Routing between Layer 3 and Layer 2 ports on Cisco 1921 ISR?

Greetings all,

I am struggling to route traffic out a layer 2 port from a layer 3 port on a Cisco 1921 Integrated Services Router (ISR). Please help me figure out how to route traffic from my layer 3 port to a layer 2 port on the onboard HWIC card.

Cisco 1921 ISR comprises:

  • 2 Layer 3 interfaces [gig0/0, gig0/1]
  • 4 port GE switch card, EHWIC-4ESG
    • Gig0/0/0 – Gig0/0/3
      • These ports do not support layer 3 functionality even though this is a router.

Traffic from my outside corporate network will come into Gig0/0 (layer 3) port, will undergo static NAT and will be routed out either Gig0/1 or Gig0/0/0 depending on which IP they pick up during NAT translation.

I have

  • created vlan 709,
  • marked vlan 709 as an inside NAT interface,
  • assigned vlan 709 an ip address, 172.29.40.1

I have

  • made gig0/0/0 a switchport
  • made gig0/0/0 an access port
  • allowed gig0/0/0 to access vlan 709

There is a route in the routing table to direct traffic whose destination IP is translated by NAT to 172.29.40.3 to go to the 172.29.40.0 /24 network, which is connected directly to gig0/0/0.

SSH is enabled in vty lines for output and input.

Under this scheme, when I try to ssh from the router to an end device out of gig0/0/0 on the 172.29.40.0 /24 network, the SSH connection does not work. SSH does not error out or time out; it just processes in the background: the command prompt is unresponsive for a moment, I never see a login prompt from the end device, and the router IOS CLI command prompt becomes responsive again after 15 seconds or so.

SSH is enabled on the end device because I can SSH to the router from the end device on the vlan 709 interface 172.29.40.1. I can ping it from the end device too.

Under this scheme, when I try to ssh from the router to an end device out of gig0/1 on the 172.28.254.0 /24 network, the SSH connection works. I can SSH in either direction. This seems to be easier because this is Layer 3 interface to Layer 3 interface routing (Gig0/0 --> Gig0/1).

Basically, it seems I misunderstand how to route from a Layer 3 interface to a Layer 2 port on the HWIC card.

Here are the relevant parts of my configuration:

no aaa new-model
ethernet lmi ce
ip cef
no ipv6 cef
multilink bundle-name authenticated
redundancy
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.30.41.130 255.255.254.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 172.28.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0/0
 no ip address
 no mop enabled
!
interface GigabitEthernet0/0/1
 no ip address
 no mop enabled
!
interface GigabitEthernet0/0/2
 no ip address
 no mop enabled
!
interface GigabitEthernet0/0/3
 no ip address
 no mop enabled
!
interface Vlan1
 no ip address
 shutdown
 no mop enabled
!
interface Vlan709
 ip address 172.29.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 172.28.254.12 10.30.41.141
ip nat inside source static 172.29.40.3 10.30.41.142
ip route 0.0.0.0 0.0.0.0 10.30.41.1 permanent
ip route 10.30.41.141 255.255.255.255 172.28.254.12
ip route 172.28.254.12 255.255.255.255 172.28.254.12
ip route 172.29.40.3 255.255.255.255 172.29.40.3
!
dialer-list 1 protocol ip permit
control-plane
 vstack
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password acsacs
 login local
 transport input all
scheduler allocate 20000 1000
end

Thank you for your help.

5 Replies

RAdamWilliams
Level 1

Why is that third static route there?

Actually I meant the fourth static route. Also, on the config you posted, 0/0/0 seems defaulted.

After NAT translation, routing happens, so the traffic destination will be 172.29.40.3; hence the need for the 4th static route. The 2nd static route is a leftover from when I thought routing happened before translation.

balaji.bandi
Hall of Fame
Under this scheme, when I try to ssh from the router to an end device out of gig0/0/0 on the 172.29.40.0 /24 network, the SSH connection does not work. SSH does not error out/time out but it just processes in the background, the command prompt is unresponsive for a moment, I never see a login prompt to the end device, and the router IOS CLI command prompt becomes responsive again after 15 seconds or so.

This statement was not clear to us; can you explain the source IP and destination IP?

What is the end device, a router or a switch? How is routing done on the end device?

Do you have a rough diagram of how these are connected?

I see you have only static NAT from outside to inside, but I do not see any NAT config for the inside (is that the desired setup?).

Is routing enabled on the router and the end device? Can you post show ip route from the end device and the router?

As long as you have not enabled any source for SSH and have no ACL, any device can SSH to the device.

BB


Greetings All,

OP here. I have solved my issue. The connection problem had nothing to do with the configuration of a Cisco device, in this case a Cisco 1921 Integrated Services Router (ISR). The problem arose from a misconfiguration of a virtual network adapter in the VMware vSphere environment: the virtual network adapter was not configured for vlan 709, the vlan I was configuring on the 1921 ISR router to act as the SVI.

Explanation: 
To be clear, if you have an ISR router with an EHWIC-4ESG card installed, the 4 ports on the EHWIC-4ESG switch card are Layer 2 ports, and therefore those 4 ports cannot directly have an IP address assigned to them with the ip address <network> <mask> command from interface configuration mode.

If you wish to allow routing between the built-in Layer 3 interfaces of the ISR (Gig0/0, Gig0/1) and the Layer 2 ports of the installed EHWIC-4ESG switch card, likely named Gig0/0/0, Gig0/0/1, Gig0/0/2, Gig0/0/3, you will need to use the Switched Virtual Interface (SVI) method.

SVI method:

Router>enable
Router#configure terminal
Router(config)#vlan 709
Router(config-vlan)#name svi-example
Router(config-vlan)#state active
Router(config-vlan)#no shutdown
Router(config-vlan)#exit
Router(config)#interface vlan 709
Router(config-if)#ip address <network> <mask>
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface gig0/0/0
Router(config-if)#switchport mode access
Router(config-if)#switchport access vlan 709
Router(config-if)#no shutdown
Router(config-if)#end
Router#show vlan-switch
Router#show interfaces gig0/0/0 status
Router#show interfaces gig0/0/0 switchport
Router#show ip interface brief

In my case, I was performing Network Address Translation before the route lookup, so there is a need to specify vlan 709 as an inside interface; modify the above as follows:

Router>enable
Router#configure terminal
Router(config)#interface vlan 709
Router(config-if)#ip address <network> <mask>
Router(config-if)#ip nat inside
Router(config-if)#no shutdown
Router(config-if)#end
Router#show vlan-switch
Router#show ip interface brief

Now you need to add appropriate routes in the routing table.

After doing the above configuration you should be able to route between Layer 2 and Layer 3 ports on ISR, provided you have appropriate routes in the routing table.

The problem I was having and could not see for so long was that the VLAN-tagged traffic coming out of the staging switch directly connected to the ISR router, and heading for the VM environment, was being rejected at the VM environment because the network adapter configured for that VM server in the VM environment was not configured to allow vlan 709. It is now, so I can now ping, SSH and do the other management tasks configured on the VM server.

Thank you all for your time and advice.
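The SVI procedure in the solution post and the running-config in the original question come down to three checks a practitioner would want to run before touching the hypervisor: the access VLAN on the EHWIC port has a matching, addressed, non-shut interface VlanN; the inbound flow is rewritten by static NAT before the route lookup, so the route that matters is the one for the inside address (the point behind the "fourth static route" exchange); and a /32 static that points at a host inside a connected subnet adds nothing. The following Python script runs those checks against an excerpt of the posted config. It is an added example, not code from the thread or from Cisco: the CONFIG string is constructed from the posted config plus the two switchport commands the OP describes in prose (the posted config still shows Gig0/0/0 defaulted), and the route lookup is a one-level model of the IOS behaviour, not a CEF emulation.

```python
"""Audit a Cisco IOS config for the SVI method and the NAT-then-route path.
Added example, not from the thread or from Cisco. CONFIG is a constructed
excerpt of the OP's posted config plus the two switchport commands the OP
describes in prose (the posted config still shows Gig0/0/0 defaulted)."""
import ipaddress
import re

CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.30.41.130 255.255.254.0
 ip nat outside
!
interface GigabitEthernet0/0/0
 switchport mode access
 switchport access vlan 709
!
interface Vlan709
 ip address 172.29.40.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 172.29.40.3 10.30.41.142
ip route 0.0.0.0 0.0.0.0 10.30.41.1 permanent
ip route 172.29.40.3 255.255.255.255 172.29.40.3
"""

def parse(text):
    """Return (interface stanzas: name -> sub-commands, global commands)."""
    ifaces, globs, bucket = {}, [], None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            bucket = ifaces.setdefault(raw[len("interface "):], [])
        elif raw.startswith(" ") and bucket is not None:
            bucket.append(raw.strip())
        elif raw.strip() and raw != "!":
            bucket = None          # any other top-level command ends the stanza
            globs.append(raw)
    return ifaces, globs

def facts(cmds):
    """ip address, shutdown flag and access VLAN of one interface stanza."""
    f = {"ip": None, "shut": "shutdown" in cmds, "vlan": None}
    for w in (c.split() for c in cmds):
        if w[:2] == ["ip", "address"] and len(w) == 4:
            f["ip"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["switchport", "access", "vlan"]:
            f["vlan"] = int(w[3])
    return f

def svi_findings(ifaces):
    """EHWIC-4ESG ports are L2 only and reach the routing table through interface
    VlanN, so every access VLAN needs an addressed, non-shut SVI. Empty == paired."""
    fx = {n: facts(c) for n, c in ifaces.items()}
    out = []
    for name, f in fx.items():
        if f["vlan"] is None:
            continue
        svi = fx.get(f"Vlan{f['vlan']}")
        if svi is None:
            out.append(f"{name}: no interface Vlan{f['vlan']} for its access VLAN")
        elif svi["shut"] or svi["ip"] is None:
            out.append(f"{name}: interface Vlan{f['vlan']} is shut or has no ip address")
    return out

def rib(ifaces, globs):
    """(network, egress, next_hop): connected routes plus 'ip route A M NH' statics."""
    routes = [(f["ip"].network, n, None) for n, f in ((n, facts(c)) for n, c in ifaces.items())
              if f["ip"] is not None and not f["shut"]]
    for m in filter(None, (re.match(r"^ip route (\S+) (\S+) (\S+)", g) for g in globs)):
        routes.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), None, ipaddress.IPv4Address(m[3])))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; a static next hop is resolved one level against connected routes."""
    hits = [r for r in routes if ipaddress.IPv4Address(dst) in r[0]]
    if not hits:
        return None
    net, egress, nh = max(hits, key=lambda r: r[0].prefixlen)
    if egress is None:
        conn = [r for r in routes if r[1] is not None and nh in r[0]]
        egress = max(conn, key=lambda r: r[0].prefixlen)[1] if conn else None
    return {"prefix": str(net), "egress": egress, "next_hop": str(nh) if nh is not None else None}

def inbound_path(cfg, dst_global):
    """Outside-to-inside on IOS: static NAT rewrites the destination first, then
    the route lookup runs on the inside local address, not the global one."""
    ifaces, globs = parse(cfg)
    nat = {g: l for l, g in re.findall(r"^ip nat inside source static (\S+) (\S+)$",
                                       "\n".join(globs), re.M)}
    local = nat.get(dst_global, dst_global)
    return local, lookup(rib(ifaces, globs), local)

def redundant_statics(cfg):
    """Host routes that point at themselves inside a connected subnet add nothing."""
    ifaces, globs = parse(cfg)
    routes = rib(ifaces, globs)
    conn = [r[0] for r in routes if r[1] is not None]
    return [str(net) for net, egress, nh in routes
            if egress is None and net.prefixlen == 32
            and nh == net.network_address and any(nh in c for c in conn)]
```

Run against the excerpt, svi_findings reports nothing, inbound_path("10.30.41.142") resolves to 172.29.40.3 egressing Vlan709 via the /32 static, and redundant_statics lists that /32 because the connected 172.29.40.0/24 already reaches the host. Two things the script does not check but the posted config shows: line vty 0 4 has transport input all, which leaves Telnet open alongside SSH (transport input ssh restricts it), and with login local the line password is never consulted, so it can be removed rather than left in cleartext.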
