Router 4331 and SW SG300 - Multiple vlans with trunk mode do not work

Mina Tawfik
Level 1

Hi,

I have the following setup:

Router 4331:

G0/0/0 - internet connection

G0/0/1 - Internal network.

     g0/0/1.10 - vlan 10.

ZBF is configured to internal zone (internal network), external zone (internet connection).


SW SG300

Gi1 - mode access - vlan10

Gi3 - mode access - vlan 30

Gi4 - mode access - vlan 40

Gi5 - mode access - vlan 50

Gi26 - mode trunk - vlan all


Computer connected to SW gi1; the network card on the laptop is configured for DHCP.


The initial setup is that I configured the router with only vlan10 and a site-to-site VPN tunnel.

Everything is working fine. Computer is getting an IP from vlan10. Connected to the internet and vpn tunnel without any issues.


When I created on the router:

g0/0/1.30 and g0/0/1.40 and g0/0/1.50 for vlan 30,40,50

The computer does not get an IP when connected to SW gi1, gi3, gi4 or gi5.

Nothing works.

The setup I want is:

Create multiple vlans on the router: 10, 30, 40, 50.

Trunk mode for the connection between the router and SW.

On the SW:

                vlan10 goes to gi1

                vlan30 goes to gi3

                vlan40 goes to gi4

                vlan50 goes to gi5

                all vlans go to gi26

I cannot get it to work, and I could not find out why.


----------------------------------------------------------------

Here is the router config file, working with only vlan10 created:

service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ci_secondary
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 -----
!
no aaa new-model

!

crypto key generate rsa general-keys modulus 2048
ip name-server ----- ----- -----

ip domain name ci.local
!
ip dhcp pool vlan10
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server -----
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
vpdn-group pppoe
!
!
!
!
!
!
spanning-tree extend system-id
!
username mina privilege 15 password 0 -----
username dominic privilege 0 secret 5 -----
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any priv-internet-class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ssh
class-map type inspect match-any DHCP-ALLOW
match protocol udp
match access-group name ALLOW-DHCP
!
policy-map type inspect priv-internet-policy
class type inspect priv-internet-class
inspect
class type inspect DHCP-ALLOW
pass
class class-default
drop
!
zone security private
zone security internet
zone-pair security priv-internet-zone source private destination internet
service-policy type inspect priv-internet-policy
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ----- address -----
crypto isakmp keepalive 180 periodic
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 70 ipsec-isakmp
set peer -----
set transform-set TS
match address DOM-VPN-TRAFFIC

crypto map CMAP 71 ipsec-isakmp
set peer -----
set transform-set TS
match address VPN-VDC
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Internet SecondaryWAN
ip address ----- -----
ip nat outside
zone-member security internet
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map CMAP
no shutdown
!
interface GigabitEthernet0/0/1
description SecondaryLAN
no ip address
ip nat inside
zone-member security private
negotiation auto
no shutdown
!
interface GigabitEthernet0/0/1.10
description vlan10
encapsulation dot1Q 10
ip address 10.10.20.1 255.255.255.0
ip nat inside
zone-member security private
no shutdown
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source route-map NONAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 103.245.219.176
ip ssh version 2
!
!
ip access-list extended ALLOW-DHCP
permit udp any any eq bootps
permit udp any any eq bootpc
ip access-list extended DOM-VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.71.0 0.0.0.255
ip access-list extended VPN-VDC
permit ip 10.10.20.0 0.0.0.255 192.168.27.0 0.0.0.255
!
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SWITCHVOX permit 10
match ip address 110
!
route-map NONAT deny 10
match ip address DOM-VPN-TRAFFIC VPN-VDC
!
route-map NONAT permit 20
match ip address 1
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 60 0
login local
transport input ssh
line vty 5 15
access-class 1 in
login local
!
!
end

----------------------------------------------------------------

Here is the SW config file:

vlan database

int vlan 10
name Internal-Staff-Network

int vlan 30
name Guest

int vlan 40
name R&D

int vlan 50
name Video-Conference

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname CI-HQ-ALS1
line ssh
exec-timeout 0
exit
username cisco password ----- privilege 15
!
interface gigabitethernet1
switchport mode access
switchport access vlan 10
!
interface gigabitethernet2
shutdown
switchport mode access
!
interface gigabitethernet3
switchport mode access
switchport access vlan 30
!
interface gigabitethernet4
switchport mode access
switchport access vlan 40
!
interface gigabitethernet5
switchport mode access
switchport access vlan 50
!
interface gigabitethernet6
shutdown
switchport mode access
!
interface gigabitethernet7
shutdown
switchport mode access
!
interface gigabitethernet8
shutdown
switchport mode access
!
interface gigabitethernet9
shutdown
switchport mode access
!
interface gigabitethernet10
shutdown
switchport mode access
!
interface gigabitethernet11
shutdown
switchport mode access
!
interface gigabitethernet12
shutdown
switchport mode access
!
interface gigabitethernet13
shutdown
switchport mode access
!
interface gigabitethernet14
shutdown
switchport mode access
!
interface gigabitethernet15
shutdown
switchport mode access
!
interface gigabitethernet16
shutdown
switchport mode access
!
interface gigabitethernet17
shutdown
switchport mode access
!
interface gigabitethernet18
shutdown
switchport mode access
!
interface gigabitethernet19
shutdown
switchport mode access
!
interface gigabitethernet20
shutdown
switchport mode access
!
interface gigabitethernet21
shutdown
switchport mode access
!
interface gigabitethernet22
shutdown
switchport mode access
!
interface gigabitethernet23
shutdown
switchport mode access
!
interface gigabitethernet24
switchport mode access
shutdown
!
interface gigabitethernet25
switchport mode access
shutdown
!
interface gigabitethernet26
switchport trunk allowed vlan add all
!
exit

----------------------------------------------------------------


This is the working setup. No issues with that.


----------------------------------------------------------------

Now, when I change the router config file to the following:

service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ci_secondary
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!

crypto key generate rsa general-keys modulus 2048
ip name-server ----- ----- -----

ip domain name ci.local
!
ip dhcp pool vlan10
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server -----
!
ip dhcp pool vlan30
network 10.10.30.0 255.255.255.0
default-router 10.10.30.1
dns-server -----
!
ip dhcp pool vlan40
network 10.10.40.0 255.255.255.0
default-router 10.10.40.1
dns-server -----
!
ip dhcp pool vlan50
network 10.10.50.0 255.255.255.0
default-router 10.10.50.1
dns-server -----
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
vpdn-group pppoe
!
!
!
!
!
!
spanning-tree extend system-id
!
username mina privilege 15 password 0 -----
username dominic privilege 0 secret 5 -----
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any priv-internet-class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ssh
class-map type inspect match-any DHCP-ALLOW
match protocol udp
match access-group name ALLOW-DHCP
!
policy-map type inspect priv-internet-policy
class type inspect priv-internet-class
inspect
class type inspect DHCP-ALLOW
pass
class class-default
drop
!
zone security private
zone security internet
zone-pair security priv-internet-zone source private destination internet
service-policy type inspect priv-internet-policy
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ----- address -----
crypto isakmp keepalive 180 periodic
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 70 ipsec-isakmp
set peer -----
set transform-set TS
match address DOM-VPN-TRAFFIC
crypto map CMAP 71 ipsec-isakmp
set peer -----
set transform-set TS
match address VPN-VDC
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Internet SecondaryWAN
ip address ----- -----
ip nat outside
zone-member security internet
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
crypto map CMAP
no shutdown
!
interface GigabitEthernet0/0/1
description vlan10 internal network
no ip address
ip nat inside
zone-member security private
negotiation auto
no shutdown
!
interface GigabitEthernet0/0/1.10
description vlan10
encapsulation dot1Q 10
ip address 10.10.20.1 255.255.255.0
ip nat inside
zone-member security private
no shutdown
!
!
interface GigabitEthernet0/0/1.30
description Guest Network
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip nat inside
zone-member security private
no shutdown
!
interface GigabitEthernet0/0/1.40
description R&D Network
encapsulation dot1Q 40
ip address 10.10.40.1 255.255.255.0
ip nat inside
zone-member security private
no shutdown
!
interface GigabitEthernet0/0/1.50
description Video Conference Network
encapsulation dot1Q 50
ip address 10.10.50.1 255.255.255.0
ip nat inside
zone-member security private
no shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source route-map NONAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 103.245.219.176
ip ssh version 2
!
!
ip access-list extended ALLOW-DHCP
permit udp any any eq bootps
permit udp any any eq bootpc
ip access-list extended DOM-VPN-TRAFFIC
permit ip 10.10.20.0 0.0.0.255 192.168.70.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 192.168.71.0 0.0.0.255
ip access-list extended VPN-VDC
permit ip 10.10.20.0 0.0.0.255 192.168.27.0 0.0.0.255
!
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SWITCHVOX permit 10
match ip address 110
!
route-map NONAT deny 10
match ip address DOM-VPN-TRAFFIC VPN-VDC
!
route-map NONAT permit 20
match ip address 1
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 60 0
login local
transport input ssh
line vty 5 15
access-class 1 in
login local
!
!
end

----------------------------------------------------------------

Nothing works at all.

Can anyone help with the issue as I cannot find a reason?
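As an added example (editor's code, not part of the post and not a Cisco tool): a small Python check that parses a pasted IOS config in the shape of the second one above and, for every dot1Q subinterface with an address, reports whether a DHCP pool, NAT source ACL coverage and membership in zone private exist for it. It assumes access-list 1 is the NAT source list, as it is in the posted route-map NONAT, and runs over a constructed excerpt.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt shaped like the second (multi-VLAN) router config in the post.
ROUTER_CFG = """
access-list 1 permit 10.10.20.0 0.0.0.255
ip dhcp pool vlan10
network 10.10.20.0 255.255.255.0
ip dhcp pool vlan40
network 10.10.40.0 255.255.255.0
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 10.10.20.1 255.255.255.0
zone-member security private
interface GigabitEthernet0/0/1.40
encapsulation dot1Q 40
ip address 10.10.40.1 255.255.255.0
"""

def parse_blocks(cfg):
    """Group lines under the last interface/DHCP-pool header (pasted configs lose indentation)."""
    blocks, key = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith(("interface ", "ip dhcp pool ")):
            key, blocks[line] = line, []
        elif key and line not in ("", "!"):
            blocks[key].append(line)
    return blocks

def audit(cfg):
    """Return {vlan: [findings]} for every dot1Q subinterface that has an IP address."""
    blocks = parse_blocks(cfg)
    pools = {IPv4Network(f"{m[1]}/{m[2]}", strict=False) for h, b in blocks.items()
             if h.startswith("ip dhcp pool ") for m in map(re.compile(r"network (\S+) (\S+)").match, b) if m}
    # access-list 1 feeds route-map NONAT in the posted config. IPv4Network accepts the ACL
    # wildcard as a hostmask (0.0.0.255 == /24); the ambiguous 0.0.0.0 / 255.255.255.255 would be misread.
    nat = [IPv4Network(f"{m[1]}/{m[2]}", strict=False)
           for m in re.finditer(r"^access-list 1 permit (\S+) (\S+)$", cfg, re.M)]
    findings = {}
    for hdr, body in blocks.items():
        text = "\n".join(body)
        vlan = re.search(r"encapsulation dot1Q (\d+)", text)
        ip = re.search(r"ip address (\S+) (\S+)", text)
        if hdr.startswith("interface ") and vlan and ip:
            net = IPv4Network(f"{ip[1]}/{ip[2]}", strict=False)
            checks = [(net in pools, f"no DHCP pool for {net}"),
                      (any(net.subnet_of(n) for n in nat), "not covered by NAT access-list 1"),
                      ("zone-member security private" in body, "not a member of zone private")]
            findings[int(vlan[1])] = [msg for ok, msg in checks if not ok]
    return findings
```

Run over the full second config from the post, the check flags VLANs 30, 40 and 50 as not covered by access-list 1, which only permits 10.10.20.0/24; the DHCP-pool and zone checks pass for all four subinterfaces there.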
