No need to do NAT in SW' run NAT in routers connect to ISP.

Job of SW is forward traffic to edge router' in edge router you can do NAT.

MHM

Hi Paul and @MHM Cisco World 

here is the lab setup i have for this hope it helps point me in the right direction.

C3560

no aaa new-model
clock timezone Manila 8
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip routing
ip name-server 10.100.100.2
ip name-server 192.168.1.1

errdisable recovery cause psecure-violation
errdisable recovery interval 320
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
name PLDT-BACKUP

##F017 is where TPLINK Deco e4 is connected
interface FastEthernet0/17
switchport access vlan 100
switchport mode access
switchport port-security maximum 20
switchport port-security
spanning-tree portfast
!
#F0/18 is PC2
interface FastEthernet0/18
switchport access vlan 100
switchport mode access
switchport port-security maximum 5
switchport port-security
spanning-tree portfast

##f0/33 is PC1

interface FastEthernet0/33
switchport mode access
switchport port-security maximum 5
switchport port-security
spanning-tree portfast

##This is connected to G0/0 of Cisco 1921
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

interface Vlan1
ip address 10.100.100.3 255.255.255.0
!
interface Vlan100
ip address dhcp
!
router ospf 1
log-adjacency-changes
auto-cost reference-bandwidth 1000
network 10.0.0.0 0.255.255.255 area 0
network 15.15.15.15 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/33, Fa0/34, Fa0/35, Fa0/36
Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48, Gi0/2, Gi0/3, Gi0/4
100  PLDT-BACKUP                      active    Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31, Fa0/32

####Cisco 1921

ip name-server 192.168.68.1

interface GigabitEthernet0/0
ip address 10.100.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex full
speed auto
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
router ospf 1
router-id 11.11.11.11
auto-cost reference-bandwidth 1000
passive-interface GigabitEthernet0/1
network 10.100.100.0 0.0.0.255 area 0
network 11.11.11.11 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
!
!
access-list 1 permit 10.0.0.0 0.255.255.255

There are several things I would like to address:

- you say "command IP nat on the switch doesnt seem to be available". That is a correct observation. You will need NAT for the second vlan but it can not be provided by the switch.

- I see that routing is enabled on the switch. It seems to be exchanging routing info with the router. Is there any other source of routing information for the switch?

- you have 2 vlans/2 subnets active on the switch. What is the default gateway for devices in both subnets? Is it the switch? the router? something else?

- the switch configures the connection to the router as a trunk, which would carry both vlans. But the router configuration treats the connection as access and not as trunk. So what happens with traffic from vlan 100?

- the switch OSPF configuration specifies 3 networks. Clearly one network is for vlan 1, one network is for vlan 100, what is the third network?

- it is unusual for a home lab setup to have 2 ISP. Do you exchange any routing information with either/both of the ISP?

- there is configuration on the router for NAT for vlan 1. If vlan 100 is to access Internet it would need NAT. Where is that NAT configured?

Hi Rick , thanks for your reply. Please below.

- you say "command IP nat on the switch doesnt seem to be available". That is a correct observation. You will need NAT for the second vlan but it can not be provided by the switch.

- I see that routing is enabled on the switch. It seems to be exchanging routing info with the router. Is there any other source of routing information for the switch?

Hi There are none to my knowledge

- you have 2 vlans/2 subnets active on the switch. What is the default gateway for devices in both subnets? Is it the switch? the router? something else?

DG for the 10.100.x network is the 1921 Router, the 192.168.1.x is from the TP Link e4

- the switch configures the connection to the router as a trunk, which would carry both vlans. But the router configuration treats the connection as access and not as trunk. So what happens with traffic from vlan 100?

didnt configure any sub interface on the router so what happened is vlan100 kept within the network any device plugs into the vlan100 ports get ip address from the tp link e4 commercial router

- the switch OSPF configuration specifies 3 networks. Clearly one network is for vlan 1, one network is for vlan 100, what is the third network?

its the loopback of the device, 11.11 is cisco1921 and i think i made 15.15.x is the switch

- it is unusual for a home lab setup to have 2 ISP. Do you exchange any routing information with either/both of the ISP?

no exchange going on for both these are typical commercial isp accounts i just happened to have access to both accnts

- there is configuration on the router for NAT for vlan 1. If vlan 100 is to access Internet it would need NAT. Where is that NAT configured?

there is no NAT configure for vlan100. i just plug in tplink router/modem to the port plug in pc2 on a vlan100 port it was assigned an ip address and could browse the internet using isp2 normally.

Thanks for the additional information. Here are my thoughts:

The switch needs some type of indication when one of the ISP has failed. If there was exchange of routing information that might have been one way to do it. If there is not routing information exchange then you probably needs something like IP SLA to detect failure of an ISP.

If there is not any processing on the router for vlan 100 then I suggest that you change the switch configuration to make the connection to the router an access port rather than a trunk.

It appears that what you have currently works ok but does not provide any redundancy/failover. To achieve redundancy you would need:

- a way to detect failure of an ISP. IP SLA could be used for that.

- a way to redirect traffic. PBR can be used for that.

- you would need to change the configuration of NAT on your router to translate addresses from vlan 100 if they are forwarded to the router. And you would need to change the NAT of tplink to translate addresses from vlan 1 if they are forwarded to tplink.

I have little time so I share with you idea if I not reply I hope you understand.

Now 

You have SW two vlan' 

Each vlan have one router do routing and NAT for one vlan' 

Each router IP is GW for host in it vlan

You can not manage both router <<- confirm that 

So here SW even with ip routing is l2 SW it cannot do anything if one edge router failed 

BUT 

You can use 

Ip sla to detect internet via each edge router 

And use EEM if ip sla is down then SW will change vlan assign to port' this force port to get new vlan and traffic forward to other edge router.

Note:- in eem make port up/down to force pc get new IP from dhcp server 

MHM