Please help! Using a Catalyst 3560-CX with a home modem/router

Soldato
Joined
18 Feb 2003
Posts
8,615
Location
Brighton/West Wicklow
Hi guys,

Hoping someone can help - I'm in IT but far removed from my networking days.

I currently have a standard home setup with a wireless modem/router (Asus RT-AC52U) which does my wireless and wired connectivity for my home.

The internet connection is a point-to-point line of sight Wimax-esque connection. I believe it uses double NAT. This will be changing in the coming months to an FTTH connection.

I have a Cisco 3560-CX IP-base that I would like to use for a number of reasons including:
  • integrated PoE
  • general lab environment for my learning
  • VLAN demarcation using ACLs (not configured yet)
I'm trying to set this up to work with my home modem/router but am falling short.

Here's what I've done so far:
  1. Enabled IP routing on the 3560-CX
  2. Created multiple VLANs with their own /24 subnets (10.10.10.x/10.10.20.x etc.)
  3. Created SVIs for the VLANs
  4. Created DHCP pools where necessary for the VLANs and confirmed working
  5. Set gateway of last resort on the 3560-CX to the Asus modem/router (192.168.1.1)
  6. Configured port 14 as a routed uplink port to the Asus modem/router (no switchport, set IP address 192.168.1.239 on the Asus subnet 192.168.1.x/24)
  7. Static routes have been set up on the Asus modem/router
PCs connected to the different VLANs can see each other (ping), and can obviously ping the respective VLAN gateways, but any attempt to ping onto the 192.168.1.x/24 modem/router subnet times out. Traceroutes stop at the gateway of the respective subnet that the PC resides on. If pinging from the 3560-CX itself in the CLI, I can ping both the port 14 IP address and the Asus modem/router.

It's probably something stupid but I'm trying to ascertain the following:
  1. Why can't I ping / connect to the 192.168.1.x subnet from any of my created VLANs?
  2. Do I need to do additional configuration on the Asus modem/router? Does it need to be in bridged mode?
  3. Looking for general connectivity first, but all VLANs will need internet connectivity - haven't looked at NAT yet.
Obligatory network diagram:

syGbYV8.jpg

Thanks in advance!
 
Soldato
OP
Thanks for your help guys - I don't have access from here but will try your suggestions tonight and/or get the information you've requested.

What happens if you connect a PC in the 192.168.1.0/24 subnet and try and ping one of the subnets configured on your switch? Do you see the traffic arriving on Gi0/14?

When you say "Do I see it arriving?" How would I check this please?

Even if you just chuck a laptop onto that port and tell it to use 192.168.1.239 as the gateway, can you then ping into your LAN?

So disconnect the Asus from Port 0/14, connect 0/14 to a laptop, give it an IP in the 192.168.1.x range with .239 as the gateway and ping a host in a 10.10.x.x subnet?

Sorry if these are silly questions - just want to be 100% sure before I do this tonight.

Thanks again.
 
Soldato
OP
Hi guys,

Sorry - had a busy couple of days.

So I've made some progress even though I don't recall making any changes...

So to answer questions:

Yep. I missed that. Screenshot of Asus config showing route and output of show IP route from switch would be helpful

878iEBL.jpg

NhNmC09.jpg

Ignore the 10.100.40.x entries, they are from connected Wireless Access Points with an old IP configuration that I've yet to change

Are you sure the static route configuration has been applied to the Asus router, because it doesn't sound like it's working. What happens if you connect a PC in the 192.168.1.0/24 subnet and try and ping one of the subnets configured on your switch? Do you see the traffic arriving on Gi0/14?

Ok, so my main PC is on the existing home network (192.168.1.179) and can now ping a laptop (10.10.30.2) I put in VLAN 30:

ZK0KFDJ.jpg

Even if you just chuck a laptop onto that port and tell it to use 192.168.1.239 as the gateway, can you then ping into your LAN?

I'm assuming this isn't relevant due to the above but can absolutely do this if necessary?

Can you ping 192.168.1.239 from any of the PCs?

I can ping 192.168.1.239 from the laptop mentioned above (10.10.30.2)


So basically, I'm pretty sure I have connectivity between the VLANs and the home/legacy subnet (192.168.1.x/24) - HOWEVER:

  1. Whereas I can ping other devices on the 192.168.1.x/24 subnet, I can't ping the default gateway/Asus Home modem/router (192.168.1.1) from any hosts on the 10.10.x.x VLANs. It times out.
  2. I can't access the internet from any hosts on the 10.10.x.x VLANs.

Can you guys please advise on the above two points?

Thanks so much for the advice so far.
 

Soldato
OP
Hi guys,

Just to say that altering the GW on the static routes did the trick - internet access all working. Thanks for all the help.

Will probably post back in a few weeks once I start tinkering with ACLs to restrict access between the VLANs, but I'm focusing on getting my wireless mesh network up and running for now.

Thanks again!
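
The fix reported in the post above was correcting the gateway on the Asus static routes. As an added example (not part of the original thread), the Python below audits an upstream router's table for the return path to each VLAN behind the 3560-CX; the "before" table is constructed for illustration, since the thread does not show the original gateway value.

```python
import ipaddress

SWITCH_UPLINK = "192.168.1.239"   # routed port Gi0/14, from the post
VLAN_SUBNETS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"]

# Constructed router tables as (prefix, next hop). The thread never shows the
# original gateway value, so the "before" entries are illustrative only.
ROUTER_BEFORE = [
    ("192.168.1.0/24", "connected"),
    ("0.0.0.0/0", "wan"),
    ("10.10.10.0/24", "10.10.10.1"),    # gateway set to the SVI, not the uplink
    ("10.10.20.0/24", "192.168.1.239"),
]                                        # 10.10.30.0/24 has no static route
ROUTER_AFTER = [
    ("192.168.1.0/24", "connected"),
    ("0.0.0.0/0", "wan"),
] + [(subnet, SWITCH_UPLINK) for subnet in VLAN_SUBNETS]


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def audit_return_routes(table, subnets=VLAN_SUBNETS, uplink=SWITCH_UPLINK):
    """Report how the upstream router would forward replies to each VLAN."""
    report = {}
    for subnet in subnets:
        # Probe with an arbitrary host address inside the VLAN subnet.
        host = str(ipaddress.ip_network(subnet).network_address + 2)
        match = lookup(table, host)
        if match is None:
            report[subnet] = "no route"
        elif match[0].prefixlen == 0:
            report[subnet] = "follows default route to WAN"
        elif match[1] != uplink:
            report[subnet] = f"wrong next hop {match[1]}"
        else:
            report[subnet] = "ok"
    return report


if __name__ == "__main__":
    for name, table in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(name, audit_return_routes(table))
```

Any subnet not reported as "ok" explains a one-way failure: the switch forwards the echo request, but the reply from the 192.168.1.x side never comes back to the routed port.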
 
Soldato
OP
Hi guys,

Apologies for the necro.

I'm having to change this setup due to getting FTTH at home (from an 8Mb Wimax - godsend as we live in the middle of nowhere). The architecture is largely the same; however, the modem/router (Vodafone Gigabox) does not allow me to configure routes on it, which I assume will break internet connectivity.
  • Can you advise if there's any way I can retain the current functionality of the multiple VLANs on the 3560-CX?
  • Could I set the Gigabox to bridged mode? If so, what changes would I need to make? I don't need the Gigabox for anything other than for managing the WAN connection - no VPN, no VOIP functionality, no DHCP and not even wireless is needed as I have Aruba APs connected to the 3560-CX for wireless.
  • Or would it be better to buy another modem/router such as an Asus RT-AC87U or similar (I believe you can configure the PPPoE details manually):
    "Not Supported" doesn't mean dropping the Vodafone kit is not possible (as long as you aren't using their phone or TV service), just means they won't help you.

    Connection = PPOE
    Username = <modemserialnumber>@vfieftth.ie - serial number can be found on the router itself
    Password = either "broadband" or "vodafone" (can't remember which)

    vlanid = 10

Would greatly appreciate any assistance.

Thanks again
 
Soldato
OP
Yeah - needs to be tagged VLAN 10 on the WAN interface.

So from what I'm reading, bridged mode disables NAT on the Gigabox, so looks like I need a 3rd party device such as the aforementioned Asus RT-AC87U for PPPoE and NAT?
 
Soldato
OP
Sorted for now - just got a cheap Ubiquiti Edgerouter-X which can handle the PPPoE WAN negotiation for the ONT and also hand-off to the 3560-CX. It has basic firewall and NAT functionality.

This will do until I have the time to research an appropriate firewall solution.

Thanks for your help.
 