
C9300 / Not able to ping WAN IP

Elrick Landon
Level 1

Hi to all,

I use a Cisco 9300 switch (WS-C9300-48P-E). I have three VLANs set up on different ports.

When I'm connected on the console port, I am able to ping devices on VLAN 19X.XXX.XXX/XX and the default GW, but I'm not able to ping a WAN IP.

If I ping 19X.XXX.XXX.XXX, it answers (my default GW).

When I set up ip name-server 8.8.8.8 4.2.2.1, DNS resolution doesn't work when I try to ping an Internet hostname.

When I set up ip name-server 192.168.1.1, DNS resolution is working but it is not able to ping an Internet hostname.

How can I ping an IP on the WAN, please?

My configuration :

 

 

Switch#show conf
Using 10409 out of 2097152 bytes
!
! Last configuration change at 21:23:17 cest Fri Sep 1 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname Switch
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
boot system switch all flash:packages.conf
clock timezone cest 1 0
clock summer-time cest recurring 4 Sun Mar 3:00 last Sun Oct 3:00
switch 1 provision c9300-48p
!
!
!
!
!
ip name-server XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
!
!
!
no login on-success log
!
!
!
!
!
vtp mode transparent
no device-tracking logging theft
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxxxxxxxxxxxxxxxxxx
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxxxxxxxxx
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
crypto pki certificate chain SLA-TrustPoint
certificate ca 01 nvram:CiscoLicensi#1CA.cer
!
license boot level network-essentials addon dna-essentials
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 133123
!
username Cisco privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
mode sso
!
!
!
!
!
!
transceiver type all
monitoring
!
Vlan 6000
name VLAN_1
!
Vlan 7000
name VLAN_2
!
Vlan 8000
name VLAN_3
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access Vlan 8000
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access Vlan 8000
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access Vlan 8000
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access Vlan 8000
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access Vlan 7000
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access Vlan 7000
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access Vlan 7000
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access Vlan 7000
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access Vlan 7000
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/32
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/36
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/43
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/45
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/46
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/0/48
switchport access Vlan 6000
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
switchport access Vlan 8000
switchport mode access
!
interface TenGigabitEthernet1/1/2
switchport access Vlan 8000
switchport mode access
!
interface TenGigabitEthernet1/1/3
switchport access Vlan 7000
switchport mode access
!
interface TenGigabitEthernet1/1/4
switchport access Vlan 7000
switchport mode access
!
interface TenGigabitEthernet1/1/5
switchport access Vlan 6000
switchport mode access
!
interface TenGigabitEthernet1/1/6
switchport access Vlan 6000
switchport mode access
!
interface TenGigabitEthernet1/1/7
switchport access Vlan 6000
switchport mode access
!
interface TenGigabitEthernet1/1/8
switchport access Vlan 6000
switchport mode access
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface TwentyFiveGigE1/1/1
!
interface TwentyFiveGigE1/1/2
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
no ip address
shutdown
!
interface Vlan6000
ip address 19X.XXX.XXX.XXX XXX.XXX.XXX.XXX
!
interface Vlan7000
ip address 17X.XXX.XXX.XXX XXX.XXX.XXX.XXX
!
interface Vlan8000
ip address 1XX.XXX.XXX.XXX XXX.XXX.XXX.XXX
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Vlan1
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
login
stopbits 1
line vty 0 4
session-timeout 15
exec-timeout 15 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
login
transport input none
line vty 5 15
password 7 XXXXXXXXXXXXXXXXXXXXXXXX
login
transport input none
line vty 16 31
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server fr.pool.ntp.org
!
end

 

 

1 Accepted Solution


Your explanation and especially the drawing were very helpful. And it is quite helpful to know that the routing is done on the firewall and not on the switch. It does appear that the switch is functioning as a layer 2 switch. I was surprised to see 3 vlan interfaces with IP addresses. On many Cisco layer 2 switches there is only one vlan interface that has an IP address. Apparently the 9300 allows multiple interfaces with IP addresses.

Your switch is able to ping the 3 IP addresses of vlans on pfSense because those addresses are in locally connected subnets. You are not able to ping the WAN address because it is remote and the switch does not have a default gateway. You could use ip default-gateway <ip_address> to enable ping to remote addresses.

HTH

Rick
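
Added example (not part of the original thread or any participant's post): a Python check of the condition described in the accepted solution, run against a saved configuration. The function name audit_reachability, the sample configuration and its addresses are constructed for illustration.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample in the shape of the posted config (flattened indentation,
# "!" separators); the addresses are documentation ranges, not the poster's.
SAMPLE_CONFIG = """\
ip name-server 198.51.100.53
!
interface Vlan1
no ip address
shutdown
!
interface Vlan6000
ip address 192.0.2.2 255.255.255.0
!
interface Vlan7000
ip address 203.0.113.2 255.255.255.0
!
"""

def audit_reachability(config):
    """Explain whether the switch itself can reach off-subnet addresses."""
    svis, dns = {}, []
    routing, gateway, static_default, current = False, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line == "!":
            current = None
        elif current and (m := re.fullmatch(f"ip address {IP} {IP}", line)):
            svis[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line == "ip routing":
            routing = True
        elif m := re.fullmatch(f"ip default-gateway {IP}", line):
            gateway = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(rf"ip route 0\.0\.0\.0 0\.0\.0\.0 {IP}", line):
            static_default = ipaddress.ip_address(m[1])
        elif line.startswith("ip name-server "):
            dns += [ipaddress.ip_address(a) for a in re.findall(IP, line)]

    def on_link(ip):
        return any(ip in iface.network for iface in svis.values())

    # "ip default-gateway" is consulted only while IP routing is off; a static
    # default route only while it is on. The next hop must also be on-link.
    next_hop = static_default if routing else gateway
    remote_ok = next_hop is not None and on_link(next_hop)
    return {
        "layer3": routing,
        "svis": {name: str(i.network) for name, i in svis.items()},
        "remote_ok": remote_ok,
        "unreachable_dns": [] if remote_ok else [str(d) for d in dns if not on_link(d)],
    }
```

On the sample, the result reports no usable next hop and lists the off-subnet name server as unreachable; appending an on-link `ip default-gateway` line flips `remote_ok` to true.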


10 Replies

M02@rt37
VIP

Hello @Elrick Landon,

You need an IP default route on your equipment.

Which interface is the uplink?

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

How can I know which interface is the uplink? Each subnet (in each VLAN) is allowed to go to the Internet, but I dunno if that helps you?

How do I add the default GW afterwards, please?

balaji.bandi
Hall of Fame

We understand your switch config, but one piece of information we do not know is how you are connected to the Internet.

Explain to us: do you have DSL, or what Internet connection, and what port is it connected to on the Cat 9300?

Until you establish and configure that port configuration, the switch is not able to reach the WAN IP (with the magic).

By the way, what WAN IP are you not able to ping? Give an example IP.

In most cases here the setup is identical:

Internet---ISP router---Cat 9300 Switch ---- users

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Elrick Landon
Level 1

Hi,

My setup is like this:

Internet---ISP router (bridge mode) ---Firewall (pfSense) --- Cat 9300 Switch ---- Users on VLAN A, B and C

VLAN A = 19X.XXX.XXX/XX, ping from C9300 console port to VLAN gateway 19X.XX.XXX.XXX > OK

VLAN B = 17X.XXX.XXX/XX, ping from C9300 console port to VLAN gateway 17X.XXX.XXX.XXX > OK

VLAN C = 1XX.XXX.XXX/XX, ping from C9300 console port to VLAN gateway 1XX.XXX.XXX.XXX > OK

Does it help you?

 

 

 

There is much that we do not know about your environment and that makes it difficult to give good advice. For example we do not know where inter vlan routing is being done. And we do not know whether your switch is functioning as a layer 2 switch or layer 3 switch. Since I do not see ip routing enabled, am I correct to assume that the switch is functioning as layer 2?

If the switch is layer 2 then it would be logical that inter vlan routing is done on your pfSense firewall. Is that the case? If inter vlan routing is done on pfSense then I would expect that the connection of switch to pfSense would be a trunk carrying all of the vlans.

HTH

Rick

Inter-VLAN routing is done by pfSense; the switch has dedicated ports allocated to VLAN A, B or C.

The firewall blocks communication between each VLAN, since the aim is to have three watertight VLANs, not visible to each other.

There is no routing enabled on the switch, which is useless in absolute terms, as users only have access to machines on their own VLAN or to the Internet via the firewall.

From my point of view there is no routing, so my switch is functioning as layer 2.

Does it help you enough?

Sure indeed, so your Layer 3 is your FW, so you need to check on the FW to make sure they are allowed between the VLAN IP address ranges.

Check the video below; it may help you:

https://www.youtube.com/watch?v=lvJqZj395As

BB

I didn't make a trunk between the switch and the firewall; my pfSense has 4 Ethernet interfaces, one for each VLAN, and the last for the ISP.

So each VLAN attaches to a firewall interface.

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick