Internet For Vlans

Zaxum
Level 1

Hello,

I am really struggling to get internet access to a vlan that is created on C2960. The device does have the sdm lanbase and I have turned on ip routing. I can ping the external address of the switch, but I am unable to ping the router and beyond. Need some help. The setup is a WS-C2960S-24TS-L switch and I have that plugged into a 2911 router. I have internet on VLAN 1 but I am missing something in the path of the router or switch side.

 

Thanks,

Accepted Solution

Hello,

 

actually, I would turn off ip routing on the switch altogether, as it is not needed and will slow down your clients. You can use a subinterface on the router, the configs would look like this:

 

C2960#sh run
Building configuration...

Current configuration : 2727 bytes
!
! Last configuration change at 08:01:48 CST Mon Dec 20 2021 by Admin
! NVRAM config last updated at 08:02:12 CST Mon Dec 20 2021 by Admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 my-super-secret-key
!
username Admin secret 5 my-secret-key
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c2960s-24ts-l
!
ip dhcp pool VLAN-10
network 24.1.1.0 255.255.255.0
default-router 24.1.1.1
dns-server 171.217.177.101
domain-name VLAN10.DOMAIN.LOCAL
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
!
interface GigabitEthernet1/0/1
description Uplink to GigabitEthernet0/1 Router
switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/13
spanning-tree portfast
!
interface GigabitEthernet1/0/14
spanning-tree portfast
!
interface GigabitEthernet1/0/15
spanning-tree portfast
!
interface GigabitEthernet1/0/16
spanning-tree portfast
!
interface GigabitEthernet1/0/17
spanning-tree portfast
!
interface GigabitEthernet1/0/18
spanning-tree portfast
!
interface GigabitEthernet1/0/19
spanning-tree portfast
!
interface GigabitEthernet1/0/20
spanning-tree portfast
!
interface GigabitEthernet1/0/21
spanning-tree portfast
!
interface GigabitEthernet1/0/22
spanning-tree portfast
!
interface GigabitEthernet1/0/23
spanning-tree portfast
!
interface GigabitEthernet1/0/24
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.77.71.253 255.255.255.0
!
ip default-gateway 10.77.71.254
!
no ip http server
no ip http secure-server
vstack
banner motd ^C !!blah blah blah!! ^C
!
line con 0
login local
line vty 0 4
login local
transport input ssh
line vty 5 15
login
no exec
!
ntp authenticate
ntp clock-period 22519349
ntp source Vlan1
ntp server 198.199.120.223
end

 

2911 

 

Current configuration : 2217 bytes
!
! Last configuration change at 08:48:30 CST Mon Dec 20 2021 by admin
! NVRAM config last updated at 12:14:29 CST Fri Dec 17 2021 by admin
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2911
!
boot-start-marker
boot-end-marker
!
enable secret 5 KEY
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
!
ip dhcp excluded-address 10.77.71.250 10.77.71.254
!
ip dhcp pool C2911
network 10.77.71.0 255.255.255.0
domain-name LAKEWOOD.DOMAIN.LOCAL
default-router 10.77.71.254
dns-server 171.217.177.101
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FJC1941A0QP
!
username Admin secret 5 KEY
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Link to GigabitEthernet1/0/1 Switch
ip address 10.77.71.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1q 10
ip address 24.1.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip ssh version 2
!
ipv6 ioam timestamp
!
access-list 1 permit 10.77.71.0 0.0.0.255
access-list 1 permit 24.1.1.0 0.0.0.255
!
control-plane
!
banner motd ^C !!BLAH ADMIN ONLY!! ^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp authenticate
ntp source GigabitEthernet0/0
ntp server pool.ntp.org
!
end

Hello,

 

make sure the router has an access list for the NAT part that covers the subnet of the new Vlan. Let's say the new Vlan has subnet 192.168.2.0/24, the access list on the router needs to reflect that:

 

ip nat inside source list 1 interface x overload

access-list 1 permit 192.168.2.0 0.0.0.255

 

If you are unsure about how to configure this, post the running configurations of the router and the switch, so we can fill in the bits and pieces.

Thanks for the reply!

I have created an access list as well as configured the router source list and am still unable to ping the router and/or the internet. Stand by, I will post the config of both.

Hello,

 

awaiting the configs...

 

Hello,

 

that is just the switch config, we need the router (2911) config as well...

Hello @Zaxum 

Please see the attached file. It should provide you with the basics for internet access.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The original poster tells us "still unable to ping router". If the new vlan is not able to ping the router there is a problem before it gets to NAT. If the new vlan is not able to ping the router there are several things to check:

1) does the switch have a correctly configured vlan interface for the new vlan?

2) can the router ping the vlan interface on the switch for the new vlan? 

3) do devices in the new vlan have a correct default gateway?

4) does the switch have correct forwarding logic for traffic from the new vlan?

5) does the router have a route for the subnet of the new vlan with a correct next hop?

6) does the router have any policy on an interface (acl, etc) that could impact traffic from the new vlan?

 

HTH

Rick

Zaxum
Level 1

Here is a copy of switch config.

C2960#sh run
Building configuration...

Current configuration : 2727 bytes
!
! Last configuration change at 08:01:48 CST Mon Dec 20 2021 by Admin
! NVRAM config last updated at 08:02:12 CST Mon Dec 20 2021 by Admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 my-super-secret-key
!
username Admin secret 5 my-secret-key
!
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c2960s-24ts-l
ip routing
!
ip dhcp pool VLAN-10
network 24.1.1.0 255.255.255.0
default-router 24.1.1.1
dns-server 171.217.177.101
domain-name VLAN10.DOMAIN.LOCAL
!
!
ip domain-name blah.DOMAIN.LOCAL
ip name-server 171.217.177.101
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
!
interface GigabitEthernet1/0/1
switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/13
spanning-tree portfast
!
interface GigabitEthernet1/0/14
spanning-tree portfast
!
interface GigabitEthernet1/0/15
spanning-tree portfast
!
interface GigabitEthernet1/0/16
spanning-tree portfast
!
interface GigabitEthernet1/0/17
spanning-tree portfast
!
interface GigabitEthernet1/0/18
spanning-tree portfast
!
interface GigabitEthernet1/0/19
spanning-tree portfast
!
interface GigabitEthernet1/0/20
spanning-tree portfast
!
interface GigabitEthernet1/0/21
spanning-tree portfast
!
interface GigabitEthernet1/0/22
spanning-tree portfast
!
interface GigabitEthernet1/0/23
spanning-tree portfast
!
interface GigabitEthernet1/0/24
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.77.71.253 255.255.255.0
!
interface Vlan10
ip address 24.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.77.71.254
no ip http server
no ip http secure-server
vstack
banner motd ^C !!blah blah blah!! ^C
!
line con 0
login local
line vty 0 4
login local
transport input ssh
line vty 5 15
login
no exec
!
ntp authenticate
ntp clock-period 22519349
ntp source Vlan1
ntp server 198.199.120.223
end

Zaxum
Level 1

Here is the config for the 2911 router.

 

Building configuration...


Current configuration : 2217 bytes
!
! Last configuration change at 08:48:30 CST Mon Dec 20 2021 by admin
! NVRAM config last updated at 12:14:29 CST Fri Dec 17 2021 by admin
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2911
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 KEY
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.77.71.250 10.77.71.254
!
ip dhcp pool C2911
network 10.77.71.0 255.255.255.0
domain-name LAKEWOOD.DOMAIN.LOCAL
default-router 10.77.71.254
dns-server 171.217.177.101
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO2911/K9 sn FJC1941A0QP
!
!
vtp domain BLAH.DOMAIN.LOCAL
vtp mode transparent
username Admin secret 5 KEY
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.77.71.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 10.77.71.0 255.255.255.0 171.217.177.1
ip ssh version 2
!
ipv6 ioam timestamp
!
!
access-list 1 permit 10.77.71.0 0.0.0.255
!
control-plane
!
banner motd ^C !!BLAH ADMIN ONLY!! ^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp authenticate
ntp source GigabitEthernet0/0
ntp server pool.ntp.org
!
end

Thanks for posting the configs. There are several things in the configs that we might want to discuss. But I will start with the most important thing and if you want further discussion we can have that. The most important issue is this: you have defined network 24.1.1.0/24 on the switch. And the switch does appear to be correctly configured to forward traffic from the one connected device in that network to the router. But the router has no routing information about that network. So traffic from that network could get to the router, but the router has no way to send traffic to that network. At a minimum you need a static route on the router for network 24.1.1.0 with the switch vlan 1 interface as the next hop.

HTH

Rick

Hello,

 

What about multiple vlans? Do I use the same line for interfaces? Let's say I have VLAN 11, for instance: would I still use the interface GigabitEthernet0/1.10? Or would I use something like 1.11? Is there a lower sub interface or do they go up from the 1.10? How does that work? How does it coincide with the encapsulation? Dot1q11?

interface GigabitEthernet0/1.10
encapsulation dot1q 10
ip address 24.1.1.1 255.255.255.0
ip nat inside

Hello

the sub interface number does NOT relate to the encapsulated dot1q vlan number, but it's recommended to have parity to avoid confusion.

 

append that configuration and you should obtain connection for your hosts 


Kind Regards
Paul

Hello,

 

as Paul said, you can use any subinterface number you want, but it is good practice to use the same one as the one you use for your Vlan (.11 for Vlan 11, .12 for Vlan 12, etc).

 

Obviously if you add another Vlan, you also need to add that Vlan to the access list used by NAT.
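
The two points in the last replies (every NAT-inside subnet must be permitted by the NAT access list, and subinterface numbers should match the dot1q VLAN) can be checked mechanically. This is an added example, not code from the thread: a Python audit of a router config in which the VLAN 11 subinterface and its 192.168.11.0/24 subnet are constructed, and only standard `access-list N permit <net> <wildcard>` entries with contiguous wildcards are handled.

```python
import ipaddress
import re

# Constructed sample: router lines from the thread plus a hypothetical VLAN 11
# subinterface (assumed subnet) added without touching the NAT access list.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 10.77.71.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.10
 encapsulation dot1q 10
 ip address 24.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.12
 encapsulation dot1q 11
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 10.77.71.0 0.0.0.255
access-list 1 permit 24.1.1.0 0.0.0.255
"""

def parse_interfaces(config):
    """Map interface name -> NAT-inside flag, connected subnet, dot1q VLAN."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pasted configs that lost their indentation
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"nat_inside": False})
        elif line in ("!", ""):
            cur = None
        elif cur is not None:
            if line == "ip nat inside":
                cur["nat_inside"] = True
            elif m := re.fullmatch(r"ip address (\S+) (\d\S+)", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.fullmatch(r"encapsulation dot1q (\d+)", line, re.I):
                cur["vlan"] = int(m[1])
    return ifaces

def audit_nat(config):
    """List NAT-inside subnets missing from the NAT ACL and VLAN/subinterface mismatches."""
    m = re.search(r"^\s*ip nat inside source list (\d+) ", config, re.M)
    if not m:
        return ["no 'ip nat inside source list' statement"]
    acl = m[1]
    # ipaddress accepts the wildcard (host mask) form: 10.77.71.0/0.0.0.255
    permitted = [ipaddress.ip_network(f"{n}/{w}") for n, w in re.findall(
        rf"^\s*access-list {acl} permit (\S+) (\S+)\s*$", config, re.M)]
    findings = []
    for name, i in parse_interfaces(config).items():
        net = i.get("net")
        if i["nat_inside"] and net and not any(net.subnet_of(p) for p in permitted):
            findings.append(f"{name}: {net} not permitted by NAT access-list {acl}")
        sub = name.partition(".")[2]
        if "vlan" in i and sub and int(sub) != i["vlan"]:
            findings.append(f"{name}: subinterface number differs from dot1q VLAN {i['vlan']}")
    return findings
```

On the constructed sample, `audit_nat(SAMPLE_CONFIG)` flags GigabitEthernet0/1.12 twice: its subnet is absent from access list 1, and subinterface .12 carries VLAN 11.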
