03-13-2012 06:59 PM - edited 03-07-2019 05:32 AM
Hi, I'm trying to set up inter-VLAN routing with my Cisco 3550 Layer 3 switch. My router is a Cisco 2621XM.
Inter-VLAN routing and the access list are working fine. However, Internet access is not working. None of the machines in any of the VLANs have Internet access.
The ping test fails at the router, 192.168.1.1.
Is there anything I missed?
Switch config:
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch
!
enable secret 5 $1$VIUk$X4CgzXTlrvQ/MdJMreQX21
enable password
!
no aaa new-model
clock timezone SIN 8
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.2.201 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.100
ip dhcp excluded-address 192.168.3.201 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.100
ip dhcp excluded-address 192.168.4.201 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.100
ip dhcp excluded-address 192.168.5.201 192.168.5.254
!
ip dhcp pool labpool
network 192.168.4.0 255.255.255.0
dns-server 165.21.83.88 165.21.100.88
default-router 192.168.4.254
!
ip dhcp pool userpool
network 192.168.2.0 255.255.255.0
dns-server 165.21.83.88 165.21.100.88
default-router 192.168.2.254
!
ip dhcp pool wireless
network 192.168.5.0 255.255.255.0
dns-server 165.21.83.88 165.21.100.88
default-router 192.168.5.254
!
ip dhcp pool production
network 192.168.3.0 255.255.255.0
dns-server 165.21.83.88 165.21.100.88
default-router 192.168.3.254
!
!
!
crypto pki trustpoint TP-self-signed-2461056768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2461056768
revocation-check none
rsakeypair TP-self-signed-2461056768
!
!
crypto pki certificate chain TP-self-signed-2461056768
certificate self-signed 01 nvram:IOS-Self-Sig#3801.cer
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 500
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/17
switchport access vlan 400
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/18
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/19
switchport access vlan 300
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/21
switchport access vlan 400
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/22
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/23
no switchport
ip address 192.168.1.254 255.255.255.0
speed 100
duplex full
!
interface FastEthernet0/24
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan200
description Users
ip address 192.168.2.254 255.255.255.0
!
interface Vlan300
description Production
ip address 192.168.3.254 255.255.255.0
!
interface Vlan400
description Testlab
ip address 192.168.4.254 255.255.255.0
ip access-group 101 in
!
interface Vlan500
description Wireless
ip address 192.168.5.254 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
ip http secure-server
!
!
access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
access-list 101 permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
!
control-plane
!
!
line con 0
password
login
line vty 0 4
password
login
line vty 5 15
login
!
end
The router config is:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname aggarouter
!
boot-start-marker
boot system flash:2600-ik9s-mz.123-26.bin
boot-end-marker
!
enable secret 5 $1$.Af7$mlxHi9HoWKx07pKpoopEX.
!
clock timezone SIN 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain lookup source-interface FastEthernet0/0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name
!
interface FastEthernet0/0
description WAN INTERFACE
ip address dhcp
ip nat outside
ip route-cache flow
speed auto
full-duplex
!
interface FastEthernet0/1
description LAN INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip route-cache flow
speed auto
full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.20 22 interface FastEthernet0/0 1022
ip nat inside source static tcp 192.168.1.8 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.1.3 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.11 67 interface FastEthernet0/0 67
ip nat inside source static tcp 192.168.1.11 800 interface FastEthernet0/0 800
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0/0 3389
ip http server
ip http access-class 1
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
line con 0
line 33 48
line aux 0
line vty 0 4
password 7 060708264D5D100A
login
transport input telnet ssh
line vty 5 15
login
transport input telnet ssh
!
!
end
03-15-2012 07:44 PM
Hi, I was just looking at a glance and I see your DNS IP address has a different subnet compared with your users and management IPs. Please enable ip classless on your switch and look for any differences.
03-13-2012 08:11 PM
Hello,
So from the LAN you are reaching the router - good.
The problem is now with routing or NAT, I guess. First of all, on the router check if you have a route to the Internet. If yes - good; if not - sort it by applying a static route or adding dynamic routing with the provider.
The next step is NAT - if routing is present your LAN hosts can send traffic to the Internet, but they send it with a source address of 192.168.x.x, and Internet servers have no idea how to forward it back. You need to configure NAT, or PAT in your case, to translate the source address.
You can learn more about NAT/PAT here or other resources:
http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
Hope this helps,
Nik
03-13-2012 08:20 PM
Thanks for your response.
To add, I can ping the Internet from the switch itself, but from a machine I cannot ping the router.
03-13-2012 08:31 PM
See your current NAT on the WAN interface:
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.20 22 interface FastEthernet0/0 1022
ip nat inside source static tcp 192.168.1.8 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.1.3 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.11 67 interface FastEthernet0/0 67
ip nat inside source static tcp 192.168.1.11 800 interface FastEthernet0/0 800
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0/0 3389
!
access-list 1 permit 192.168.1.0 0.0.0.255
So you are only NATing network 192.168.1.0 0.0.0.255 to the WAN. When you ping from the switch it goes from the switch IP 192.168.1.254, which is within this range, and that is working. Your LAN subnets are not within this range, so NAT is not applied to them. You need to add your LAN subnets to ACL 1 for NAT to be applied to them as well.
Nik
03-14-2012 06:43 PM
I added the other LAN subnets to ACL 1 already, but it is still not working.
Any other ideas?
03-14-2012 09:11 PM
Put IP address 192.168.1.2/24 on int vlan1 on the switch and do a no shut on that interface, then try your pings.
03-14-2012 09:19 PM
No luck. I get an error when I do that:
192.168.1.2 overlaps with FastEthernet0/23
03-14-2012 09:26 PM
Port 23 on the switch is plugged directly into Fa0/1 on the router?
03-14-2012 09:32 PM
Yes, it is connected directly to the router's Fa0/1:
interface FastEthernet0/23
no switchport
ip address 192.168.1.254 255.255.255.0
speed 100
duplex full
03-14-2012 09:32 PM
Add additional statements to access-list 1 on the router to include the other subnets you've defined on the switch.
03-14-2012 09:44 PM
I have changed my access-list 1 to
access-list 1 permit any
Still no luck. Thank you very much for the help so far!
03-14-2012 10:43 PM
Add to your router:
ip route 192.168.0.0 255.255.248.0 192.168.1.254
-Matt
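As an added example that is not part of the original thread, the Python below models the two checks that Nik's NAT reply and Matt's static-route reply turn on, with the prefixes, interfaces and ACL taken from the posted router config. It implements IOS standard-ACL matching (wildcard masks, first match wins, implicit deny) and longest-prefix-match route selection, then asks for a given LAN host whether the 2621XM would (a) route its reply back towards the switch and (b) translate its traffic. The sample host addresses (192.168.4.10, 192.168.5.77, 10.0.0.5) are constructed for the example.

```python
"""
Added example (not from the original thread): a small model of the two checks the
replies above turn on, using addresses copied from the posted configs.

1. NAT: does the router's `ip nat inside source list 1` ACL match the packet's
   source? Standard ACL semantics: top-down, first match wins, implicit deny.
2. Routing: which route does the router choose for the return packet? Longest
   prefix match, so with only a connected 192.168.1.0/24 and a default route,
   replies to 192.168.4.x leave via the WAN interface instead of the switch.

Host addresses used as sample packets (e.g. 192.168.4.10) are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[str], str]  # (prefix, next hop, egress interface)
AclEntry = Tuple[str, ipaddress.IPv4Network]               # ("permit" | "deny", matched network)

WAN = "FastEthernet0/0"  # router interface with `ip nat outside`
LAN = "FastEthernet0/1"  # router interface facing the 3550's Fa0/23 (192.168.1.254)


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate an IOS `address wildcard` pair into a network.

    In a wildcard mask a 1 bit means "don't care", the inverse of a netmask, so
    `192.168.1.0 0.0.0.255` is 192.168.1.0/24 and `0.0.0.0 255.255.255.255` is `any`.
    Only contiguous wildcards are handled, which is all this thread needs.
    """
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((address, str(ipaddress.IPv4Address(netmask))), strict=False)


def nat_acl_permits(acl: List[AclEntry], src: str) -> bool:
    """Standard-ACL evaluation as IOS does it: top-down, first match wins,
    and a packet that matches nothing hits the implicit `deny any`."""
    address = ipaddress.IPv4Address(src)
    for action, network in acl:
        if address in network:
            return action == "permit"
    return False


def lookup_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the routing table; None means unroutable."""
    address = ipaddress.IPv4Address(dst)
    candidates = [route for route in table if address in route[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda route: route[0].prefixlen)


def router_can_reply(table: List[Route], host: str) -> bool:
    """The ping in the thread: a host on a switch VLAN pings 192.168.1.1. The request
    arrives via the 3550, but the reply only gets back if the router routes the
    host's address towards the LAN interface rather than following the default."""
    route = lookup_route(table, host)
    return route is not None and route[2] == LAN


def internet_path_ok(table: List[Route], acl: List[AclEntry], host: str) -> bool:
    """Both conditions must hold for a LAN host to reach the Internet through the
    2621XM: a return route to the host's subnet and a NAT ACL that translates it."""
    return router_can_reply(table, host) and nat_acl_permits(acl, host)


# --- Router as posted -------------------------------------------------------
ROUTER_AS_POSTED: List[Route] = [
    (ipaddress.IPv4Network("192.168.1.0/24"), None, LAN),  # connected, Fa0/1
    (ipaddress.IPv4Network("0.0.0.0/0"), None, WAN),       # ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
]
ACL_1_AS_POSTED: List[AclEntry] = [
    ("permit", wildcard_to_network("192.168.1.0", "0.0.0.255")),  # access-list 1 permit 192.168.1.0 0.0.0.255
]

# --- The two changes suggested in the thread --------------------------------
# ip route 192.168.0.0 255.255.248.0 192.168.1.254  (covers the 192.168.2-5.0/24 SVIs)
ROUTER_WITH_STATIC: List[Route] = ROUTER_AS_POSTED + [
    (ipaddress.IPv4Network("192.168.0.0/21"), "192.168.1.254", LAN),
]
# NAT ACL widened to exactly that /21, instead of the `permit any` the poster tried.
ACL_1_LAN_SUBNETS: List[AclEntry] = [
    ("permit", wildcard_to_network("192.168.0.0", "0.0.7.255")),
]
ACL_1_PERMIT_ANY: List[AclEntry] = [
    ("permit", wildcard_to_network("0.0.0.0", "255.255.255.255")),
]


if __name__ == "__main__":
    for host in ("192.168.1.254", "192.168.4.10"):
        print(f"{host}: as posted -> reply {router_can_reply(ROUTER_AS_POSTED, host)}, "
              f"NAT {nat_acl_permits(ACL_1_AS_POSTED, host)}; "
              f"with static route + subnet ACL -> "
              f"{internet_path_ok(ROUTER_WITH_STATIC, ACL_1_LAN_SUBNETS, host)}")
```

Run stand-alone, the model reproduces the symptoms in the thread: the switch's own 192.168.1.254 is both routable and translated as posted, while 192.168.4.10 is neither, and widening the NAT ACL alone (even to `permit any`) leaves the reply to 192.168.4.10 exiting Fa0/0 until the /21 static route exists. Matching the NAT ACL on the same 192.168.0.0 0.0.7.255 as the static route, rather than `permit any`, keeps the set of sources the router will translate no wider than the subnets it actually knows how to reach.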
03-15-2012 06:25 PM
After adding the line you suggested, I get this error when I ping www.google.com:
%unrecognized host or address, or protocol not running.
03-19-2012 02:34 AM
Million Thanks!
Finally, I got it working!