Routing from 3560 to DSL modem not working

Answered Question

I'm setting up a lab switch, a 3560 connected to a DSL router/modem, and I cannot seem to get the routing from VLAN100 to the DSL router/modem to work.

  • int g0/1 is connected to the DSL router/ modem
  • int g0/10 is connected to the client (10.10.100.10)


From the 3560, I can ping the DSL router (192.168.1.1), the client (10.10.100.10) and I can ping the internet.

From the client connected to the 3560, I can ping the g0/1 interface IP address (192.168.1.201), but not the DSL router (192.168.1.1).

From the DSL router, I can ping the internet and the 3560 g0/1 ip address (192.168.1.201) but cannot ping the client (10.10.100.10)


Config from 3560 follows:


version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3560Lab1-DLS2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
vtp domain TestLab
vtp mode transparent
ip routing
ip name-server 4.2.2.2
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
 name Home_VLAN
!
!
!
!
interface GigabitEthernet0/1
 description To DSL
 no switchport
 ip address 192.168.1.201 255.255.255.0
!
<snip>
!
interface GigabitEthernet0/10
 description Client
 switchport access vlan 100
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
!
!
router eigrp 100
 network 10.10.100.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1


Any help would be greatly appreciated!

John Blakley Sat, 08/25/2012 - 08:29

If this is a dsl router that has support for static routes, you'll need to add a static route for 10.10.100.0 pointing to 192.168.1.201 on the dsl router. If you don't have that, it will have a default gateway pointing to the ISP and it will know about your connected subnet of 192.168.1.0/24. The traffic from the 10.10.100.0/24 subnet will get to the dsl router/modem, but the modem will try to send it to the ISP because it doesn't have a route for 10.10.100.0 pointing back to your 3560.


HTH,

John



Hi thanks for the reply.  I actually have a static route in the DSL modem


Destination | Subnet Mask   | Gateway       | Interface | Remove
10.10.100.0 | 255.255.255.0 | 192.168.1.201 | br0       |


The DSL modem also supports RIP.  I've turned on RIP (not currently on) and it doesn't really seem to do anything. There are 3 options for "interface".  One is WAN, one is LAN and the final is to put nothing in there at all.  I've tried the above with all three options and still nothing.  I'm sure it's something easy I'm overlooking.

John Blakley Sat, 08/25/2012 - 08:52

Can you ping the dsl modem if you source from vlan 100 on the 3560? (ping 192.168.1.1 sour vlan 100) From the looks of it, it simply looks like your static route isn't working on the dsl router....


Have you tried to reboot your dsl router after adding the static route?


HTH,

John

I hadn't tried that.  But yes, it does work. 


3560Lab1-DLS2#ping 192.168.1.1 sour vlan 100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

John Blakley Sat, 08/25/2012 - 09:15

That's even more interesting...Can you run "debug ip icmp" and ping the workstation from the dsl router? And can you post the results?

The DSL router doesn't have the capacity to issue a ping directly from it, or at least I can't find where it is.  (brand is Zhone).  So I plugged a PC (192.168.1.220) directly into the DSL modem and issued some pings.


Ping issued from client - 10.10.100.10

3560Lab1-DLS2#

Aug 25 16:54:44.645: ICMP: echo reply rcvd, src 10.10.100.10, dst 10.10.100.1, topology BASE, dscp 0 topoid 0

Aug 25 16:54:44.653: ICMP: echo reply rcvd, src 10.10.100.10, dst 10.10.100.1, topology BASE, dscp 0 topoid 0

Aug 25 16:54:44.653: ICMP: echo reply rcvd, src 10.10.100.10, dst 10.10.100.1, topology BASE, dscp 0 topoid 0

Aug 25 16:54:44.662: ICMP: echo reply rcvd, src 10.10.100.10, dst 10.10.100.1, topology BASE, dscp 0 topoid 0

Aug 25 16:54:44.662: ICMP: echo reply rcvd, src 10.10.100.10, dst 10.10.100.1, topology BASE, dscp 0 topoid 0


Pings issued from clients to g0/1 ip address

3560Lab1-DLS2#

Aug 25 16:55:51.284: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.2, topology BASE, dscp 0 topoid 0

Aug 25 16:55:52.283: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.2, topology BASE, dscp 0 topoid 0

Aug 25 16:55:53.281: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.2, topology BASE, dscp 0 topoid 0

Aug 25 16:55:54.279: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.2, topology BASE, dscp 0 topoid 0

Aug 25 17:02:32.010: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.220, topology BASE, dscp 0 topoid 0

Aug 25 17:02:32.991: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.220, topology BASE, dscp 0 topoid 0

Aug 25 17:02:34.006: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.220, topology BASE, dscp 0 topoid 0

Aug 25 17:02:35.021: ICMP: echo reply sent, src 192.168.1.201, dst 192.168.1.220, topology BASE, dscp 0 topoid 0


When attempting to ping 10.10.100.10, the request times out on the client (192.168.1.220 or 192.168.1.2)

John Blakley Sat, 08/25/2012 - 10:29

Can you do the same test but run debug ip packet and post the results?


Also, this shouldn't matter, but have you tried removing the routed port and then configuring vlan1's svi with an ip address? I'd be curious to see if it worked.


Sent from Cisco Technical Support iPhone App

This is the response when the client (192.168.1.220) pings the g0/1 IP (192.168.1.201)

Aug 25 17:56:12.624: IP: tableid=0, s=10.10.100.1 (local), d=10.10.100.10 (Vlan100), routed via FIB

Aug 25 17:56:12.624: IP: s=10.10.100.1 (local), d=10.10.100.10 (Vlan100), len 600, output feature, Check hwidb(81), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Aug 25 17:56:12.633: IP: s=192.168.1.201 (local), d=224.0.0.10 (GigabitEthernet0/1), len 60, local feature, RCLI(7), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Aug 25 17:56:12.633: IP: s=192.168.1.201 (local), d=224.0.0.10 (GigabitEthernet0/1), len 60, local feature, Local Clustering(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Aug 25 17:56:12.633: IP: s=192.168.1.201 (local), d=224.0.0.10 (GigabitEthernet0/1), len 60, sending broad/multicast

Aug 25 17:56:12.633: IP: s=192.168.1.201 (local), d=224.0.0.10 (GigabitEthernet0/1), len 60, sending full packet

Aug 25 17:56:12.641: IP: s=10.10.100.1 (local), d=10.10.100.10, len 600, local feature, RCLI(7), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Aug 25 17:56:12.641: IP: s=10.10.100.1 (local), d=10.10.100.10, len 600, local feature, Local Clustering(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Aug 25 17:56:12.641: IP: tableid=0, s=10.10.100.1 (local), d=10.10.100.10 (Vlan100), routed via FIB

Aug 25 17:56:12.641: IP: s=10.10.100.1 (local), d=10.10.100.10 (Vlan100), len 600, output feature, Check hwidb(81), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Aug 25 17:56:12.641: IP: s=10.10.100.1 (local), d=10.10.100.10, len 600, local feature, RCLI(7), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

The client at 192.168.1.220 times out when attempting to ping 10.10.100.1 or 10.10.100.10


I really appreciate your help on this btw

John Blakley Sat, 08/25/2012 - 11:16

No problem! We'll get there eventually


I'm curious to see if you could try something. On your routed port, try changing back to a switchport. Then under your vlan 1, put the ip address 192.168.1.201/24. Take your PC that you have connected directly to the dsl modem and plug it directly into the 3560. Then see if you can ping the workstation on vlan 100. If you can, the switch is routing correctly.




Ok so here is the changed config


interface GigabitEthernet0/1
end

interface Vlan1
 ip address 192.168.1.201 255.255.255.0
end


I've plugged the client PC (192.168.1.220) into g0/1.  From the client, I can ping 192.168.1.201, but cannot ping 10.10.100.1 or 10.10.100.10


The client PC on vlan 100 cannot ping 192.168.1.220

The router can ping 192.168.1.220


For routing on the switch I have:


ip routing
!
router eigrp 100
 network 10.10.100.0 0.0.0.255
 network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1


I've removed the ip default-gateway line

John Blakley Sat, 08/25/2012 - 11:43

Ok can you post


Sh vlan

Sh ip route




VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/11
                                                Gi0/12, Gi0/13, Gi0/14, Gi0/15
                                                Gi0/16, Gi0/17, Gi0/18, Gi0/19
                                                Gi0/20, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24, Gi0/25, Gi0/26, Gi0/27
                                                Gi0/28
100  Home_VLAN                        active    Gi0/9, Gi0/10
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0


VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

3560Lab1-DLS2#




3560Lab1-DLS2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.100.0/24 is directly connected, Vlan100
L        10.10.100.1/32 is directly connected, Vlan100
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.201/32 is directly connected, Vlan1
3560Lab1-DLS2#

John Blakley Sat, 08/25/2012 - 12:17

Last thing. Try removing ip routing and then re-add it.



done.

I also re-added

ip route 0.0.0.0 0.0.0.0 192.168.1.1


Same behavior. 


int vlan1 is still 192.168.1.201 255.255.255.0

int g0/1 is still plugged into the DSL router


3560Lab1-DLS2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.100.0/24 is directly connected, Vlan100
L        10.10.100.1/32 is directly connected, Vlan100
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.201/32 is directly connected, Vlan1


3560Lab1-DLS2#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/11
                                                Gi0/12, Gi0/13, Gi0/14, Gi0/15
                                                Gi0/16, Gi0/17, Gi0/18, Gi0/19
                                                Gi0/20, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24, Gi0/25, Gi0/26, Gi0/27
                                                Gi0/28
100  Home_VLAN                        active    Gi0/9, Gi0/10
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0


VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

3560Lab1-DLS2#


3560Lab1-DLS2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
3560Lab1-DLS2#ping www.google.com

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.227.80, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/58/59 ms
3560Lab1-DLS2#


Pings from vlan100 client (10.10.100.10)

C:\Users\administrator>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=63
Reply from 192.168.1.1: bytes=32 time=1ms TTL=63
Reply from 192.168.1.1: bytes=32 time=1ms TTL=63
Reply from 192.168.1.1: bytes=32 time=1ms TTL=63

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\administrator>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\administrator>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try a
gain.



When the directly attached 192.168.1.220 client was attached, it was able to ping the vlan ip 192.168.1.201 but received a mix of host unreachable and timeout errors when attempting to ping 10.10.100.1 and 10.10.100.10

      



Edit:  wait a sec... I can now ping 192.168.1.1 from 10.10.100.10 - previously was unable to.  Still unable to ping the internet from the 10.10.100.10 client.


I hooked up a different machine to a different port (g0/2).  The client was able to pull a dhcp address (192.168.1.3) from the DSL router and is able to browse the internet, but not able to ping addresses in vlan100

      

While I'm able to ping 192.168.1.1 from 10.10.100.10, I cannot ping 192.168.1.3.  I can ping 192.168.1.3 from the switch.

John Blakley Sat, 08/25/2012 - 14:39

Does your modem nat? Your other problem could be that the modem is only natting the 192 subnet. Can you set it to also nat the 10 subnet?



Looks like the NAT feature is for specific applications.  I created a rule in the "NAT -> virtual servers" section of the modem.

Server Name | External Port Start | External Port End | Protocol | Internal Port Start | Internal Port End | Server IP Address | Remote Host | Remove
switch      | 1                   | 65535             | TCP/UDP  | 1                   | 65535             | 192.168.1.201     | 10.10.100.1 |



When creating a NAT rule on the modem, there is a "select a service" radio button that gives you a number of different applications (games, tftp, etc) to select from.  I selected Custom Server, gave it the vlan1 IP address, set the port range from 1--65535, TCP/UDP and put in the vlan 100 address as the remote host.


There is also another option, which I'm not entirely sure what it's supposed to be.


NAT -- DMZ Host



The DSL router will forward IP packets from the WAN that do not belong to any of the applications configured in the Virtual Servers table to the DMZ host computer.


Enter the computer's IP address and click "Apply" to activate the DMZ host.


Clear the IP address field and click "Apply" to deactivate the DMZ host.


DMZ Host IP Address:


Not sure if I made the rule correctly - any ideas?

      



Edit:  I can't make the NAT rule an entire subnet - it will only let me use a single IP

Correct Answer
John Blakley Sat, 08/25/2012 - 16:55

I'm actually not sure. I have uverse and the modem that they supply allows you to put all of your traffic into a dmz. I had my router on the dmz interface which allowed my public address to be assigned to my router instead of the modem. The problem with that in this situation is that the 3560 doesn't support natting as far as I know, so it doesn't make sense to put your public ip on your switch.


So, another test that you could do if you wanted is to put your lan side ip on your dsl modem on the 10 subnet. Then you'd have to change the ip on vlan 10, but you'd be able to see if your 10.x.x.x host could get on the internet. I'm almost sure that's what this is. Now it doesn't explain why you couldn't ping between devices on the same switch in different vlans earlier though. You have the vlan created and a l3 svi attached with routing on, so those subnets are locally connected and should be able to route between vlans with no issue. Through all of this, I'm not sure if that part was ever fixed. Have you checked the ios version that you're on to see if you're running the latest?


If you decide to do the internal lan side address change on the dsl modem and it works, I'm afraid that you may not be able to segment your network into different subnets if you can't nat them via the modem. You could still create your vlans for internal testing, but they wouldn't be able to get on the internet because of the natting issue. This is one reason a lot of people on the forums will put a cisco router in between their dsl modem and switches. You could also do this with an ASA as well.


HTH,

John
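Added example (not part of the thread and not Cisco code): a small Python model of this thread's addressing that covers both the static-route reply earlier in the thread and the NAT explanation in the answer above. That the modem translates only 192.168.1.0/24 is the hypothesis raised in the thread and is modelled here as an assumption; the function names are illustrative.

```python
import ipaddress

# Addresses taken from the thread.
CLIENT, MODEM_LAN, INTERNET_HOST = "10.10.100.10", "192.168.1.1", "4.2.2.2"

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# The 3560's table as shown by "sh ip route" in the thread.
SWITCH_ROUTES = {
    "10.10.100.0/24": "connected",
    "192.168.1.0/24": "connected",
    "0.0.0.0/0": "192.168.1.1",
}

def modem_routes(static_route):
    """Modem table: connected LAN, default to the ISP, optional static route."""
    table = {"192.168.1.0/24": "connected", "0.0.0.0/0": "ISP"}
    if static_route:
        table["10.10.100.0/24"] = "192.168.1.201"  # return route via the 3560
    return table

def ping(src, dst, static_route=True, nat_sources=("192.168.1.0/24",)):
    """Trace an echo and its reply; dst is the modem or a host beyond it.

    nat_sources is the set of inside subnets the modem translates
    (assumption: only its own LAN subnet, as suspected in the thread).
    """
    modem = modem_routes(static_route)
    # Forward path. Hosts on 192.168.1.0/24 reach the modem at layer 2,
    # but the switch lookup gives the same answer, so it is run for all.
    if lookup(SWITCH_ROUTES, dst) is None:
        return False, "switch has no route to destination"
    if dst != MODEM_LAN:
        src_addr = ipaddress.ip_address(src)
        if not any(src_addr in ipaddress.ip_network(n) for n in nat_sources):
            return False, "source not covered by modem NAT; private address gets no reply"
    # Return path: the modem needs a route back to the original source.
    back = lookup(modem, src)
    if back == "ISP":
        return False, "modem has no return route; reply follows the WAN default"
    return True, "reply routed back via " + back

if __name__ == "__main__":
    cases = [
        ("no static route", CLIENT, MODEM_LAN, dict(static_route=False)),
        ("static route present", CLIENT, MODEM_LAN, {}),
        ("vlan100 client to internet", CLIENT, INTERNET_HOST, {}),
        ("192.168.1.3 to internet", "192.168.1.3", INTERNET_HOST, {}),
    ]
    for label, src, dst, kw in cases:
        print(f"{label:28} {src} -> {dst}: {ping(src, dst, **kw)}")
```

The third and fourth cases match the final state in the thread: the VLAN 100 client reaches 192.168.1.1 but not 4.2.2.2, while the 192.168.1.3 host browses normally.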

Thanks again for the help.  I've got an 1841 and a 5505 laying around here somewhere.  I'll set one of 'em up - was hoping to not have to jack with that but you're correct, 3560s don't support NAT as far as I know.  I think the only l3 switch that does is the 6500.


Thanks again for the help - sadly consumer grade equipment fails again
