01-22-2011 05:12 AM - edited 03-06-2019 03:08 PM
Hello everyone,
I have a simple network consisting of a 3550 switch, whose only purpose is to separate VLANs, and a 2800 series router that handles inter-VLAN routing, ACL filtering, and DHCP service for all VLANs. The idea is to also add a DNS forwarding/caching option, so every host inside the VLANs can use its default gateway (the router subinterface) as its DNS server. The router will not host any zones, just forward queries to the ISP DNS and cache the answers.
However, I followed all the online instructions on how to configure this, and DNS is still not propagating through the VLANs. Hosts still have to manually set the ISP DNS server in order to have Internet access. We have a single public IP address, and NAT overload is configured. I have included the relevant portions of my configuration so someone can narrow down the problem. My newbie guess is that an ACL might be the issue, but I'm not sure which one or why.
interface GigabitEthernet0/0
no ip address
ip broadcast-address 0.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group 1 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.5.1 255.255.255.0
ip access-group 2 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.4
encapsulation dot1Q 4
ip address 192.168.30.1 255.255.255.0
ip access-group 1 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.10.1 255.255.255.0
ip access-group 1 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.6
encapsulation dot1Q 6
ip address 192.168.11.1 255.255.255.0
ip access-group 1 out
!
interface GigabitEthernet0/0.7
encapsulation dot1Q 7
ip address 192.168.20.1 255.255.255.0
ip access-group 3 out
!
interface GigabitEthernet0/0.8
encapsulation dot1Q 8
ip address 192.168.22.1 255.255.255.0
ip access-group 3 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.9
encapsulation dot1Q 9
ip address 192.168.40.1 255.255.255.0
ip access-group 4 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.44.1 255.255.255.0
ip access-group 4 out
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1
ip address X.X.X.X 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
!
!
ip dhcp pool LeecherPool
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 192.168.40.1
!
ip dhcp pool ForklanPool
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 192.168.30.1
!
ip dhcp pool SeclanPool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
ip dhcp pool SecwlanPool
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 192.168.11.1
!
ip dhcp pool SafelanPool
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 192.168.20.1
!
ip dhcp pool SafewlanPool
network 192.168.22.0 255.255.255.0
default-router 192.168.22.1
dns-server 192.168.22.1
!
ip dhcp pool RoamerPool
network 192.168.44.0 255.255.255.0
default-router 192.168.44.1
dns-server 192.168.44.1
!
!
ip name-server 204.130.255.3
!
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y
!
ip dns server
!
!
!
!
!
access-list 1 deny 192.168.40.0 0.0.0.255
access-list 1 deny 192.168.44.0 0.0.0.255
access-list 1 deny 192.168.20.0 0.0.0.255
access-list 1 deny 192.168.22.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 192.168.40.0 0.0.0.255
access-list 2 deny 192.168.44.0 0.0.0.255
access-list 2 deny 192.168.30.0 0.0.0.255
access-list 2 permit any
access-list 3 deny 192.168.40.0 0.0.0.255
access-list 3 deny 192.168.44.0 0.0.0.255
access-list 3 permit any
access-list 4 deny 192.168.20.0 0.0.0.255
access-list 4 deny 192.168.22.0 0.0.0.255
access-list 4 permit any
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 5 permit 192.168.30.0 0.0.0.255
access-list 5 permit 192.168.10.0 0.0.0.255
access-list 5 permit 192.168.11.0 0.0.0.255
access-list 5 permit 192.168.40.0 0.0.0.255
access-list 5 permit 192.168.44.0 0.0.0.255
!
!
ip nat inside source list 5 interface GigabitEthernet0/1 overload
!
end
As you can see, I have subinterfaces on the trunk, DHCP pools for those VLANs, and access lists to filter traffic. The access lists are source-based and applied "out" on the destination subinterface. There is also the "ip domain lookup" command that I issued, but it is not shown in the configuration file (?).
Any help will be greatly appreciated!
01-22-2011 10:21 AM
Is the portion of the config you posted only from the 2800? Have you sniffed the traffic? Are queries reaching the 2800 and being forwarded?
ip domain lookup is enabled by default, which is probably why it isn't appearing when you show the config. If you turned it off (no ip domain-lookup), you should see the command in the config.
01-22-2011 10:32 AM
Yes, the config is only from the router. I am configuring the device remotely and have an on-site technician for some basic cabling etc., so unfortunately I can't run Wireshark. It would be a good troubleshooting step, though.
Do you think the ACLs could be the problem?
01-23-2011 12:46 AM
Hi,
If the version of IOS on your router supports the feature, you can use Embedded Packet Capture to capture packets remotely on the router.
As a test, if you remove the outbound ACL from one of the sub-interfaces, can you browse the Internet using DNS names?
Please remember to rate all posts that are helpful.
01-23-2011 03:47 PM
Have you confirmed whether the router is resolving names itself?
Can you ping something like yahoo.com and see if it comes back with an ip address?
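An added example, not part of the thread: a stand-alone DNS probe in Python that does from a host what the replies above ask for (whether a query sent to the router's gateway address is answered at all, and what the router says back), without needing Wireshark on site. It serves both the original question (is the router acting as a forwarder for the VLAN hosts?) and the follow-ups about confirming resolution. The server address 192.168.40.1 and the query name www.cisco.com are assumptions taken from the posted config and picked for illustration; the packet is hand-built from the RFC 1035 wire format so the bytes can be compared against a capture.

```python
"""Minimal DNS A-record probe for testing a router running ``ip dns server``.

Added example, not from the thread. Assumed defaults: server 192.168.40.1
(the VLAN 9 subinterface in the posted config) and name www.cisco.com.
Standard library only, so it runs from any laptop plugged into the VLAN.
"""
import random
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txn_id: int, recursion_desired: bool = True) -> bytes:
    """Build a single-question DNS query for an A record (RFC 1035 section 4.1)."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit asks the router to forward
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_id: int) -> dict:
    """Parse a DNS response; return the flags of interest plus any A records."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txn_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txn_id != expected_id:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record: four-byte IPv4 address
            addresses.append(".".join(str(b) for b in rdata))
    return {
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "recursion_available": bool(flags & 0x0080),  # RA: server will forward
        "authoritative": bool(flags & 0x0400),        # AA: answered from its own zone
        "addresses": addresses,
    }


def probe(server: str, name: str = "www.cisco.com", timeout: float = 3.0) -> dict:
    """Send one A query to ``server`` on UDP/53 and return the parsed reply.

    Raises socket.timeout when nothing comes back: the query never reached the
    router, or the router is not serving DNS on that address."""
    txn_id = random.randint(0, 0xFFFF)
    query = build_query(name, txn_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _peer = sock.recvfrom(4096)
    return parse_response(data, txn_id)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.40.1"  # assumed gateway
    try:
        print(probe(target))
    except socket.timeout:
        print(f"no answer from {target}:53 within timeout")
```

Reading the result: a timeout means the query was not answered at all; a REFUSED or SERVFAIL rcode means the router answered but could not forward upstream, which points at reachability of the `ip name-server` address rather than at the VLANs. The outbound access-lists 1 to 4 do not see either leg of this exchange: a query addressed to the subinterface IP is delivered to the router itself before any outbound check, and router-generated replies are not subject to outbound ACLs. Because IOS does not bind `ip dns server` to a particular interface, the same probe aimed at the Gi0/1 address from outside shows whether the public IP answers recursive queries too; the posted config has no inbound access-group on Gi0/1, so that is worth checking before calling the setup finished.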