simply change the IP addresses for the new ISP. The other difference is that previously we had iBGP configured with the ISP, who provided us two WAN links, and the default route for the /30 block was set within the BGP configuration. Now we don't have BGP with the ISP, so we don't really know where to stick in the default router for the /30 block, which is .65. Previously, we had configuration like

ip default-gateway

and the default gateway for the /30 block was stuck inside the BGP configuration. There was no default router specified for the /27 block, which is great because we saved an IP address which would otherwise be wasted as the provider's gateway/network port on the other side.

I repeat, the command "ip default-gateway" doesn't work when "ip routing" is enabled; that command didn't do anything when BGP was running. Your BGP peer was providing you a dynamic BGP default route 0.0.0.0. Now you need to set it statically with "ip route 0.0.0.0 0.0.0.0 10.1.1.65".

Haha ok... thanks for the clarification. We did change it before responding to the last message, and it didn't work either. Still can't ping any host on the Internet.

The only configuration that works is IF we remove the /30 block completely and just use the /27 block.

I think this could be a problem at the ISP end also. The thing is that I am unable to ping the default gateway for the /30 block, i.e. 10.1.1.65 (obviously not the real IP of the ISP), from the Internet, but I can ping the default gateway for the /27 block, i.e. 192.168.1.65 (again, not the real IP). However, I can ping it from the switch itself.

So you think our side of the config looks good after changing the ip route to 0.0.0.0 and pointing it to the default gateway of the /30 block?

Thanks

Are you saying you can ping your 192.168.1.65 IP from the Internet? I assume that IP belongs to the ASA (or some server). Well, that's a great indication that routing is working. You probably can't ping that 10/30 IP because the ISP is blocking ping traffic to their IPs.

Paste your full config one more time, not sure yet why you can't ping Internet hosts.

By the way, your switch on the right will need a different default route:

ip route 0.0.0.0 0.0.0.0 192.168.1.67

Yes, we can ping the address .65 in the /27 block from the Internet, BUT this address is NOT configured anywhere inside our network. This is the IP that's probably sitting configured on the router of the ISP. This should not be the case, as after getting the /30 block we should have all 30 IP addresses to use, since we've already taken care of the path to the ISP with the /30 block. We agree that the default router of the /30 block, i.e. 10.1.1.65, isn't responding to pings since it may be blocked by the ISP, but we don't trust the competence of these people. They have messed up before and they might be messing up again. A ticket has been opened with them but no one has responded in the last 5 hrs!

For the given scenario only 10.1.1.65 (ISP side) and 10.1.1.66 (our side) should be pingable (assuming no one has turned off pings), but we're instead able to ping 192.168.1.65, which should NOT be pingable as this should now be completely in our network. Since it is responding to pings and we have not configured it anywhere, it's clearly sitting on the ISP network, which was also proven: if we configure the switches to remove the /30 block and just use the /27 block using 192.168.1.65 as the default route, everything works. We think this is an ISP issue.

Also, we hope you've caught on to the fact that none of these ranges are real... for security reasons. Both blocks we have are Class A public IP addresses.

The config we gave earlier is the main config. Everything after that is just access rules and configuration of VLANs etc.

Cheers

Yes, I figured that.

It sounds like that block is assigned to some device inside the ISP's network, or could even possibly be assigned to some other customer. Are you able to connect to it with a web browser? Are you able to reach any other IPs in that range?

The 192.168.1.65 is definitely not assigned to some other customer, as we're able to use it as a default gateway if we remove the /30 block, and it's on the ISP side. What they should've done when they gave us the /30 block is release the 192.168.1.65 address and aggregate the /27 block to be routed via the /30 block, but they clearly haven't done that. Can't believe we wasted all this time in trying to resolve it. Should have just waited for the ISP to get back to us. Maybe we'll have to get back to this after the ISP sorts it out at their end?
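The forwarding decisions the replies above describe (the primary 3560's static default via 10.1.1.65, the right-hand switch's default via 192.168.1.67, and the missing return path when the ISP still treats the /27 as connected to its old port) walked through as a longest-prefix-match model. This is an added example, not code from the thread or from Cisco; the ISP-side tables and the 203.0.113.10 destination are constructed assumptions.

```python
"""Longest-prefix-match walk of the routing tables discussed in this thread.
Added example, not code from the thread; ISP-side tables are assumed."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop or None for a connected route, outgoing interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]

def table(*rows: Tuple[str, Optional[str], str]) -> List[Route]:
    return [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in rows]

# Primary 3560, from the config pasted above plus the static default the reply
# recommends. "ip default-gateway" is absent on purpose: with "ip routing" on,
# IOS ignores it, so it never reaches the forwarding table.
PRIMARY = table(("10.1.1.64/30", None, "GigabitEthernet0/19"),
                ("192.168.1.64/27", None, "Vlan100"),
                ("0.0.0.0/0", "10.1.1.65", "GigabitEthernet0/19"))

# Right-hand 3560: no /30 link, so its default must point at the primary's SVI.
SECONDARY = table(("192.168.1.64/27", None, "Vlan100"),
                  ("0.0.0.0/0", "192.168.1.67", "Vlan100"))

# Assumed ISP-side tables. "Stale" is the state the thread suspects: .65 still
# lives on the ISP router, so the /27 is treated as connected to the old port.
ISP_STALE = table(("10.1.1.64/30", None, "cust-30"),
                  ("192.168.1.64/27", None, "old-cust-port"))
ISP_FIXED = table(("10.1.1.64/30", None, "cust-30"),
                  ("192.168.1.64/27", "10.1.1.66", "cust-30"))

def lookup(tbl: List[Route], dst: str) -> Tuple[str, str]:
    """Return (next_hop, interface) for dst; a connected route resolves to dst."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in tbl if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    prefix, nh, iface = best
    return (nh or dst, iface)

def return_path_reaches_customer(isp_tbl: List[Route], lan_host: str) -> bool:
    """Replies to a /27 host only get home if the ISP forwards them to our /30 IP."""
    return lookup(isp_tbl, lan_host)[0] == "10.1.1.66"

if __name__ == "__main__":
    out = "203.0.113.10"                      # constructed Internet destination
    print(lookup(PRIMARY, out))               # ('10.1.1.65', 'GigabitEthernet0/19')
    print(lookup(SECONDARY, out))             # ('192.168.1.67', 'Vlan100')
    print(return_path_reaches_customer(ISP_STALE, "192.168.1.70"))   # False
    print(return_path_reaches_customer(ISP_FIXED, "192.168.1.70"))   # True
```

The outbound lookups succeed in both ISP states, which matches the thread: the switch config is fine, and the symptom is the reply never coming back.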