Home Lab routing / switching problems

Mattyyyyy
Level 1

Hi,

I'm trying to set up a home lab and have a question. So I have the following network

[image: home netowrk diagram2.png]

My 1300 switch is connected to a Fortinet F40 firewall appliance, which is in turn connected to a router/gateway device from my ISP.

I can't change anything on the gateway device, so I'm stuck with the double NAT sadly. I can't put it into bridge mode or update internal IP addresses/turn off DHCP. I also can't change out the gateway device itself without changing my ISP (which I eventually might do anyway). But I can ping from the switch all the way to a public internet IP and a full public host name, so the double NAT doesn't seem to be an issue for now.

My objective is to ping all the way from a host in the defined network in the switch to a public address. I think I only need the following settings / steps. The diagram above shows what I can and can't ping, but more info about exactly what I tried and found is below.

Here is what I think is required to set up on the switch

  1. create SVIs for the correct VLANs

    interface vlan 1
    name main
    ip address 10.0.0.1 255.255.255.0
    no ip address dhcp
    no snmp trap link-status
    !
    interface vlan 2
    name routing
    ip address 20.0.0.1 255.255.255.0
    !
    interface vlan 3
    name workstation
    ip address 30.0.0.1 255.255.255.0
    !
    interface vlan 4
    name iot
    ip address 40.0.0.1 255.255.255.0
    !
    interface vlan 5
    name server
    ip address 50.0.0.1 255.255.255.0
    !
  2. attach those vlans to the right access ports
    interface GigabitEthernet3
    switchport access vlan 3
    !
    interface GigabitEthernet7
    switchport access vlan 5
    !

  3. create a trunk port that allows all the VLANs I want to connect to the Internet.
    interface GigabitEthernet1 
    service-acl input deny_dhcp
    service-acl output deny_dhcp default-action permit-any
    switchport mode trunk
    switchport trunk native vlan 2

  4. enable ip routing (Level 3 routing)

    1. doesn't show up in the config file, but it's on by default I think. Setting no ip routing will show it's turned off in the config. I turned it back on afterwards.

  5. Create the associated VLANs on the Fortinet F40.

  6. ensure that 802.1q ip encapsulation is enabled.

    1. I think this is on by default?

      #config
      #ethtype dot1
  7. (optional) The switch is also set up to hand out DHCP IP addresses for the VLANs.
    ip dhcp excluded-address 20.0.0.100 20.0.0.100
    ip dhcp pool network iot
    address low 40.0.0.1 high 40.0.0.254 255.255.255.0
    exit
    ip dhcp pool network main
    address low 10.0.0.1 high 10.0.0.254 255.255.255.0
    exit
    ip dhcp pool network server
    address low 50.0.0.1 high 50.0.0.254 255.255.255.0
    exit
    ip dhcp pool network routing
    address low 20.0.0.1 high 20.0.0.254 255.255.255.0
    exit
    ip dhcp pool network workstation
    address low 30.0.0.1 high 30.0.0.254 255.255.255.0
    exit


Generally I can ping from a host to anything inside or connected to the switch. 30.0.0.2 can ping 30.0.0.1, 50.0.0.1, and 50.0.0.3. But it can't ping anything past the switch, e.g. from 30.0.0.2 to 20.0.0.100.

My two guesses as to what could be causing this are the following:

  1. It seems like this points to an 802.1q IP encapsulation issue and the VLAN IDs are being stripped off the frames as they are leaving on the trunk port.

  2. I'm missing a route somewhere with the correct next hop and my ping is being eaten as it's coming into the SVI gateway.

Here are other things I checked.

  • I can ping from hosts on one vlan to another

    • I can ping 50.0.0.3 -> 30.0.0.2

      • Weirdly, this broke from one working session to another. I fixed it by clearing the ARP cache and renewing IP addresses from the hosts.

    • I can ping from any host to any SVI gateway id

      • from 30.0.0.2 -> 20.0.0.1

      • from 30.0.0.2 -> 30.0.0.1

    • From the switch itself I can ping any public ip and resolve and ping any public dns name.

      • ping 1.1.1.1

    • From a host I can not ping anything past the switch

      • ping 20.0.0.100 (from host 30.0.0.2) does not get past the SVI gateway.

    I checked and re-added ip 802.1q

Below is my running-config, settings, and 2 trace routes (one from a host and one from the switch), arp table, and ip routes.
Trace from host

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 _gateway (30.0.0.1) 1.228 ms 1.336 ms 1.377 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C


Trace route from Switch

Tracing the route to 1.1.1.1 (1.1.1.1), 30 hops max, 64 byte packets
[2025-01-12 21:11:32] Type Esc to abort.
[2025-01-12 21:11:33] 1 20.0.0.100 (20.0.0.100) <10 ms <10 ms <10 ms
[2025-01-12 21:11:36] 2 192.168.12.1 (192.168.12.1) <10 ms <10 ms <10 ms
[2025-01-12 21:11:38] 3 192.0.0.1 (192.0.0.1) <10 ms <10 ms <30 ms
[2025-01-12 21:11:39] 4 192.0.0.1 (192.0.0.1) <70 ms <90 ms <90 ms
[2025-01-12 21:11:41] 5   * 192.0.0.1 (192.0.0.1) <130 ms <110 ms
[2025-01-12 21:11:43] 6 192.0.0.1 (192.0.0.1) <130 ms <70 ms <90 ms
[2025-01-12 21:11:45] 7 192.0.0.1 (192.0.0.1) <70 ms <90 ms <70 ms
[2025-01-12 21:11:49] 8   * * *
[0000-00-00 00:00:00] 0 000.0.0.0 (000.0.0.0) <00 ms <00 ms <00 ms
[0000-00-00 00:00:00] 00 000.0.0.0 (000.0.0.0) <00 ms <00 ms <00 ms
[0000-00-00 00:00:00] 00 00.000.000.00 (00.000.000.00) <00 ms <00 ms <00 ms
[0000-00-00 00:00:00] 00   0 00.000.00.000 (00.000.00.000) <00 ms <00 ms
[0000-00-00 00:00:00] 00 00.000.000.000 (00.000.000.000) <00 ms <00 ms <00 ms
[0000-00-00 00:00:00] 00 00.000.0.00 (00.000.0.00) <000 ms <00 ms <00 ms
[0000-00-00 00:00:00] 00 00.000.000.0 (00.000.000.0) <00 ms <000 ms <00 ms
[0000-00-00 00:00:00] 00 00.000.000.000 (00.000.000.000) <000 ms <00 ms <000 ms
[0000-00-00 00:00:00] 00 00.000.000.000 (00.000.000.000) <00 ms <00 ms <00 ms
[0000-00-00 00:00:00] 00 000.000.00.00 (000.000.00.00) <00 ms <000 ms <000 ms
[0000-00-00 00:00:00] 00 000.000.00.000 (000.000.00.000) <00 ms <00 ms <00 ms
[2025-01-12 21:12:16] 20 1.1.1.1 (1.1.1.1) <70 ms <110 ms <90 ms
[2025-01-12 21:12:18]
[2025-01-12 21:12:18] Trace complete.
Show arp

[2025-01-12 21:18:36] 
[2025-01-12 21:18:36] Total number of entries: 4
[2025-01-12 21:18:36]
[2025-01-12 21:18:36]
[2025-01-12 21:18:36]   VLAN   Interface     IP address       HW address         status      
[2025-01-12 21:18:36] --------------------- --------------- ------------------- ---------------
[2025-01-12 21:18:36] vlan 2     gi1       20.0.0.100     38:c0:ea:44:65:31   dynamic        
[2025-01-12 21:18:36] vlan 3     gi3       30.0.0.2       f8:ce:72:22:a7:6d   dynamic        
[2025-01-12 21:18:36] vlan 3     gi3       30.0.0.3       f8:ce:72:22:a7:6d   dynamic        
[2025-01-12 21:18:36] vlan 5               50.0.0.3       80:18:44:ea:cf:64   dynamic        
[2025-01-12 21:18:36]
[2025-01-12 21:18:36]

Ip routes

[2025-01-12 21:19:30] IP Forwarding: enabled
[2025-01-12 21:19:30] Codes: > - best, C - connected, S - static,
[2025-01-12 21:19:30]       R - RIP
[2025-01-12 21:19:30]
[2025-01-12 21:19:30]
[2025-01-12 21:19:30] S   0.0.0.0/0 [1/4] via 20.0.0.100, 114:06:33, vlan 2                      
[2025-01-12 21:19:30] C   10.0.0.0/24 is directly connected, vlan 1                              
[2025-01-12 21:19:30] C   20.0.0.0/24 is directly connected, vlan 2                              
[2025-01-12 21:19:30] C   30.0.0.0/24 is directly connected, vlan 3                              
[2025-01-12 21:19:30] C   40.0.0.0/24 is directly connected, vlan 4                              
[2025-01-12 21:19:30] C   50.0.0.0/24 is directly connected, vlan 5                              
[2025-01-12 21:19:30]

Running Config

v4.0.0.93 / RLSB4.0HF_950_778_052
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 2-5
exit
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
ip dhcp server
ip dhcp excluded-address 20.0.0.100 20.0.0.100
ip dhcp pool network iot
address low 40.0.0.1 high 40.0.0.254 255.255.255.0
exit
ip dhcp pool network main
address low 10.0.0.1 high 10.0.0.254 255.255.255.0
exit
ip dhcp pool network server
address low 50.0.0.1 high 50.0.0.254 255.255.255.0
exit
ip dhcp pool network routing
address low 20.0.0.1 high 20.0.0.254 255.255.255.0
exit
ip dhcp pool network workstation
address low 30.0.0.1 high 30.0.0.254 255.255.255.0
exit
bonjour interface range vlan 1
ip access-list extended deny_dhcp
deny udp any bootps any bootps ace-priority 40
deny udp any bootpc any bootpc ace-priority 60
permit ip any any ace-priority 80
exit
hostname switch896356
line console
exec-timeout 60
exit
line ssh
exec-timeout 30
exit
management access-list web
permit service https
permit service http
exit
logging buffered debugging
username matty password encrypted xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip http timeout-policy 1800 http-only
ip name-server 1.1.1.1 1.0.0.1
!
interface vlan 1
name main
ip address 10.0.0.1 255.255.255.0
no ip address dhcp
no snmp trap link-status
!
interface vlan 2
name routing
ip address 20.0.0.1 255.255.255.0
!
interface vlan 3
name workstation
ip address 30.0.0.1 255.255.255.0
!
interface vlan 4
name iot
ip address 40.0.0.1 255.255.255.0
!
interface vlan 5
name server
ip address 50.0.0.1 255.255.255.0
!
interface GigabitEthernet1
service-acl input deny_dhcp
service-acl output deny_dhcp default-action permit-any
switchport mode trunk
switchport trunk native vlan 2
!
interface GigabitEthernet2
switchport access vlan 2
switchport trunk native vlan none
!
interface GigabitEthernet3
switchport access vlan 3
!
interface GigabitEthernet7
switchport access vlan 5
!
interface GigabitEthernet16
no switchport
!
exit
macro auto processing type router enabled
ip dhcp information option
ip default-gateway 20.0.0.100
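A check of the addressing plan in the post, added here as an editor's example and not code from the thread or from Cisco. It parses the SVI, DHCP-pool and excluded-address lines in the syntax the running-config above uses and flags three things: subnets that are not RFC1918 private space (20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24 and 50.0.0.0/24 all sit inside publicly routable address blocks, so a firewall or ISP gateway holding only a default route forwards replies for them toward the internet rather than back down the trunk); SVI addresses that fall inside a DHCP pool without being excluded, which every pool above does with its own gateway address; and VLAN subnets the upstream router has no specific route for, which is what a host traceroute dying at 30.0.0.1 while the switch's own traceroute (sourced from the directly connected 20.0.0.1) succeeds looks like. The firewall's routing table is not in the post, so ASSUMED_UPSTREAM_ROUTES is a constructed table that knows only the routing VLAN and a default route; SAMPLE_CONFIG is a constructed two-VLAN excerpt, and READDRESSED_CONFIG applies the 10.0.x.0/24 scheme from the last reply to it, which goes one step beyond the post by showing which findings that change clears.

```python
"""Addressing sanity checks for an L3 switch plan (added example, not from the thread).

Parses the subset of Catalyst 1300 running-config syntax shown in the post
(SVIs, DHCP pools, excluded addresses) and flags what a reviewer would raise
before trunking the switch to a firewall.
"""
import ipaddress
import re

# Constructed excerpt in the same syntax as the running-config in the post
# (two of the five VLANs are enough to make every check fire).
SAMPLE_CONFIG = """
ip dhcp excluded-address 20.0.0.100 20.0.0.100
ip dhcp pool network workstation
address low 30.0.0.1 high 30.0.0.254 255.255.255.0
exit
ip dhcp pool network routing
address low 20.0.0.1 high 20.0.0.254 255.255.255.0
exit
interface vlan 2
name routing
ip address 20.0.0.1 255.255.255.0
!
interface vlan 3
name workstation
ip address 30.0.0.1 255.255.255.0
!
"""
# The same plan after the re-addressing described in the last reply (10.0.x.0/24).
READDRESSED_CONFIG = SAMPLE_CONFIG.replace("20.0.0.", "10.0.20.").replace("30.0.0.", "10.0.30.")

UPLINK_VLAN = 2  # the "routing" VLAN that faces the firewall
# ASSUMPTION: the firewall's routing table is not in the post. This constructed
# table knows only the directly connected routing VLAN plus a default route.
ASSUMED_UPSTREAM_ROUTES = [ipaddress.ip_network("20.0.0.0/24"),
                           ipaddress.ip_network("0.0.0.0/0")]


def parse_config(text):
    """Extract SVIs, DHCP pools and excluded ranges from a config excerpt."""
    svis, pools, excluded = {}, {}, []
    vlan = pool = None  # which stanza the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface vlan (\d+)$", line):
            vlan, pool = int(m.group(1)), None
        elif m := re.match(r"ip dhcp pool network (\S+)$", line):
            pool, vlan = m.group(1), None
        elif line in ("!", "exit"):
            vlan = pool = None
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vlan is not None:
            svis[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"address low (\S+) high (\S+) (\S+)$", line)) and pool is not None:
            pools[pool] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        elif m := re.match(r"ip dhcp excluded-address (\S+) (\S+)$", line):
            excluded.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
    return svis, pools, excluded


def check_public_space(svis):
    """VLANs whose subnet is not RFC1918 space: a firewall or ISP gateway treats
    such addresses as internet destinations, not as networks behind the switch."""
    return sorted(v for v, itf in svis.items() if not itf.network.is_private)


def check_svi_in_pool(svis, pools, excluded):
    """(vlan, pool) pairs where the switch's own SVI address lies inside a pool
    and is not excluded, so a client could be leased its gateway's address.
    Whether a platform skips its own address implicitly is deliberately not relied on."""
    hits = []
    for vlan, itf in svis.items():
        for name, (low, high) in pools.items():
            covered = any(lo <= itf.ip <= hi for lo, hi in excluded)
            if low <= itf.ip <= high and not covered:
                hits.append((vlan, name))
    return sorted(hits)


def check_return_routes(svis, upstream_routes, uplink_vlan):
    """VLANs the upstream router has no specific route back to. The default
    route does not count: it sends replies toward the ISP, not down the trunk."""
    specific = [r for r in upstream_routes if r.prefixlen > 0]
    return sorted(v for v, itf in svis.items()
                  if v != uplink_vlan and not any(itf.network.subnet_of(r) for r in specific))


def run_checks(text, upstream_routes=ASSUMED_UPSTREAM_ROUTES, uplink_vlan=UPLINK_VLAN):
    """Run all three checks over a config excerpt and return the findings."""
    svis, pools, excluded = parse_config(text)
    return {
        "public_space": check_public_space(svis),
        "svi_in_pool": check_svi_in_pool(svis, pools, excluded),
        "no_return_route": check_return_routes(svis, upstream_routes, uplink_vlan),
    }


if __name__ == "__main__":
    for label, cfg in (("original plan", SAMPLE_CONFIG), ("re-addressed plan", READDRESSED_CONFIG)):
        print(label, run_checks(cfg))
```

On the original plan all three checks fire; on the re-addressed plan only the public-space finding clears, because the SVI addresses are still inside their pools and the assumed firewall table still has no route for the workstation VLAN. That matches the order of fixes in the thread: re-addressing got traffic flowing, while return routing (or the lack of it) is what still decides where inter-VLAN traffic goes.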
2 Replies

Mattyyyyy
Level 1

So an update as I continue to work on this problem. I was playing around with one-to-one vlan mapping.  I never ended up making a mapping, but while working through the error

Cannot create new VLAN mapping one-to-one due to insufficient resource allocation. If needed, please adjust system router resources settings.

and after applying

system resources vlan-mapping-entries 10


My switch restarted itself with the message

Setting the new configuration of route entries will require the software to automatically save the running-configuration file to the startup-configuration file and reboot the system, do you want to continue? 


I can now ping from at least one of the hosts (50.0.0.3) to the outside world. My trunk port now has the following new configuration. Which one of these configurations is making things work, and why?

[2025-01-12 23:09:30] interface GigabitEthernet1
[2025-01-12 23:09:30]  service-acl input deny_dhcp
[2025-01-12 23:09:30]  service-acl output deny_dhcp default-action permit-any
[2025-01-12 23:09:30]  switchport mode trunk
[2025-01-12 23:09:30]  switchport general allowed vlan add 1-5 untagged
[2025-01-12 23:09:30]  switchport trunk native vlan 2
[2025-01-12 23:09:30]  switchport nni ethtype dot1q
[2025-01-12 23:09:30] !

The two new lines are
* allowing VLANs 1-5 and untagged. Before, I thought that was allowing all VLANs on the trunk port (the default behavior again); not sure what "untagged" means here.
and
* switchport nni ethtype dot1q, which I think might be allowing 802.1q tags on the network node interface, telling it that it's a general egress port connected to another network device?


It seems like I set the right configuration somewhere along the way but it wasn't applied? How come when I set

switchport nni ethtype dot1q

it didn't apply right away, or I didn't see it in the running config right afterwards?
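The first guess in the original post, that VLAN IDs are stripped on the trunk, is what a trunk does by design for exactly one VLAN: frames belonging to the native VLAN (VLAN 2 here) leave untagged, and untagged frames arriving on the trunk are placed in the native VLAN, while every other VLAN is carried with a 4-byte 802.1Q tag (TPID 0x8100 followed by priority bits and the 12-bit VLAN ID). The peer device therefore needs an untagged interface for the native VLAN and a tagged sub-interface for each other VLAN ID it should route. The model below is an added example written for this page, not code from the thread or from Cisco; it builds and parses real Ethernet frames and applies those ingress and egress rules for a trunk with native VLAN 2 and VLANs 1-5 allowed. The MAC addresses and payload are constructed, and the TrunkPort class is a simplification (no MAC learning, no QinQ), not a model of any vendor's "general" port mode.

```python
"""802.1Q trunk behaviour frame by frame (added example, not from the thread)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

# Constructed addresses: locally administered MACs, not the ones in the post.
SWITCH_MAC = bytes.fromhex("020000000001")
FW_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; when vid is given, an 802.1Q tag is inserted after the MACs."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)  # TCI = PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload) for a frame on the wire."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class TrunkPort:
    """Ingress/egress rules of a trunk with a native VLAN and an allowed-VLAN list."""

    def __init__(self, native_vlan, allowed):
        self.native = native_vlan
        self.allowed = set(allowed)

    def ingress(self, frame):
        """VLAN a received frame is assigned to, or None if the port drops it.
        Untagged frames land in the native VLAN; tagged frames use their VID."""
        vid = parse_frame(frame)[2]
        vlan = self.native if vid is None else vid
        return vlan if vlan in self.allowed else None

    def egress(self, vlan, dst, src, ethertype, payload):
        """Frame as transmitted for `vlan`: the native VLAN leaves untagged,
        every other allowed VLAN leaves tagged; a VLAN not allowed is not sent."""
        if vlan not in self.allowed:
            return None
        tag = None if vlan == self.native else vlan
        return build_frame(dst, src, ethertype, payload, vid=tag)


def demo():
    """Trunk as in the post: native VLAN 2, VLANs 1-5 allowed."""
    port = TrunkPort(native_vlan=2, allowed=range(1, 6))
    # A routed packet from the workstation VLAN (3) toward the firewall: tagged VID 3.
    from_vlan3 = port.egress(3, FW_MAC, SWITCH_MAC, ETH_IPV4, b"ip-packet")
    # The same from the routing VLAN (2): no tag at all, because 2 is native.
    from_vlan2 = port.egress(2, FW_MAC, SWITCH_MAC, ETH_IPV4, b"ip-packet")
    # A frame the peer tags with a VID that is not allowed on this trunk.
    stray = build_frame(SWITCH_MAC, FW_MAC, ETH_IPV4, b"ip-packet", vid=99)
    # Feeding the same bytes back into the port shows where the peer's
    # replies would be classified if it mirrored these tagging rules.
    return {
        "vlan3_vid_on_wire": parse_frame(from_vlan3)[2],      # 3
        "vlan2_vid_on_wire": parse_frame(from_vlan2)[2],      # None: tag stripped
        "untagged_reply_lands_in": port.ingress(from_vlan2),  # 2 (native)
        "tagged_reply_lands_in": port.ingress(from_vlan3),    # 3
        "vid99_reply_lands_in": port.ingress(stray),          # None: dropped
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() shows both halves of the behaviour asked about above: only VLAN 2 traffic leaves without a tag, so a peer that expects untagged frames for anything else never sees them, and a tagged frame whose VID is missing from the allowed list is silently dropped, which is the symptom to expect when the two ends of a trunk disagree on their allowed VLANs.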
Mattyyyyy
Level 1

I changed the addresses to map to more standard internal IP address ranges and things started working. I think my firewall was blocking them because they were just pretty wacky and already a known outside block. I didn't think that would have been an issue, but changing them was the right thing to do anyway. They are all mapped to the pattern 10.0.[10,20,30,40,50].1/24.

What is still really weird is that inter-VLAN routing doesn't seem to be working. A ping from 10.0.20.4 -> 10.0.50.2 goes all the way out to the FW and is then routed back to the switch. I would like internal network traffic to be routed directly from the switch. I'll post this new issue in a new thread.


I have things flowing from a host out to the internet, but for some reason inter-VLAN routing is not working on the switch itself first. For instance, when I ping from