04-12-2024 09:41 AM - edited 04-14-2024 09:40 AM
Hi all I'm setting up a CISCO LAB to keep me busy in my retirement. My Current network consists of a TP-Link Deco mesh network which works well for my IOT, PCs and internet access. I just got hold of a Cisco 1941 router with a EHWIC D8SGP module. My Plan was to put my Lab behind the 1941 with a gateway to the internet via the Deco main unit and have 3 VLANs and routing configured to allow inter VLAN routing and internet access.
From the console I can resolve hostnames and ping servers on the internet. But can't ping any of the VLAN interfaces.
The gigabitethernet0/0 interface gets allocated a reserved IP address from the Deco (
I don't get any DHCP leases except from the network (native VLAN1).
I'm pulling my hair out as 20 years ago I used to configure this **bleep** as a job. Getting old and the memory is not so great these days. One of the reasons I am setting up the lab to keep my mind active.
Any help would be appreciated. I've attached a copy of my current config and a file with show IP routes, version and vlans. Let me know if any further info is needed. Hopefully its a simple fix I just can't see.
04-12-2024 11:33 AM
Might have missed something but a few things to add:
Congrats on your retirement. Got a couple/three years to go myself.
04-12-2024 12:23 PM
I somewhete seem to recalll that with the Ethernet module, you have to create Vlan interfaces. Can you give that a try (e.g. interface Vlan 10) ?
04-14-2024 12:00 AM
So the switch module is treated like a remote switch and the trunking between router and switch is handled internally not via a trunked port?
04-12-2024 01:01 PM
I think Georg has identified your problem. If you're using sub-interfaces then that interface needs to be connected to a switch. If you're configuring the switchports from the router then all of your IP interface should be on VLAN interfaces.
04-14-2024 06:06 AM - edited 04-14-2024 09:53 AM
Ok so I erased the startup-config and started again. I now have DHCP issuing addresses based on vlan membership. PC can ping gi0/0 ( Issued by the TP-Link main Deco), but not the Deco main router ( PC can ping vlan 10 gateway So PC can't access anything past
Via console I can ping the Deco gateway and resolve and ping internet devices I can only ping vlan gateways when a client eg; PC is connected to an interface tagged with that vlan ID.
Gateway of last resort is to network
S* [254/0] via is variably subnetted, 2 subnets, 2 masks
C is directly connected, GigabitEthernet0/1
L is directly connected, GigabitEthernet0/1
C is directly connected, GigabitEthernet0/0 is subnetted, 1 subnets
L is directly connected, GigabitEthernet0/0
Current configuration : 2558 bytes
! Last configuration change at 16:34:39 UTC Sun Apr 14 2024
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
no aaa new-model
ip dhcp pool VLAN 10
ip dhcp pool VLAN20
ip dhcp pool VLAN30
ip name-server
ip cef
no ipv6 cef
multilink bundle-name authenticated
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
license udi pid CISCO1941/K9 sn FGL192720D2
controller Cellular 0/0
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
interface GigabitEthernet0/1
ip address
duplex auto
speed auto
interface GigabitEthernet0/1/0
switchport access vlan 10
no ip address
interface GigabitEthernet0/1/1
switchport access vlan 20
no ip address
interface GigabitEthernet0/1/2
switchport access vlan 30
no ip address
interface GigabitEthernet0/1/3
no ip address
interface GigabitEthernet0/1/4
no ip address
interface GigabitEthernet0/1/5
no ip address
interface GigabitEthernet0/1/6
no ip address
interface GigabitEthernet0/1/7
no ip address
interface Cellular0/0/0
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
ipv6 address autoconfig
interface Cellular0/0/1
no ip address
encapsulation slip
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly in
interface Vlan10
ip address
ip nat inside
ip virtual-reassembly in
interface Vlan20
ip address
ip nat inside
ip virtual-reassembly in
interface Vlan30
ip address
ip default-gateway
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer lte
no exec
line 0/0/1
no exec
line vty 0 4
transport input none
scheduler allocate 20000 1000
04-16-2024 02:00 AM
It looks like you still need an outside NAT interface and an associated access list. If you are just trying to test connectivity before getting that far remember that even though you have a route to get to it doesn't have a route for return traffic.
04-16-2024 03:37 AM - edited 04-16-2024 03:45 AM
Hi Thanks I have added a return route on the TP-Link Deco LAN interface ( and that allowed PCs on the VLANS (ie: network) to ping the Deco gateway ( but still not able to reach the beyond that. I did implement the NAT settings that you suggested but had no success get past the (G0/0) interface.
The Deco units are very restrictive and don't allow you to view what's going on or allow any advance configurations, so I'm thinking I might configure the 1941 as the main gateway and configure it to connect to the ISP using PPOE on G0/0. Create a dedicated VLAN for the Deco units and configure a trunk to a Cisco 3850 switch I have in my lab. That way the rest of my clients can continue to use the Deco mesh network and I will have better control over the entry point. Your thoughts ?
By the way thank you for your support. It's been a while since I played with this stuff and the brain is a bit slower these days, but things are starting to come back.
04-16-2024 05:12 AM
Could you post your current config and just curious as to how you are testing connectivity to the Internet. Are you relying on DNS which may not be working? Perhaps if you trace route to a web site's IP instead of the name that would indicate all is working and it's a DNS issue.
04-16-2024 09:02 AM - edited 04-16-2024 10:19 AM
04-16-2024 10:19 AM
There are plenty of open questions still, but here are some observations:
Finally, taking things in a different direction, is the DECO gateway already doing NAT? Perhaps you just need to get the routing correct and allow it to NAT for your networks.
04-16-2024 12:27 PM
Hi Chris,
Mate thanks for your support. I have implemented your suggested changes and not helping at this stage. As I said to RAdamsWilliams, I will have a go at moving the Deco further back in the network and connect the 1941 directly to the NBN interface. Unless your got anymore ideas.
04-17-2024 05:50 AM
Just to make sure, NBN is the Internet provider which connects to the DECO which provides the rest of your home wired and wifi Internet access. From the last config you sent it looked like the 1941’s connectivity to the DECO and lab VLANs was all through the G0/0 interface via a trunk configuration. If that’s the case I would not suggest connecting the lab to NBN and have the DECO behind that. The DECO provides the NAT and more importantly firewall features.
My only suggestion would be to break it down to a simpler configuration and get it to work without the NAT: