Please help! Using a Catalyst 3560-CX with a home modem/router

Soldato
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Hi guys,

Hoping someone can help - I'm in IT but far removed from my networking days.

I currently have a standard home setup with a wireless modem/router (Asus RT-AC52U) which does my wireless and wired connectivity for my home.

The internet connection is a point-to-point line of sight Wimax-esque connection. I believe it uses double NAT. This will be changing in the coming months to a FTTH connection.

I have a Cisco 3560-CX IP-base that I would like to use for a number of reasons including:
  • integrated PoE
  • general lab environment for my learning
  • VLAN demarcation using ACLs (not configured yet)
I'm trying to set this up to work with my home modem/router but am falling short.

Here's what I've done so far:
  1. Enabled IP routing on the 3560-CX
  2. Created multiple VLANs with their own /24 subnets (10.10.10.x/10.10.20.x etc.)
  3. Created SVIs for the VLANs
  4. Created DHCP pools where necessary for the VLANs and confirmed working
  5. Set gateway of last resort on the 3560-CX to the Asus modem/router (192.168.1.1)
  6. Configured port 14 as a routed uplink port to the Asus modem/router (no switchport, set IP address 192.168.1.239 on the Asus subnet 192.168.1.x/24)
  7. Static routes have been set up on the Asus modem/router
PCs connected to the different VLANs can see each other (ping), and can obviously ping the respective VLAN gateways, but any attempt to ping onto the 192.168.1.x/24 modem/router subnet times out. Traceroutes stop at the gateway of the respective subnet that the PC resides on. If pinging from the 3560-CX itself in the CLI I can ping both the port 14 IP address and the Asus modem/router.

It's probably something stupid but I'm trying to ascertain the following:
  1. Why can't I ping / connect to the 192.168.1.x subnet from any of my created VLANs?
  2. Do I need to do additional configuration on the Asus modem/router? Does it need to be in bridged mode?
  3. Looking for general connectivity first but all VLANs will need internet connectivity - haven't looked at NAT yet.
Obligatory network diagram:

[image: network diagram]

Thanks in advance!
 
Man of Honour
Joined
20 Sep 2006
Posts
33,887
I'm pretty ill at the moment so brain isn't working right, but have you told the ASUS router how to get traffic onto those VLANs at all? If it doesn't know it'll drop the traffic. Edit: just read you have.

Are you using proper L3 switching or are you going to route on a stick?
 
Associate
Joined
20 Jan 2013
Posts
140
The router doesn't know anything about your 10.10.x.x networks. You need to add a route(s) for those networks and point it to your switch.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,887
The router doesn't know anything about your 10.10.x.x networks. You need to add a route(s) for those networks and point it to your switch.
He's set static routes on the router.

If L3 routing isn't functioning or set up right then the link between the ASUS and the switch would need to be a trunk.
 
Caporegime
Joined
18 Oct 2002
Posts
26,053
Are you sure the static route configuration has been applied to the Asus router, because it doesn't sound like it's working. What happens if you connect a PC in the 192.168.1.0/24 subnet and try and ping one of the subnets configured on your switch? Do you see the traffic arriving on Gi0/14?

Even if you just chuck a laptop onto that port and tell it to use 192.168.1.239 as the gateway, can you then ping into your LAN?
 
Associate
Joined
20 Jan 2013
Posts
140
Yep. I missed that. Screenshot of Asus config showing route and output of show IP route from switch would be helpful
 
Soldato
OP
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Thanks for your help guys - I don't have access from here but will try your suggestions tonight and/or get the information you've requested.

What happens if you connect a PC in the 192.168.1.0/24 subnet and try and ping one of the subnets configured on your switch? Do you see the traffic arriving on Gi0/14?

When you say "Do I see it arriving?" How would I check this please?

Even if you just chuck a laptop onto that port and tell it to use 192.168.1.239 as the gateway, can you then ping into your LAN?

So disconnect the Asus from Port 0/14, connect 0/14 to a laptop, give it an IP in the 192.168.1.x range with .239 as the gateway and ping a host in a 10.10.x.x subnet?

Sorry if these are silly questions - just want to be 100% sure before I do this tonight.

Thanks again.
 
Soldato
OP
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Hi guys,

Sorry - had a busy couple of days.

So I've made some progress even though I don't recall making any changes...

So to answer questions:

Yep. I missed that. Screenshot of Asus config showing route and output of show IP route from switch would be helpful

[screenshot: Asus static route configuration]

[screenshot: show ip route output from the 3560-CX]

Ignore the 10.100.40.x entries, they are from connected Wireless Access Points with an old IP configuration that I've yet to change.

Are you sure the static route configuration has been applied to the Asus router, because it doesn't sound like it's working. What happens if you connect a PC in the 192.168.1.0/24 subnet and try and ping one of the subnets configured on your switch? Do you see the traffic arriving on Gi0/14?

Ok, so my main PC is on the existing home network (192.168.1.179) and can now ping a laptop (10.10.30.2) I put in VLAN 30:

[screenshot: ping from 192.168.1.179 to 10.10.30.2]

Even if you just chuck a laptop onto that port and tell it to use 192.168.1.239 as the gateway, can you then ping into your LAN?

I'm assuming this isn't relevant due to the above but can absolutely do this if necessary.

Can you ping 192.168.1.239 from any of the PCs?

I can ping 192.168.1.239 from the laptop mentioned above (10.10.30.2)


So basically, I'm pretty sure I have connectivity between the VLANs and the home/legacy subnet (192.168.1.x/24) - HOWEVER:

  1. Whereas I can ping other devices on the 192.168.1.x/24 subnet, I can't ping the default gateway/Asus home modem/router (192.168.1.1) from any hosts on the 10.10.x.x VLANs. It times out.
  2. I can't access the internet from any hosts on the 10.10.x.x VLANs.

Can you guys please advise on the above two points?

Thanks so much for the advice so far.
 

Soldato
Joined
11 Apr 2004
Posts
19,807
On the Asus, should the gateway for all the 10.x.x.x subnets not be the next hop router, i.e. 192.168.1.239?

You're basically telling the Asus that to get to 10.10.10.0/24, forward the traffic to the interface on the Cisco switch in the same subnet. The switch knows about the other VLANs and will route the traffic.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,887
On the Asus, should the gateway for all the 10.x.x.x subnets not be the next hop router, i.e. 192.168.1.239?

Correct, the ASUS has no knowledge of the VLANs as it isn't a trunk, so the traffic needs to go to the switch interface on the same subnet that the ASUS is on.
 
Soldato
OP
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Hi guys,

Just to say that altering the GW on the static routes did the trick - internet access all working. Thanks for all the help.

Will probably post back in a few weeks once I start tinkering with ACLs to restrict access between the VLANs, but I'm focusing on getting my wireless mesh network up and running for now.

Thanks again!
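Putting the thread's working setup together as an added example (not the OP's actual config): the 3560-CX side in IOS syntax, with the Asus return routes pointing at the switch's routed port as advised above. VLAN numbers, names and the DNS setting are assumptions; the addresses are the thread's.

```cisco
! Added example, not the OP's config: VLAN numbers, names and the
! dns-server setting are assumptions; addresses follow the thread.
ip routing
!
vlan 10
 name USERS
vlan 30
 name LAB
!
! One SVI per VLAN acts as that subnet's gateway
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!
! DHCP for VLAN 30 (the laptop at 10.10.30.2 in the thread)
ip dhcp excluded-address 10.10.30.1
ip dhcp pool VLAN30
 network 10.10.30.0 255.255.255.0
 default-router 10.10.30.1
 dns-server 192.168.1.1
!
! Port 14 as a routed (no switchport) uplink on the Asus subnet
interface GigabitEthernet0/14
 no switchport
 ip address 192.168.1.239 255.255.255.0
!
! Gateway of last resort: anything not in 10.10.x.x goes to the Asus
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Asus side (static routes): the return routes must use the switch's
! routed-port address as the gateway, not the Asus's own 192.168.1.1,
! which is what broke internet access in the thread:
!   10.10.10.0 / 255.255.255.0 -> gateway 192.168.1.239 (interface LAN)
!   10.10.30.0 / 255.255.255.0 -> gateway 192.168.1.239 (interface LAN)
!
! Checks from the switch CLI after applying:
!   show ip interface brief   (Vlan10, Vlan30 and Gi0/14 should be up/up)
!   show ip route             (S* 0.0.0.0/0 via 192.168.1.1, C 10.10.x.0/24)
!   ping 192.168.1.1 source 10.10.30.1   (exercises the Asus return route)
```

The sourced ping is the quickest test of the Asus route: a plain ping from the switch leaves via 192.168.1.239 and succeeds even when the return routes are wrong.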
 
Soldato
OP
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Hi guys,

Apologies for the necro.

I'm having to change this setup due to getting FTTH at home (from an 8Mb Wimax - godsend as we live in the middle of nowhere). The architecture is largely the same however, the modem/router (Vodafone Gigabox) does not allow me to configure routes on it, which I assume will break internet connectivity.
  • Can you advise if there's any way I can retain the current functionality of the multiple VLANs on the 3560-CX?
  • Could I set the Gigabox to bridged mode? If so, what changes would I need to make? I don't need the Gigabox for anything other than for managing the WAN connection - no VPN, no VOIP functionality, no DHCP and not even wireless is needed as I have Aruba APs connected to the 3560-CX for wireless.
  • Or would it be better to buy another modem/router such as an Asus RT-AC-87U or similar (I believe you can configure the PPPoE details manually):
    "Not Supported" doesn't mean dropping the Vodafone kit is not possible (as long as you aren't using their phone or TV service), just means they won't help you.

    Connection = PPPoE
    Username = <modemserialnumber>@vfieftth.ie - serial number can be found on the router itself
    Password = either "broadband" or "vodafone" (can't remember which)

    vlanid = 10

Would greatly appreciate any assistance.

Thanks again
 
Caporegime
Joined
18 Oct 2002
Posts
26,053
You need something to do NAT and PPPoE, because your switch won't. I *think* Gigafast also uses a VLAN tag on the WAN.
 
Soldato
OP
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Yeah - needs to be tagged VLAN 10 on the WAN interface.

So from what I'm reading bridged mode disables NAT on the Gigabox, so looks like I need a 3rd party device such as the aforementioned Asus RT-AC87U for PPPoE and NAT?
 
Man of Honour
Joined
20 Sep 2006
Posts
33,887
Why don't you get a proper firewall instead of consumer stuff? Something like a pfSense firewall, or UniFi dream machine etc.
 
Soldato
OP
Joined
18 Feb 2003
Posts
8,612
Location
Brighton/West Wicklow
Sorted for now - just got a cheap Ubiquiti Edgerouter-X which can handle the PPPoE WAN negotiation for the ONT and also hand-off to the 3560-CX. It has basic firewall and NAT functionality.

This will do until I have the time to research an appropriate firewall solution.

Thanks for your help.
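What the EdgeRouter-X ends up doing in that role, as an added EdgeOS example (not the OP's config): PPPoE inside VLAN tag 10 on the ONT port, return routes to the 3560-CX's routed port, masquerade NAT and a stateful WAN firewall. Port roles (eth0 to the ONT, eth1 to the switch) and the password are assumptions; VLAN 10 and the username format come from the thread.

```edgeos
# Added example, not the OP's config. Assumptions: eth0 is the port to the
# ONT, eth1 faces the 3560-CX; the password is a placeholder.
configure

# WAN: PPPoE carried inside VLAN tag 10 on the ONT-facing port
set interfaces ethernet eth0 description ONT
set interfaces ethernet eth0 vif 10 pppoe 0 user-id <modemserialnumber>@vfieftth.ie
set interfaces ethernet eth0 vif 10 pppoe 0 password <password>
set interfaces ethernet eth0 vif 10 pppoe 0 default-route auto
set interfaces ethernet eth0 vif 10 pppoe 0 name-server auto
set interfaces ethernet eth0 vif 10 pppoe 0 mtu 1492

# LAN: takes over the Asus's old address, so the switch's default route
# (0.0.0.0/0 via 192.168.1.1) and routed port 192.168.1.239 stay unchanged
set interfaces ethernet eth1 address 192.168.1.1/24

# Return routes for the VLAN subnets via the switch's routed port,
# the same fix that resolved the original thread
set protocols static route 10.10.10.0/24 next-hop 192.168.1.239
set protocols static route 10.10.30.0/24 next-hop 192.168.1.239

# Source NAT on the PPPoE interface covers the 10.10.x.x subnets as well
set service nat rule 5010 description "masquerade to WAN"
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade

# Stateful firewall: only established/related traffic is accepted from the WAN,
# both for forwarded traffic (in) and for traffic to the router itself (local)
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 vif 10 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 10 pppoe 0 firewall local name WAN_LOCAL

commit
save
exit
```

After committing, `show interfaces pppoe` should list pppoe0 with the ISP-assigned address, and `show ip route` should carry the two static routes alongside the PPPoE default route.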
 