10-28-2014 02:58 AM - edited 03-07-2019 09:16 PM
Hi Team,
We have one ISR2951 with LAN: 192.168.1.1 (DHCP server enabled: 192.168.1.10 - 192.168.1.250)
and a Cisco SG300 switch with
VLAN1 (default) 192.168.1.254
VLAN10 192.168.10.254
VLAN20 192.168.20.254
VLAN30 192.168.30.254
I made it in such a way that port 1 is the trunk port
and I tagged VLAN10, 20 and 30 to it.
Inter-VLAN routing is happening, meaning I can ping any machine connected to any of the VLANs from the router and vice versa, and also between VLANs.
But I'm getting internet only when I'm on VLAN1.
And when I do DHCP relay on VLAN10, 20 and 30, I'm not getting any IP from the router.
I even tried to enable ip helper on VLAN10, 20 and 30, but it says wrong IP address,
and I created IP routes for VLAN10, 20 and 30 on the router.
Will it be possible for the router DHCP to relay DHCP to all the VLANs at the same time and get internet?
Physical connection is this way:
Router LAN port connected to switch trunk port 1 (VLAN1), and VLAN10, 20, 30 are tagged to VLAN1. I want the router to relay DHCP on VLAN 10, 20 and 30; also, all the devices connected to the VLANs should get internet from the router.
Will this be possible, or do I need additional ports on the router for VLAN10, 20 and 30? Please help.
10-30-2014 04:20 AM
First, is there a legitimate reason you need to have each AP on a different VLAN? The common practice is to have a separate VLAN for wireless traffic and to put all of the APs on that VLAN. Large organizations with many wireless users may use multiple wireless VLANs, of course. You can also create multiple wireless VLANs to segregate traffic, such as having a public VLAN for guests and a second VLAN for dedicated employees. With Cisco APs, the VLAN is associated with the SSID and you broadcast multiple SSIDs for different purposes, with authentication configured to limit who can access the restricted SSIDs. Take a look at your requirements and consider whether having each AP in a different subnet is required to meet your purposes, or whether you can meet those needs in a different manner, such as having multiple SSIDs.
As for roaming, are you using lightweight APs with a WLAN controller or autonomous APs? If you're using LAPs with a WLC, you can allow roaming between subnets. Essentially, when the wireless client hops to a new LAP in a different subnet, it retains its original IP and the traffic is tunneled to the original WLC if necessary and placed in the correct VLAN for that subnet. I don't believe seamless layer 3 roaming is possible between autonomous APs in different subnets but wireless isn't my specialty, so don't take that as gospel.
10-28-2014 03:56 AM
"will it be possible for the router dhcp to relay dhcp to all the VLANs at the same time ...and get internet.."
Yes. Can you post your config?
HTH,
John
10-28-2014 06:06 AM
Router config:
!
interface GigabitEthernet0/0
ip address 115.111.5.34 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.3.254
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
no ip address
shutdown
!
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list local interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 115.111.5.33
ip route 192.168.1.0 255.255.255.0 192.168.10.254
ip route 192.168.1.0 255.255.255.0 192.168.20.254
ip route 192.168.1.0 255.255.255.0 192.168.30.254
ip route 192.168.10.0 255.255.255.0 192.168.1.254
ip route 192.168.10.0 255.255.255.0 192.168.20.254
ip route 192.168.10.0 255.255.255.0 192.168.30.254
ip route 192.168.20.0 255.255.255.0 192.168.1.254
ip route 192.168.20.0 255.255.255.0 192.168.30.254
ip route 192.168.20.0 255.255.255.0 192.168.10.254
ip route 192.168.30.0 255.255.255.0 192.168.1.254
ip route 192.168.30.0 255.255.255.0 192.168.20.254
ip route 192.168.30.0 255.255.255.0 192.168.10.254
!
ip access-list extended local
permit ip 192.168.1.0 0.0.0.255 any
10-28-2014 06:07 AM
my switch config:
sh run
config-file-header
switchc07ce5
v1.4.0.88 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968
!
port jumbo-frame
vlan database
vlan 10,20,30
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switchc07ce5
no passwords complexity enable
username cisco password encrypted 1925528a0e57fde994284bd9d51d23
ip ssh server
no ip http server
!
interface vlan 1
ip address 192.168.1.254 255.255.255.0
no ip address dhcp
!
interface vlan 10
! [the lines between here and interface gigabitethernet6 are garbled in the original paste]
!
interface gigabitethernet6
switchport mode access
!
interface gigabitethernet7
switchport trunk allowed vlan add 10
!
interface gigabitethernet8
switchport mode access
switchport access vlan 10
!
interface gigabitethernet9
switchport trunk allowed vlan add 20
!
interface gigabitethernet10
switchport mode access
switchport access vlan 20
!
interface gigabitethernet11
switchport trunk allowed vlan add 30
!
interface gigabitethernet12
switchport mode access
switchport access vlan 30
!
interface gigabitethernet13
switchport mode access
!
interface gigabitethernet14
switchport mode access
!
interface gigabitethernet15
switchport mode access
!
interface gigabitethernet16
switchport mode access
!
interface gigabitethernet17
switchport mode access
!
interface gigabitethernet18
switchport mode access
!
interface gigabitethernet19
switchport mode access
!
interface gigabitethernet20
switchport mode access
!
interface gigabitethernet21
switchport mode access
!
interface gigabitethernet22
switchport mode access
!
interface gigabitethernet23
switchport mode access
!
interface gigabitethernet24
switchport mode access
!
interface gigabitethernet25
switchport mode access
!
interface gigabitethernet26
switchport mode access
!
interface gigabitethernet27
switchport mode access
!
interface gigabitethernet28
switchport mode access
!
exit
ip helper-address all 192.168.1.1 37 42 49 53 137 138
ip default-gateway 192.168.1.1
10-28-2014 06:38 AM
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.3.254
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Is your helper address supposed to be 192.168.30.254? I don't see a route for 192.168.3.x on the router, so it's going to try to send that traffic out of the wan interface which will fail. And like Rick said, you don't have anything configured for vlans on the router unless you didn't post that config. You'll have to have subinterfaces encapsulated for the appropriate vlan:
int g0/1.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
int g0/1.20
encapsulation dot1q 20
etc...
You can't route between vlans without something doing the routing for you. The switch can have the vlans on them, but you'd only be able to talk between hosts in the same vlan. To route between, you'll need to configure the above on your router.
HTH,
John
10-28-2014 03:13 PM
And along with that you have to consider the points below as well:
1. The trunk on the switch port which is hooked to the router must allow all the VLANs, i.e. 10, 20, 30.
2. Enable the ip helper-address command on each subinterface.
3. You should add the remaining subnets to the local access-list, i.e.
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.30.0 0.0.0.255 any
4. And I forgot to mention: you have to enable the ip nat inside command on each subinterface.
10-18-2017 02:39 PM
Very helpful, ip nat inside worked for me, on fa0/1.2
10-28-2014 06:14 AM
Other than some route statements I do not see anything in the router config that relates to vlans 10, 20, and 30. And the only address translation configured is for 192.168.1.0. Both of these things impact the ability of the other vlans to get to the Internet.
HTH
Rick
10-28-2014 06:30 AM
What does your topology look like?
10-28-2014 07:15 AM
Thank you guys. The switch is in L3 mode and VLAN1, 10, 20 and 30 are members of the same trunk, so I'm able to ping between VLAN1, 10, 20, 30 and also able to ping the default router IP, which is 192.168.1.1.
What we require is something like this: the router will act as the DHCP server for all the VLANs, and when any device connected to any of the VLANs needs internet, the router will do the routing; communication between VLANs will happen at the switch level.
Is this possible?
10-28-2014 07:20 AM
If the switch is operating as a layer 3 switch and doing the intervlan routing then this explains a lot about the issue. And the biggest problem is that you have not configured any address translation for the other networks. You need to add those other networks to your address translation if they are to get out to the Internet.
I also believe that there are issues with some of the static routes that you configured.
ip route 192.168.1.0 255.255.255.0 192.168.10.254
ip route 192.168.1.0 255.255.255.0 192.168.20.254
ip route 192.168.1.0 255.255.255.0 192.168.30.254
What are these routes trying to do? Why would you try to route your locally connected subnet to the remote networks?
ip route 192.168.10.0 255.255.255.0 192.168.20.254
ip route 192.168.10.0 255.255.255.0 192.168.30.254
And why would you try to route the remote networks to the other remote networks? That routing is being done on the layer 3 switch.
HTH
Rick
10-28-2014 07:48 AM
Hi Rick ... Thank you...
VLAN 1 interface is 192.168.1.254
VLAN10 = 192.168.10.254
VLAN20 = 192.168.20.254
VLAN30 = 192.168.20.254
ip route 192.168.1.0 255.255.255.0 192.168.10.254
ip route 192.168.1.0 255.255.255.0 192.168.20.254
ip route 192.168.1.0 255.255.255.0 192.168.30.254
ip route 192.168.10.0 255.255.255.0 192.168.1.254
ip route 192.168.20.0 255.255.255.0 192.168.1.254
ip route 192.168.30.0 255.255.255.0 192.168.1.254
If I don't enable this on the router, I'm unable to ping the router LAN IP 192.168.1.1 from VLANs 10, 20 and 30, so I added the above routes to the router running-config.
Now I'm able to get DHCP from the router but not internet. Can you please help me again?
10-28-2014 10:35 AM
I can see the purpose for these 3 static routes
ip route 192.168.10.0 255.255.255.0 192.168.1.254
ip route 192.168.20.0 255.255.255.0 192.168.1.254
ip route 192.168.30.0 255.255.255.0 192.168.1.254
but the other static routes do not make sense to me. If you believe that they are valid then please explain what purpose they serve in the configuration.
I have already pointed out twice that you have not configured any address translation for the addresses in vlan 10, 20, and 30. Without address translation these users can not access the Internet. So now for the third time I am telling you that your problem is the lack of address translation for those vlans.
HTH
Rick
10-29-2014 12:09 AM
Thank you Rick for all the help. Now I get DHCP from the router and get internet on all the VLANs. :-)
One more doubt though:
How can I make the router give out the DHCP scope 192.168.1.0 to all the VLANs, irrespective of the VLAN interface IP?
Thank you again for your help.
10-29-2014 03:52 AM
Generally speaking, you can't. The whole point of VLANs is to segregate traffic. Each VLAN has its own subnet. When the router receives a packet for routing, it looks at the destination IP. It figures out which subnet that IP belongs to and sends the packet to the next hop for that subnet. So if the router receives a packet for 192.168.10.15, for example, it sees that the packet is being sent to an ip in subnet 192.168.10.0/24, checks the routing table and sees that the next hop for that subnet is 192.168.10.1 and forwards the packet to that IP for processing. If the IP is destined for 192.168.1.15 and you had that subnet spread throughout the VLANs, how would the router know which SVI to send the packet to? Furthermore, if the router somehow forwarded the packet to the SVI, it would look at it, say "This isn't in my subnet, so I can't deal with it. I'll just send it back to the router."
If you want everyone in a common subnet, then just put everyone in the same VLAN and simplify your configuration. If for some reason you need to restrict yourself to the 192.168.1 range and want to segregate traffic, you can subnet the class C range, say into four /26 subnets. If there's some real need to segregate traffic and maintain a single common subnet, you can look into private VLANs but that's a bit more complex topic.