02-26-2016 01:57 PM - edited 03-08-2019 04:44 AM
Hello everyone,
I have recently updated the core switch in my network to stacked c3750g and c3750p and have them running as expected on a flat 192.168.5.0/24 range, but I have finally come to terms with the fact that I have just outgrown a flat /24 range. Now, for several reasons, I have been wanting to segment my LAN into VLANs to cut down on all the broadcast traffic and add another layer of security.
This diagram outlines the key parts of my current setup:
Right now, all inter-VLAN communication is happening as expected; devices are able to access across all VLANs without issue. DHCP addresses for all VLANs are being dished out and configured correctly, and DNS is working fine.
The issue is that any devices that are not on VLAN 1 (192.168.5.0/24) are not able to access the internet.
Here is my info/config for the c3750 stack:
___________________________________
sw01-c3750>en
Password:
sw01-c3750#sho vers
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE10.bin"
cisco WS-C3750G-48TS (PowerPC405) processor (revision F0) with 131072K bytes of memory.
7 Virtual Ethernet interfaces
48 FastEthernet interfaces
56 Gigabit Ethernet interfaces
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750G-48TS 12.2(55)SE10 C3750-IPSERVICESK9-M
2 52 WS-C3750-48P 12.2(55)SE10 C3750-IPSERVICESK9-M
Switch 02
---------
Switch Uptime : 6 hours, 1 minute
Configuration register is 0xF
__________________________________________________
sw01-c3750#sh ru
Building configuration...
Current configuration : 10461 bytes
!
! Last configuration change at 19:53:45 UTC Fri Feb 26 2016 by cisco
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw01-c3750
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********
enable password ********
!
username ******** password 0 ********
!
!
aaa new-model
!
!
aaa session-id common
switch 1 provision ws-c3750g-48ts
switch 2 provision ws-c3750-48p
system mtu routing 1500
ip routing
ip domain-name gmhq.********.com
ip name-server 192.168.5.10
ip name-server 192.168.5.1
ip dhcp excluded-address 192.168.5.1 192.168.5.199
ip dhcp excluded-address 10.0.10.1 10.0.10.25
!
ip dhcp pool DATA_LAN
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
option 66 ip 192.168.5.125
option 67 ascii smsboot\x64\wdsnbp.com
option 128 ip 192.168.5.111
option 150 ip 192.168.5.111
dns-server 192.168.5.10 192.168.5.1
domain-name gmhq.********.com
option 60 ascii "PXEClient"
!
ip dhcp pool MGMT
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 192.168.5.10 192.168.5.1
domain-name gmhq.********.com
!
ip dhcp pool Server
network 10.0.15.0 255.255.255.0
default-router 10.0.15.1
dns-server 192.168.5.10 192.168.5.1
domain-name gmhq.********.com
option 66 ip 192.168.5.125
option 67 ascii smsboot\x64\wdsnbp.com
option 128 ip 192.168.5.111
option 150 ip 192.168.5.111
option 60 ascii "PXEClient"
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 2
!
interface GigabitEthernet1/0/10
switchport access vlan 10
!
interface GigabitEthernet1/0/14
switchport access vlan 15
!
interface GigabitEthernet1/0/15
switchport access vlan 15
!
interface GigabitEthernet1/0/16
switchport access vlan 15
!
!
interface Vlan1
ip address 192.168.5.2 255.255.255.0
ip helper-address 192.168.5.125
ip helper-address 192.168.5.1
!
interface Vlan5
ip address 10.0.5.2 255.255.255.0
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
!
interface Vlan15
ip address 10.0.15.1 255.255.255.0
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
!
interface Vlan25
ip address 10.0.25.1 255.255.255.0
!
interface Vlan30
ip address 10.0.30.1 255.255.255.0
!
ip default-gateway 192.168.5.1
ip classless
ip default-network 192.168.5.0
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip http server
ip http secure-server
!
!
!
snmp-server community ******** RO
snmp-server community ******** RW
!
!
line con 0
line vty 0 4
password ********
transport input ssh
line vty 5 15
password ********
!
ntp clock-period 36029066
ntp peer 192.168.5.111
end
Routing table, traceroute and ping from the c3750:
____________________________________________
sw01-c3750#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.1 to network 0.0.0.0
C* 192.168.5.0/24 is directly connected, Vlan1
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.10.0 is directly connected, Vlan10
C 10.0.15.0 is directly connected, Vlan15
S* 0.0.0.0/0 [1/0] via 192.168.5.1
sw01-c3750#sh ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.5.2 YES manual up up
Vlan5 10.0.5.2 YES manual up down
Vlan10 10.0.10.1 YES NVRAM up up
Vlan15 10.0.15.1 YES NVRAM up up
Vlan20 10.0.20.1 YES NVRAM up down
Vlan25 10.0.25.1 YES NVRAM up down
Vlan30 10.0.30.1 YES NVRAM up down
GigabitEthernet1/0/10 unassigned YES unset up up
GigabitEthernet1/0/14 unassigned YES unset up up
GigabitEthernet1/0/15 unassigned YES unset up up
GigabitEthernet1/0/16 unassigned YES unset up up
sw01-c3750#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.39, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/21/26 ms
sw01-c3750#traceroute google.com
Type escape sequence to abort.
Tracing the route to google.com (173.194.46.39)
1 192.168.5.1 8 msec 0 msec 9 msec
2 10.158.92.1 8 msec 9 msec 25 msec
3 dtr02wrlkmi-tge-0-0-1-0.wrlk.mi.charter.com (96.34.33.156) 8 msec 17 msec 9 msec
4 96-34-35-112.static.unas.mi.charter.com (96.34.35.112) 17 msec 8 msec 17 msec
5 bbr01sgnwmi-bue-2.sgnw.mi.charter.com (96.34.2.58) 17 msec 9 msec 16 msec
6 bbr01aldlmi-bue-5.aldl.mi.charter.com (96.34.0.54) 26 msec 25 msec 17 msec
7 bbr01chcgil-bue-4.chcg.il.charter.com (96.34.0.99) 25 msec 25 msec 25 msec
8 prr01chcgil-bue-2.chcg.il.charter.com (96.34.3.9) 25 msec 25 msec 25 msec
9 96-34-152-30.static.unas.mo.charter.com (96.34.152.30) 34 msec 25 msec 25 msec
10 74.125.37.199 25 msec 25 msec 25 msec
11 209.85.243.53 17 msec 25 msec 25 msec
12 google.com (173.194.46.39) 25 msec 17 msec 17 msec
And some troubleshooting from a client on VLAN 15 (the same issue exists for all devices on anything other than VLAN 1):
_____________________________________________
root@GMHQUR2:~# ping google.com
PING google.com (216.58.216.110) 56(84) bytes of data.
^C
--- google.com ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 19000ms
root@GMHQUR2:~# traceroute google.com
traceroute to google.com (173.194.46.39), 30 hops max, 60 byte packets
1 10.0.15.1 (10.0.15.1) 0.863 ms 1.034 ms 1.225 ms
2 192.168.5.1 (192.168.5.1) 0.355 ms 0.664 ms 0.826 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * *^C
root@GMHQUR2:~# ping 192.168.5.1
PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
64 bytes from 192.168.5.1: icmp_seq=1 ttl=63 time=0.406 ms
64 bytes from 192.168.5.1: icmp_seq=2 ttl=63 time=0.343 ms
^C
--- 192.168.5.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.343/0.374/0.406/0.036 ms
root@GMHQUR2:~# traceroute 192.168.5.1
traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 60 byte packets
1 10.0.15.1 (10.0.15.1) 0.767 ms 0.956 ms 1.113 ms
2 192.168.5.1 (192.168.5.1) 0.350 ms 0.714 ms 0.919 ms
So this is the last problem I need to fix before I can start migrating all my systems over to the new VLANs.
I have been researching this issue and so far have not found anything that's corrected it, so I figured this would be the place to ask!
Any and all help would be greatly appreciated, as it's been quite an educational journey for me to get this far!
02-27-2016 07:26 AM
It looks like the DD-WRT is not configured to NAT other subnets besides 192.168.5...
02-29-2016 06:42 AM
Thanks for pointing me in the right direction! It was indeed DD-WRT blocking any non-default subnets.
A little Google-fu and I found these commands to run on the DD-WRT box, and everything looks good to go!
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -j ACCEPT
thanks again!
Todd
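As an added example (not part of the thread and not DD-WRT's own code), here is a small Python model of how the iptables nat POSTROUTING chain is evaluated: first matching rule wins, matched on source network (-s) and outbound interface (-o). It uses the SVI subnets from the switch config above and compares a LAN-only MASQUERADE rule, the catch-all SNAT rule from the last post, and a scoped alternative that only translates the internal aggregates; the WAN interface name "vlan2" is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    target: str                      # "SNAT" or "MASQUERADE"
    out_iface: str = "vlan2"         # assumed DD-WRT WAN interface name
    source: Optional[str] = None     # None = no -s match, any source


def nat_target(rules: List[NatRule], src_ip: str, out_iface: str) -> Optional[str]:
    """Target of the first rule that matches, like the kernel; None = untranslated."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.out_iface != out_iface:
            continue
        if r.source is not None and ip not in ipaddress.ip_network(r.source):
            continue
        return r.target
    return None


def untranslated_subnets(rules: List[NatRule], subnets: List[str], out_iface: str = "vlan2") -> List[str]:
    """Subnets whose hosts would leave the WAN with an untranslated private source address."""
    leaks = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        probe = str(net.network_address + 1)        # sample host: the SVI address
        if nat_target(rules, probe, out_iface) is None:
            leaks.append(cidr)
    return leaks


# SVI subnets taken from the "sh ip int br" output on the c3750
VLAN_SUBNETS = ["192.168.5.0/24", "10.0.5.0/24", "10.0.10.0/24", "10.0.15.0/24",
                "10.0.20.0/24", "10.0.25.0/24", "10.0.30.0/24"]

# Constructed "before" state: the router only masquerades its own LAN subnet
BEFORE = [NatRule("MASQUERADE", source="192.168.5.0/24")]

# After `iptables -t nat -I POSTROUTING -o <wan> -j SNAT ...`: inserted at the top, no -s match
AFTER = [NatRule("SNAT")] + BEFORE

# Scoped alternative: translate only the known internal aggregates, nothing else
SCOPED = [NatRule("SNAT", source="10.0.0.0/16"), NatRule("MASQUERADE", source="192.168.5.0/24")]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER), ("scoped", SCOPED)):
        print(f"{name}: untranslated = {untranslated_subnets(rules, VLAN_SUBNETS)}")
```

Note that the catch-all SNAT translates any source the router forwards, so the scoped rule set is the tighter choice once the VLAN subnets are known.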