04-12-2024 09:41 AM - edited 04-14-2024 09:40 AM
Hi all, I'm setting up a Cisco lab to keep me busy in my retirement. My current network consists of a TP-Link Deco mesh network which works well for my IoT, PCs and internet access. I just got hold of a Cisco 1941 router with an EHWIC D8SGP module. My plan was to put my lab behind the 1941 with a gateway to the internet via the Deco main unit and have 3 VLANs and routing configured to allow inter-VLAN routing and internet access.
From the console I can resolve hostnames and ping servers on the internet. But can't ping any of the VLAN interfaces.
The gigabitethernet0/0 interface gets allocated a reserved IP address from the Deco (192.168.68.99 255.255.252.0)
I don't get any DHCP leases except from the 10.0.1.0 network (native VLAN1).
I'm pulling my hair out as 20 years ago I used to configure this **bleep** as a job. Getting old and the memory is not so great these days. One of the reasons I am setting up the lab to keep my mind active.
Any help would be appreciated. I've attached a copy of my current config and a file with show IP routes, version and vlans. Let me know if any further info is needed. Hopefully it's a simple fix I just can't see.
Colin
04-12-2024 11:33 AM
Hello,
Might have missed something but a few things to add:
Congrats on your retirement. Got a couple/three years to go myself.
04-12-2024 12:23 PM
Hello,
I somewhere seem to recall that with the Ethernet module, you have to create Vlan interfaces. Can you give that a try (e.g. interface Vlan 10)?
04-14-2024 12:00 AM
So the switch module is treated like a remote switch and the trunking between router and switch is handled internally not via a trunked port?
04-12-2024 01:01 PM
I think Georg has identified your problem. If you're using sub-interfaces then that interface needs to be connected to a switch. If you're configuring the switchports from the router then all of your IP interfaces should be on VLAN interfaces.
04-14-2024 06:06 AM - edited 04-14-2024 09:53 AM
OK, so I erased the startup-config and started again. I now have DHCP issuing addresses based on VLAN membership. PC can ping gi0/0 (192.168.68.99, issued by the TP-Link main Deco), but not the Deco main router (192.168.68.1). PC can ping VLAN 10 gateway 10.0.10.1. So PC can't access anything past 192.168.68.99.
Via console I can ping 192.168.68.1 (the Deco gateway) and resolve and ping internet devices. I can only ping VLAN gateways when a client (e.g. a PC) is connected to an interface tagged with that VLAN ID.
Gateway of last resort is 192.168.68.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.168.68.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.1.0/24 is directly connected, GigabitEthernet0/1
L 10.0.1.1/32 is directly connected, GigabitEthernet0/1
C 192.168.68.0/22 is directly connected, GigabitEthernet0/0
192.168.68.0/32 is subnetted, 1 subnets
L 192.168.68.99 is directly connected, GigabitEthernet0/0
Current configuration : 2558 bytes
!
! Last configuration change at 16:34:39 UTC Sun Apr 14 2024
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
ip dhcp pool VLAN 10
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 192.168.68.99
!
ip dhcp pool VLAN20
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
 dns-server 192.168.68.99
!
ip dhcp pool VLAN30
 network 10.0.30.0 255.255.255.0
 default-router 10.0.30.1
 dns-server 192.168.68.99
!
!
!
ip name-server 203.12.160.35
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
!
!
license udi pid CISCO1941/K9 sn FGL192720D2
!
!
!
redundancy
!
!
!
!
!
controller Cellular 0/0
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/1/1
 switchport access vlan 20
 no ip address
!
interface GigabitEthernet0/1/2
 switchport access vlan 30
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Cellular0/0/0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 ipv6 address autoconfig
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
ip default-gateway 192.168.68.99
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer lte
 no exec
line 0/0/1
 no exec
line vty 0 4
 login
 transport input none
!
scheduler allocate 20000 1000
!
end
04-16-2024 02:00 AM
It looks like you still need an outside NAT interface and an associated access list. If you are just trying to test connectivity before getting that far remember that even though you have a route to get to 192.168.68.1 it doesn't have a route for return traffic.
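Added example, not part of the reply above and not taken from any poster's configuration: the NAT pieces that reply refers to, written against the interface names and subnets in the config posted earlier in the thread. The ACL name LAB-NAT is a hypothetical name chosen for illustration; in the posted config Vlan30 carries no `ip nat inside`, GigabitEthernet0/0 carries no `ip nat outside`, and there is no translation rule.

```cisco
! Added example. LAB-NAT is a hypothetical ACL name.
! The ACL selects which inside source addresses are translated:
! the three lab subnets from the posted DHCP pools.
ip access-list standard LAB-NAT
 permit 10.0.10.0 0.0.0.255
 permit 10.0.20.0 0.0.0.255
 permit 10.0.30.0 0.0.0.255
!
! Outside interface: the link towards the Deco (192.168.68.0/22).
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
!
! Inside interfaces: every lab SVI, including Vlan30.
interface Vlan10
 ip nat inside
!
interface Vlan20
 ip nat inside
!
interface Vlan30
 ip nat inside
!
! Translation rule: overload (PAT) all lab sources onto the
! address GigabitEthernet0/0 holds (192.168.68.99 in the thread).
ip nat inside source list LAB-NAT interface GigabitEthernet0/0 overload
!
! Checks to run from exec mode after a lab PC sends traffic:
!   show ip nat translations   (entries with inside local 10.0.x.x)
!   show ip nat statistics     (hit counter increasing, Gi0/0 listed as outside)
```

With this in place the Deco only ever sees 192.168.68.99 as the source, so it needs no return route for the 10.0.x.x networks.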
04-16-2024 03:37 AM - edited 04-16-2024 03:45 AM
Hi, thanks. I have added a return route on the TP-Link Deco LAN interface (10.0.0.0 255.255.0.0 192.168.68.99) and that allowed PCs on the VLANs (i.e. the 10.0.10.0 network) to ping the Deco gateway (192.168.68.1), but I'm still not able to reach beyond that. I did implement the NAT settings that you suggested but had no success getting past the 192.168.68.99 (G0/0) interface.
The Deco units are very restrictive and don't allow you to view what's going on or allow any advanced configurations, so I'm thinking I might configure the 1941 as the main gateway and configure it to connect to the ISP using PPPoE on G0/0. Create a dedicated VLAN for the Deco units and configure a trunk to a Cisco 3850 switch I have in my lab. That way the rest of my clients can continue to use the Deco mesh network and I will have better control over the entry point. Your thoughts?
By the way thank you for your support. It's been a while since I played with this stuff and the brain is a bit slower these days, but things are starting to come back.
04-16-2024 05:12 AM
Hello,
Could you post your current config and just curious as to how you are testing connectivity to the Internet. Are you relying on DNS which may not be working? Perhaps if you trace route to a web site's IP instead of the name that would indicate all is working and it's a DNS issue.
04-16-2024 09:02 AM - edited 04-16-2024 10:19 AM
04-16-2024 10:19 AM
There are plenty of open questions still, but here are some observations:
Finally, taking things in a different direction, is the DECO gateway already doing NAT? Perhaps you just need to get the routing correct and allow it to NAT for your networks.
04-16-2024 12:27 PM
Hi Chris,
Mate, thanks for your support. I have implemented your suggested changes and they are not helping at this stage. As I said to RAdamsWilliams, I will have a go at moving the Deco further back in the network and connect the 1941 directly to the NBN interface. Unless you've got any more ideas.
04-17-2024 05:50 AM
Just to make sure, NBN is the Internet provider which connects to the DECO which provides the rest of your home wired and wifi Internet access. From the last config you sent it looked like the 1941’s connectivity to the DECO and lab VLANs was all through the G0/0 interface via a trunk configuration. If that’s the case I would not suggest connecting the lab to NBN and have the DECO behind that. The DECO provides the NAT and more importantly firewall features.
My only suggestion would be to break it down to a simpler configuration and get it to work without the NAT:
What this accomplishes is packet flow is in one interface and out another in the 1941 instead of multiple sub-interfaces and having to process packets in and out of the same interface.
Simple is best. Again, just my thought.