03-09-2022 03:30 PM
Hello,
Cannot find what is missing to allow devices attached to VLAN1 to access the internet. Laptop gets dhcp address, can ping 192.168.20.1 and interface gi0/0/1 which gets its address via dhcp. Laptop cannot ping 8.8.8.8. It has received an ip of 192.168.20.60 with gateway and dns of 192.168.20.1.
Below is the running config. Thanks for your help, Mark
Building configuration...
Current configuration : 6829 bytes
!
! Last configuration change at 22:32:18 UTC Wed Mar 9 2022
!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname LR-WiFi
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$V35rwcJ1SMXgs.$9Y14i36.2FLXZlGIwCVD96Gcb0.1KgHu4qwvTkKjAKM
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 64.90.65.2 64.90.65.5 8.8.8.8
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool MLpool1
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 192.168.20.1
lease 0 4
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2878514575
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2878514575
revocation-check none
rsakeypair TP-self-signed-2878514575
license udi pid C1121-4P sn FGL2539LDZ0
memory free low-watermark processor 70642
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password ************
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
ip dhcp client client-id ascii FGL2539LDZ0
ip dhcp client hostname 5700
ip dhcp client update dns
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address 10.0.20.1 255.255.255.0 secondary
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 1 out
ip virtual-reassembly
!
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
!
!
!
ip access-list standard 1
10 permit 192.168.20.0 0.0.0.255
20 permit 192.168.0.0 0.0.0.255
30 permit 192.168.1.0 0.0.0.255
40 permit 10.0.20.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
stopbits 1
03-09-2022 03:37 PM
Here is the show Route and VLAN
LR-WiFi#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 199.59.116.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 199.59.116.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.20.0/24 is directly connected, Vlan1
L 10.0.20.1/32 is directly connected, Vlan1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan1
L 192.168.20.1/32 is directly connected, Vlan1
C 199.59.116.0/23 is directly connected, GigabitEthernet0/0/1
199.59.117.0/32 is subnetted, 1 subnets
L 199.59.117.143 is directly connected, GigabitEthernet0/0/1
LR-WiFi#
LR-WiFi#show vlan
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1/0, Gi0/1/1, Gi0/1/2
Gi0/1/3
10 VLAN0010 active
100 WiFi active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
03-09-2022 07:45 PM
When I read the original post which describes problems in access to Internet my first reaction was to look for problems with NAT, which is the most common cause of problems in access to Internet. But your NAT config looks ok. In looking further I see that you use the same acl for NAT and as access-group on the vlan interface. I suspect this is your issue. Try removing the access-group from the vlan interface and let us know if access to Internet works?
If it does make a difference then I suggest that you review the logic of what you were trying to achieve when you assigned the acl to the vlan interface and look for a better way to achieve that objective.
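Added example, not part of the original thread or any poster's own code: a small Python model of how IOS evaluates the standard ACL 1 from the posted config in the two places it was referenced. It assumes only standard-ACL semantics (match on source address, wildcard mask, implicit deny); the function names are hypothetical.

```python
import ipaddress

# ACL 1 exactly as it appears in the posted running config.
ACL_1 = """\
10 permit 192.168.20.0 0.0.0.255
20 permit 192.168.0.0 0.0.0.255
30 permit 192.168.1.0 0.0.0.255
40 permit 10.0.20.0 0.0.0.255
"""

def parse_standard_acl(text):
    """Return sorted [(seq, action, base, wildcard)] from 'seq action addr wildcard' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip anything that is not a simple standard-ACL entry
        seq, action, addr, wildcard = parts
        entries.append((int(seq), action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wildcard))))
    return sorted(entries)

def evaluate(entries, src_ip):
    """Standard ACL: first entry matching the SOURCE address wins; no match is an implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for seq, action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 means "this bit must match"
        if (src & care) == (base & care):
            return action, seq
    return "deny", None

def trace_ping(entries, client, target):
    """Model both uses of ACL 1 for a LAN client pinging an Internet host."""
    # 'ip nat inside source list 1': the packet's source is the LAN client.
    nat_action, _ = evaluate(entries, client)
    # 'ip access-group 1 out' on Vlan1: checked on the reply being routed out
    # toward the LAN, whose source is the Internet host.
    out_action, _ = evaluate(entries, target)
    return {"nat_translates": nat_action == "permit",
            "reply_forwarded_to_lan": out_action == "permit"}

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    print(trace_ping(acl, "192.168.20.60", "8.8.8.8"))
```

Traffic the router itself originates is not checked by an outbound interface ACL, which is consistent with the laptop still being able to ping 192.168.20.1 and gi0/0/1 while replies from 8.8.8.8 were dropped.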
03-10-2022 01:44 PM
Richard,
Thanks for the reply, almost home.
Removed "ip access-group 1 out" from "interface Vlan1" and had partial success. The laptop can now ping the internet and browse web pages.
When attaching my phone to an AP connected to the same switch as the laptop, I receive "not connected to the internet". I can ping gi0/0/1 from the phone. The switch is un-managed. For testing I connected a second AP, different make, with a different SSID and got the same results.
-Mark
03-10-2022 02:49 PM
Mark
Thanks for the update. Glad to know that we made progress on the original issue.
I do not have enough information to offer good advice about the new issue. It is interesting that from the wireless connection you are successful in ping to G0/0/1. When connected on the wireless what IP address, mask, and gateway do you get?
Can you tell me where the AP is connected? In your original post I see this reference to wireless
100 WiFi active
But I do not see anything about vlan 100. With the AP connected does that change?
When you attempt to use the wireless connected phone are there any log messages generated on the router? Perhaps the first couple of pages of the output of show log might shed some light on logging activity?
03-10-2022 03:10 PM
Earlier I had created a VLAN100 before deciding to start over. Rather than do a factory reset, I deleted startup-config from the router.
Could not find any reference in today's log entries related to the phone.
Did not find any reference to VLAN100 in show interface command
Below are updated show VLAN and Run outputs.
-Mark
**************************************************************
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1/0, Gi0/1/1, Gi0/1/2
Gi0/1/3
10 VLAN0010 active
100 WiFi active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
100 enet 100100 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
LR-WiFi#
*************************************************************
Show Run
LR-WiFi#
LR-WiFi#
LR-WiFi#
LR-WiFi#
LR-WiFi#show run
Building configuration...
Current configuration : 6976 bytes
!
! Last configuration change at 21:04:33 UTC Thu Mar 10 2022
!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname LR-WiFi
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$V35rwcJ1SMXgs.$9Y14i36.2FLXZlGIwCVD96Gcb0.1KgHu4qwvTkKjAKM
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 64.90.65.2 64.90.65.5 8.8.8.8
ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
ip dhcp pool MLpool1
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 192.168.20.1
lease 0 4
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2878514575
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2878514575
revocation-check none
rsakeypair TP-self-signed-2878514575
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2878514575
certificate self-signed 01
30820330 30820218 A0030201
license udi pid C1121-4P sn FGL2539LDZ0
memory free low-watermark processor 70642
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password **********
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
ip dhcp client client-id ascii FGL2539LDZ0
ip dhcp client hostname 5700
ip dhcp client update dns
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address 10.0.20.1 255.255.255.0 secondary
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list NATout interface GigabitEthernet0/0/1 overload
!
!
ip access-list standard NATout
10 permit 192.168.20.0 0.0.0.255
20 permit 192.168.0.0 0.0.0.255
30 permit 192.168.1.0 0.0.0.255
40 permit 10.0.20.0 0.0.0.255
!
!
ip access-list standard 1
10 permit 192.168.20.0 0.0.0.255
20 permit 192.168.0.0 0.0.0.255
30 permit 192.168.1.0 0.0.0.255
40 permit 10.0.20.0 0.0.0.255
!
!
!
03-10-2022 08:13 PM
Mark
Thank you for the additional information, especially the explanation about vlan 100. That explains the output in show vlan. So this is not anything to worry about.
I am not clear about the secondary addressing for the vlan interface. Can you provide some clarification about what this is and what it is used for?
Can you tell me more about the AP? Where is it connected? Does it have any configuration? If so tell us a bit about it?
Also when you connect to the wireless can you tell us what IP address, mask, and gateway it gets? Also what addresses is it successful to ping? What addresses is not successful to ping?
I do not see anything in the running config about logging. So I assume that it is using defaults. The first page or 2 of output of show logging would clarify what kind of messages we would expect to see.
03-11-2022 11:40 AM
Connected the laptop via Wi-Fi and it had internet connectivity, so that led to searching about phones connecting to Wi-Fi not seeing the internet. The solution was to change the DNS server in the DHCP config to 8.8.8.8 8.8.4.4 192.168.20.1.
This portion of the project is done.
Thanks.
03-11-2022 03:05 PM
Mark
Thanks for the update. Interesting that the solution for the problem with phones was to change the DNS. Glad that my suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
If this portion of the project is done, are there other portions? Feel free to continue to use the community.