Cisco Catalyst 3560-CG routing problem with an ISP

sjuneau
Level 1

Good Day,

I have a problem getting a Catalyst 3560-CG POE to route the traffic between the local network and the Internet. VLAN 192 is the local network. Interface G 0/10 is connected to the ISP. When I ping the Internet from the switch, it works. When I ping from a desktop on VLAN 192, it doesn't. I can ping only to the IP address that I get from the ISP DHCP server for my switch, but it doesn't go farther. I have looked on the web and in this forum, but no luck. Can you help me? I think it has something to do with the routing between local VLAN 192 and the ISP network.

Thank you in advance for your time and help.

on the switch:

ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/27 ms

on the desktop:

ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Here is my configuration and other info. Not of great importance, I have a Cisco 2504 Wireless controller connected in G0/9 and two access points on G0/7 and G0/8 in VLAN 5.

sh ver
Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 18-May-11 15:35 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x02800000

ROM: Bootstrap program is C3560C boot loader
BOOTLDR: C3560C Boot Loader (C3560C-HBOOT-M) Version 12.2(55r)EX11, RELEASE SOFTWARE (fc1)

quebon07videotron01 uptime is 8 minutes
System returned to ROM by power-on
System image file is "flash:/c3560c405ex-universalk9-mz.122-55.EX2/c3560c405ex-universalk9-mz.122-55.EX2.bin"

...

License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase

cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1652Y54E
Last reset from power-on
3 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

...

Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3560CG-8PC-S


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 10    WS-C3560CG-8PC-S   12.2(55)EX2           C3560c405ex-UNIVERSALK9-M

sh run

Building configuration...

Current configuration : 4594 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
ip routing
ip dhcp limited-broadcast-address
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool local
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 24.200.241.37 24.202.72.13 24.200.0.1
!
!
vtp domain public
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-28486656
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-28486656
 revocation-check none
 rsakeypair TP-self-signed-28486656
!
!
crypto pki certificate chain TP-self-signed-28486656
 certificate self-signed 01
  ...
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 5,192
!
!
!
interface GigabitEthernet0/1
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/5
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/6
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description Wireless controller
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5,192
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/10
 description Videotron
 no switchport
 ip address dhcp
!
interface Vlan1
 no ip address
!
interface Vlan5
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 ip broadcast-address 192.168.1.255
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
 exec-timeout 30 0
line vty 0 4
 exec-timeout 30 0
 login local
line vty 5 15
 exec-timeout 30 0
 login local
!
end

sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 70.83.108.1 to network 0.0.0.0

     70.0.0.0/24 is subnetted, 1 subnets
C       70.83.108.0 is directly connected, GigabitEthernet0/10
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [254/0] via 70.83.108.1

Thank you again


7 Replies

Reza Sharifi
Hall of Fame

Hi,

Since you are using private IP addresses on your LAN, you need to NAT, but the 3560 series switches do not support NAT.

Or is the ISP doing the NAT for you?

If you need to NAT, you need a router.

HTH

Thank you very much for your help.

Bilal Nawaz
VIP Alumni

Hello,

I agree with Reza, one would assume you need NAT (PAT - or aka overload) here. Because you have an internet facing address on your Gi0/10, everyone out there in the WWW knows how to get to your external address (it's advertised out to the internet via your ISP). This is why the ping works on your switch.

What about your internal hosts... You have a 192.168.1.X address inside; this is an RFC1918 address range and therefore no one would be allowed to route directly to your internal hosts, nor is it feasible. All outbound traffic needs to be translated to your external address of the Gi0/10 interface, so the WWW and your router know where to send the traffic back to.

Unfortunately, the 3560 does not support NAT as mentioned previously, hence you need a router to carry out this function.

Hope this helps,

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
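Added illustration, not part of the thread and not Cisco code: a small Python model of the translation Reza and Bilal describe. It plays through the three cases the thread discusses: the switch pinging from its ISP-assigned public address (works without NAT), the desktop pinging from 192.168.1.x with no translation (the RFC1918 source has no route back, so the echo never returns), and the same desktop behind a PAT/overload-capable router, which rewrites the source to the outside address, records the binding, and maps the reply back. The 70.83.108.0/24 ISP range, the 192.168.1.0/24 LAN and the 8.8.8.8 target come from the thread; the specific outside address 70.83.108.200, the desktop address 192.168.1.50 and the identifier numbers are constructed for the example.

```python
"""Toy model of PAT (NAT overload), the function the thread says the 3560 lacks.
Added example; addresses marked 'constructed' are not from the thread."""
import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

# From the thread: ISP block 70.83.108.0/24, LAN 192.168.1.0/24, target 8.8.8.8.
OUTSIDE_ADDR = ipaddress.ip_address("70.83.108.200")   # constructed DHCP lease on Gi0/10
LAN = ipaddress.ip_network("192.168.1.0/24")
DESKTOP = ipaddress.ip_address("192.168.1.50")         # constructed LAN host
TARGET = ipaddress.ip_address("8.8.8.8")


@dataclass(frozen=True)
class Packet:
    """Just enough of an ICMP echo to show what PAT rewrites."""
    src: IPv4Address
    dst: IPv4Address
    ident: int          # ICMP identifier; PAT treats it like a port number


def internet_reply(pkt: Packet) -> Optional[Packet]:
    """Model the ISP and the far end. A request sourced from an RFC1918 address
    is either filtered or unanswerable (no route back to it), which is the
    desktop's 'Request timed out.' Public sources get an echo reply."""
    if pkt.src.is_private:
        return None
    return Packet(src=pkt.dst, dst=pkt.src, ident=pkt.ident)


class PatRouter:
    """Port Address Translation: many inside hosts share one outside address,
    told apart by a rewritten identifier/port that the router remembers."""

    def __init__(self, outside: IPv4Address, inside: IPv4Network, first_ident: int = 1024):
        self.outside = outside
        self.inside = inside
        self.next_ident = first_ident
        # translated ident -> (inside source address, inside ident)
        self.table: Dict[int, Tuple[IPv4Address, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the outside address."""
        if pkt.src not in self.inside:
            return pkt                      # e.g. the device's own public address
        binding = (pkt.src, pkt.ident)
        for tid, inner in self.table.items():
            if inner == binding:            # reuse an existing translation
                return Packet(self.outside, pkt.dst, tid)
        tid = self.next_ident
        self.next_ident += 1
        self.table[tid] = binding
        return Packet(self.outside, pkt.dst, tid)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only traffic matching a binding is forwarded;
        unsolicited packets aimed at the outside address are dropped."""
        if pkt.dst != self.outside:
            return None
        inner = self.table.get(pkt.ident)
        if inner is None:
            return None
        inside_src, inside_ident = inner
        return Packet(pkt.src, inside_src, inside_ident)


def ping(src: IPv4Address, dst: IPv4Address, ident: int,
         pat: Optional[PatRouter] = None) -> Optional[Packet]:
    """Send one echo request; return the reply as the originating host sees it,
    or None on timeout."""
    request = Packet(src, dst, ident)
    on_wire = pat.outbound(request) if pat else request
    reply = internet_reply(on_wire)
    if reply is None:
        return None
    return pat.inbound(reply) if pat else reply


def switch_ping_no_nat() -> Optional[Packet]:
    """The 3560 pinging from its ISP-assigned address: works without NAT."""
    return ping(OUTSIDE_ADDR, TARGET, ident=1)


def desktop_ping_no_nat() -> Optional[Packet]:
    """The desktop behind the 3560 with no translation: times out."""
    return ping(DESKTOP, TARGET, ident=1)


def desktop_ping_with_pat() -> Tuple[Optional[Packet], PatRouter]:
    """Same desktop behind a PAT-capable router: the reply is mapped back."""
    pat = PatRouter(OUTSIDE_ADDR, LAN)
    return ping(DESKTOP, TARGET, ident=7, pat=pat), pat


if __name__ == "__main__":
    print("switch, no NAT :", switch_ping_no_nat())
    print("desktop, no NAT:", desktop_ping_no_nat())
    reply, pat = desktop_ping_with_pat()
    print("desktop, PAT   :", reply, "table:", pat.table)
```

Running it shows the first ping answered, the second returning None, and the third answered with the desktop's own address and identifier restored from the translation table. The `inbound` drop of anything without a binding is also why a PAT router, unlike the bare 3560 default route, does not expose inside hosts to unsolicited traffic from the outside address.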

Thank you very much for your help.

Here is another question, what switch would be able to NAT, routing of course, and have 24 ports? I would like to have one piece of equipment.

Do you have other recommendations?

Would an ASA5505 do the job (without the number of ports I need)?

Thank you again.

Hi,

There is no small Cisco switch (that I know of) that can have 24 ports and do NAT. So, you have a couple of choices:

1-In addition to your switch, buy a small router, connect the switch to the router and have the router do the NATing for you. This solution is very common.

2-Buy a router with a 24 port switch module, use the switch part to connect your end devices and use the router to do the NATing for you. This is all in one device. This solution is not as common but possible.

For the first solution buy a 2901,  2911 or 2921 router.

Here is the data sheet for the 2900 series.

http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html

For the second solution buy a 2921 router and add the 24 port switch module to it.

Here is the data sheet for the 2900 series:

http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html

And here is the data sheet for the switch module:

see Table 10 for the different modules:

http://www.cisco.com/en/US/prod/collateral/routers/ps10536/data_sheet_c78-553980.html

HTH

Wow you're good!

Thank you

Glad to help and thanks for the rating.

BTW, if it were me, I would prefer option 1.

HTH
