Need some assistance with some basic VLAN/Routing config Cisco 1941.

cdcremin
Level 1

Hi all, I'm setting up a CISCO LAB to keep me busy in my retirement. My current network consists of a TP-Link Deco mesh network which works well for my IoT, PCs and internet access. I just got hold of a Cisco 1941 router with an EHWIC D8SGP module. My plan was to put my lab behind the 1941 with a gateway to the internet via the Deco main unit and have 3 VLANs and routing configured to allow inter-VLAN routing and internet access.

From the console I can resolve hostnames and ping servers on the internet.  But can't ping any of the VLAN interfaces.

The gigabitethernet0/0 interface gets allocated a reserved IP address from the Deco (192.168.68.99 255.255.252.0)

I don't get any DHCP leases except from the 10.0.1.0 network (native VLAN1).

I'm pulling my hair out as 20 years ago I used to configure this **bleep** as a job.  Getting old and the memory is not so great these days.  One of the reasons I am setting up the lab to keep my mind active.

Any help would be appreciated. I've attached a copy of my current config and a file with show IP routes, version and vlans. Let me know if any further info is needed. Hopefully it's a simple fix I just can't see.

Colin

 


chrihussey
VIP Alumni

Hello, 

Might have missed something but a few things to add:

  1. Add “ip nat outside” to the G0/0 interface
  2. Change the default route to “ip route 0.0.0.0 0.0.0.0 dhcp”
  3. Create a simple ACL for the networks to be natted: "ip access-list 1 permit 10.0.0.0 255.255.0.0"
  4. Add the global NAT statement “ip nat inside source list 1 interface g0/0 overload”

Congrats on your retirement. Got a couple/three years to go myself.

Hello, 

I somewhere seem to recall that with the Ethernet module, you have to create Vlan interfaces. Can you give that a try (e.g. interface Vlan 10)?

So the switch module is treated like a remote switch and the trunking between router and switch is handled internally not via a trunked port?

RAdamWilliams
Level 1

I think Georg has identified your problem. If you're using sub-interfaces then that interface needs to be connected to a switch. If you're configuring the switchports from the router then all of your IP interfaces should be on VLAN interfaces.

cdcremin
Level 1

Ok so I erased the startup-config and started again.  I now have DHCP issuing addresses based on vlan membership.  PC can ping gi0/0 (192.168.68.99 Issued by the TP-Link main Deco), but not the Deco main router (192.168.68.1).   PC can ping vlan 10 gateway 10.0.10.1. So PC can't access anything past 192.168.68.99

Via console I can ping 192.168.68.1, the Deco gateway, and resolve and ping internet devices. I can only ping VLAN gateways when a client (e.g. a PC) is connected to an interface tagged with that VLAN ID.

show ip routes

 

Gateway of last resort is 192.168.68.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 192.168.68.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.1.0/24 is directly connected, GigabitEthernet0/1
L 10.0.1.1/32 is directly connected, GigabitEthernet0/1
C 192.168.68.0/22 is directly connected, GigabitEthernet0/0
192.168.68.0/32 is subnetted, 1 subnets
L 192.168.68.99 is directly connected, GigabitEthernet0/0

show running-config

Current configuration : 2558 bytes
!
! Last configuration change at 16:34:39 UTC Sun Apr 14 2024
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
ip dhcp pool VLAN 10
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 192.168.68.99
!
ip dhcp pool VLAN20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 192.168.68.99
!
ip dhcp pool VLAN30
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
dns-server 192.168.68.99
!
!
!
ip name-server 203.12.160.35
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
!
!
license udi pid CISCO1941/K9 sn FGL192720D2
!
!
!
redundancy
!
!
!
!
!
controller Cellular 0/0
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.0.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
switchport access vlan 10
no ip address
!
interface GigabitEthernet0/1/1
switchport access vlan 20
no ip address
!
interface GigabitEthernet0/1/2
switchport access vlan 30
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
no ip address
!
interface Cellular0/0/0
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
ipv6 address autoconfig
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 10.0.30.1 255.255.255.0
!
ip default-gateway 192.168.68.99
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer lte
no exec
line 0/0/1
no exec
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

It looks like you still need an outside NAT interface and an associated access list. If you are just trying to test connectivity before getting that far remember that even though you have a route to get to 192.168.68.1 it doesn't have a route for return traffic. 

Hi, thanks. I have added a return route on the TP-Link Deco LAN interface (10.0.0.0 255.255.0.0 192.168.68.99) and that allowed PCs on the VLANs (i.e. the 10.0.10.0 network) to ping the Deco gateway (192.168.68.1), but I am still not able to reach beyond that. I did implement the NAT settings that you suggested but had no success getting past the 192.168.68.99 (G0/0) interface.

The Deco units are very restrictive and don't allow you to view what's going on or allow any advanced configurations, so I'm thinking I might configure the 1941 as the main gateway and configure it to connect to the ISP using PPPoE on G0/0. Create a dedicated VLAN for the Deco units and configure a trunk to a Cisco 3850 switch I have in my lab. That way the rest of my clients can continue to use the Deco mesh network and I will have better control over the entry point. Your thoughts?

By the way thank you for your support.  It's been a while since I played with this stuff and the brain is a bit slower these days, but things are starting to come back.

 

chrihussey
VIP Alumni

Hello, 

Could you post your current config and just curious as to how you are testing connectivity to the Internet. Are you relying on DNS which may not be working?  Perhaps if you trace route to a web site's IP instead of the name that would indicate all is working and it's a DNS issue. 

Hi Chris,

Please find below current router startup-config, Info from PC 1 on vlan 10 for ping, ifconfig /all, arp -a results and router output. Router>sh ip route,  show arp and show ip nat translations verbose.  Thanks Colin

chrihussey
VIP Alumni

There are plenty of open questions still, but here are some observations:

  1. The “ip nat outside source static 192.168.68.1 14.203.48.101” won’t do anything. The statement is saying to only translate the IP 192.168.68.1 to 14.203.48.101 and the DECO gateway won’t know what to do with packets sourced with its own outside address. Suggest trying edited versions of the NAT config in my first response with the proper changes for your current configuration.
  2. The G0/0.1 interface has “ip nat outside” and you also have a VLAN 1 interface with “ip nat inside”. Possible conflict there. Remove the NAT from the VLAN interface.
  3. Still think the default route should be “ip route 0.0.0.0 0.0.0.0 dhcp”.

Finally, taking things in a different direction, is the DECO gateway already doing NAT? Perhaps you just need to get the routing correct and allow it to NAT for your networks.

Hi Chris,

Mate, thanks for your support. I have implemented your suggested changes and they are not helping at this stage. As I said to RAdamWilliams, I will have a go at moving the Deco further back in the network and connect the 1941 directly to the NBN interface. Unless you've got any more ideas.

Just to make sure, NBN is the Internet provider which connects to the DECO which provides the rest of your home wired and wifi Internet access. From the last config you sent it looked like the 1941’s connectivity to the DECO and lab VLANs was all through the G0/0 interface via a trunk configuration. If that’s the case I would not suggest connecting the lab to NBN and have the DECO behind that. The DECO provides the NAT and more importantly firewall features.

 

My only suggestion would be to break it down to a simpler configuration and get it to work without the NAT:

  1. Connect the 1941 to the DECO using a dedicated interface, I assume the G0/0 would work?
  2. Give the G0/0 interface a static IP in the DECO’s network, so you will always know what it is and eliminate the DHCP variable.
  3. Configure the DECO to route to the 1941’s IP for the 10.x.x.x networks
  4. Configure the default route on the 1941 to route to the DECO IP  which I assume is 192.168.68.1.
  5. Configure the connectivity to the 10.x.x.x networks using the VLAN interfaces and EHWIC ports. (Never used this but assume that’s how it works)
  6. Remove all NAT configuration on the 1941.
  7. Eliminate any unnecessary residual configs so as not to confuse things.
  8. Verify connectivity between 10.x.x.x hosts and 192.168.68.x devices as well as the 14.203.48.101 on the DECO.

What this accomplishes is packet flow is in one interface and out another in the 1941 instead of multiple sub-interfaces and having to process packets in and out of the same interface.

  1. As the DECO performs the NAT functionality for the 192.168.68.x network, will it automatically do the same for the 10.x.x.x because it knows how to route to them or does that have to be allowed in the DECO?  
  2. If the DECO can do the NAT, then you’re off to the races.
  3. If it can’t do it for the 10.x.x.x for whatever reason we can then muddle our way through NATing on the 1941.

Simple is best. Again, just my thought.

RAdamWilliams
Level 1

I think what you actually want for the NAT configuration is 

ip access-list standard 1

permit 10.0.0.0 0.0.255.255

ip nat inside source list 1 int g0/1.10 overload

also remove 

ip nat outside source static 192.168.68.1 14.203.48.101
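
An added example, not written by any poster in this thread: the NAT access lists quoted in the replies use two different masks for 10.0.0.0 (255.255.0.0 and 0.0.255.255). IOS ACL entries take a wildcard mask, where set bits are ignored, so this Python sketch evaluates both forms against constructed sample hosts on the thread's subnets; the function names and host addresses are assumptions made for illustration.

```python
import ipaddress

FULL = 0xFFFFFFFF

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def acl_matches(src: str, base: str, wildcard: str) -> bool:
    """IOS ACL match: bits set in the wildcard are ignored; every
    other bit of the source must equal the same bit of the base."""
    care = ~_to_int(wildcard) & FULL
    return (_to_int(src) & care) == (_to_int(base) & care)

def wildcard_for(network: str) -> str:
    """Wildcard (inverted netmask) that covers a whole network."""
    return str(ipaddress.IPv4Network(network).hostmask)

def looks_like_netmask(mask: str) -> bool:
    """True when the mask has contiguous leading one-bits, i.e. it is
    probably a subnet mask typed where a wildcard was expected."""
    m = _to_int(mask)
    if m in (0, FULL):            # valid as either form, not suspicious
        return False
    inverted = ~m & FULL
    return (inverted & (inverted + 1)) == 0

def nat_selected(hosts, base, wildcard):
    """Hosts from the list that the ACL entry would select for NAT."""
    return [h for h in hosts if acl_matches(h, base, wildcard)]

# Constructed sample sources: one per lab subnet in the thread, one host on
# the Deco LAN, and one unrelated address to show what a swapped mask matches.
HOSTS = ["10.0.1.20", "10.0.10.20", "10.0.20.20", "10.0.30.20",
         "192.168.68.50", "172.16.0.0"]

if __name__ == "__main__":
    for wc in ("0.0.255.255", "255.255.0.0"):
        print(f"permit 10.0.0.0 {wc}")
        print("  netmask-shaped:", looks_like_netmask(wc))
        print("  selected:", nat_selected(HOSTS, "10.0.0.0", wc))
```

With the netmask-shaped value no lab host is selected for translation, so inside traffic leaves G0/0 untranslated; on the router, `show ip nat translations` staying empty while clients ping out is the matching symptom.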

Hey mate, thanks for your support. I have implemented your suggested changes and they are not helping at this stage. I will have a go at removing the Deco further back in the network and connect the 1941 directly to the NBN interface. Unless you've got any more ideas.

 
