Vlan Routing

ali.cubitt1 (Level 1)

Hi. As a learner I have been stuck with this issue for some time now and I know it is going to be basic stuff.

I have posted my working config for a Cisco connected directly to BT Infinity for reference.

All connectivity on the 10.80.2.0 network is fine going out to the BT network.

My 2 questions are: should the gateway of last resort be as follows?

217.32.145.4 to network 0.0.0.0

That is an IP address in the BT network; is that correct?

And also, any connected clients on 172.16.0.0 have no internet access. Also, I cannot ping or access anything on 172.16.1.0 from the 10.80.2.0 network or vice versa.

Thanks in advance - a networking learner.
 
Ali

wowsville-cisco#sh ip route

Gateway of last resort is 217.32.145.4 to network 0.0.0.0
 
S* 0.0.0.0/0 is directly connected, Dialer1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.80.2.0/24 is directly connected, Vlan101
L 10.80.2.252/32 is directly connected, Vlan101
86.0.0.0/32 is subnetted, 1 subnets
C 86.***.***.* is directly connected, Dialer1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Vlan102
L 172.16.1.1/32 is directly connected, Vlan102
217.32.145.0/32 is subnetted, 1 subnets
C 217.32.145.4 is directly connected, Dialer1
 
 
ip dhcp pool 0
import all
network 10.80.2.0 255.255.255.0
default-router 10.80.2.252
dns-server 194.72.0.98 62.6.40.178

!
!
!
ip domain name 
ip name-server 194.72.0.98
ip name-server 62.6.40.178
ip name-server 10.80.2.252
ip cef
no ipv6 cef


controller VDSL 0
no cdp run

interface Ethernet0
no ip address
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL 0)
encapsulation dot1Q 101
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
no cdp enable
!
interface FastEthernet2
switchport access vlan 102
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 101
no ip address
no cdp enable
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan101
ip address 10.80.2.252 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Vlan102
ip address 172.16.1.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Dialer1
description **BT INFINITY**
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap ms-chap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 0 password
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
dialer-list 1 protocol ip permit
!
access-list 1 permit any
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 permit tcp any any eq SSH 
access-list 101 permit tcp any eq SSH any eq SSH
access-list 101 permit tcp any any eq SSLVPN
access-list 101 permit tcp any eq SSLVPN any eq SSLVPN
access-list 101 permit tcp any eq 1723 any eq 1723
access-list 101 permit udp any eq 1723 any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any eq 10000 any eq 10000
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit udp any eq non500-isakmp any eq non500-isakmp
access-list 102 permit ip any any


10 Replies

Reza Sharifi (Hall of Fame)

Hi,

which is an IP address in the BT network is that correct?

That is correct. You have a default route pointing to your provider (BT) for all Internet access.

And also any connected clients on 172.16.0.0 have no internet access. Also I can not ping or access anything on 172.16.1.0 from 10.80.2.0 network or vice versa

172.16.0.0 is a private address range, so if you want this subnet to access the Internet you need a NAT statement.

To this:

ip nat inside source list 1 interface Dialer1 overload

add an access-list to allow the 172.16.1.0 255.255.255.0 subnet

access-list 100 permit ip 172.16.1.0 0.0.0.255 any

and the same for the 10.80.2.0/24 subnet

access-list 100 permit ip 10.80.2.0 0.0.0.255 any

and then test again.

Also, not sure what access-list 101 is doing, as there is no deny statement in the access-list.

HTH

Thanks for the response.

Config already had

ip nat inside source list 1 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

Added the following but still seeing the same issues:

access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 10.80.2.0 0.0.0.255 any

 

OK, so are the end hosts in subnets 172.16.1.0/24 and 10.80.2.0/24 connected to this router or to a switch? If to a switch, what is the config on the switch?

Also, just for a test, can you remove "ip access-group 102 in" from Vlan 102 and test again?

HTH

So all the devices on 10.80.2.0/24 are connected via the switch (config attached).

172.16.10/24 is connected directly to 

interface FastEthernet2
 switchport access vlan 102
 no ip address
 no cdp enable

Interface Vlan102 now only has access-group 100 in but still the same results.

interface Vlan102
 ip address 172.16.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip route-cache policy


Switch config (or rather, unconfigured):

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 10.80.2.253 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server

On your layer-2 switch you need a default-gateway:

config t

ip default-gateway 10.80.2.252

Also, on the router your VLAN is 101 and on the switch it is 1. This shouldn't make a difference if the port connecting the switch to the router is an access port.

So what port connects the switch to the router?

Gateway added to switch.

FastEthernet0/1 access port from switch to

interface FastEthernet3
 switchport access vlan 101

Try this configuration -

1) Firstly, I'm pretty sure Reza didn't mean add ACL 100 to the Vlan 102 interface.

That ACL was for NAT, so can you remove it from the interface.

2) You have two VLANs but you haven't allocated them on the switch. As Reza says it's not the most important thing but we'll do it anyway. So on your switch -

sw(config)# vlan 101
sw(config-vlan)# name <name>   <-- name being whatever you like
sw(config-vlan)# exit

sw(config)# vlan 102
sw(config-vlan)# name <name>
sw(config-vlan)# exit

sw(config)# int <x>  <-- whichever port on switch connects to fa2 on router
sw(config-if)# switchport mode access
sw(config-if)# switchport access vlan 102
sw(config-if)# spanning-tree portfast
sw(config-if)# exit

sw(config)# int fa0/3
sw(config-if)# switchport mode access
sw(config-if)# switchport access vlan 101
sw(config-if)# spanning-tree portfast
sw(config-if)# exit

3) On your router -

You need to create a DHCP pool for your 172.16.1.0/24 subnet unless you are statically configuring the clients, in which case don't forget the default gateway and DNS servers.

Then you need to modify your configuration so -

no ip nat inside source list 1 interface dialer1 overload

access-list 103 permit ip 10.80.2.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any

ip nat inside source list 103 interface Dialer1 overload

The above should get you working to and from the internet.

If you still cannot communicate between the internal subnets then we may need to modify the ACL to not do NAT for that traffic.

It depends, I have seen it work both ways.

Jon
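As an added example (not code from this thread or from the posters), a small Python check for the failure mode Jon's NAT step is about: every subnet sitting on an "ip nat inside" interface should be matched by the NAT source ACL, and a one-digit wildcard-mask typo silently leaves a subnet untranslated. The config text is a constructed sample modelled on the router config above, with 10.82.2.0 written deliberately where 10.80.2.0 belongs so the check has something to catch.

```python
import ipaddress

# Constructed sample modelled on the thread's router config (not the poster's full
# config): the two inside SVIs plus a NAT source ACL with a deliberate one-digit typo.
SAMPLE_CONFIG = """\
interface Vlan101
 ip address 10.80.2.252 255.255.255.0
 ip nat inside
interface Vlan102
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
access-list 103 permit ip 10.82.2.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 103 interface Dialer1 overload
"""


def acl_source(tokens):
    """Source of an IOS ACL entry ('any', 'host A' or 'A WILDCARD') as a network.
    A wildcard bit of 1 means 'don't care', so the netmask is the wildcard's inverse."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[0], str(netmask)), strict=False)


def uncovered_inside_subnets(config):
    """Return the 'ip nat inside' subnets the NAT source ACL does not fully permit."""
    interfaces, acl_entries, nat_acl, current = [], {}, None, None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "interface":
            current = {"subnet": None, "inside": False}
            interfaces.append(current)
        elif t[:2] == ["ip", "address"] and len(t) == 4 and current:
            current["subnet"] = ipaddress.IPv4Network((t[2], t[3]), strict=False)
        elif t == ["ip", "nat", "inside"] and current:
            current["inside"] = True
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = t[5]  # the ACL that decides which sources get translated
        elif t[0] == "access-list" and t[2] == "permit":
            # extended ACLs carry a protocol keyword before the source, standard ones do not
            src = t[4:] if t[3] in {"ip", "tcp", "udp", "icmp", "gre"} else t[3:]
            acl_entries.setdefault(t[1], []).append(acl_source(src))
    permitted = acl_entries.get(nat_acl, [])
    return [str(i["subnet"]) for i in interfaces if i["inside"] and i["subnet"] is not None
            and not any(i["subnet"].subnet_of(p) for p in permitted)]
```

Run against the sample it reports 10.80.2.0/24 as untranslated; with the typo corrected the list is empty.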

Thank you Jon and Reza. This has got me far enough to be able to carry on reading/learning. Just needed that little bit of expert help to get on track.
