
EHWIC-4ESG module communication with external networks

faimymolina
Level 1

Hello:

I have a router 2901 with an EHWIC-4ESG module installed. The switch module is working fine, I created several SVIs and inter-VLAN communication is working; however, I cannot get any host in my internal VLANs to communicate outside the router, not even pings. Am I missing any command to enable that communication?

Thanks in advance.


Peter Paluch
Cisco Employee

Hi,

May I ask you to post your complete configuration? It is difficult to diagnose this kind of problem without seeing the configuration itself. Please make sure to remove sensitive information such as passwords but otherwise please leave all lines of the configuration intact.

Thank you!

Best regards,
Peter

Hello Peter:

This is the configuration. I am also attaching a diagram.

I am able to ping from outside to the server 192.168.158.25, but I cannot ping from 192.168.13.2 (a laptop in VLAN 13, same router).

 

Please let me know if you need more information.

 

Thanks a lot! Faimy.

 

------------------ show version ------------------

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.3(2)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 28-Mar-13 11:05 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

BORDE_HACIENDA uptime is 1 week, 22 hours, 16 minutes
System returned to ROM by power-on
System image file is "flash0:c2900-universalk9-mz.SPA.153-2.T.bin"
Last reload type: Normal Reload
Last reload reason: power-on

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX180581GJ
6 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
2 Voice FXO interfaces
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2901/K9          FTX180581GJ     

 

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot  
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
uc            uck9          Permanent      uck9
data          None          None           None

Configuration register is 0x2102

 

------------------ show inventory ------------------

NAME: "CISCO2901/K9", DESCR: "CISCO2901/K9 chassis, Hw Serial#: FTX180581GJ, Hw Revision: 1.0"
PID: CISCO2901/K9      , VID: V06 , SN: FTX180581GJ

NAME: "4 Port GE Non-POE EHWIC Switch on Slot 0 SubSlot 0", DESCR: "4 Port GE Non-POE EHWIC Switch"
PID: EHWIC-4ESG        , VID: V01 , SN: FOC18023895

NAME: "2nd generation two port FXO voice interface daughtercard on Slot 0 SubSlot 1", DESCR: "2nd generation two port FXO voice interface daughtercard"
PID: VIC2-2FXO         , VID: V03 , SN: FOC174822LH

NAME: "PVDM3 DSP DIMM with 16 Channels on Slot 0 SubSlot 4", DESCR: "PVDM3 DSP DIMM with 16 Channels"
PID: PVDM3-16          , VID: V01 , SN: FOC18015U0U

NAME: "C1941/C2901 AC Power Supply", DESCR: "C1941/C2901 AC Power Supply"
PID: PWR-1941-2901-AC  , VID:    , SN:            

 

 

CONFIG:


!
license udi pid CISCO2901/K9 sn FTX180581GJ
hw-module pvdm 0/0
!
!

!
ip ssh version 2
!
track 1 ip sla 10 reachability
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0

 description TO WAN 1
 ip address 192.168.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1

 description TO WAN 2
 ip address 192.168.0.1 255.255.255.252
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 description TO LAN
 switchport access vlan 111
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 switchport access vlan 13
 no ip address
 spanning-tree portfast

!
interface Vlan13
 ip address 192.168.13.1 255.255.255.0
!
interface Vlan111
 description TO LAN
 ip address 10.20.0.2 255.255.255.252
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.0.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 10
ip route 192.168.158.25 255.255.255.255 10.20.0.1
!
ip sla auto discovery
ip sla 10
 icmp-echo 192.168.0.2 source-ip 3.3.3.3
 timeout 10000
 frequency 10
ip sla schedule 10 life forever start-time now
access-list 1 permit 192.168.0.2
access-list 1 permit 192.168.1.2
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
 !
 !

Faimy

 

It is possible that this is a situation in which there is more than one problem. But I believe that I see at least one problem. When people describe problems in which devices connected to a router cannot access outside, one of the first things that I look for is how Network Address Translation is configured. And in your config I do not see any NAT. Can you tell us whether address translation is being done somewhere else in the network?

 

HTH

 

Rick


Hello Richard:

Actually we are not using NAT and end to end communication is fine. The problem is in the local network connected to the switch module (ports GE0/0/0, GE/0/0/1, GE/0/0/2, GE/0/0/3).

For example, network 10.20.0.0/30 is directly connected to the router. Of course I get to ping 10.20.0.1 from 10.20.0.2 (Router's SVI 111). But ping to 10.20.0.1 from 192.168.13.1 is not working. Thinking about the router as if it were a L3 switch, I should be able to ping 10.20.0.1 from any VLAN, right?

ROUTER#SH IP INT B
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/0         192.168.1.1     YES NVRAM  up                    up      
GigabitEthernet0/1         192.168.0.1     YES NVRAM  up                    up      
GigabitEthernet0/0/0       unassigned      YES unset  up                    up      
GigabitEthernet0/0/1       unassigned      YES unset  down                  down    
GigabitEthernet0/0/2       unassigned      YES unset  up                    up      
GigabitEthernet0/0/3       unassigned      YES unset  down                  down    
Loopback0                  3.3.3.3         YES NVRAM  up                    up      
NVI0                       192.168.1.1     YES unset  up                    up      
Vlan1                      unassigned      YES unset  down                  down    
Vlan13                     192.168.13.1    YES manual up                    up      
Vlan111                    10.20.0.2       YES NVRAM  up                    up      

 

ROUTER#ping 10.20.0.1 source 10.20.0.2        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

 

ROUTER#ping 10.20.0.1 source 192.168.13.1     
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1
.....
Success rate is 0 percent (0/5)

 

Intervlan communication is working: if I connect a laptop to the router's port GE0/0/3 (IP 192.168.13.2) I get to ping 10.20.0.2 but not 10.20.0.1

I took these pings to illustrate it:


Microsoft Windows [Versión 6.3.9600]
(c) 2013 Microsoft Corporation. Todos los derechos reservados.

C:\WINDOWS\System32>ping 10.20.0.2

Haciendo ping a 10.20.0.2 con 32 bytes de datos:
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253

Estadísticas de ping para 10.20.0.2:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 1ms, Máximo = 1ms, Media = 1ms

C:\WINDOWS\System32>ping 10.20.0.1

Haciendo ping a 10.20.0.1 con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 10.20.0.1:
    Paquetes: enviados = 4, recibidos = 0, perdidos = 4
    (100% perdidos),

C:\WINDOWS\System32>

 

There is a static route in 10.20.0.1 to 192.168.13.0/24:

ip route 192.168.13.0 255.255.255.0 10.20.0.2

 

Thanks in advance for your help!

 

Faimy.

Faimy

 

Thank you for the additional information. Looking at the drawing I saw a router connecting to "WAN" and assumed that NAT might be an issue. Your additional information shows that NAT is not necessary.

 

I notice this in the output that you posted.

GigabitEthernet0/0/3       unassigned      YES unset  down                  down 

Since Gig0/0/3 is the only interface configured in vlan 13 and that interface is down I am puzzled how vlan 13 is working.

 

I wonder if the issue might be that the gateway of the connected devices might not be configured correctly. Could you post the output of ipconfig from a device along with attempts on that device to ping to remote addresses?

 

HTH

 

Rick 


Hello Richard:

 

Yes, that's because when I took the show ip int b, I had already unplugged my laptop from G0/0/3.

These pings are from my laptop when connected to g0/0/3:

C:\WINDOWS\System32>ping 10.20.0.2

Haciendo ping a 10.20.0.2 con 32 bytes de datos:
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253
Respuesta desde 10.20.0.2: bytes=32 tiempo=1ms TTL=253

Estadísticas de ping para 10.20.0.2:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0
    (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 1ms, Máximo = 1ms, Media = 1ms

C:\WINDOWS\System32>ping 10.20.0.1

Haciendo ping a 10.20.0.1 con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 10.20.0.1:
    Paquetes: enviados = 4, recibidos = 0, perdidos = 4
    (100% perdidos),

C:\WINDOWS\System32>

Ip address is 192.168.13.2. GW=192.168.13.1 (SVI 13).

Right now I don't have access to the server to ping my laptop.

10.20.0.1 is a router and has route to 192.168.13.0/24, next hop 10.20.0.2.

Hope that helps.

Thank you! Faimy.

Faimy

 

I have read back through this discussion and it makes me want to understand more about what is at 10.20.0.1. In particular I am interested in one of the posts which shows

ROUTER#ping 10.20.0.1 source 10.20.0.2   

which is successful. But that

ROUTER#ping 10.20.0.1 source 192.168.13.1

which fails. This would seem to indicate some issue on 10.20.0.1 with destinations in outside address space. Your comment is that 10.20.0.1 is a router, but what device is this?

 

HTH

 

Rick


Hello Richard: That's a 2801. I do not have access to that router's config but I know for sure it has a route to 192.168.13.0/24.

Best regards, Faimy.

Faimy

When ROUTER#ping 10.20.0.1 source 10.20.0.2    works but ping to that same address from a remote source on the same device fails it is pretty much of an indicator that there is some issue on the device at 10.20.0.1.

HTH

Rick


Thank you! I'll try to get access to that router to check it myself. I'll keep you posted.

Best regards, Faimy.

So you just have no traffic between the switch portion and the regular router ports?

The Embedded Service engine is an interesting thought. But if it were the problem then how would this have worked?

ROUTER#ping 10.20.0.1 source 10.20.0.2   

and Faimy did say that this worked.

Faimy

When you do get access to the router it would be interesting to know how it is configured. But a simple first step would be just to do some pings from the router. I would start by ping 10.20.0.2 (which I assume will work) and then trying to ping 192.168.13.1 which is a connected interface on the same device and I am guessing that this will not work. If it does work then I would also try to ping 192.168.13.2.

HTH

Rick


Sorry, didn't catch that, thought he just didn't have traffic between the switchports and the normal router ports. Are all layer 2 VLANs created in the VLAN database on the switch side?

Hello Glen, Richard:

I think I am getting access to the 2800 this afternoon, I'll make some tests and copy the configuration.

Regarding the VLANs, yes, they are all created in the VLAN database.

Besides, there is communication from 10.20.0.2 (which is an SVI) to any router interface and to any other IP in the network, but not from 192.168.13.1, which is also an SVI. It is as if the router only allows one SVI...

ROUTER#sh vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0/1
13   PRUEBAS                          active    Gi0/0/2, Gi0/0/3
111  HACIENDA                         active    Gi0/0/0
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
13   enet  100013     1500  -      -      -        -    -        0      0   
111  enet  100111     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0   
1005 trnet 101005     1500  -      -      1        ibm  -        0      0   

I'll keep you all posted.

Best regards, Faimy.
