Routed port (DHCP) to Wan issue

ripwinder
Level 1

Hi All,

I am trying to configure a 3650 to provide DHCP on a routed port and, once it's pushed out an IP address, allow users on to the internet. The issue is that I get an IP address when connecting to fa0/2 but cannot get out on to the internet, nor can I ping the default gateway connected to the switch. Here is my config:

Building configuration...

Current configuration : 4786 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
udld aggressive

ip subnet-zero
ip routing
!
ip dhcp pool cisco
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   domain-name test.com
   dns-server 10.10.1.10
   netbios-name-server 10.10.1.15
   lease 7
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
no switchport
ip address 10.10.1.1 255.255.255.0
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.2.10 255.255.255.0
!
ip default-gateway 192.168.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.10.1.0 255.255.255.0 192.168.2.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password r!pw1r3
login
length 0
line vty 5 15
password *******
login
!
end

Any help that can be offered would be really appreciated. Just to note I am very new to Cisco.

Many Thanks

Rip Winder.

2 Accepted Solutions


You can just connect your 3560 with the 851 and configure "switchport protected" on all host ports. Do not put it on the uplink port to the 851. All ports should be in VLAN 1 by default; you don't need to put in any other command, unless you made some changes on the 3560.

HTH,

Lei Tian


28 Replies

Lei Tian
Cisco Employee

Hi,

Can you ping 192.168.2.10? Can you check the routing table on the next hop and make sure it has the route for 10.10.10.0/24 pointing to 192.168.2.10?

HTH,

Lei Tian

Hi, Thank you very much for your reply.

I can ping 192.168.2.10 when connected to the routed port fa0/2.

I tried to create an ip route but got the following error:

Switch(config)#ip route 10.10.1.0 255.255.255.0 192.168.2.10
%Invalid next hop address (it's this router)

Thank,

Rip.

Hi,

Thanks for the information.

What I want you to check is on 192.168.2.1: make sure it has the route to 10.10.10.0/24, not on this switch.

HTH,

Lei Tian

Hi,

192.168.2.1 is the gateway in my study that is connected to the Cisco 3560; it's just a Belkin router, so I'm not sure I can do any config on it. Perhaps I am misunderstanding your instruction?

The actual setup I need once I put the switch in a live environment is to have a WAN connection on one port from a Tier 1 ISP in a datacentre and then DHCP running on another port that goes out to our users. I'm wondering if I need to make fa0/1 a router port and configure a DHCP client, or just a static IP address, and then configure fa0/2 as a router port and configure a DHCP server on this. Would the 3560 just automatically route the traffic from fa0/2 to fa0/1, or would I need to make a static route, or something else?

Thanks

Rip.

Hi,

Your 3560 has the route to the gateway, but if you don't tell the gateway, the gateway doesn't know how to route back to the 10.10.10.0/24 subnet. I believe your gateway is doing NAT; you might also want to check the gateway to make sure it does NAT for the 10.10.10.0/24 subnet as well.

HTH,

Lei Tian

I think the problem with the Belkin gateway is just adding to the issue, so I intend to start again and attach the WAN connection (cable) directly to the 3560. If I start again from scratch, what should be the steps to take if I want to have fa0/1 connected to the WAN and fa0/2 providing DHCP?

The idea I have had is:

Enable fa0/1 & 2 in a router role. Configure a DHCP client on fa0/1 and enable a DHCP server on fa0/2. However, I am not sure how to have traffic on fa0/2 routed out over fa0/1.

Any config examples would be much appreciated.

Rip.

Hi,

You need a router to NAT the primary IP. The 3560 doesn't have this function.

HTH,

Lei Tian

Please forgive me, but could you explain in more detail? I'm struggling to understand the NAT function and how it relates.

If the ISP assigns public IP 1.1.1.1 to the Cisco 3560 on fa0/1, as it is acting as a DHCP client, then it connects to the internet with no problems.

If I am then running a DHCP server on fa0/2 and make a static route to fa0/1, where does the plan fall over? This should help me grasp the problem :) I know it does not work but do not understand why.

Thanks,

Rip.

You are using the 3560 as a DHCP server and assigning IPs in the 10.10.1.0/24 range to your hosts. This private IP range is not routable on the internet; it only belongs to your local network. When traffic leaves your local network, you need to translate this private IP to a public IP, or to the IP that the provider assigned to you. That makes the packet's source IP a routable IP on the internet.

HTH,

Lei Tian
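The two failure modes Lei describes above (the gateway needs a return route for the pool, and something must NAT the private pool before it reaches the ISP), as an added Python model that is not part of the original thread. The route tables are built from the posted config; the host address 10.10.1.50, the Belkin's NAT scope and the "isp" next hop are constructed assumptions.

```python
import ipaddress

# Constructed model of the lab in the thread: the 3560 has fa0/2 routed in
# 10.10.1.0/24 and Vlan1 at 192.168.2.10, behind a Belkin gateway 192.168.2.1
# that (assumed) NATs only its own LAN to a public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    return any(ipaddress.ip_address(addr) in n for n in RFC1918)


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)], as 'show ip route' would do."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


# Routes taken from the posted 3560 config (connected + default via the Belkin).
SWITCH = [("10.10.1.0/24", "fa0/2"), ("192.168.2.0/24", "vlan1"), ("0.0.0.0/0", "192.168.2.1")]
# Belkin as found (no knowledge of the pool) and after a return route is added.
GW_NO_RETURN = [("192.168.2.0/24", "lan"), ("0.0.0.0/0", "isp")]
GW_WITH_RETURN = GW_NO_RETURN + [("10.10.1.0/24", "192.168.2.10")]


def trace(gateway, nat_subnets, src, dst="8.8.8.8"):
    """Follow host -> 3560 -> gateway -> ISP and the reply back; return the outcome."""
    if lookup(SWITCH, dst) != "192.168.2.1":
        return "3560 has no route toward the internet"
    translated = any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in nat_subnets)
    if is_private(src) and not translated:
        # RFC1918 sources are not routable upstream, so the packet never gets a reply.
        return "dropped upstream: private source %s left the gateway untranslated" % src
    # The ISP replies to the public address; the gateway un-NATs and must route to src.
    back = lookup(gateway, src)
    if back != "192.168.2.10":
        return "reply lost: gateway routes %s via %s, not the 3560" % (src, back)
    if lookup(SWITCH, src) != "fa0/2":
        return "3560 cannot deliver the reply"
    return "delivered"


if __name__ == "__main__":
    print(trace(GW_NO_RETURN, ["192.168.2.0/24"], "10.10.1.50"))
    print(trace(GW_NO_RETURN, ["192.168.2.0/24", "10.10.1.0/24"], "10.10.1.50"))
    print(trace(GW_WITH_RETURN, ["192.168.2.0/24", "10.10.1.0/24"], "10.10.1.50"))
```

The first call fails on NAT, the second on the missing return route, and only the third (both fixed on the gateway) delivers, which is why a static route on the 3560 alone cannot help.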

I think I am now starting to grasp it finally. So as the 3560 is not able to do NAT, it cannot translate the 10.10.2.0 addresses to the outside world like a standard home Netgear would do, for instance.

When I deploy the kit into the datacentre we will be connected to Tier 1 transit directly into the Gig port. We are RIPE registered so have our own public IP ranges. If the DHCP pool we provide is all public IPs, will this work on the 3560?


Thanks,

Rip.

Yes. If you are assigning public IPs to your hosts, you can use the 3560.

HTH,

Lei Tian

Thank you so much for your help! I really appreciate your patience with me. I have some Cisco 800 routers I can play around with to practice before we deploy the 3560.

If you can bear to help me any more, another issue I think we might face is that the individual users will be able to see each other on the network. Is this assumption correct, and if so what would we have to do to avoid this? All DHCP users will be delivered in one VLAN to us, so we cannot put them in their own individual VLANs. Is there another option?

Thanks

Rip.

Hi,

I am glad to help.

Yes, all users in the same VLAN can see each other. Assuming you use a 3560, you can simply put all host ports in "switchport protected" mode, so the hosts cannot talk to each other. Another feature called private VLAN can achieve the same result, but it requires more configuration.

Please rate if that helps!

HTH,

Lei Tian

I have set up an 851 router, configured the WAN, have the LAN ports in Vlan1, set up NAT and everything's working fine. But I can't seem to perform the switchport protected command. Is this due to a limitation on the 851, or is there another command for an actual router?

Thanks

Rip.
