Community Member

Routed port (DHCP) to Wan issue

Hi All,

I am trying to configure a 3650 to provide DHCP on a routed port and, once it has pushed out an IP address, allow users onto the internet. The issue is that I get an IP address when connecting to fa0/2 but cannot get out onto the internet, and neither can I ping the default gateway connected to the switch. Here is my config:

Building configuration...

Current configuration : 4786 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
udld aggressive

ip subnet-zero
ip routing
!
ip dhcp pool cisco
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   domain-name test.com
   dns-server 10.10.1.10
   netbios-name-server 10.10.1.15
   lease 7
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
no switchport
ip address 10.10.1.1 255.255.255.0
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.2.10 255.255.255.0
!
ip default-gateway 192.168.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.10.1.0 255.255.255.0 192.168.2.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password r!pw1r3
login
length 0
line vty 5 15
password *******
login
!
end

Any help that can be offered would be really appreciated. Just to note I am very new to Cisco.

Many Thanks

Rip Winder.

28 REPLIES
Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

Can you ping 192.168.2.10? Can you check the routing table on the next hop and make sure it has a route for 10.10.10.0/24 pointing to 192.168.2.10?

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

Hi, Thank you very much for your reply.

I can ping 192.168.2.10 when connected to the routed port fa0/2.

I tried to create ip route but got the following error:

Switch(config)#ip route 10.10.1.0 255.255.255.0 192.168.2.10
%Invalid next hop address (it's this router)

Thank,

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

Thanks for the information.

What I want you to check is on 192.168.2.1: make sure it has a route to 10.10.10.0/24; not on this switch.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

Hi,

192.168.2.1 is the gateway in my study that is connected to the Cisco 3560; it's just a Belkin router, so I'm not sure I can do any config on it. Perhaps I am misunderstanding your instruction?

The actual setup I need once I put the switch in a live environment is to have a WAN connection on one port from a Tier 1 ISP in a datacentre and then DHCP running on another port that goes out to our users. I'm wondering if I need to make fa0/1 a routed port and configure a DHCP client or just a static IP address, and then configure fa0/2 as a routed port and configure a DHCP server on this. Would the 3560 just automatically route the traffic from fa0/2 to fa0/1, or would I need to make a static route? Or something else?

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

Your 3560 has the route to the gateway, but if you don't tell the gateway, the gateway doesn't know how to route back to the 10.10.10.0/24 subnet. I believe your gateway is doing NAT; you might also want to check the gateway and make sure it does NAT for the 10.10.10.0/24 subnet as well.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

I think the problem with the Belkin gateway is just adding to the issue. So I intend to start again and attach the WAN connection (Cable) directly to the 3560. If I start again from scratch what should be the steps to take if I want to have fa0/1 connected to WAN and fa0/2 providing DHCP?

The ideas I have had are:

Enable fa0/1 and fa0/2 in a routed role. Configure a DHCP client on fa0/1 and enable a DHCP server on fa0/2. However, I am not sure how to have traffic on fa0/2 routed out over fa0/1.

Any config examples would be much appreciated.

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

You need a router to NAT the primary IP. The 3560 doesn't have this function.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

Please forgive me, but could you explain in more detail? I'm struggling to understand the NAT function and how it relates.

If the ISP assigns public IP 1.1.1.1 to the Cisco 3560 on fa0/1, as it is acting as a DHCP client, then it connects to the internet with no problems.

If I am then running a DHCP server on fa0/2 and make a static route to fa0/1, where does the plan fall over? This should help me grasp the problem :) I know it does not work but do not understand why.

Thanks,

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

You are using the 3560 as a DHCP server and assigning IPs in the 10.10.1.0/24 range to your hosts. This private IP range is not routable in the internet; it only belongs to your local network. When traffic leaves your local network, you need to translate this private IP to a public IP or to the IP that the provider assigned to you. That makes the packet source IP a routable IP in the internet.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

I think I am now starting to grasp it finally. So as the 3560 is not able to do NAT, it cannot translate the 10.10.2.0 addresses to the outside world like a standard home Netgear would do, for instance.

When I deploy the kit into the datacentre we will be connected to Tier 1 transit directly into the Gig port. We are RIPE registered, so we have our own public IP ranges. If the DHCP pool we provide is all public IPs, will this work on the 3560?


Thanks,

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Yes. If you are assigning public IPs to your hosts, you can use the 3560.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

Thank you so much for your help! I really appreciate your patience with me. I have some Cisco 800 routers I can play around with to practice before we deploy the 3560.

If you can bear to help me any more, another issue I think we might face is that the individual users will be able to see each other on the network. Is this assumption correct, and if so, what would we have to do to avoid this? All DHCP users will be delivered in one VLAN to us, so we cannot put them in their own individual VLANs. Is there another option?

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

I am glad to help.

Yes, all users in the same VLAN can see each other. Assuming you use a 3560, you can simply put all host ports in "switchport protected" mode, so the hosts cannot talk to each other. Another feature, called private VLAN, can achieve the same result, but it requires more configuration.

Please rate if that helps!

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

I have set up an 851 router, configured the WAN, have the LAN ports in VLAN 1, set up NAT, and everything's working fine. But I can't seem to perform the switchport protected command. Is this due to a limitation on the 851, or is there another command for an actual router?

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

That command is on the 3560; the 851 doesn't support it.

Regards,

Lei Tian

Cisco Employee

Re: Routed port (DHCP) to Wan issue

You can just connect your 3560 with the 851, and config "switchport protected" on all host ports. Do not put it on the uplink port to the 851. All ports should be in VLAN 1 by default; you don't need to put in other commands, unless you made some changes on the 3560.

HTH,

Lei Tian
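The port layout described in the reply above, written out as an added example (not Lei Tian's or the poster's own configuration); it assumes customers are on fa0/2 to fa0/24 and the 851 hangs off Gi0/1, all in VLAN 1:

```ios
! Catalyst 3560: isolate customer hosts that must share VLAN 1
!
! Host-facing ports. A protected port never forwards unicast, broadcast
! or multicast frames to another protected port on the same switch, so
! customers cannot reach each other at layer 2 even in one VLAN.
interface range FastEthernet0/2 - 24
 description Customer host port
 switchport mode access
 switchport access vlan 1
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the 851. Left UNprotected on purpose: protected ports may
! still talk to unprotected ports, which is how hosts reach the gateway.
interface GigabitEthernet0/1
 description Uplink to 851 (NAT gateway)
 switchport mode access
 switchport access vlan 1
!
! Verification: the switchport view of any host port should report
! "Protected: true"; the uplink should report "Protected: false".
! show interfaces FastEthernet0/3 switchport | include Protected
! show interfaces GigabitEthernet0/1 switchport | include Protected
```

Protected ports only block traffic between protected ports on the same switch; two protected ports on different switches joined by an unprotected uplink can still reach each other.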

Community Member

Re: Routed port (DHCP) to Wan issue

Thanks, that's a huge help.

If I have a DHCP server running on fa0/2 and this is then patched to another switch outside of my control with multiple users, are they still secure as long as they are in the same VLAN, or is it based on actual physical ports?

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

That depends on the config on the physical port that the user connects to. By default, a switch will forward traffic within the same VLAN; you have no control over that on the router. On the router, you can control the traffic passing between different VLANs. By applying an ACL on the SVI, you can permit/deny communication from a host in one VLAN to a host in another VLAN.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

Hi,

OK, I configured the 3560 with a default route and IP address from the 851, which is connected to the WAN. I set NAT on the 851 and have configured DHCP on VLAN 2 on the 3560. I connected a laptop to the 3560 and am getting an IP address; however, when I try to ping the outside world or even ping the 851 from the laptop I get nothing. I can ping the static IP address assigned to the 3560 from the 851, and when I telnet into the 3560 I can ping the outside world. I'm thinking it might be to do with the static route in the 3560. Any help you can offer would be much appreciated. I have given the config of the 3560 below:

Switch#show run
Building configuration...
Current configuration : 1879 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
ip subnet-zero
ip routing
!
ip dhcp pool cisco
   network 10.10.2.0 255.255.255.0
   default-router 10.10.2.1
   domain-name mydomain.com
   dns-server 10.10.2.10
   lease 7
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.10.10.3 255.255.255.248
!
interface Vlan2
description Cisco DHCP
ip address 10.10.2.1 255.255.255.0
!
ip default-gateway 10.10.10.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 10.10.2.0 255.255.255.0 10.10.10.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4

Thanks,
Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

Remove "ip route 10.10.2.0 255.255.255.0 10.10.10.1" from the 3560. Add "ip route 10.10.2.0 255.255.255.0 10.10.10.3" on the 851.

HTH,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

Wow, thanks, it worked. Could you possibly explain what I just did and why it was not working before? I would like to be able to understand. No problem if you're too busy.

Many, many thanks,

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

Thanks for the rating and glad to help!

The reason it didn't work before is that the 851 didn't have a route back to VLAN 2 on the 3560. VLAN 2 is only configured on the 3560, so you need to tell the 851 to send traffic for the VLAN 2 network to the 3560.

Regards,

Lei Tian
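The two-device setup the fix above describes, written out end to end as an added example (not the poster's running config and not Cisco's documentation): the 3560 routes between VLAN 1 and VLAN 2 and needs only a default route, while the 851 needs the return route for 10.10.2.0/24 and, as noted earlier in the thread, must include that subnet in its NAT rule. The 851 interface names, the NAT access list and the excluded DHCP range are assumptions.

```ios
! --- Catalyst 3560: inter-VLAN routing and DHCP server ---
ip routing
!
! Keep the SVI and the DNS server out of the pool (assumed range)
ip dhcp excluded-address 10.10.2.1 10.10.2.20
ip dhcp pool cisco
   network 10.10.2.0 255.255.255.0
   default-router 10.10.2.1
   dns-server 10.10.2.10
   lease 7
!
interface Vlan1
 description Transit /29 towards the 851
 ip address 10.10.10.3 255.255.255.248
!
interface Vlan2
 description Cisco DHCP
 ip address 10.10.2.1 255.255.255.0
!
! Only the default route is needed. 10.10.2.0/24 is a connected network
! (administrative distance 0), so the old static route for it towards
! 10.10.10.1 was never preferred and only hid the real problem.
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! --- Cisco 851: NAT gateway (interface names assumed) ---
interface FastEthernet4
 description WAN (assumed WAN port name)
 ip address dhcp
 ip nat outside
!
interface Vlan1
 description LAN switch ports towards the 3560
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
!
! Return route: VLAN 2 lives behind the 3560, so hand it to 10.10.10.3
ip route 10.10.2.0 255.255.255.0 10.10.10.3
!
! NAT must translate the hosts' subnet, not only the transit /29
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.10.2.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
! --- Verification on the 851 ---
! show ip route 10.10.2.0      -> static route via 10.10.10.3
! show ip nat translations     -> 10.10.2.x inside-local entries once a
!                                 laptop on VLAN 2 reaches the internet
```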

Community Member

Re: Routed port (DHCP) to Wan issue

Ah OK, I see, thanks. When I deploy this into the live environment we will have VLAN 1 with an IP address given to us by the Tier 1 transit provider, with their default gateway address. All IP addresses we provide via DHCP in VLAN 2 will be public IP addresses, so am I right in thinking we won't run into this issue as long as the Tier 1 is announcing our address space?

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Yes, your understanding is correct. If the 851 is managed by provider, they will config the route.

Regards,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

That's great. Thanks so much for your help. I'm not sure if this is your area, but I am now looking at using 802.1Q to use QinQ on VLAN 2. If I use QinQ, does the user actually have to configure anything on their PC/CPE, or does the 3560 just automatically place them in their own VLANs?

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

What is the need for QinQ here? QinQ is typically used in a provider network to tag customer traffic with a dedicated number, so traffic from one customer will not leak to another customer.

Regards,

Lei Tian

Community Member

Re: Routed port (DHCP) to Wan issue

I am creating a service provider network on a smallish scale over a region. We are trying to start small and then scale up later once we get to a few hundred users, hence the 3560. All traffic is delivered to us from customers in one VLAN, so we need to ensure that the customers cannot see each other. I tried the "switchport protected" command you suggested and it works, but I understand one of the other service providers is doing QinQ, so I wanted to ensure we are providing the right level of security. I'm not sure of the security differences between the two.

We first started off planning a central switch with PPPoE with AAA etc., as would be expected, but realised it's not required as this is taken care of before the traffic reaches us.

We plan to upgrade to bigger, better Cisco kit once we reach 500 users.

Thanks

Rip.

Cisco Employee

Re: Routed port (DHCP) to Wan issue

Hi,

QinQ is no more than regular VLANs; it prevents communication between different VLANs. The only difference is that a QinQ tunneling port doesn't care what traffic is sent to it; it can be L3 or L2. "switchport protected" will prevent communication within the same VLAN. So you can see the difference.

If supporting QinQ is the requirement, you can just add "switchport mode dot1qtunnel" to the customer-facing port. A few best practice rules you need to follow when deploying QinQ:

1. Change the system MTU to 1504 to support the additional 4-byte header.

2. Enable dot1q tag native.

3. Don't use VLAN 1 as the native VLAN ID, and do not pass any data traffic via the native VLAN.

A configuration example of QinQ on the 3560 can be found at

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_46_se/configuration/guide/swtunnel.html#wp1001998

HTH,

Lei Tian
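The three rules above as a 3560 configuration fragment, added here as an example (not the linked Cisco guide's text and not the poster's config); the VLAN numbers, port roles and the unused native VLAN 999 are assumptions, and the IOS keyword is spelled dot1q-tunnel:

```ios
! Catalyst 3560: 802.1Q tunnel (QinQ) port for one customer
!
! 1. Room for the second 4-byte 802.1Q header. On this platform the new
!    system MTU only takes effect after a reload.
system mtu 1504
!
! 2. Tag the native VLAN on trunks, so untagged frames are never confused
!    with native-VLAN traffic in either direction.
vlan dot1q tag native
!
! 3. Keep VLAN 1 out of the picture: a dedicated native VLAN that carries
!    no data, plus one outer VLAN per customer (VLAN 2 here, assumed).
vlan 999
 name unused-native
vlan 2
 name customer-a-outer
!
! Customer-facing tunnel port: every frame arriving here, tagged or not,
! leaves the uplink with outer tag 2. The customer configures nothing.
interface FastEthernet0/2
 description Customer A (QinQ)
 switchport access vlan 2
 switchport mode dot1q-tunnel
 no cdp enable
!
! Uplink carrying the double-tagged frames
interface GigabitEthernet0/1
 description Uplink (double-tagged)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2
 switchport mode trunk
!
! Verification
! show dot1q-tunnel            -> lists FastEthernet0/2
! show vlan dot1q tag native   -> confirms native-VLAN tagging is on
! show system mtu              -> 1504 after the reload
```

A tunnel port isolates customers by outer VLAN only at the switch doing the tunneling; protected ports and QinQ address different layers of the same problem, which is the difference the reply above describes.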
