03-06-2022 01:13 PM - edited 03-06-2022 02:07 PM
hey guys,
Not sure if it's even possible, but I want to connect this switch behind my home router (ASUS GT-AC5300), whose IP is 192.168.1.2. I have created 3 VLANs with 10.10.x.x as I want to have anything behind the switch on that network scheme. So far the PCs can ping each other, and the switch can ping the PCs and Google's DNS 8.8.8.8, but the PCs can't access the internet.
Below is my running-config; any advice on this would be appreciated! When I wipe the switch everything works, so I am wondering if I need to create some type of static routes on the router, or if the VLANs being on a new network is the blocker here.
EDIT:
Looks like that's what it was. For some reason my GW 192.168.1.2 hung after I configured the switch, which I found out after attempting to ping it from the 2 PCs, so I restarted it and added the static routes for those VLANs and now everything works. Can't seem to mark this post as completed/solved.
static routes
10.10.10.0 255.255.255.0 192.168.1.250 << last hop being the IP address on the trunk int g1/0/25
10.10.20.0 255.255.255.0 192.168.1.250
10.10.30.0 255.255.255.0 192.168.1.250
Building configuration...

Current configuration : 4464 bytes
!
version 12.2
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Blackwell_SW
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts
system mtu routing 1500
ip routing
!
ip dhcp pool 10
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool 20
   network 10.10.20.0 255.255.255.0
   default-router 10.10.20.1
   dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool 30
   network 10.10.30.0 255.255.255.0
   default-router 10.10.30.1
!
!
!
!
crypto pki trustpoint TP-self-signed-2476179840
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2476179840
 revocation-check none
 rsakeypair TP-self-signed-2476179840
!
!
crypto pki certificate chain TP-self-signed-2476179840
 certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343736 31373938 3430301E 170D3933 30333031 30393436
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34373631
  37393834 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ED42 1F4C8937 DB199E19 D2E97E1A 87B0D767 F677B60E 3ABD170B 2D13D998
  04012341 28035FE1 17AC409C 7E268EB4 7EB9FD40 946FE910 48E2FEA2 8B75D54F
  F84C9235 6ED4DF20 2BD4400F 6B26DAD8 F67A704E 23299C7C 8B6C0CBD BCFFF4D3
  314B5B95 E6B03439 F9279E89 06616B06 87D03670 0F2AB1D0 9361C2E6 215A1716
  A5230203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D426C61 636B7765 6C6C5F53 572E301F 0603551D 23041830
  16801434 604C6008 DAB0DAFE FEAACEB1 C06E7CE8 16F24C30 1D060355 1D0E0416
  04143460 4C6008DA B0DAFEFE AACEB1C0 6E7CE816 F24C300D 06092A86 4886F70D
  01010405 00038181 0086DADF 4E38A0E2 7AD01A2B F44B7911 A683B873 354520F2
  CA5D8147 83291CE9 EE247E34 E3B90B50 379E7CEB EA9A5C84 D05FF8D9 28433976
  515C9330 C1B3BBCC 5C448A94 972DA3B9 6D59FC01 536CC2C1 BA98C315 BBF31884
  2E389A2D 0C2C6A7C 59031119 64277E9E 3F5C08EA 1F5FA797 A3C2D5AB 254206C4
  A9DC5F71 04E7505C 52
  quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/8
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/9
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/11
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
 description TRUNK_to_ISP
 no switchport
 ip address 192.168.1.250 255.255.255.0
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!
ip default-gateway 192.168.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip http server
ip http secure-server
!
!
!
!
vstack
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
03-06-2022 10:35 PM
Thanks for explaining that you got it to work by configuring routes on the home router for the new networks. In addition to the home router having the routes for the new networks it would have been important for the home router to also perform Network Address Translation for the new networks. Is that also something you configured? Or perhaps when you add the routes the home router is smart enough to know that it must do NAT for them?
03-06-2022 11:57 PM - edited 03-06-2022 11:57 PM
Add below on switch :
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
ip dhcp excluded-address 10.10.30.1
!
no ip default-gateway 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1 < what is this IP address?
ip route 0.0.0.0 0.0.0.0 192.168.1.2 < if this is the ASUS GT-AC5300 router IP, you can remove the IP route above
As the other post suggested, the ASUS GT-AC5300 needs to be capable of adding the static routes as below towards your switch and of adding the IP address range to do NAT (if this device does not have these capabilities, your setup is not going to work).
03-07-2022 12:17 AM
Hello,
the below looks odd:
ip default-gateway 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Remove this line:
--> no ip default-gateway 192.168.1.2
and also one of the default routes, as you have two next hops, with traffic being load balanced across both routes now, resulting in half of the traffic being blackholed, probably.
What is the IP address of the ASUS, 192.168.1.1, or 192.168.1.2 ? Remove the route that does not point to the ASUS IP address...
03-07-2022 07:36 AM
The original post says that things are now working. But there are several comments about parts of the config. Previous responses have pointed out that the switch is configured with ip default-gateway. This is useful when the switch is operating as L2 switch. But when ip routing is enabled (as it is for this switch) then the ip default-gateway is ignored. It does no harm if it is still in the config. But it does no good having it in the config and I agree that it would be good to remove this.
Also previous posts have pointed out that there are 2 static default routes configured. The original post identifies that the home router is 192.168.1.2. We do not know what device (if any) is 192.168.1.1 and until we get clarification of what this is I agree that the original poster should remove the static default route that uses this next hop.
The config identifies the interface connecting the switch to the home router as a TRUNK. But it is not a trunk and is a routed port providing a transit link used to route traffic between the switch and the home router.
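The three config points raised in this thread (a default gateway that is ignored once ip routing is on, two static default routes with different next hops, and DHCP pools whose default-router address is not excluded from the pool) are easy to miss by eye in a long running-config. The following is an added example, not a Cisco tool and not code from anyone in this thread: a small Python linter over IOS-style running-config text that flags exactly those conditions, plus a routed port whose description still calls it a trunk. The SAMPLE_CONFIG excerpt is constructed here from the values posted above, and the check names and messages are this example's own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the switch config posted in this thread (not the full output).
SAMPLE_CONFIG = """\
ip routing
!
ip dhcp pool 10
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
ip dhcp pool 20
   network 10.10.20.0 255.255.255.0
   default-router 10.10.20.1
!
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
interface GigabitEthernet1/0/25
 description TRUNK_to_ISP
 no switchport
 ip address 192.168.1.250 255.255.255.0
!
ip default-gateway 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.2
"""


def _ip_int(addr):
    return int(ipaddress.ip_address(addr))


def parse_config(text):
    """Collect the global and per-block facts the checks need; a '!' line ends a block."""
    facts = {
        "ip_routing": False, "default_gateway": None,
        "default_routes": [],   # next hops of 'ip route 0.0.0.0 0.0.0.0 <hop>'
        "excluded": [],         # (low, high) integer ranges from excluded-address lines
        "pools": {},            # pool name -> default-router (None if missing)
        "interfaces": {},       # name -> {"description": str, "routed": bool}
    }
    block = None                # ("pool", name) or ("intf", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
        elif line == "ip routing":
            facts["ip_routing"] = True
        elif line == "no ip routing":
            facts["ip_routing"] = False
        elif m := re.fullmatch(r"ip default-gateway (\S+)", line):
            facts["default_gateway"] = m.group(1)
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            facts["default_routes"].append(m.group(1))
        elif m := re.fullmatch(r"ip dhcp excluded-address (\S+)(?: (\S+))?", line):
            low = _ip_int(m.group(1))   # single address or start of a range
            facts["excluded"].append((low, _ip_int(m.group(2)) if m.group(2) else low))
        elif m := re.fullmatch(r"ip dhcp pool (\S+)", line):
            block = ("pool", m.group(1))
            facts["pools"][m.group(1)] = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            block = ("intf", m.group(1))
            facts["interfaces"][m.group(1)] = {"description": "", "routed": False}
        elif block and block[0] == "pool" and (m := re.match(r"default-router (\S+)", line)):
            facts["pools"][block[1]] = m.group(1)
        elif block and block[0] == "intf":
            intf = facts["interfaces"][block[1]]
            if m := re.fullmatch(r"description (.*)", line):
                intf["description"] = m.group(1)
            elif line == "no switchport":
                intf["routed"] = True
    return facts


def lint(text):
    """Return one finding per issue; an empty list means the config passed these checks."""
    f = parse_config(text)
    out = []
    if f["ip_routing"] and f["default_gateway"]:
        out.append(f"ip default-gateway {f['default_gateway']} is ignored while ip routing is on; remove it")
    hops = sorted(set(f["default_routes"]))
    if len(hops) > 1:
        out.append(f"several default-route next hops ({', '.join(hops)}); a bad hop blackholes its share of traffic")
    for name, gw in f["pools"].items():
        if gw is None:
            out.append(f"dhcp pool {name} has no default-router")
        elif not any(lo <= _ip_int(gw) <= hi for lo, hi in f["excluded"]):
            out.append(f"dhcp pool {name}: default-router {gw} is not excluded, so it can be leased to a client")
    for name, intf in f["interfaces"].items():
        if intf["routed"] and "trunk" in intf["description"].lower():
            out.append(f"{name} is described as a trunk but is a routed port (no switchport)")
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed excerpt it reports four findings; against a copy with the default gateway and the 192.168.1.1 route removed, both gateway addresses excluded, and the port description corrected it reports none. The excluded-address check deliberately treats a two-address form as an inclusive range, which is how IOS interprets it, so a pool gateway inside a reserved range is not flagged.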
03-07-2022 04:58 PM
Hey All,
Sorry for the delay in my response. Yes, 192.168.1.2 is my router. I deleted ip route 0.0.0.0 0.0.0.0 192.168.1.2 after I saw it in my output above and forgot to include that in my EDIT, so that's no longer there. Thanks for pointing out that ip default-gateway 192.168.1.2 is not needed anymore; I will remove that and test. As far as doing NAT on the home router, I did not see an option to do this in the web GUI, unless I missed it. I am going to try to SSH into the router and see if I can see an output via CLI; perhaps it added this when I added the static routes, but so far everything is working as intended.
Good idea to add the excluded IPs, I will add that on the switch too. Again, thank you everyone!
03-07-2022 06:30 PM
On a side note, should I have used a trunk on that interface going to the router?
03-08-2022 01:35 AM
If your DSL (ISP) router IP is 192.168.1.2 then you need to keep ip route 0.0.0.0 0.0.0.0 192.168.1.2 and delete ip route 0.0.0.0 0.0.0.0 192.168.1.1.
If the DSL router does not have NAT capabilities, then the solution will not work. Then you need to get any Raspberry Pi or pfSense small kit between the switch and the DSL router to act as a NAT router to make it work.
should I have used a trunk on that interface going to the router?
YES and NO
If you want to enable all Layer 3 interfaces on the DSL router, then making it a trunk is a good option.
If the switch is acting as a Layer 3 device, then making it a P2P interface is a good choice.
03-08-2022 02:29 AM
Hello,
which router/modem model do you have ?
03-08-2022 07:57 AM
The original poster asks a follow up question "should I have used a trunk on that interface going to the router?" The answer is that it depends on what you want the architecture of this network to be.
One alternative, which is what is currently implemented, is to have layer 3 routing enabled on the switch, to have inter vlan routing done on the switch, and for the switch to have a routed link to the router and to forward traffic with remote destinations to the router. In this architecture there is no need for a trunk.
The other alternative would be to have the switch operate as a layer 2 switch. The switch can have multiple vlans, and would have a trunk connecting the switch to the router. In this architecture the inter vlan routing is done on the router. The switch needs to connect to the router using a trunk because the router needs to see each vlan directly (as locally connected).
Both architectures can work. I believe that the alternative that you have chosen is the better of the alternatives. Especially with the home router I believe it is better that the router only need to deal with traffic to remote destinations and that it not have to deal with local traffic.
03-08-2022 08:47 PM
I have a DOCSIS 3.0 E31N2V1 modem, which I don't believe does any routing, and it connects to my router, an Asus GT-AC5300. I was able to SSH to my router, and it looks like it did add some NAT when I added the static routes from the web GUI:
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     192.168.1.0/24       10.10.10.0/24
    0     0 ACCEPT     all  --  br0    br0     192.168.1.0/24       10.10.20.0/24
03-09-2022 12:40 AM
Thanks for the update. +5 for confirming that it looks like the Asus did dynamically add NAT for the new networks when you configured the static routes for the new networks.
03-09-2022 06:11 PM
Hey guys, not sure if I should open another thread for this off-subject question. I later intend to add PoE cameras and this switch isn't PoE capable. Is there a way to quickly find out if a switch is PoE capable, capable of doing routing, and has 1 Gb ports based on the model? Or do I have to get into the CLI and issue ip routing to verify routing, sh power inline for PoE and sh int status for port speed? A guy is selling the below models online:
c3750
c2950
c3560G