
network topology + basic questions to answer

andbor600
Level 1

good day guys,

I need your hints to create a correct network topology.

What I have? Three Cisco devices:

1. router 877W (with POTS internet access)

2. switch SG-500

3. Access Point Aironet 2602i

what I expect:

a) to have 4 VLANs on my switch (home, monitor, dmz, guests)

b) to have two ssids defined on my AP2602 with different ip address networks (home and guests)

the issues:

1. AP 2602i is powered from SG-500 (over PoE) so it must be connected directly to SG-500

2. SG-500 has got no DHCP server, so all DHCP servers are defined within the 877W router. In other words, all devices connected to the switch should ask the 877W router for IP addresses

3. I am going to shut down all wireless functionality in my 877W router.

4. The 4 VLANs should communicate among themselves within the SG-500 switch (because it has 1000Mb ports) without the router (which only has 100Mb ports)

I spent several evenings trying to find correct solution for my network, but the longer I go the worse feelings I get.

so guys, could you start with the basic stuff:

how would you create a topology ?

how many VLANs do I need? (4 VLANs + 1 for the router?)

how to connect a router with a switch (a special dedicated VLAN?), and if so, access/trunk ports on both?

many thanks
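As an added illustration (not part of the thread, and not the poster's or Cisco's own configuration): one way to lay out the topology asked about above, with the switch kept as a plain Layer 2 device, a single tagged trunk between switch and router, and the router acting as gateway, DHCP server and NAT device for every VLAN. VLAN numbers and addresses are assumed to match the ones used later in the thread; the uplink port gi1/48, the AP port gi1/10, the excluded-address ranges, and the Dialer1 WAN interface are assumptions; the AP is assumed to run autonomous IOS and map each SSID to its own VLAN.

```cisco
! ===== SG-500 (assumed Layer 2 only): VLAN 1 mgmt, 11 HOME, 12 MONITORING, 13 DMZ, 14 GUESTS =====
vlan database
 vlan 11-14
exit
!
! Uplink to the router (assumed gi1/48): a tagged trunk carrying 11-14.
! VLAN 1 rides untagged (native) and is used only for switch/router management.
interface gigabitethernet1/48
 switchport mode trunk
 switchport trunk allowed vlan add 11-14
!
! Host ports are untagged access ports: each host lands in exactly one VLAN and
! the switch ignores any 802.1Q tag a host adds. Repeat per port with its VLAN.
interface gigabitethernet1/1
 switchport mode access
 switchport access vlan 11
!
! PoE port for the Aironet 2602i (assumed gi1/10): a trunk, because an autonomous
! AP tags each SSID's frames with that SSID's VLAN (home -> 11, guests -> 14).
interface gigabitethernet1/10
 switchport mode trunk
 switchport trunk allowed vlan add 11,14
!
! Management address of the switch; the router is the only gateway in this design.
interface vlan 1
 ip address 10.10.10.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! ===== 877W: router-on-a-stick, FastEthernet0 is the trunk to the switch =====
! The 870 keeps its VLAN list outside the running config; create 11-14 first with
!   vlan database / vlan 11-14 / exit
interface FastEthernet0
 description trunk to SG-500 gi1/48
 switchport mode trunk
!
! One SVI per VLAN: default gateway and NAT inside for that subnet.
! Vlan12 and Vlan13 follow the same pattern with 10.10.12.1 and 10.10.13.1.
interface Vlan1
 description management
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan11
 description HOME
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan14
 description GUESTS
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! DHCP lives on the router (the SG-500 has none). A request arriving on the trunk
! in VLAN 11 is answered from the pool whose network matches the Vlan11 address.
ip dhcp excluded-address 10.10.11.1 10.10.11.10
ip dhcp pool HOME
 network 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
 dns-server 62.233.233.233
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool GUESTS
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 62.233.233.233
!
! NAT: one standard ACL per inside subnet, all overloaded onto the WAN interface.
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source list 4 interface Dialer1 overload
```

With the router as every VLAN's gateway, traffic between two VLANs crosses the 100Mb trunk twice, which is what requirement 4 above wants to avoid. If the SG-500 is instead made to route between its own SVIs (10.10.11.2, 10.10.12.2 and so on), the DHCP pools must hand out the switch SVI as default-router, the router needs a static route for each subnet pointing at 10.10.10.2, and the router's firewall then only sees traffic leaving for the Internet, not traffic between VLANs; any VLAN separation (guest from home, DMZ from home) has to be enforced on the switch in that case.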

36 Replies

Post your config again of both router and switch, as you said now VLAN 1 internet starts working

also

on router

show ip access-list

Jawad

Hey

interface gigabitethernet1/10
 switchport trunk native vlan 11

As you Said Interface Gigabitethernet 1/10

switchport trunk native vlan11

remove that

make it

like

no switchport trunk native vlan11

Switchport access vlan 11


Jawad

hello Jawad,

I changed port 10 to "access" mode. No positive result, still no effect. I do not know why at the switch terminal session (telnet) everything works: I can ping any external address I want, but hosts (VLAN 11, VLAN 14) connected to this switch cannot ping the same external address. It does not apply to VLAN 1: any host connected to PORT 43 (VLAN 1) does have internet access. So I guess there is "full communication" between router and switch in case of VLAN 1,

but there is "not enough communication" between router and switch in case of VLAN 11 & VLAN 14

anyway below my configs:

switch:

vlan database
vlan 11-14
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp relay enable
ip dhcp information option
bonjour interface range vlan 1
hostname SG500
line telnet
exec-timeout 0
exit
no passwords complexity enable
username aaa password encrypted aaa privilege 15
no snmp-server server
ip http timeout-policy 0 http-only
clock timezone " " 1
clock summer-time web recurring eu
clock source sntp
clock dhcp timezone
ip name-server  10.10.10.1
ip telnet server
!
interface vlan 1
ip address 10.10.10.2 255.255.255.0
no ip address dhcp
!
interface vlan 11
name HOME
ip address 10.10.11.2 255.255.255.0
!
interface vlan 12
name MONITORING
ip address 10.10.12.2 255.255.255.0
!
interface vlan 13
name DMZ
ip address 10.10.13.2 255.255.255.0
!
interface vlan 14
name GUESTS
ip address 192.168.1.2 255.255.255.0
!
interface gigabitethernet1/1
switchport trunk native vlan 11
!
interface gigabitethernet1/2
switchport trunk native vlan 11
!
interface gigabitethernet1/3
switchport trunk native vlan 11
!
interface gigabitethernet1/4
switchport trunk native vlan 11
!
interface gigabitethernet1/5
switchport trunk native vlan 11
!
interface gigabitethernet1/6
switchport trunk native vlan 11
!
interface gigabitethernet1/7
switchport trunk native vlan 11
!
interface gigabitethernet1/8
switchport trunk native vlan 11
!
interface gigabitethernet1/9
switchport trunk native vlan 11
!
interface gigabitethernet1/10
switchport mode access
switchport access vlan 11
!
interface gigabitethernet1/11
switchport trunk native vlan 11
!
interface gigabitethernet1/12
switchport trunk native vlan 11
!
interface gigabitethernet1/13
switchport trunk native vlan 11
!
interface gigabitethernet1/14
switchport trunk native vlan 11
!
interface gigabitethernet1/15
switchport trunk native vlan 12
!
interface gigabitethernet1/16
switchport trunk native vlan 12
!
interface gigabitethernet1/17
switchport trunk native vlan 12
!
interface gigabitethernet1/18
switchport trunk native vlan 12
!
interface gigabitethernet1/19
switchport trunk native vlan 12
!
interface gigabitethernet1/20
switchport trunk native vlan 12
!
interface gigabitethernet1/21
switchport trunk native vlan 12
!
interface gigabitethernet1/22
switchport trunk native vlan 12
!
interface gigabitethernet1/23
switchport trunk native vlan 12
!
interface gigabitethernet1/24
switchport trunk native vlan 12
!
interface gigabitethernet1/25
switchport trunk native vlan 13
!
interface gigabitethernet1/26
switchport trunk native vlan 13
!
interface gigabitethernet1/27
switchport trunk native vlan 13
!
interface gigabitethernet1/28
switchport trunk native vlan 13
!
interface gigabitethernet1/29
switchport trunk native vlan 14
!
interface gigabitethernet1/30
switchport trunk native vlan 14
!
interface gigabitethernet1/31
switchport trunk native vlan 14
!
interface gigabitethernet1/32
switchport trunk native vlan 14
!
interface gigabitethernet1/33
switchport trunk native vlan 14
!
interface gigabitethernet1/34
switchport trunk native vlan 14
!
interface gigabitethernet1/35
switchport trunk native vlan 14
!
interface gigabitethernet1/36
switchport trunk native vlan 14
!
interface gigabitethernet1/45
switchport trunk allowed vlan add 11-14
!
interface gigabitethernet1/46
switchport trunk allowed vlan add 11-14
!
interface gigabitethernet1/47
switchport trunk allowed vlan add 11-14
!
interface gigabitethernet1/48
switchport trunk allowed vlan add 11-14
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
snmp-server set  rlAutomaticClockSetFromPCEnabled rlAutomaticClockSetFromPCEnabled true

and router config:

!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname C877W
!
boot-start-marker
boot system flash:/c870-advipservicesk9-mz.124-24.T7.bin
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 151200
enable secret 5 dsdsds
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-3274552524
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3274552524
revocation-check none
rsakeypair TP-self-signed-3274552524
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-111
certificate self-signed 01
111 111

        quit
dot11 mbssid
dot11 syslog
dot11 vlan-name GLAN4 vlan 4
dot11 vlan-name LOCAL vlan 1
dot11 vlan-name WLAN3 vlan 3
!
dot11 ssid zabel
vlan 4
authentication open
authentication key-management wpa
wpa-psk ascii 7 111
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.31 192.168.1.254
!
ip dhcp pool WLAN4
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 62.233.233.233 87.204.204.204
   netbios-name-server 10.10.10.2
   domain-name 111
   lease infinite
!
ip dhcp pool HOME
   import all
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool 10
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
ip dhcp pool MONITORING
   import all
   network 10.10.12.0 255.255.255.0
   dns-server 62.233.233.233
   default-router 10.10.12.1
   lease infinite
!
ip dhcp pool default
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool izabella
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 62.233.233.233
   default-router 192.168.2.1
   lease infinite
!
ip dhcp pool DMZ
   import all
   network 10.10.13.0 255.255.255.0
   default-router 10.10.13.1
   dns-server 62.233.233.233
   lease infinite
!
!
ip cef
no ip bootp server
ip name-server 62.233.233.233
ip name-server 87.204.204.204
no ip port-map x11 port tcp from 6000 to 6606  description X Window System
ip ips config location flash:/ips5/ retries 5 timeout 10
ip ips notify SDEE
no ip ips notify log
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
ip inspect audit-trail
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
  key-string
   111 111 111
  quit
!
!
!
archive
log config
  hidekeys
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect imap match-any imap-mail
match  login clear-text
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any printer-9100
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-any print-9100
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-permit-icmpreply
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  inspect
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip flow ingress
zone-member security out-zone
pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface FastEthernet0
description LAN1
switchport mode trunk
!
interface FastEthernet1
description WLAN2
switchport mode trunk
!
interface FastEthernet2
description default
!
interface FastEthernet3
description GLAN4
switchport mode trunk
!
interface Dot11Radio0
no ip address
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
encryption mode ciphers tkip
!
encryption vlan 4 mode ciphers tkip
!
broadcast-key vlan 4 change 30
!
!
ssid zabel
!
no mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.4
encapsulation dot1Q 4
zone-member security in-zone
no cdp enable
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 spanning-disabled
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
!
interface Vlan1
description default$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan4
no ip address
traffic-shape rate 64000 8000 8000 1000
bridge-group 4
!
interface Vlan11
description HOME
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan14
description GUESTS
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname 111
ppp chap password 7 111
!
interface BVI4
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-cache timeout active 1
ip flow-export version 5
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source list 3 interface Dialer1 overload
ip nat inside source list 4 interface Dialer1 overload
ip nat inside source list 5 interface Dialer1 overload
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended any
remark SDM_ACL Category=128
permit ip any any
ip access-list extended printer
remark SDM_ACL Category=128
permit ip any any
!
logging trap debugging
logging 10.10.11.1
access-list 1 remark inside to Internet
access-list 1 remark SDM_ACL Category=2
access-list 1 remark LAN1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark WLAN2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 3 remark DLAN3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark WLAN4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 10 remark CCP_ACL Category=1
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.10.11.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.12.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq cmd
access-list 102 deny   tcp any host 10.10.10.1 eq telnet
access-list 102 deny   tcp any host 10.10.10.1 eq 22
access-list 102 deny   tcp any host 10.10.10.1 eq www
access-list 102 deny   tcp any host 10.10.10.1 eq 443
access-list 102 deny   tcp any host 10.10.10.1 eq cmd
access-list 102 deny   udp any host 10.10.10.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 remark Auto generated by SDM Management Access feature
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq telnet
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq 22
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq www
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq 443
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq cmd
access-list 109 deny   tcp any host 10.10.11.1 eq telnet
access-list 109 deny   tcp any host 10.10.11.1 eq 22
access-list 109 deny   tcp any host 10.10.11.1 eq www
access-list 109 deny   tcp any host 10.10.11.1 eq 443
access-list 109 deny   tcp any host 10.10.11.1 eq cmd
access-list 109 deny   udp any host 10.10.11.1 eq snmp
access-list 109 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------

nice, huh ?

-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
speed 115200
line aux 0
transport output telnet
line vty 0 4
access-class 105 in
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 150.254.183.15 prefer source Dialer1
ntp server 193.110.137.171 source Dialer1
ntp server 212.244.36.227 source Dialer1
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.4.1012-k9.pkg sequence 1
end

Jawad,

one thing more:

after running "sh ip nat trans" on my router I got this:

Pro Inside global         Inside local          Outside local         Outside global
udp 178.36.174.138:53477  10.10.11.4:53477      62.233.233.233:53     62.233.233.233:53
udp 178.36.174.138:62634  10.10.11.4:62634      62.233.233.233:53     62.233.233.233:53
tcp 178.36.174.138:55128  192.168.2.3:55128     2.16.84.176:443       2.16.84.176:443
tcp 178.36.174.138:55129  192.168.2.3:55129     2.16.84.176:443       2.16.84.176:443

Kindly check out the first two rows. Looks like a host belonging to VLAN 11 tries to do something with external DNS...

.... and it works !!!

Look, I removed all firewall lines from my router config,

and now all VLANs have got access to the internet. Jawad, many thanks for your time
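Added example, written for this page and not taken from the thread or from either participant: the firewall removed above can be kept instead. In the router config posted earlier, Dialer1 is a member of out-zone and Vlan1 and BVI4 are members of in-zone, but Vlan11 and Vlan14 belong to no zone at all, and zone-based firewall drops traffic between an interface that is in a zone and one that is in none; that is exactly the symptom of VLAN 1 reaching the Internet while VLAN 11 and VLAN 14 do not. The fragment below assumes the zone names, zone-pairs and policy-maps of that config, and adds a separate guest zone as an assumed design choice so the guest SSID cannot reach the home VLAN through the router.

```cisco
! HOME joins the existing inside zone. From then on it is covered by the existing
! zone-pair ccp-zp-in-out (policy ccp-inspect) exactly like Vlan1 and BVI4.
! Any further SVI added later (Vlan12, Vlan13) must also join a zone for the same reason.
interface Vlan11
 zone-member security in-zone
!
! GUESTS get a zone of their own. Zone-based firewall passes nothing between two
! zones unless a zone-pair with a policy exists, so with no guest<->in pair,
! guest -> home and home -> guest are dropped by default.
zone security guest-zone
interface Vlan14
 zone-member security guest-zone
!
! Guests may only open sessions toward the Internet. "inspect" keeps state so the
! replies come back; everything else in this pair is dropped and logged.
class-map type inspect match-any guest-to-internet
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect guest-out
 class type inspect guest-to-internet
  inspect
 class class-default
  drop log
!
zone-pair security guest-to-out source guest-zone destination out-zone
 service-policy type inspect guest-out
```

Traffic addressed to the router itself is not covered by these pairs (the posted config has a zone-pair to `self` only from out-zone), so DHCP from guests keeps working, but so does every management protocol the router listens on. In the posted config, access-list 105 (the vty `access-class`) and access-list 10 (`ip http access-class`) both permit 192.168.1.0/24, so the guest network has to be removed from both lists for the isolation to hold.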

Yes, it's resolving DNS and it uses UDP for that. I have verified your config, it seems OK and working here on my testbed.

Kindly check your DNS. Your NAT translations are being done, which means your traffic is going outward.

Kindly, on the switch, when you connect a host, hard code it as an access port.

Thanks..

Jawad

Do remember one thing: first implement basic configuration, then go further to implement security, because you can't troubleshoot issues.

Cheers

** Do Rate Helpful Posts **

Jawad