09-18-2010 03:43 AM - edited 03-06-2019 01:03 PM
Hi All,
I am trying to configure a 3650 to provide DHCP on a routed port and, once it has pushed out an IP address, allow users on to the internet. The issue is that I get an IP address when connecting to fa0/2 but cannot get out on to the internet, nor can I ping the default gateway connected to the switch. Here is my config:
Building configuration...
Current configuration : 4786 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
udld aggressive
ip subnet-zero
ip routing
!
ip dhcp pool cisco
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1
domain-name test.com
dns-server 10.10.1.10
netbios-name-server 10.10.1.15
lease 7
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
no switchport
ip address 10.10.1.1 255.255.255.0
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.2.10 255.255.255.0
!
ip default-gateway 192.168.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.10.1.0 255.255.255.0 192.168.2.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password r!pw1r3
login
length 0
line vty 5 15
password *******
login
!
end
Any help that can be offered would be really appreciated. Just to note, I am very new to Cisco.
Many Thanks
Rip Winder.
09-18-2010 12:06 PM
Hi,
That command is on 3560, 851 doesn't support it.
Regards,
Lei Tian
09-18-2010 12:11 PM
You can just connect your 3560 with the 851, and config "switchport protected" on all host ports. Do not put it on the uplink port to the 851. All ports should be in vlan 1 by default; you don't need to put any other command, unless you made some changes on the 3560.
HTH,
Lei Tian
09-18-2010 12:21 PM
Thanks, that's a huge help.
If I have the DHCP server running on fa0/2 and this is then patched to another switch outside of my control with multiple users, are they still secure as long as they are in the same VLAN, or is it based on actual physical ports?
Thanks
Rip.
09-18-2010 12:30 PM
Hi,
That depends on the config of the physical port that the user connects to. By default, the switch will forward traffic within the same vlan; you have no control on the router. On the router, you can control the traffic passing between different vlans. By applying an ACL on the SVI, you can permit/deny communication from a host in one vlan to a host in another vlan.
HTH,
Lei Tian
09-19-2010 11:07 AM
Hi,
OK, I configured the 3560 with a default route and IP address from the 851, which is connected to the WAN. I set NAT on the 851 and have configured DHCP on Vlan2 on the 3560. I connected a laptop to the 3560 and am getting an IP address; however, when I try to ping the outside world or even ping the 851 from the laptop, I get nothing. I can ping the static IP address assigned to the 3560 from the 851, and when I telnet in to the 3560 I can ping the outside world. I'm thinking it might be to do with the static route in the 3560. Any help you can offer would be much appreciated. I have given the config of the 3560 below:
Switch#show run
Building configuration...
Current configuration : 1879 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
ip subnet-zero
ip routing
!
ip dhcp pool cisco
network 10.10.2.0 255.255.255.0
default-router 10.10.2.1
domain-name mydomain.com
dns-server 10.10.2.10
lease 7
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.10.10.3 255.255.255.248
!
interface Vlan2
description Cisco DHCP
ip address 10.10.2.1 255.255.255.0
!
ip default-gateway 10.10.10.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 10.10.2.0 255.255.255.0 10.10.10.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
09-19-2010 01:20 PM
Hi,
Remove "ip route 10.10.2.0 255.255.255.0 10.10.10.1" from the 3560. Add "ip route 10.10.2.0 255.255.255.0 10.10.10.3" on the 851.
HTH,
Lei Tian
09-19-2010 01:31 PM
Wow, thanks, it worked. Could you possibly explain what I just did and why it was not working before? I would like to be able to understand. No problem if you're too busy.
Many, many thanks,
Rip.
09-19-2010 01:40 PM
Hi,
Thanks for the rating and glad to help!
The reason it didn't work before is that the 851 didn't have a route back to VLAN 2 on the 3560. VLAN 2 is only configured on the 3560, so you need to tell the 851 that, in order to reach the VLAN 2 network, it should send the traffic to the 3560.
Regards,
Lei Tian
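To make the return-route explanation above concrete, here is an added Python model (not from the thread or from Cisco) of the two routing tables before and after the fix. It takes the 851's LAN address 10.10.10.1, the 3560's Vlan1 address 10.10.10.3/29 and the 10.10.2.0/24 pool from the posted config, and assumes a laptop address of 10.10.2.50 and a "WAN" sentinel for the 851's default route.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not the poster's config):
#   laptop 10.10.2.50 (VLAN 2) -- 3560 (Vlan2 10.10.2.1, Vlan1 10.10.10.3/29)
#   -- 851 (LAN 10.10.10.1/29, default route toward the WAN)
# A table is a list of (prefix, next_hop, admin_distance); next_hop "connected"
# means directly attached, "WAN" means the 851's uplink (the assumed Internet side).
OWNER = {"10.10.10.1": "851", "10.10.10.3": "3560"}  # which box answers at each next hop

def lookup(table, dst):
    """Longest-prefix match; on equal length the lower administrative distance wins."""
    addr = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(p), nh, ad) for p, nh, ad in table]
    cands = [c for c in cands if addr in c[0]]
    if not cands:
        return None
    _net, nh, _ad = max(cands, key=lambda c: (c[0].prefixlen, -c[2]))
    return nh

def trace(tables, start, dst, max_hops=8):
    """Follow next hops box to box until dst is attached, we exit to the WAN, or we loop."""
    path, router = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[router], dst)
        if nh is None:
            return path + ["no route"]
        if nh in ("connected", "WAN"):
            return path + ["delivered" if nh == "connected" else "WAN"]
        router = OWNER[nh]
        path.append(router)
    return path + ["loop"]

SWITCH_3560 = [("10.10.2.0/24", "connected", 0), ("10.10.10.0/29", "connected", 0),
               ("0.0.0.0/0", "10.10.10.1", 1),
               ("10.10.2.0/24", "10.10.10.1", 1)]  # the removed static; connected (AD 0) won anyway
ROUTER_851_BEFORE = [("10.10.10.0/29", "connected", 0), ("0.0.0.0/0", "WAN", 1)]
ROUTER_851_AFTER = ROUTER_851_BEFORE + [("10.10.2.0/24", "10.10.10.3", 1)]

def ping_round_trip(table_851):
    """Paths of the laptop's echo request to 10.10.10.1 and of the 851's reply to the laptop."""
    tables = {"3560": SWITCH_3560, "851": table_851}
    request = trace(tables, "3560", "10.10.10.1")  # laptop hands the packet to its gateway
    reply = trace(tables, "851", "10.10.2.50")
    return request, reply

if __name__ == "__main__":
    print("before:", ping_round_trip(ROUTER_851_BEFORE))  # reply goes out to the WAN, never returns
    print("after: ", ping_round_trip(ROUTER_851_AFTER))   # reply is handed back to the 3560
```

The request always reaches the 851; it is the reply that follows the 851's default route toward the WAN until the static route back to 10.10.2.0/24 via 10.10.10.3 is added.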
09-19-2010 01:50 PM
Ah, OK, I see, thanks. When I deploy this into the live environment we will have Vlan1 with an IP address given to us by the tier 1 transit provider, with their default gateway address. All IP addresses we provide via DHCP in Vlan2 will be public IP addresses, so am I right in thinking we won't run into this issue as long as the tier 1 is announcing our address space?
Thanks
Rip.
09-19-2010 02:09 PM
Yes, your understanding is correct. If the 851 is managed by the provider, they will configure the route.
Regards,
Lei Tian
09-19-2010 02:37 PM
That's great. Thanks so much for your help. I'm not sure if this is your area, but I am now looking at using 802.1q to use qinq on Vlan2. If I use qinq, does the user actually have to configure anything on their PC/CPE, or does the 3560 just automatically place them in their own vlans?
Thanks
Rip.
09-19-2010 02:45 PM
Hi,
What is the need for qinq here? qinq is typically used in provider networks, to tag customer traffic with a dedicated number, so traffic from one customer will not leak to another customer.
Regards,
Lei Tian
09-19-2010 02:57 PM
I am creating a service provider network on a smallish scale over a region. We are trying to start small and then scale up later once we get to a few hundred users, hence the 3560. All traffic is delivered to us from customers in one Vlan, so we need to ensure that the customers cannot see each other. I tried the "switchport protection" command you suggested and it works, but I understand one of the other service providers is doing qinq, so I wanted to ensure we are providing the right level of security. I'm not sure of the security differences between the two.
We first started off planning a central switch with PPPoE with AAA etc., as would be expected, but realised it's not required as this is taken care of before the traffic reaches us.
We plan to upgrade to bigger better Cisco kit once we reach 500 users.
Thanks
Rip.
09-19-2010 03:49 PM
Hi,
A qinq is no more than regular vlans; it prevents communication between different vlans. The only difference is that a qinq tunneling port doesn't care what traffic is sent to it; it can be L3 or L2. switchport protected will prevent communication within the same vlan. So, you can see the difference.
If supporting qinq is the requirement, you can just add 'switchport mode dot1qtunnel' to the customer-facing port. A few best-practice rules you need to follow when deploying qinq:
1. Change the system mtu to 1504 to support the additional 4-byte header.
2. Enable dot1q tag native.
3. Don't use vlan 1 as the native vlan ID, and do not pass any data traffic via the native vlan.
A configuration example of qinq on the 3560 can be found at
HTH,
Lei Tian