2 Replies Latest reply on Dec 5, 2014 1:47 PM by hcutechsupport

    Cannot get VLAN 1 to communicate over eth 0/1

    hcutechsupport New Member

      I have added a new router at an existing location and have not been able to get it working as of yet. We added the router due to switching from a T1 connection to a Metro-E connection. This location is on the 172.16.4.0 network and I have configured VLAN 1 on this network. Eth 0/1 is on the 10.10.10.0 network because our existing Metro-E network is configured for that network. From VLAN 1 I can communicate to the eth 0/1 interface but not any device after it. From the eth 0/1 I can communicate to any device on the network but devices on the 172.16.4.0 network. Below is my configuration. Ask me any questions that may help.

       

      interface eth 0/1
        description Metro-E
        ip address 10.10.10.4 255.255.255.0
        ip flow ingress
        ip flow egress
        no shutdown
      !
      !
      interface vlan 1
        description LAN Uplink to Core Switch
        ip address 172.16.4.1 255.255.255.0
        ip flow ingress
        ip flow egress
        no shutdown
      !
      ip route 0.0.0.0 0.0.0.0 10.10.10.1

        • Re: Cannot get VLAN 1 to communicate over eth 0/1
          ss_daveh New Member

          hcutechsupport:

           

          Your interfaces have no access-policies on them. You would need to have an access list and policy class which allows the 172.16.4.0 network to be NAT'ed out of the 10.10.10.1 gateway, and have the corresponding access policies applied to the interfaces. Try something like this.

          ip access-list standard NAT-ICS
            permit any
          !
          ip access-list extended DEVICE
            permit ip any any log
          !
          ip access-list extended MANAGE
            permit <IP's you need to access device from outside>
          !
          ip policy-class Private
            allow list DEVICE self
            nat source list NAT-ICS interface eth 0/1 overload
          !
          ip policy-class Public
            allow list MANAGE self

          And then add the access policies to your interfaces:

          interface eth 0/1
            description Metro-E
            ip address 10.10.10.4 255.255.255.0
            ip access-policy Public
            ip flow ingress
            ip flow egress
            no shutdown
          !
          !
          interface vlan 1
            description LAN Uplink to Core Switch
            ip address 172.16.4.1 255.255.255.0
            ip access-policy Private
            ip flow ingress
            ip flow egress
            no shutdown

            • Re: Cannot get VLAN 1 to communicate over eth 0/1
              hcutechsupport New Member

              I tried that but it did not seem to help, as I am still unable to ping out from 172.16.4.0.

              !
              interface eth 0/1
                description Metro E
                ip address 10.10.10.4 255.255.255.0
                ip access-policy Public
                ip flow ingress
                ip flow egress
                no shutdown
              !
              interface vlan 1
                description LAN Uplink to Core Switch
                ip address 172.16.4.1 255.255.255.0
                ip access-policy Private
                ip flow ingress
                ip flow egress
                no shutdown
              !
              ip access-list standard NAT-ICS
                remark NAT list NAT-ICS
                permit any
              !
              !
              ip access-list extended DEVICE
                permit ip any any log
              !
              ip access-list extended MANAGE
                permit ip 172.16.0.0 0.0.255.255 any
              !
              ip policy-class Private
                allow list VPN-10-vpn-selectors stateless
                allow list DEVICE self
                nat source list NAT-ICS interface eth 0/1 overload policy Public
              !
              ip policy-class Public
                allow reverse list VPN-10-vpn-selectors stateless
                allow list MANAGE self
              !
              ip route 0.0.0.0 0.0.0.0 10.10.10.1
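
Added example, not part of any post in this thread and not vendor code: a small Python check that cross-references a configuration excerpt written in the syntax shown above, listing interfaces with no `ip access-policy`, policy-class entries that name a list not defined in the excerpt, and access-list entries that match all traffic. The function name `audit`, the result keys and the embedded sample are assumptions made for illustration; a list reported as undefined may simply live in a part of the configuration that was not pasted.

```python
import re

# Constructed sample: trimmed from the configuration in the last post of this thread.
SAMPLE = """\
interface eth 0/1
  ip access-policy Public
interface vlan 1
  ip access-policy Private
ip access-list standard NAT-ICS
  permit any
ip access-list extended DEVICE
  permit ip any any log
ip access-list extended MANAGE
  permit ip 172.16.0.0 0.0.255.255 any
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list DEVICE self
  nat source list NAT-ICS interface eth 0/1 overload policy Public
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow list MANAGE self
"""

def audit(config):
    """Cross-check a config excerpt (hypothetical helper); syntactic findings only."""
    ifaces, acls, classes, section = {}, {}, {}, None
    stores = {"interface": ifaces, "ip access-list": acls, "ip policy-class": classes}
    for raw in config.splitlines():
        line = " ".join(raw.split())          # normalise runs of spaces
        if not line or line == "!":
            continue
        if raw[0].isspace():                  # indented: body of the current section
            if section is not None:
                section.append(line)
            continue
        m = re.match(r"(interface|ip access-list|ip policy-class) (?:(?:standard|extended) )?(.+)", line)
        section = stores[m.group(1)].setdefault(m.group(2), []) if m else None
    return {
        # interfaces with no "ip access-policy" line
        "unbound": [i for i, b in ifaces.items() if not any(l.startswith("ip access-policy ") for l in b)],
        # (policy-class, list) pairs whose list is not defined in this excerpt
        "undefined_lists": sorted({(c, m.group(1)) for c, b in classes.items() for l in b
                                   for m in [re.search(r"\blist (\S+)", l)] if m and m.group(1) not in acls}),
        # access-list entries that match every packet
        "permit_any": [(a, l) for a, b in acls.items() for l in b
                       if re.fullmatch(r"permit (ip )?any( any)?( log)?", l)],
    }
```

Run against the configuration in the first post, the same function reports both `eth 0/1` and `vlan 1` as having no access policy bound.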