Routing with VLAN

Portus92
Level 1

Hi, 
I have a Cisco 897 VA.

The WAN interface is connected to my pfSense (LAN 10.0.0.0/24, the pfSense address is 10.0.0.1).

On my router, the WAN interface IP address is 10.0.0.90. I would like to have two VLANs (10 and 20) with Internet access (with the default gateway 0.0.0.0 0.0.0.0 10.0.0.1).
Here is my Cisco config:

ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.20.1 10.0.20.10
!
ip dhcp pool VLAN10
 network 10.0.10.0 255.255.255.0
 dns-server 10.0.10.1 
 default-router 10.0.10.1 
!
ip dhcp pool VLAN20
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1 
 dns-server 10.0.20.1 
!
!
!
ip domain name home.com
ip name-server 10.0.0.1
ip name-server FE80::1:1
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
vtp mode transparent
!
vlan 10,20 
!
! 
interface GigabitEthernet0
 switchport trunk allowed vlan 1,10,20,1002-1005
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 10.0.0.90 255.255.255.0
 duplex auto
 speed auto
 ipv6 address x:x:x:x::1/128
 ipv6 enable
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip ssh version 2
!
ipv6 route ::/0 GigabitEthernet8 FE80::1:1

I connected a PC (10.0.10.11) on GE2, but ping to 10.0.0.1 (pfSense) is not working.

I can ping 10.0.10.1 with another PC, but I can't ping 10.0.10.11.
There is a static route in my pfSense too:

[image: pfsense.png]
Thanks a lot for your help.

5 Replies

Hello
@Portus92 wrote:

I connected a PC (10.0.10.11) on GE2, but ping to 10.0.0.1 (pfSense) is not working.

I can ping 10.0.10.1 with another PC, but I can't ping 10.0.10.11.
Turn off any software firewall on PC 10.0.10.11 and test again.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Check trace; also use an ACL and count, and check if you are getting any reply for the ICMP packet.
Please share a network diagram if you have one.

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Hi, here is a little network diagram:

[image: Untitled Document.png]

I tried to deactivate the firewall on the PC, but no effect.

With an ACL (applied on VLAN 10), ping to 10.0.10.11 doesn't match:
Extended IP access list 110
    10 permit icmp any host 10.0.10.11
    20 permit icmp any host 10.0.10.1 (37 matches)
    30 permit ip any any (5442 matches)

Thank you.

Hello,
What is connected to interface GigabitEthernet0?
Make sure your pfSense does NAT for the new networks, or use double NAT on the Cisco (changes marked with "-->"):
ip dhcp excluded-address 10.0.10.1 10.0.10.10
ip dhcp excluded-address 10.0.20.1 10.0.20.10
!
ip dhcp pool VLAN10
network 10.0.10.0 255.255.255.0
--> dns-server 8.8.8.8
default-router 10.0.10.1
!
ip dhcp pool VLAN20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
--> dns-server 8.8.8.8
!
ip domain name home.com
ip name-server 10.0.0.1
ip name-server FE80::1:1
ip cef
ipv6 unicast-routing
ipv6 cef
!
vtp mode transparent
!
vlan 10,20
!
interface GigabitEthernet0
switchport trunk allowed vlan 1,10,20,1002-1005
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 10.0.0.90 255.255.255.0
--> ip nat outside
duplex auto
speed auto
ipv6 address x:x:x:x::1/128
ipv6 enable
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
--> ip nat inside
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
--> ip nat inside
!
--> ip nat inside source list 1 interface GigabitEthernet8 overload
!
--> access-list 1 permit 10.0.10.0 0.0.0.255
--> access-list 1 permit 10.0.20.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip ssh version 2
!
ipv6 route ::/0 GigabitEthernet8 FE80::1:1
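The reply above fixes the problem by making the router translate VLAN 10 and VLAN 20 behind the address of GigabitEthernet8, and the fix only works when three pieces agree: the interface facing the default gateway is "ip nat outside", every SVI is "ip nat inside", and the ACL named in the "ip nat inside source list ... overload" rule permits every inside subnet. The script below is an added example (not code from the thread, Cisco, or pfSense) that parses an IOS-style config and reports which of those pieces is missing. The two configs embedded in it are constructed, abridged excerpts of the "before" and "after" configs posted in the thread; the parser handles only the handful of commands it needs and is not a general IOS parser.

```python
import ipaddress
import re

# Constructed, abridged excerpt of the original config from the thread: no NAT at all.
CONFIG_BEFORE = """\
interface GigabitEthernet8
 ip address 10.0.0.90 255.255.255.0
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""

# Constructed, abridged excerpt of the config with the NAT lines the reply marks "-->".
CONFIG_AFTER = """\
interface GigabitEthernet8
 ip address 10.0.0.90 255.255.255.0
 ip nat outside
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet8 overload
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 permit 10.0.20.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""


def parse(config):
    """Collect interfaces (subnet + NAT role), standard ACLs, PAT rules and the default gateway."""
    interfaces, acls, nat_rules, default_gw = {}, {}, [], None
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"network": None, "nat": None}
            continue
        if current and line.startswith(" "):           # sub-command of the current interface
            words = line.split()
            if words[:2] == ["ip", "address"]:
                iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
                interfaces[current]["network"] = iface.network
            elif words[:2] == ["ip", "nat"]:
                interfaces[current]["nat"] = words[2]  # "inside" or "outside"
            continue
        current = None                                 # back to global configuration mode
        m = re.match(r"access-list (\d+) permit (\S+) (\S+)$", line)
        if m:  # ipaddress accepts the IOS wildcard (hostmask) directly
            acls.setdefault(m.group(1), []).append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
            continue
        m = re.match(r"ip nat inside source list (\d+) interface (\S+) overload$", line)
        if m:
            nat_rules.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            default_gw = ipaddress.ip_address(m.group(1))
    return interfaces, acls, nat_rules, default_gw


def nat_findings(config):
    """Return the list of gaps that would stop a VLAN host from being translated towards the default gateway."""
    interfaces, acls, nat_rules, default_gw = parse(config)
    findings = []
    # The outside interface is the one whose subnet contains the default gateway.
    outside = next((n for n, i in interfaces.items() if i["network"] and default_gw in i["network"]), None)
    if outside is None:
        return ["no interface holds a subnet containing the default gateway"]
    if interfaces[outside]["nat"] != "outside":
        findings.append(f"{outside} faces the default gateway but is not 'ip nat outside'")
    rule = next((r for r in nat_rules if r[1] == outside), None)
    if rule is None:
        findings.append(f"no 'ip nat inside source list ... interface {outside} overload' rule")
    permitted = acls.get(rule[0], []) if rule else []
    for name, i in interfaces.items():
        if name == outside or i["network"] is None:
            continue
        if i["nat"] != "inside":
            findings.append(f"{name} ({i['network']}) is not 'ip nat inside'")
        if not any(i["network"].subnet_of(p) for p in permitted):
            findings.append(f"{i['network']} on {name} is not permitted by the NAT source ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, nat_findings(cfg) or "OK")
```

Running it reports six gaps for the original config (no outside interface, no PAT rule, and both SVIs neither marked inside nor permitted by an ACL) and nothing for the corrected one. The check only covers the router's own consistency; it cannot tell whether pfSense routes or translates 10.0.10.0/24 and 10.0.20.0/24, which is the alternative the reply raises first.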

There is nothing connected to GE0.

The PC is connected to GE2.
With ip nat it works, thanks! I'm not sure I fully understand why.
There is just one problem, I can't ping 10.0.10.1 or 10.0.10.11 from another PC.

With the PC on GE2, I can ping 10.0.0.1 and all the other devices on the network:
[image: wireshark.png]
