Solved: Re: CBS350 VLAN without internet access

zgtc · ‎03-09-2021

Hi,

I am new to cisco, and networking whatsoever. I bought a CBS350-16T-E-2G 16-Port and intend to use it as an L3 switch, if I understood correctly, I would be able to create VLANs and those would live in their own net, hidden from the other VLANs but able to connect other devices on the same VLAN directly though the switch, without going to/from the ISP router.

For now, I am using a very basic network:

ISP router is plugged to port 1, so default VLAN 1.
I have configured a VLAN 20 and a 192.168.20.1 IP, then assigned it to ports 5 and 9 as access.
Then I have plugged two raspberry pi to these ports, and assigned static IPs 192.168.20.10 and 11.
If I plug a computer into any other port it just gets a .1.x IP and has internet access.

PROBLEM

I can ping both rpi from the switch, and the rpi can ping each other and also the switch at 192.168.20.1, but they cannot access the internet.

Here is my current config:

switche44faf#show running-config
config-file-header
switche44faf
v3.0.0.69 / RCBS3.0_930_770_008
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
bonjour interface range vlan 1
hostname switche44faf
(username and user-key removed)
exit
exit
!
interface vlan 1
ip address 192.168.1.167 255.255.255.0
no ip address dhcp
!
interface vlan 20
name teen
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet5
switchport access vlan 20
!
interface GigabitEthernet9
switchport access vlan 20
!
exit
ip default-gateway 192.168.1.1

It is probably a very basic question, but how do I get the VLAN 20 to have internet access?

Thank you for your help
Sergi

zgtc · ‎04-11-2021

Part 1 of the problem was indeed the ISP router, so I used a new computer and installed pfsense v2.5.0. That allowed me to ping (IP and name, from native vlan and new vlan, to the internet) from the new router but still had the problem with the switch.

Then, don't ask me why, but pfsense 2.4.5.p1 did not have any problem at all. Yes, I had reinstalled pfsense v2.5.0 and also tried OPNsense v21.1 as well, both had the same issue not letting me access internet from a Cisco port as access (VLAN x), but once I installed the old pfsense 2.4.5.p1 it all went ok from the beginning.

View solution in original post

Georg Pauwen · ‎03-09-2021

Hello,

the problem is likely that the ISP router does not know how to NAT network 192.168.20.0/24. What brand/model is that router ? Try and get access to the ISP router and add the network to the networks that are translated.

zgtc · ‎03-09-2021

Thank you! The ISP router is a Sagemcom f@st 5366 sm. I will investigate how to NAT that network

zgtc · ‎03-09-2021

OK I am not very sure how to proceed with this screen, it's the only place I can see anything related to NAT:

balaji.bandi · ‎03-09-2021

Click add another subnet 192.168.20.0/24 - also you need to add static route back to switch

192.168.20.0/24 towards 192.168.1.167

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zgtc · ‎03-09-2021

Thank you. (I think) I have added the route back in the NAT mapping table, but I don't see how to add another subnet. Not even sure it is possible with this router. Still not able to ping the internet from the VLAN

balaji.bandi · ‎03-09-2021

Delete that entry which you added -in this screen you need to add NAT configuration,

External address *

Internal host 192.168.20.0/24

you need to find out another place where you can add route back.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zgtc · ‎03-09-2021

OK I think my router will definitely not allow me to map other internal hosts... see:

balaji.bandi · ‎03-09-2021

how about leaving the blank(external address) and click add

you may have provided this router information, what is the model of the device and manufacturer ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zgtc · ‎03-09-2021

Yes, the ISP router is a Sagemcom f@st 5366 sm.

If I just fill in the internal host it will not allow me to add to the NAT mapping table

I think someone's got to buy a router...

balaji.bandi · ‎03-09-2021

we tried to best to help you, even though that Router, not cisco, if you have a user manually refer how you can do or share here if we get the chance look and help you,

the basic idea is the same as we mentioned in the post

another option i can think is - use the switch as just layer 2 and use the same IP address range to get internet.

do you have more than 253 hosts in the network?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zgtc · ‎03-09-2021

Hi BB, I am really grateful for all the help, my main concern was if I was configuring the L2-L3 correctly, and apparently, I did.

I think I will try to install pfsense or similar on a pc, maybe then I can configure that pc/router NAT mapping. if not, then it would mean my ISP is not allowing me to use VLANs, but I hope this will be enough.

Thank you again

Georg Pauwen · ‎03-09-2021

Hello,

judging from the configuration you posted, the CBS350 is in layer 2 mode as of now. You don't need an 'ip default-gateway' but a default route, something like 'ip route 0.0.0.0 0.0.0.0 192.168.1.1.

Adding the additional network for NAT is definitely an option, using the NAT Mapping screenshot you posted.

So, first make sure your Vlan 20 clients can ping the Vlan 1 address of the ISP router.

zgtc · ‎03-09-2021

Great, I think we're doing some improvements! Again, very grateful for all the help.

I added the default route to the switch, and added the NAT again in the ISP router. Now my rpis can see each other and also the switch at 192.168.1.167, but not the ISP router at 192.168.1.1 and still no internet connection from vlan 20. Info below for reference.

zgtc · ‎03-10-2021

I bought a mini pc and installed a router-firewall software. I will now try to NAT network 192.168.20.0/24.

Again, thank you all for the help, will keep you posted once I can set up the new system.