01-02-2019 10:04 AM - edited 03-08-2019 04:55 PM
Hi all,
I'm stumped with a routing issue that has arisen with a simple network change - I currently have inter-routing between VLANs, but can't reach the DSL router within my network or Internet addresses beyond when testing from a computer. I can ping from the Layer 3 switch console to the Internet.
Please see attached for a crude drawing: the network consists of two 3560 switches and a DSL router as well as two Wifi APs (not shown for clarity).
Prior to recent changes, there were no issues: both switches were configured as layer 2 devices and the only VLAN used was the default (Vlan 1) i.e, it was a simple setup with minimal configuration.
Sorry, I don't have full config dump with me to post.
The changes were to segregate the network via Vlans and to use one switch as a Layer 3 device. Upon issuing the command no switchport for Gi0/1 at the layer 3 switch, I was no longer able to ping the DSL router or anything beyond it from the test PC on Gi0/9. Gi0/9 is set for switchport mode access, switchport access vlan 100. Route of last resort is set to 192.168.254.254.
Thanks for looking.
Sean
01-02-2019 10:21 AM - edited 01-02-2019 10:26 AM
Hi @toneydial,
Could you show the configuration of the L3 switch?
Queries:
-Did you enter the ip routing command on the L3 switch?
-Configured the dynamic routing protocol on the L3 switch?
-Can you visualize the default route in the routing table of the L3 switch?
Regards
01-02-2019 12:03 PM
01-02-2019 11:53 AM
Sean
I am not sure about some of what you are describing and not sure whether we have a single problem with several symptoms or have several problems. So I suggest that we take one step at a time in trying to figure out what is going on. For me the first step would be figuring out the issue with the PC. You tell us that it is on an access port in vlan 100 and you tell us something about route of last resort. I am not clear whether this route of last resort was for the PC or for the switch. Can you clarify? Also can you post the output of ipconfig and of arp -a from the PC.
HTH
Rick
01-02-2019 12:35 PM - edited 01-02-2019 12:52 PM
The route of last resort is for the layer 3 switch.
The PC is on VLAN 100, using a default G.W. of 10.1.100.1, mask of /24 and an IP of 10.1.100.99
For the sake of simplicity - let's just focus on Vlan 100 as the rest of the Vlans haven't been implemented yet. Below is a simplified drawing of the layout.
The PC can ping the IP interface address of Gi0/1 of the layer 3 switch, which is 192.168.254.100, but it can't ping the DSL router (192.168.254.254) or beyond (8.8.8.8).
I'll post later this afternoon/evening the arp tables and config as I'm sure there's something simple I've overlooked.
Thanks.
01-02-2019 12:25 PM
In addition to the response above, my quick simulation tells me that the DSL does not 'know' how to get back to the vlan 10, 20, 100 and 200 subnets. I suspect that some kind of NAT on the L3 catalyst would resolve this problem, but doubt that its supported on that model. I would confirm the routing on the modem, and ensure that it 'knows' how to get back to the newly created subnets.
01-02-2019 12:47 PM - edited 01-02-2019 12:53 PM
You are correct that the DSL router wouldn't know what to do with the Vlan tags.
I had already set port Gi0/1 to no switchport per the guidelines of Cisco document 41860. https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html
From that guideline :
"The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router. Note: This step can be omitted if the switch reaches the default router through a VLAN. In its place, configure an IP address for that VLAN interface. "
Thanks for the input!
01-02-2019 01:14 PM
Thank you for the link; its a great refresher.
Remember to mark any posts that have been helpful.
01-02-2019 01:54 PM
Sean
Thanks for the additional information and the clarification that the route of last resort was for the Layer 3 switch. I am inclined to agree with Alan that the issue may be the modem not knowing about vlan 100 and its subnet. A good way to test this would be on the layer 3 switch
1) ping the address of the modem. I expect this should work. Note that for this ping the source address would be the layer 3 switch address on the routed port.
2) ping the address of the modem specifying that the source address is the address of the switch for vlan 100. I expect that this will not work and if so supports the explanation that the modem does not know about the subnet for vlan 100 (or the other new vlans).
HTH
Rick
01-02-2019 05:35 PM
Yes, the more I thought about it, the more I began to think @Alan Ng'ethe was on the right track. I'm uploading the Config file with (putty.txt) - some output omitted for brevity. I am also including the PC arp table and IP config, per your request.
The 192.168.254.0 network is a DHCP pool from the DSL router. I'll have to look to see if it can handle Vlan tagging; my guess is that it won't. My aim was to avoid using a router on a stick to break up broadcast domains, and I'm beginning to think I was over ambitious with the equipment at hand...
Thanks for your input!
01-02-2019 08:01 PM
Thank you for the additional information. I believe that it confirms that the real issue is that the DSL router does not know about the new vlans and their new subnets. The solution to this issue will depend on whether the DSL router can be configured to recognize them and process them. Perhaps this is a two part issue: 1) can the DSL router do it and 2) can you make the changes on the DSL router or do you need to request from someone who controls it to make the changes.
You had a worthy goal of changing your network from a single vlan = flat network to a multiple vlan, multiple broadcast domain network. But the equipment at hand makes that a challenge. Your 3650 switch is capable of doing the routing part but not capable of doing the address translation part that is needed. If the DSL router is capable of address translation for multiple subnets (and capable of routing to multiple subnets in your network) then it can work.
I would not worry about whether the DSL router supports vlan tagging. You do not need vlan tagging to the DSL router. What you are setting up with the L3 switch routing for your subnets and using the link to the router as a routed port will work fine. The DSL router only needs to see its inside interface as a routed interface with a single IP. And it needs some route statements so that it will route to your subnets over that link. And it needs to do address translation for your new subnets.
HTH
Rick
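The two-step ping test Rick describes above (source the ping from the routed-port address, then from the VLAN 100 SVI) and the fix he spells out in this post (routes plus address translation for the new subnets on the DSL router) can be walked through in a small model. The following is an added example written for this page, not code from the thread or from any of the posters; it models the thread's addresses with longest-prefix-match routing tables and a NAT overload on the modem. The modem's public address 203.0.113.10, the single "internet" node, and the assumption that the modem forwards an untranslated private source rather than dropping it are all constructed for the example.

```python
"""Return-path check for the thread's topology (PC -> 3560 L3 switch -> DSL router -> Internet).

Constructed model, not the poster's devices: each node has a routing table with
longest-prefix match, and the DSL router does NAT overload for the prefixes on
its inside list. It reproduces the thread's symptoms: a ping sourced from the
switch's routed-port address gets a reply from the modem, a ping sourced from the
VLAN 100 SVI does not, and the PC cannot reach 8.8.8.8, until the modem is given
a route and NAT for the new subnet.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addresses taken from the thread.
PC = "10.1.100.99"
SVI_VLAN100 = "10.1.100.1"
L3SW_ROUTED = "192.168.254.100"
DSL_LAN = "192.168.254.254"
INTERNET_HOST = "8.8.8.8"
# Assumption: the modem's public address (TEST-NET-3 documentation range).
DSL_WAN = "203.0.113.10"


@dataclass
class Node:
    name: str
    addrs: set                                        # addresses this node answers for
    routes: dict                                      # prefix -> name of the next-hop node
    nat_inside: list = field(default_factory=list)    # prefixes translated on the way out
    wan_addr: str = None                              # public address used for the translation
    nat_table: dict = field(default_factory=dict)     # wan_addr -> original inside source


def best_route(node, dst):
    """Longest-prefix match; None when no route (not even a default) matches."""
    best = None
    for prefix, nxt in node.routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best


def send(nodes, start, src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (delivered, path, source as seen by the receiver)."""
    here, path = start, [start]
    for _ in range(max_hops):
        node = nodes[here]
        # Reply to the modem's public address: map it back to the inside host (real PAT keys on ports).
        if dst == node.wan_addr and dst in node.nat_table:
            dst = node.nat_table[dst]
        if dst in node.addrs:
            return True, path, src
        route = best_route(node, dst)
        if route is None:
            return False, path, src            # dropped: no route to the destination
        nxt = route[1]
        # Leaving the modem toward the Internet: translate only sources on the inside list.
        if node.wan_addr and nxt == "internet" and any(
                ip_address(src) in ip_network(p) for p in node.nat_inside):
            node.nat_table[node.wan_addr] = src
            src = node.wan_addr
        here = nxt
        path.append(here)
    return False, path, src


def ping(nodes, start, src, dst):
    """True only when the echo request is delivered AND the echo reply makes it back."""
    ok, path, seen_src = send(nodes, start, src, dst)
    if not ok:
        return False
    reply_ok, _, _ = send(nodes, path[-1], dst, seen_src)
    return reply_ok


def build(modem_fixed):
    """Topology before and after adding a VLAN 100 route plus NAT on the DSL router."""
    dsl_routes = {"192.168.254.0/24": "l3sw", "0.0.0.0/0": "internet"}
    dsl_nat = ["192.168.254.0/24"]
    if modem_fixed:
        dsl_routes["10.1.100.0/24"] = "l3sw"   # static route on the modem via 192.168.254.100
        dsl_nat.append("10.1.100.0/24")        # and the new subnet on the modem's NAT inside list
    return {
        "pc": Node("pc", {PC}, {"0.0.0.0/0": "l3sw"}),
        "l3sw": Node("l3sw", {SVI_VLAN100, L3SW_ROUTED},
                     {"10.1.100.0/24": "pc", "192.168.254.0/24": "dsl", "0.0.0.0/0": "dsl"}),
        "dsl": Node("dsl", {DSL_LAN, DSL_WAN}, dsl_routes, dsl_nat, DSL_WAN),
        # The Internet never routes RFC 1918 space; it only knows the modem's public block.
        "internet": Node("internet", {INTERNET_HOST}, {"203.0.113.0/24": "dsl"}),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        net = build(fixed)
        print("modem fixed:", fixed)
        print("  switch -> modem, sourced from routed port :", ping(net, "l3sw", L3SW_ROUTED, DSL_LAN))
        print("  switch -> modem, sourced from VLAN 100 SVI:", ping(net, "l3sw", SVI_VLAN100, DSL_LAN))
        print("  PC -> 8.8.8.8                             :", ping(net, "pc", PC, INTERNET_HOST))
```

The point the model makes is that the forward path was never the problem: the switch's default route delivers every packet to the modem. What fails is the return path, because the modem's only match for a 10.1.100.0/24 destination is its default route toward the WAN, and the Internet does not route private space. On the real 3560 the second check is the IOS extended ping, `ping 192.168.254.254 source 10.1.100.1`, and a timeout there while the plain `ping 192.168.254.254` succeeds is the signature of a missing return route on the modem.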
01-02-2019 01:48 PM - edited 01-02-2019 01:48 PM
Hello Toneydial,
Greetings,
Actually it's an easy issue to fix, the idea is that your L3 switch itself can ping the INTERNET because it has a link with a known network to the DSL (the interface with the IP 192.168.254.100), while the other networks (of vlan 10, 20, 100, 200) are not known for the DSL itself!
You have 2 solutions,the first is to teach the DSL itself these networks through routing (simply by creating a default route on the DSL modem in the direction of the L3 SW) but I don't like such a solution!
The second one that I prefer and recommend is to create a default route ONLY on the L3 switch in the direction of the DSL, in addition to an overload NAT!
And in order to simplify that solution, I have created for you a topology like yours, and I will issue the configuration that you have to configure on the L3 switch as well as on the L2 switch, (please find the attached topology diagram).
Note: all interfaces in this configuration are according to my topology diagram, so you need to change just the interfaces according to your own, but the IP addresses are the same as yours!
----------------------------
On L3 SW:
#vlan 10
#int vlan 10
#ip add 10.1.10.1 255.255.255.252
#no shut
#exit
#vlan 20
#int vlan 20
#ip add 10.1.20.1 255.255.255.0
#no shut
#exit
#vlan 100
#int vlan 100
#ip add 10.1.100.1 255.255.255.0
#no shut
#exit
#vlan 200
#int vlan 200
#ip add 10.1.200.1 255.255.255.0
#no shut
#exit
#int f0/1 (to the DSL)
#no switchport
#ip add 192.168.254.100 255.255.255.0
#ip nat outside
#no shut
#exit
#int f0/2 (to the L2 Switch)
#switchport mode trunk
#ip nat inside
#no shut
#exit
#int f0/3 (to the test PC)
#switchport mode access
#switchport access vlan 100
#ip nat inside
#no shut
#exit
#ip routing
#ip route 0.0.0.0 0.0.0.0 192.168.254.254
#access-list 1 permit 10.1.20.0 0.0.0.255
#access-list 1 permit 10.1.100.0 0.0.0.255
#access-list 1 permit 10.1.200.0 0.0.0.255
(these are the networks allowed to access the INTERNET; I have considered that vlan 10 will not access it as it's for management, but if you want you can add one more access-list line with its network subnet and wildcard)
#ip nat inside source list 1 interface f0/1 overload
----------------------------
On L2 Sw:
#vlan 10
#int vlan 10
#ip add 10.1.10.2 255.255.255.252
#no shut
#exit
#vlan 20
#vlan 200
#int f0/1
#switchport mode trunk
#exit
#ip default-gateway 10.1.10.1
----------------------------
That's it, now all the network will work normally!
Please try it, and let me know if you will need any more assistance!
It's a pleasure to help,
Also, please don't forget to rate my reply as helpful if it helps you to solve the problem, and mark it as a solution! It will be so nice of you!
Thanks in advance,
Bst Rgds,
Andrew Khalil
01-02-2019 02:04 PM
Andrew
This is a nice response. I could quibble about a few minor things such as not including ip nat inside on the vlan interfaces while including it on the switchport access port and trunk ports. But the big issue with it is the suggestion to perform address translation on the switch. In the original post Sean tells us that the switches are 3560. The last time I checked the 3560 did not support address translation.
HTH
Rick
01-02-2019 02:16 PM
Hello Richard,
Greetings,
Yeah you are right, 3560 doesn't support the NAT function, I just didn't concentrate that @toneydial had mentioned such a model!
But at any case, I have offered 2 solutions, whether to configure a default route on the modem in the direction of the L3 switch, or to use the NAT!
Now the NAT one isn't valid anymore! You have a good memory and concentration @Richard Burts! That's why I am still a big FAN! ))
Note: The 3560 has NAT commands but they're useless! I mean when you use them they're accepted but aren't functioning!
Please don't forget the helpful replies!
Bst Rgds,
Andrew Khalil
01-02-2019 02:34 PM
Andrew
Glad that you are still a fan. Unfortunately there are flaws in both of your suggestions. From the DSL router the Internet is outbound from toneydial's network. If the DSL router default route pointed to his layer 3 switch then it would kill access to the Internet.
We do not know much about that DSL router and whether toneydial has access to it. If he is able to make configuration changes on it (or is able to request changes from whoever controls the DSL router) there is a possible solution in configuring routes on the DSL router for the new vlan subnets and in configuring address translation for those subnets. The other potential solution that occurs to me is for toneydial to put a router into his network connecting the switch and the DSL router. This could handle routing for the new subnets and do the address translation.
toneydial has not told us much about the original network other than that it was all in one vlan. I am guessing that the vlan was using 192.168.254 as its network. Which would explain why the DSL router is not aware of the new vlan subnets.
HTH
Rick