Cisco 3550 (SMI 12.2) Inter Vlan Routing

kevinang74
Level 1

Hi, I'm trying to set up inter-VLAN routing with my Cisco 3550 layer 3 switch. My router is a Cisco 2621XM.

Inter-VLAN routing and the access list are working fine. However, Internet access is not working. None of the machines in any of the VLANs have Internet access.

Ping test fails at the router 192.168.1.1

Is there anything I missed out?

Switch Config

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch
!
enable secret 5 $1$VIUk$X4CgzXTlrvQ/MdJMreQX21
enable password
!
no aaa new-model
clock timezone SIN 8
ip subnet-zero
ip routing
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.2.201 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.100
ip dhcp excluded-address 192.168.3.201 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.100
ip dhcp excluded-address 192.168.4.201 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.100
ip dhcp excluded-address 192.168.5.201 192.168.5.254
!
ip dhcp pool labpool
    network 192.168.4.0 255.255.255.0
    dns-server 165.21.83.88 165.21.100.88
    default-router 192.168.4.254
!
ip dhcp pool userpool
    network 192.168.2.0 255.255.255.0
    dns-server 165.21.83.88 165.21.100.88
    default-router 192.168.2.254
!
ip dhcp pool wireless
    network 192.168.5.0 255.255.255.0
    dns-server 165.21.83.88 165.21.100.88
    default-router 192.168.5.254
!
ip dhcp pool production
    network 192.168.3.0 255.255.255.0
    dns-server 165.21.83.88 165.21.100.88
    default-router 192.168.3.254
!
!
!
crypto pki trustpoint TP-self-signed-2461056768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2461056768
revocation-check none
rsakeypair TP-self-signed-2461056768
!
!
crypto pki certificate chain TP-self-signed-2461056768
certificate self-signed 01 nvram:IOS-Self-Sig#3801.cer
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 500
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/17
switchport access vlan 400
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/18
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/19
switchport access vlan 300
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/21
switchport access vlan 400
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/22
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/23
no switchport
ip address 192.168.1.254 255.255.255.0
speed 100
duplex full
!
interface FastEthernet0/24
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan200
description Users
ip address 192.168.2.254 255.255.255.0
!
interface Vlan300
description Production
ip address 192.168.3.254 255.255.255.0
!
interface Vlan400
description Testlab
ip address 192.168.4.254 255.255.255.0
ip access-group 101 in
!
interface Vlan500
description Wireless
ip address 192.168.5.254 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
ip http secure-server
!
!
access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 established
access-list 101 permit icmp 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
!
control-plane
!
!
line con 0
password
login
line vty 0 4
password
login
line vty 5 15
login
!
end

The router config is

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname aggarouter
!
boot-start-marker
boot system flash:2600-ik9s-mz.123-26.bin
boot-end-marker
!
enable secret 5 $1$.Af7$mlxHi9HoWKx07pKpoopEX.
!
clock timezone SIN 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain lookup source-interface FastEthernet0/0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name
!
interface FastEthernet0/0
description WAN INTERFACE
ip address dhcp
ip nat outside
ip route-cache flow
speed auto
full-duplex
!
interface FastEthernet0/1
description LAN INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip route-cache flow
speed auto
full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.20 22 interface FastEthernet0/0 1022
ip nat inside source static tcp 192.168.1.8 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.1.3 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.11 67 interface FastEthernet0/0 67
ip nat inside source static tcp 192.168.1.11 800 interface FastEthernet0/0 800
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0/0 3389
ip http server
ip http access-class 1
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip dns server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!

!
line con 0
line 33 48
line aux 0
line vty 0 4
password 7 060708264D5D100A
login
transport input telnet ssh
line vty 5 15
login
transport input telnet ssh
!
!
end

Accepted Solutions

CSCO11780655
Level 1

Hi, I was just looking at a glance and I see your DNS IP address has a different subnet compared with your users and management IPs. Please enable ip classless on your switch and look for any differences.

Sent from Cisco Technical Support iPad App

15 Replies

nkarpysh
Cisco Employee

Hello,

So from the LAN you are reaching the router - that is good.

The problem is now with routing or NAT, I guess. First of all, on the router check if you have a route to the Internet. If yes - good; if not - sort it by applying static or doing dynamic routing with the provider.

Next step is NAT - if routing is present your LAN hosts can send traffic to the Internet, but they send it with a source address of 192.168.x.x, and Internet servers have no idea how to forward it back. You need to configure NAT, or PAT in your case, to make the translation of the source address.

You can learn more about NAT/PAT here or other resources:

http://www.cisco.com/en/US/partner/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

Hope this helps,

Nik

HTH,
Niko

Thanks for your response.

To add, I can ping the Internet from the switch itself, but from a machine I cannot ping the router.

See your current NAT on the WAN interface:

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.20 22 interface FastEthernet0/0 1022
ip nat inside source static tcp 192.168.1.8 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.1.3 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.11 67 interface FastEthernet0/0 67
ip nat inside source static tcp 192.168.1.11 800 interface FastEthernet0/0 800
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0/0 3389
!
access-list 1 permit 192.168.1.0 0.0.0.255

So you are only NATing network 192.168.1.0 0.0.0.255 to the WAN. So when you ping from the switch, it goes out from the switch IP 192.168.1.254, which is within this range, and that is working. Your LAN subnets are not within this range, so NAT is not applied to those. You need to add your LAN subnets to ACL 1 for NAT to be applied to those as well.

Nik

HTH,
Niko

I added the other LAN subnet to ACL 1 already, but it is still not working.

Any other ideas?

Put ip address 192.168.1.2/24 on int vlan1 on the switch and do a no shut on that interface then try your pings.

Sent from Cisco Technical Support iPad App

No luck. I get an error when I do that

192.168.1.2 overlapps with Fastethernet 0/23

Port 23 on the switch is plugged directly to fa0/1 on the router?

Sent from Cisco Technical Support iPad App

yes, it is connected directly to the router fa0/1

interface FastEthernet0/23
no switchport
ip address 192.168.1.254 255.255.255.0
speed 100
duplex full

Add additional statements to access-list 1 on the router to include your other subnets you've defined on the switch.

Sent from Cisco Technical Support iPad App

I have changed my access-list 1 to

access-list 1 permit any

Still no luck. Thank you very much for the help so far!

Add to your router:

ip route 192.168.0.0 255.255.248.0 192.168.1.254

-Matt
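
The two conditions raised in the replies above (does a switch subnet's source address match the router's NAT access list, and does the router have a route back to that subnet) can be checked mechanically. This is an added example, not part of the original thread: the config excerpts are constructed from the posted configs, and the function names and the `ROUTER_FIXED` variant are assumptions for illustration. It handles standard ACL permit entries with contiguous wildcards only.

```python
import ipaddress
# Constructed excerpts of the switch and router configs posted in this thread.
SWITCH = """interface FastEthernet0/23
 ip address 192.168.1.254 255.255.255.0
interface Vlan200
 ip address 192.168.2.254 255.255.255.0
interface Vlan300
 ip address 192.168.3.254 255.255.255.0
interface Vlan400
 ip address 192.168.4.254 255.255.255.0
interface Vlan500
 ip address 192.168.5.254 255.255.255.0"""
ROUTER = """interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255"""
# Hypothetical variant with the two changes suggested in the replies applied.
ROUTER_FIXED = ROUTER + ("\naccess-list 1 permit any"
                         "\nip route 192.168.0.0 255.255.248.0 192.168.1.254")

def words(cfg):
    return [line.split() for line in cfg.splitlines()]

def connected(cfg):
    """Subnets of every static 'ip address A.B.C.D MASK' interface line."""
    return [ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            for w in words(cfg) if w[:2] == ["ip", "address"] and len(w) == 4]

def acl_permits(cfg, acl):
    """Networks permitted by a standard ACL (permit entries only)."""
    nets = []
    for w in words(cfg):
        if w[:3] == ["access-list", acl, "permit"] and len(w) in (4, 5):
            # 'any' is the whole space; 'ADDR WILDCARD' parses as a hostmask.
            src = "0.0.0.0/0" if w[3] == "any" else "/".join(w[3:])
            nets.append(ipaddress.ip_network(src))
    return nets

def static_routes(cfg):
    """Static routes with an IP next hop (interface-only routes are skipped)."""
    return [ipaddress.ip_network(f"{w[2]}/{w[3]}") for w in words(cfg)
            if w[:2] == ["ip", "route"] and len(w) == 5 and w[4][0].isdigit()]

def audit(switch_cfg, router_cfg, nat_acl="1"):
    """Per switch subnet: (source matches NAT ACL, router has a route back)."""
    nat = acl_permits(router_cfg, nat_acl)
    back = connected(router_cfg) + static_routes(router_cfg)
    return {str(n): (any(n.subnet_of(p) for p in nat),
                     any(n.subnet_of(r) for r in back))
            for n in connected(switch_cfg)}
```

In the posted router config ACL 1 is also referenced by `ip http access-class 1`, so widening it to `permit any` changes which sources may reach the router's HTTP server as well as what gets translated. Listing the four VLAN subnets in ACL 1 explicitly, or using a separate ACL for NAT, keeps the two decisions apart.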

After adding the line you suggested, I get this error when I ping www.google.com

%unrecognized host or address, or protocol not running.

CSCO11780655
Level 1

Hi, I was just looking at a glance and I see your DNS IP address has a different subnet compared with your users and management IPs. Please enable ip classless on your switch and look for any differences.

Sent from Cisco Technical Support iPad App

Million Thanks!

Finally, I got it working!
