I can't connect my ICX 7250 to ISP modem access

I can't access the internet from my VLANs but can access all PCs inside the VLANs

Rumen Vachev


Posted 9 months ago


Paul McGuire

Without seeing your config, it sounds like you need a default gateway set on the switch to the ISP modem. All devices in the VLANs should have a default gateway of the IP address of the VLAN interface.

Rumen Vachev

My configuration is below. My ISP router is connected on interface eth 1/1/1 and its IP is 192.168.1.1/24. I can route between VLANs using ve interfaces, but I don't have internet in the VLANs.

ICX7250-24 Router(config-if-e1000-1/1/1)#sh running-config
Current configuration:
!
ver 08.0.91T213
!
stack unit 1
  module 1 icx7250-24-port-management-module
  module 2 icx7250-sfp-plus-8port-80g-module
  stack-port 1/2/3
!
!
global-stp
!
lag 3.1_floor dynamic id 1
 ports ethe 1/2/1 to 1/2/2
!
lag 3.2_floor dynamic id 2
 ports ethe 1/2/3 to 1/2/4
!
lag 7.1_level dynamic id 3
 ports ethe 1/2/5 to 1/2/6
!
lag 7.2_level dynamic id 4
 ports ethe 1/2/7 to 1/2/8
!
!
!
vlan 1 name DEFAULT-VLAN by port
 spanning-tree
!
vlan 10 by port
 tagged lag 1 to 4
 router-interface ve 10
 spanning-tree
!
vlan 232 by port
 tagged lag 1 to 4
 untagged ethe 1/1/2 to 1/1/24
 router-interface ve 232
 spanning-tree 802-1w
 loop-detection
!
vlan 233 by port
 tagged lag 1 to 4
 router-interface ve 233
 spanning-tree
 loop-detection
!
!
!
!
!
!
!
!
!
!
!
!
system-max ip-route-default-vrf 10000
system-max ip-route-vrf 500
!
vrf mem
exit-vrf
!
!
aaa authentication web-server default local
aaa authentication login default local
enable aaa console
ip dns domain-list missionbg.be
ip dns server-address 192.168.232.15 192.168.232.2
ip route next-hop-enable-default
ip route next-hop-recursion 5
ip route 0.0.0.0/0 192.168.1.1
ip route 192.168.1.0/24 192.168.232.234
ip route 192.168.1.0/24 192.168.1.2
ip route 192.168.1.0/24 192.168.232.254
ip route 192.168.1.0/24 192.168.232.1
ip route 192.168.232.0/24 192.168.1.2
ip router-id 1.1.1.1
no ip source-route
!
mac filter log-enable
no telnet server
username super password .....
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface loopback 1
 ip address 192.168.0.1 255.255.255.0
!
interface management 1
 ip address 192.168.254.254 255.255.255.0
!
interface ethernet 1/1/1
 route-only
 ip address 192.168.1.2 255.255.255.0
 no spanning-tree
 tag-profile enable
!
interface lag 1
 loop-detection shutdown-disable
 speed-duplex 1000-full
 no spanning-tree
!
interface lag 2
 loop-detection
 speed-duplex 1000-full
 no spanning-tree
!
interface lag 3
 loop-detection shutdown-disable
 speed-duplex 1000-full
!
interface lag 4
 loop-detection shutdown-disable
 speed-duplex 1000-full
!
interface ve 10
 ip access-group ACL_10 out
 ip address 10.10.1.254 255.255.255.0
!
interface ve 232
 ip address 192.168.232.254 255.255.255.0
!
interface ve 233
 ip address 192.168.233.254 255.255.255.0
!
!
!
!
!
no lldp run
!
!
!
!
!
!
!
end


Thank you in advance for the help.

Jijo Panangat, Employee

Hi Rumen,

Are you saying that you are unable to reach 192.168.1.1 from your PC/VLAN? If not, clarify which IP address on the internet is failing.



Thanks
Jijo 

Rumen Vachev

Yes, that's right. The IP address for the modem is 192.168.1.1 and I connected it to port eth 1/1/1, to which I assigned IP 192.168.1.2. I can't ping IP 192.168.1.1 or any other IP addresses on the internet, but I can ping 192.168.1.2 from everywhere, from any VLAN. I think that I can't route traffic from IP 192.168.1.1 to the VLANs. But I can ping any outside IP address from the switch console. I don't know exactly what the config of port eth 1/1/1 should be.

Jijo Panangat, Employee

Hi Rumen,

Try removing 'tag-profile enable' from eth 1/1/1 and redo the test.


Thanks
Jijo

Rumen Vachev

Hi Jijo
Not working again :(


Jijo Panangat, Employee

Hi Rumen,

Sorry to hear that. Could you please open a TAC case so one of us can have a deeper look?


Thanks

Paul McGuire

I don’t think you need all of the route lines. The only one you should need is the 0.0.0.0/0 192.168.1.1.

Rumen Vachev

Hi
Is it an obligation to use ip access-list?

Jijo Panangat, Employee

Hi Rumen,

No. Access lists perform packet filtering to control the flow of packets through a network. Packet filtering provides security by helping to limit network traffic, restrict the access of users and devices to a network, prevent traffic from leaving a network, etc.

Thanks

Jon Sands

You only have routes for traffic in one direction (from your VLANs to the ISP modem). You need to create routes on the ISP modem/router so it knows how to get back to all your subnets. When it gets a packet from your 10.10.1.254 subnet, for instance, it looks in its routing table on how to reply, and it probably just has a default route out to the internet, so it sends that ping reply towards the internet and you never see it. You need to give it routes for your subnets with a next hop/gateway of the switch IP (192.168.1.2).
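
An added example, not part of any post in this thread and not vendor code: a Python check over an excerpt of the running-config posted above. It lists the static routes that duplicate directly connected subnets (the route lines Paul McGuire says are not needed) and the return routes Jon Sands says the ISP modem needs. The function names and the `uplink` parameter are assumptions of this example.

```python
import ipaddress
import re

# Excerpt of the running-config posted in this thread (static routes and L3 interfaces only).
CONFIG = """\
ip route 0.0.0.0/0 192.168.1.1
ip route 192.168.1.0/24 192.168.232.234
ip route 192.168.1.0/24 192.168.1.2
ip route 192.168.1.0/24 192.168.232.254
ip route 192.168.1.0/24 192.168.232.1
ip route 192.168.232.0/24 192.168.1.2
interface ethernet 1/1/1
 ip address 192.168.1.2 255.255.255.0
interface ve 10
 ip address 10.10.1.254 255.255.255.0
interface ve 232
 ip address 192.168.232.254 255.255.255.0
interface ve 233
 ip address 192.168.233.254 255.255.255.0
"""

def parse(config):
    """Return (static_routes, interfaces) parsed from the config text."""
    routes, ifaces, current = [], {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (.+)", line):
            current = m.group(1).strip()
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(m.group(1)), ipaddress.ip_address(m.group(2))))
    return routes, ifaces

def audit(config, uplink="ethernet 1/1/1"):
    """Flag statics that shadow connected subnets; list return routes the modem needs."""
    routes, ifaces = parse(config)
    connected = {i.network for i in ifaces.values()}
    own_ips = {i.ip for i in ifaces.values()}
    redundant = [(str(n), str(h)) for n, h in routes if n in connected or h in own_ips]
    switch_ip = ifaces[uplink].ip  # next hop the modem must use to reach the VLANs
    needed = [(str(i.network), str(switch_ip)) for name, i in ifaces.items() if name != uplink]
    return redundant, needed

if __name__ == "__main__":
    redundant, needed = audit(CONFIG)
    for net, hop in redundant:
        print(f"not needed on switch: ip route {net} {hop}")
    for net, hop in needed:
        print(f"modem needs route: {net} via {hop}")
```

On the posted config this leaves only the default route to 192.168.1.1 on the switch and reports three subnets the modem must be able to reach through 192.168.1.2.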