01-27-2015 10:46 AM - edited 03-07-2019 10:24 PM
Hi. As a learner I have been stuck with this issue for some time now and I know it is going to be basic stuff.
I have posted my working config for a Cisco connected directly to BT Infinity for reference
All connectivity on 10.80.2.0 network is fine going out to the BT network
My 2 questions are: should the Gateway of last resort be as such
217.32.145.4 to network 0.0.0.0
which is an IP address in the BT network. Is that correct?
And also any connected clients on 172.16.0.0 have no internet access. Also I can not ping or access anything on 172.16.1.0 from 10.80.2.0 network or vice versa
Thanks in advance - A networking learner.
Ali
wowsville-cisco#sh ip route
Gateway of last resort is 217.32.145.4 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected
is directly connected, Dialer1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.80.2.0/24 is directly connected, Vlan101
L 10.80.2.252/32 is directly connected, Vlan101
86.0.0.0/32 is subnetted, 1 subnets
C 86.***.***.* is directly connected, Dialer1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Vlan102
L 172.16.1.1/32 is directly connected, Vlan102
217.32.145.0/32 is subnetted, 1 subnets
C 217.32.145.4 is directly connected, Dialer1
ip dhcp pool 0
import all
network 10.80.2.0 255.255.255.0
default-router 10.80.2.252
dns-server 194.72.0.98 62.6.40.178
!
!
!
ip domain name
ip name-server 194.72.0.98
ip name-server 62.6.40.178
ip name-server 10.80.2.252
ip cef
no ipv6 cef
controller VDSL 0
no cdp run
interface Ethernet0
no ip address
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL 0)
encapsulation dot1Q 101
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
no cdp enable
!
interface FastEthernet2
switchport access vlan 102
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 101
no ip address
no cdp enable
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan101
ip address 10.80.2.252 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Vlan102
ip address 172.16.1.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
!
interface Dialer1
description **BT INFINITY**
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap ms-chap callin
ppp chap hostname bthomehub@btbroadband.com
ppp chap password 0 password
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
dialer-list 1 protocol ip permit
!
access-list 1 permit any
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 deny icmp any any
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 permit tcp any any eq SSH
access-list 101 permit tcp any eq SSH any eq SSH
access-list 101 permit tcp any any eq SSLVPN
access-list 101 permit tcp any eq SSLVPN any eq SSLVPN
access-list 101 permit tcp any eq 1723 any eq 1723
access-list 101 permit udp any eq 1723 any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any eq 10000 any eq 10000
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit udp any eq non500-isakmp any eq non500-isakmp
access-list 102 permit ip any any
01-27-2015 12:04 PM
Hi,
which is an IP address in the BT network is that correct?
That is correct. You have default route pointing to your provider (BT) for all Internet access.
And also any connected clients on 172.16.0.0 have no internet access. Also I can not ping or access anything on 172.16.1.0 from 10.80.2.0 network or vice versa
172.16.0.0 is a private address range and so if you want this subnet to access the Internet you need a NAT statement.
in this to
ip nat inside source list 1 interface Dialer1 overload
add an access-list to allow 172.16.1.0 255.255.255.0 subnet
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
the same for the 10.80.2.0/24 subnet
access-list 100 permit ip 10.80.2.0 0.0.0.255 any
and then test again.
Also not sure what access-list 101 is doing, as there is no deny statement in the access-list
HTH
01-27-2015 12:52 PM
Thanks for the response,
Config already had
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
added the following but still seeing the same issues
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 10.80.2.0 0.0.0.255 any
01-27-2015 01:05 PM
ok, so are the end hosts in subnet 172.16.1.0/24 and 10.80.2.0/24 connected to this router or to a switch? if to a switch what is the config on the switch?
Also just for test, can you remove "ip access-group 102 in" from vlan 102 and test again?
HTH
01-27-2015 01:21 PM
So all the Devices on 10.80.2.0/24 are connected via the switch (config attached)
172.16.10/24 is connected directly to
interface FastEthernet2
switchport access vlan 102
no ip address
no cdp enable
Interface vlan102 now only has access-group 100 in but still the same results
interface Vlan102
ip address 172.16.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
Switch config (or rather unconfigured)
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.80.2.253 255.255.255.0
no ip route-cache
!
no ip http server
no ip http secure-server
01-27-2015 01:29 PM
On your layer-2 switch you need a default-gateway
config t
ip default-gateway 10.80.2.252
also on the router your vlan is 101 and on the switch it is 1. This shouldn't make
a difference if the port connecting the switch to the router is an access port.
So what port connects the switch to the router?
01-27-2015 01:42 PM
Gateway added to switch
FastEthernet0/1 access port from switch to
interface FastEthernet3
switchport access vlan 101
01-27-2015 06:08 PM
Try this configuration -
1) Firstly I'm pretty sure Reza didn't mean add acl 100 to the vlan 102 interface.
That acl was for NAT so can you remove it from the interface.
2) you have two vlans but you haven't allocated them on the switch. As Reza says it's not the most important thing but we'll do it anyway. So on your switch -
sw(config)# vlan 101
sw(config-vlan)# name <name> <-- name being whatever you like
sw(config-vlan)# exit
sw(config)# vlan 102
sw(config-vlan)# name <name>
sw(config-vlan)# exit
sw(config)# int <x> <-- whichever port on switch connects to fa2 on router
sw(config-if)# switchport mode access
sw(config-if)# switchport access vlan 102
sw(config-if)# spanning-tree portfast
sw(config-if)# exit
sw(config)# int fa0/3
sw(config-if)# switchport mode access
sw(config-if)# switchport access vlan 101
sw(config-if)# spanning-tree portfast
sw(config-if)# exit
3) On your router -
You need to create a DHCP pool for your 172.16.1.0/24 subnet unless you are statically configuring the clients in which case don't forget the default gateway and DNS servers.
Then you need to modify your configuration so -
no ip nat inside source list 1 interface dialer1 overload
access-list 103 permit ip 10.80.2.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 103 interface Dialer1 overload
The above should get you working to and from the internet.
If you still cannot communicate between the internal subnets then we may need to modify the acl to not do NAT for that traffic.
It depends, I have seen it work both ways.
Jon
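An added example, not part of Jon's post or the thread: a Python check that every `ip nat inside` interface subnet is fully matched by the ACL named in `ip nat inside source list`, using IOS wildcard-mask semantics, since a mistyped network in that ACL leaves a subnet untranslated without any error. The config text is a constructed sample based on the thread and the function names are hypothetical; deny entries and ACL ordering are not modelled.

```python
import ipaddress
import re

# Constructed sample: inside VLANs from the thread plus the NAT rule from the answer.
SAMPLE_CONFIG = """\
interface Vlan101
 ip address 10.80.2.252 255.255.255.0
 ip nat inside
interface Vlan102
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
access-list 103 permit ip 10.80.2.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 103 interface Dialer1 overload
"""

def inside_subnets(config):
    """Map each 'ip nat inside' interface to its connected subnet."""
    found, name, net = {}, None, None
    for text in map(str.strip, config.splitlines()):
        if text.startswith("interface "):
            name, net = text.split()[1], None
        elif m := re.match(r"ip address (\S+) (\d\S+)$", text):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif text == "ip nat inside" and net:
            found[name] = net
    return found

def acl_sources(config, acl):
    """(network, wildcard) pairs from 'permit' lines of a numbered ACL; deny lines are ignored."""
    pairs = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl, "permit"]:
            continue
        src = tok[4:] if tok[3] == "ip" else tok[3:]  # extended vs standard form
        if src[0] == "any":
            pairs.append((0, 0xFFFFFFFF))
        elif src[0][0].isdigit() and len(src) > 1:  # host/tcp/udp forms are skipped
            pairs.append(tuple(int(ipaddress.IPv4Address(x)) for x in src[:2]))
    return pairs

def uncovered_inside_subnets(config):
    """Inside interfaces whose whole subnet no NAT source-list entry matches."""
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    pairs = acl_sources(config, m[1]) if m else []
    return {name: str(net) for name, net in inside_subnets(config).items()
            if not any((int(net.hostmask) & ~wild) == 0
                       and ((int(net.network_address) ^ a) & ~wild) == 0
                       for a, wild in pairs)}
```

An empty result means every inside subnet is translated; any interface listed has at least some hosts that will leave Dialer1 with their private source address.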
01-29-2015 02:14 AM
Thank you Jon and Reza. This has got me far enough to be able to carry on reading/learning. Just needed that little bit of expert help to get on track.