06-22-2013 12:16 PM - edited 03-07-2019 02:02 PM
Good Day,
I have a problem getting a Catalyst 3560-CG POE to route the traffic between the local network and the Internet. VLAN 192 is the local network. Interface G 0/10 is connected to the ISP. When I ping the Internet from the the switch, it works. When I ping from a desktop on VLAN 192, it doesn't. I can ping only to the IP address that I get from the ISP DHCP server for my switch but it doesn't go farther. I have looked on the web and in this forum, but no luck. Can you help me? I think it has something to do with the routing between local VLAN 192 and the ISP network.
Thank you in advance for your time and help.
on the switch:
ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/27 ms
on the desktop:
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Here is my configuration and other info. Not of great importance, I have a Cisco 2504 Wireless controller connected in G0/9 and two access points on G0/7 and G0/8 Vlan 5.
sh ver
Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 18-May-11 15:35 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x02800000
ROM: Bootstrap program is C3560C boot loader
BOOTLDR: C3560C Boot Loader (C3560C-HBOOT-M) Version 12.2(55r)EX11, RELEASE SOFTWARE (fc1)
quebon07videotron01 uptime is 8 minutes
System returned to ROM by power-on
System image file is "flash:/c3560c405ex-universalk9-mz.122-55.EX2/c3560c405ex-universalk9-mz.122-55.EX2.bin"
...
License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase
cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1652Y54E
Last reset from power-on
3 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
...
Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3560CG-8PC-S
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 10    WS-C3560CG-8PC-S   12.2(55)EX2           C3560c405ex-UNIVERSALK9-M
sh run
Building configuration...
Current configuration : 4594 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
ip routing
ip dhcp limited-broadcast-address
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool local
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 24.200.241.37 24.202.72.13 24.200.0.1
!
!
vtp domain public
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-28486656
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-28486656
revocation-check none
rsakeypair TP-self-signed-28486656
!
!
crypto pki certificate chain TP-self-signed-28486656
certificate self-signed 01
...
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 5,192
!
!
!
interface GigabitEthernet0/1
switchport access vlan 192
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2
switchport access vlan 192
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport access vlan 192
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
switchport access vlan 192
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/5
switchport access vlan 192
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/6
switchport access vlan 192
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/7
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/8
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/9
description Wireless controller
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,5,192
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/10
description Videotron
no switchport
ip address dhcp
!
interface Vlan1
no ip address
!
interface Vlan5
ip address 192.168.2.1 255.255.255.0
!
interface Vlan192
ip address 192.168.1.1 255.255.255.0
ip broadcast-address 192.168.1.255
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
exec-timeout 30 0
line vty 0 4
exec-timeout 30 0
login local
line vty 5 15
exec-timeout 30 0
login local
!
end
sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 70.83.108.1 to network 0.0.0.0
70.0.0.0/24 is subnetted, 1 subnets
C 70.83.108.0 is directly connected, GigabitEthernet0/10
C 192.168.1.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [254/0] via 70.83.108.1
Thank you again
Solved! Go to Solution.
06-22-2013 12:57 PM
Hi,
Since you are using private IP address on your LAN then you need to NAT, but the 3560 series switches do not support NAT.
Or is the ISP doing the NAT for you?
If you need to NAT, you need a router.
HTH
 
					
				
		
06-22-2013 01:51 PM
Hello,
I agree with Reza, one would assume you need NAT (PAT - or aka overload) here. Because you have an internet facing address on your Gi0/10, everyone out there in the WWW knows how to get to your external address (its advertised out to the internet via your ISP). This is why the ping works on your switch.
What about your internal hosts.... You have a 192.168.1.X address inside, this is an RFC1918 address range and therefore no one would be allowed to route directly to your internal hosts, nor is it feasible. All outbound traffic needs to be translated to your external address of the Gi0/10 interface, so the WWW + your Router knows where to send back the traffic to.
Unfortunately, the 3560 does not support NAT as mentioned previously, hence you need a router to carry out this function.
Hope this helps,
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
06-22-2013 12:57 PM
Hi,
Since you are using private IP address on your LAN then you need to NAT, but the 3560 series switches do not support NAT.
Or is the ISP doing the NAT for you?
If you need to NAT, you need a router.
HTH
06-22-2013 06:17 PM
Thank you very much for your help.
 
					
				
		
06-22-2013 01:51 PM
Hello,
I agree with Reza, one would assume you need NAT (PAT - or aka overload) here. Because you have an internet facing address on your Gi0/10, everyone out there in the WWW knows how to get to your external address (its advertised out to the internet via your ISP). This is why the ping works on your switch.
What about your internal hosts.... You have a 192.168.1.X address inside, this is an RFC1918 address range and therefore no one would be allowed to route directly to your internal hosts, nor is it feasible. All outbound traffic needs to be translated to your external address of the Gi0/10 interface, so the WWW + your Router knows where to send back the traffic to.
Unfortunately, the 3560 does not support NAT as mentioned previously, hence you need a router to carry out this function.
Hope this helps,
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
06-22-2013 06:11 PM
Thank you very much for your help.
Here is another question, what switch would be able to NAT, routing of course, and have 24 ports? I would like to have one piece of equipment.
Do you have other recommendations?
Would a ASA5505 do the job (without the numbers of port I need)?
Thank you again.
06-22-2013 07:04 PM
Hi,
There is no small Cisco switch (that I know) that can have 24 ports and do NAT. So, you have a couple of choices:
1-In addition to your switch buy a small router and connect the switch to the router and have the router do the NATing for you. This solution is very common.
2-Buy a router with a 24 port switch module, use the switch part to connect your end devices and use the router to the NATing for you. This is all in one device. This solution is not as common but possible.
For the first solution buy a 2901, 2911 or 2921 router.
Here is the data sheet for the 2900 series.
http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html
For the second solution buy a 2921 router and add the 24 port switch module to it.
here is the data sheet for the 2900 series
http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html
And here is the data sheet for the switch module:
see table-10 for different modules;
http://www.cisco.com/en/US/prod/collateral/routers/ps10536/data_sheet_c78-553980.html
HTH
06-22-2013 07:23 PM
Wow you're good!
Thank you
06-22-2013 07:29 PM
Glad to help and thanks for the rating.
BTW, if it is me, I prefer option-1.
HTH
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide