11-17-2016 10:13 AM - edited 03-10-2019 01:11 PM
I have a Cisco 2921 router set up at home on my cable internet. It's configured with NAT outside and inside. I have an uplink connected to a Cisco 3750G switch. The switch is configured as layer 3, with IP routing enabled, DHCP for VLANs, and external DNS. I have 3 VLANs enabled.
Configurations can be found here:
2921 router http://pastebin.com/CRsDBufc
3750g PoE switch http://pastebin.com/h4mG17xg
My problem is that Windows or Linux PCs behind the switch cannot traceroute. All returns are asterisks. I can ping out fine by hostname and IP address and receive replies.
Can anyone help me understand what is happening? Do I need ACLs? Does my switch port to the router need "no switchport" instead of a VLAN? Are my IP routes incorrect? I've tried a bunch of things but to no avail.
I really appreciate everyone's help and teaching me.
11-17-2016 10:37 AM
Looking at your config and since all subnets terminate on the switch, you need a /30 (access port) between the switch and the router. After that, you would need to point your default router to the router's IP address.
HTH
11-17-2016 11:01 AM
Hi Reza,
I am trying to understand. Do you recommend I disable vlan1? I will assign a different ip with /30 to my switch uplink port and on router interface /30 as well? For the switch port, would I use the no switchport command followed by ip address?
Thanks
11-17-2016 11:25 AM
Hi Jason,
Yes, 2 options: you can assign the uplink port on the switch to a VLAN (example 100) and then create an SVI for it and assign an IP to it, or just simply make the port a routed port (no switchport) and assign an IP to it.
HTH
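Both options from the reply above, written out as IOS configuration; this is an added example, not taken from the thread or from the poster's pastebin configs. The port names, the VLAN name and the switch-side address 192.168.100.2 are assumptions; 192.168.100.1 and the two VLAN subnets appear elsewhere in the thread.

```cisco
! Added example. Port names, the VLAN name and 192.168.100.2 are assumptions;
! 192.168.100.1 is the router hop that shows up in the later traces.
!
! --- 3750 switch, option 1: access port in a transit VLAN plus an SVI ---
vlan 100
 name TRANSIT
!
interface GigabitEthernet1/0/24
 description Uplink to 2921 (hypothetical port)
 switchport mode access
 switchport access vlan 100
!
interface Vlan100
 description Transit /30 to router
 ip address 192.168.100.2 255.255.255.252
 no shutdown
!
! --- 3750 switch, option 2: routed port (use instead of option 1) ---
interface GigabitEthernet1/0/24
 description Uplink to 2921 (hypothetical port)
 no switchport
 ip address 192.168.100.2 255.255.255.252
 no shutdown
!
! --- 3750 switch, either option: route everything unknown to the router ---
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! --- 2921 router: other end of the /30, plus return routes ---
! The VLAN subnets are no longer directly connected to the router,
! so it needs static routes back to them through the switch.
interface GigabitEthernet0/1
 description Link to 3750 (hypothetical port)
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
!
ip route 192.168.101.0 255.255.255.0 192.168.100.2
ip route 192.168.102.0 255.255.255.0 192.168.100.2
```

On the router, whatever access list drives the NAT translation must also match 192.168.101.0/24 and 192.168.102.0/24, since those sources now arrive routed through the /30 rather than from a directly connected subnet.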
11-17-2016 04:35 PM
Hi Reza,
Appreciate all your help. Your recommendation worked.
From wifi vlan 20:
PS C:\Users\jason.fernandez> tracert google.com
Tracing route to google.com [216.58.219.14]
over a maximum of 30 hops:
1 3 ms 3 ms 2 ms 192.168.102.1
2 1 ms 1 ms 1 ms 192.168.100.1
3 10 ms 10 ms 9 ms xxx.254.236.xxx
4 13 ms 12 ms 13 ms tge0-10-0-1.vnnzca2401h.socal.rr.com [76.167.27.133]
5 13 ms 11 ms 15 ms agg11.vnnycajz02r.socal.rr.com [72.129.14.98]
6 15 ms 16 ms 15 ms agg29.tustcaft01r.socal.rr.com [72.129.13.2]
7 19 ms 14 ms 16 ms bu-ether26.tustca4200w-bcr00.tbone.rr.com [66.109.3.232]
8 13 ms 13 ms 13 ms 0.ae2.pr1.lax10.tbone.rr.com [107.14.19.54]
9 13 ms 13 ms 23 ms 216.156.65.225.ptr.us.xo.net [216.156.65.225]
10 15 ms 12 ms 13 ms 207.88.14.212.ptr.us.xo.net [207.88.14.212]
11 12 ms 13 ms 12 ms 207.88.13.25.ptr.us.xo.net [207.88.13.25]
12 56 ms 60 ms 52 ms 216.0.6.50
13 12 ms 14 ms 12 ms 209.85.245.35
14 12 ms 12 ms 13 ms 108.170.237.141
15 13 ms 12 ms 12 ms lax17s03-in-f14.1e100.net [216.58.219.14]
Trace complete.
From wks vlan 10:
PS C:\Users\jason.fernandez> tracert google.com
Tracing route to google.com [216.58.219.14]
over a maximum of 30 hops:
1 2 ms 1 ms 2 ms 192.168.101.1
2 <1 ms <1 ms <1 ms 192.168.100.1
3 9 ms 8 ms 9 ms xxx.254.236.xxx
4 9 ms 10 ms 10 ms tge0-10-0-1.vnnzca2401h.socal.rr.com [76.167.27.133]
5 11 ms 15 ms 11 ms agg11.vnnycajz02r.socal.rr.com [72.129.14.98]
6 29 ms 15 ms 15 ms agg29.tustcaft01r.socal.rr.com [72.129.13.2]
7 40 ms 19 ms 16 ms bu-ether26.tustca4200w-bcr00.tbone.rr.com [66.109.3.232]
8 12 ms 11 ms 13 ms 0.ae2.pr1.lax10.tbone.rr.com [107.14.19.54]
9 11 ms 11 ms 10 ms 216.156.65.225.ptr.us.xo.net [216.156.65.225]
10 24 ms 13 ms 12 ms 207.88.14.212.ptr.us.xo.net [207.88.14.212]
11 11 ms 18 ms 11 ms 207.88.13.25.ptr.us.xo.net [207.88.13.25]
12 60 ms 61 ms 61 ms 216.0.6.50
13 11 ms 12 ms 10 ms 209.85.245.35
14 13 ms 11 ms 69 ms 108.170.237.141
15 11 ms 11 ms 13 ms lax17s03-in-f14.1e100.net [216.58.219.14]
Trace complete.
11-17-2016 07:10 PM
Hi Jason,
Glad to help and thanks for the rating!
Reza
12-02-2016 10:31 AM
Hi Reza,
I spoke too soon, didn't realize this in my testing. For whatever reason traceroute is only working on my WIFI, but not on wired LAN. It doesn't matter the OS-Win7/10/Fedora. My AP and controller are using same VLAN switch port config as my workstation VLAN-just different subnet. If I assign a LAN workstation into my WIFI VLAN it still does not work.
Updated configs since our last discussion.
Router config:
Switch config:
Any additional ideas?
12-02-2016 10:56 AM
Hi Jason,
From the switch, can you run a couple of tests as follows:
ping 8.8.8.8 source 192.168.101.1
ping 8.8.8.8 source 192.168.102.1
Also, can you verify
1-vlan 10 is for workstation
2-vlan 20 is for wifi
3-The pc you are trying to test with is connected to port g1/0/1 or g1/0/2 and has a correct default gateway (192.168.101.1)?
HTH
12-02-2016 11:37 AM
Hi Reza,
Yes the PC I am testing from is g1/0/1. I also tested g1/0/2. The AP is connected to g1/0/14. Wifi connected devices are able to successfully traceroute. All hops resolve. Only the LAN side is returning *** for all hops except the last hop.
Win10 PC:
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : 00-1F-BC-0E-FB-87
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4df3:c4fa:8f91:2349%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.101.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, December 1, 2016 4:43:04 PM
Lease Expires . . . . . . . . . . : Friday, December 2, 2016 4:43:04 PM
Default Gateway . . . . . . . . . : 192.168.101.1
DHCP Server . . . . . . . . . . . : 192.168.101.1
DHCPv6 IAID . . . . . . . . . . . : 50339772
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-94-E8-0C-00-1F-BC-0E-FB-87
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Disabled
3750-SW#ping 8.8.8.8 source 192.168.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.101.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/17 ms
3750-SW#ping 8.8.8.8 source 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.102.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/17 ms
3750-SW#sh int vlan 10
Vlan10 is up, line protocol is up
Hardware is EtherSVI, address is 001f.c917.5c42 (bia 001f.c917.5c42)
Description: Workstation
Internet address is 192.168.101.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 2000 bits/sec, 1 packets/sec
45495 packets input, 3114606 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
18418 packets output, 1488569 bytes, 0 underruns
0 output errors, 2 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
3750-SW#sh int vlan 20
Vlan20 is up, line protocol is up
Hardware is EtherSVI, address is 001f.c917.5c43 (bia 001f.c917.5c43)
Description: WiFi
Internet address is 192.168.102.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
14388 packets input, 1221439 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
4950 packets output, 421048 bytes, 0 underruns
0 output errors, 2 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
12-02-2016 11:39 AM
I also forgot to mention. The switch and router are able to successfully traceroute as well. All hops resolve.
12-02-2016 01:02 PM
So, the issue that remains is that you can't ping 8.8.8.8 from the PC, right?
Why does the PC have this IP
IPv4 Address. . . . . . . . . . . : 192.168.101.102(Preferred)
This IP should be excluded right?
Can you assign static IP to the PC and test to 8.8.8.8?
12-02-2016 03:00 PM
The PC can ping 8.8.8.8 and receives replies. It cannot traceroute. The PC with IP address 192.168.101.102 is within my range. My exclusion range is first 100 addresses, 50 addresses for scope, then remaining 105 excluded.
ip dhcp excluded-address 192.168.101.1 192.168.101.99
ip dhcp excluded-address 192.168.101.149 192.168.101.254
ip dhcp excluded-address 192.168.102.1 192.168.102.99
ip dhcp excluded-address 192.168.102.149 192.168.102.254
I think this is somehow DHCP server related. Is there any way to purge the MAC address/IP assignment? My PC keeps getting the same IP assigned. My laptop on the other hand, I was able to reproduce the issue. The switch logged the following error.
21:03:46: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0130.cda7.fa03.5b declined 192.168.102.111.
During this time, my laptop on wifi, when it had 192.168.102.111, experienced the issue. I was able to ping but not traceroute.
Now that my laptop leased a new address at 192.168.102.114, it can successfully traceroute.
Any thoughts to this?
3750-SW#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.101.102 0100.1fbc.0efb.87 Dec 03 2016 02:55 PM Automatic
192.168.102.110 6cad.f881.f922 Dec 03 2016 01:28 PM Automatic
192.168.102.112 0130.cda7.fa03.5b Dec 03 2016 02:26 PM Automatic
192.168.102.113 01ac.3743.47bb.63 Dec 03 2016 02:38 PM Automatic
192.168.102.114 0160.5718.6ce5.99 Dec 03 2016 02:48 PM Automatic
3750-SW#sh ip dhcp conflict
IP address Detection method Detection time VRF
192.168.102.111 Gratuitous ARP Dec 02 2016 02:25 PM
3750-SW#
12-02-2016 05:36 PM
00:27:14: DHCPD: Sending notification of TERMINATION:
00:27:14: DHCPD: address 192.168.101.102 mask 255.255.255.0
00:27:14: DHCPD: reason flags: RELEASE 102.103
00:27:14: DHCPD: htype 1 chaddr 001f.bc0e.fb87
00:27:14: DHCPD: lease time remaining (secs) = 86140
00:27:14: DHCPD: interface = Vlan10
00:27:14: DHCPD: out_vlan_id 0
00:27:14: DHCPD: dhcpd_deactivate_binding binding removed from mac hash 3C48E0
00:27:14: DHCPD: returned 192.168.101.102 to address pool Workstation_LAN.
00:27:17: DHCPD: Sending notification of DISCOVER:
00:27:17: DHCPD: htype 1 chaddr 001f.bc0e.fb87
00:27:17: DHCPD: interface = Vlan10
00:27:17: DHCPD: class id 4d53465420352e30
00:27:17: DHCPD: out_vlan_id 0
00:27:17: DHCPD: Sending notification of DISCOVER:
00:27:17: DHCPD: htype 1 chaddr 001f.bc0e.fb87
00:27:17: DHCPD: interface = Vlan10
00:27:17: DHCPD: class id 4d53465420352e30
00:27:17: DHCPD: out_vlan_id 0
00:27:19: DHCPD: client requests 192.168.101.102.
00:27:19: DHCPD: Allocated binding 3C48E0
00:27:19: DHCPD: Adding binding to radix tree (192.168.101.102)
00:27:19: DHCPD: Adding binding to hash tree 3C48E0
00:27:19: DHCPD:dhcpd_binding_add_to_mac_hash: index- 187 add binding 3C48E0
00:27:19: DHCPD: assigned IP address 192.168.101.102 to client 0100.1fbc.0efb.87. (2078 0)
00:27:19: DHCPD: DHCPOFFER notify setup address 192.168.101.102 mask 255.255.255.0
00:27:19: DHCPD: Sending notification of ASSIGNMENT:
00:27:19: DHCPD: address 192.168.101.102 mask 255.255.255.0
00:27:19: DHCPD: htype 1 chaddr 001f.bc0e.fb87
00:27:19: DHCPD: lease time remaining (secs) = 86400
00:27:19: DHCPD: interface = Vlan10
00:27:19: DHCPD: out_vlan_id 0
00:29:03: DHCPD: child pool: 192.168.101.0 / 255.255.255.0 (Workstation_LAN)
00:29:03: DHCPD: pool Workstation_LAN has no parent.
00:29:03: DHCPD: child pool: 192.168.101.0 / 255.255.255.0 (Workstation_LAN)
00:29:03: DHCPD: pool Workstation_LAN has no parent.
00:29:03: DHCPD: child pool: 192.168.101.0 / 255.255.255.0 (Workstation_LAN)
00:29:03: DHCPD: pool Workstation_LAN has no parent.
00:29:03: DHCPD: child pool: 192.168.101.0 / 255.255.255.0 (Workstation_LAN)
00:29:03: DHCPD: pool Workstation_LAN has no parent.
00:29:03: DHCPD: child pool: 192.168.101.0 / 255.255.255.0 (Workstation_LAN)
00:29:03: DHCPD: pool Workstation_LAN has no parent.
00:29:03: DHCPD: child pool: 192.168.101.0 / 255.255.255.0 (Workstation_LAN)
00:29:03: DHCPD: pool Workstation_LAN has no parent.
00:32:43: DHCPD: Reload workspace interface Vlan10 tableid 0.
00:32:43: DHCPD: tableid for 192.168.101.1 on Vlan10 is 0
00:32:43: DHCPD: client's VPN is .
00:32:43: DHCPD: DHCPRELEASE message received from client 0100.1fbc.0efb.87 (192.168.101.102).
00:32:48: DHCPD: Reload workspace interface Vlan10 tableid 0.
00:32:48: DHCPD: tableid for 192.168.101.1 on Vlan10 is 0
00:32:48: DHCPD: client's VPN is .
00:32:48: DHCPD: using received relay info.
00:32:48: DHCPD: DHCPDISCOVER received from client 0100.1fbc.0efb.87 on interface Vlan10.
00:32:48: DHCPD: using received relay info.
00:32:50: DHCPD: Sending DHCPOFFER to client 0100.1fbc.0efb.87 (192.168.101.102).
00:32:50: DHCPD: no option 125
00:32:50: DHCPD: broadcasting BOOTREPLY to client 001f.bc0e.fb87.
00:32:50: DHCPD: Reload workspace interface Vlan10 tableid 0.
00:32:50: DHCPD: tableid for 192.168.101.1 on Vlan10 is 0
00:32:50: DHCPD: client's VPN is .
00:32:50: DHCPD: DHCPREQUEST received from client 0100.1fbc.0efb.87.
00:32:50: DHCPD: Sending DHCPACK to client 0100.1fbc.0efb.87 (192.168.101.102).
00:32:50: DHCPD: no option 125
00:32:50: DHCPD: broadcasting BOOTREPLY to client 001f.bc0e.fb87.
12-03-2016 11:20 AM
Jason,
Sorry about the IP address confusion. I was just looking at the wrong IP. Your exclusion and the PC IP are correct.
Anyway, a couple of tests:
1-What if you assign a static IP address (in the exclude range) to your PC and test?
If that works then we know the issue is the DHCP server.
2-Can you delete the DHCP server config (for PCs), then rebuild and test?
After deleting it, make sure you are not getting any IPs; if yes, then rebuild it.
3-If it does not work after rebuilding it, then maybe it is a bug in the IOS.
4-Can you post "sh ver" from the 3750?
HTH
12-03-2016 11:29 AM
Hi Reza,
I went ahead and tried those tests, my thoughts being the same.
1-Assigning a static IP address in the exclusion range makes no difference. So I can say it's not a DHCP issue. It is strange though of the error and reviewing sh ip dhcp pool, I see current index list next ip as 192.168.101.1. It never changes. At any rate, my workstations receive IP assignments within range.
2-I did disable service dhcp and remove the exclusion range. I also re-added it. No change.
3-Bug possible, but it should most definitely work with a static address, but doesn't. Don't think so...
4-sh ver below. I also tried using ipbase IOS. I was running 2 prior v15 IOS versions, still had same issue. Any recommendations dropping back to v12?
3750-SW#sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE10a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 03-Nov-16 14:17 by prod_rel_team
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
3750-SW uptime is 18 hours, 27 minutes
System returned to ROM by power-on
System restarted at 16:58:04 PST Fri Dec 2 2016
System image file is "flash:/c3750-ipservicesk9-mz.150-2.SE10a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C3750G-24PS (PowerPC405) processor (revision F0) with 131072K bytes of memory.
Processor board ID xxxxxxxxxxxxx
Last reset from power-on
3 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : xxxxxxxxx
Motherboard assembly number : 73-10217-07
Power supply part number : 341-0108-03
Motherboard serial number : xxxxxxxxxx
Power supply serial number : xxxxxxxxxxxxx
Model revision number : F0
Motherboard revision number : B0
Model number : WS-C3750G-24PS-S
System serial number : xxxxxxxxxxx
Top Assembly Part Number : 800-26855-01
Top Assembly Revision Number : C0
Version ID : V05
CLEI Code Number : xxxxxxxxxxxxx
Hardware Board Revision Number : 0x09
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3750G-24PS 15.0(2)SE10a C3750-IPSERVICESK9-M
Configuration register is 0xF
3750-SW#