12-16-2017 04:59 AM - edited 03-05-2019 09:39 AM
Hi,
I have 7 Catalyst 2960-X Series switches as access switches and one Layer 3 switch (Catalyst 3850 XS 10G SFP+) as the distribution switch.
Each access switch is connected to the distribution switch through an SFP port.
I have 5 VLANs, and certain ports of each access switch are assigned to those VLANs.
Inter-VLAN routing and DHCP are applied and working fine.
I need to connect the ISP connection to the L3 switch (Cisco Catalyst 3850) and I don't have any Cisco router.
The Internet modem is connected to the L3 switch through an SFP Ethernet port. I have tried to configure NAT on the L3 switch, but I cannot ping 8.8.8.8 from any switch.
I am a newbie in this field; please assist me.
The running configuration is attached for reference.
QM-CM-SWC#sh run
Building configuration...
Current configuration : 7184 bytes
!
! Last configuration change at 11:19:06 UTC Sat Dec 16 2017 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname QM-CM-SWC
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$7szj$NkQu93Fu1.VSHwRbXJlTi0
!
username admin privilege 15 secret 5 $1$CHjI$4EsSvCRCRoOcKhX0R8hKt/
no aaa new-model
switch 1 provision ws-c3850-12xs
!
!
!
!
!
coap http enable
!
!
!
!
!
!
ip routing
!
no ip domain-lookup
ip dhcp excluded-address 192.168.3.1 192.168.3.9
ip dhcp excluded-address 192.168.4.1 192.168.4.9
ip dhcp excluded-address 192.168.5.1 192.168.5.9
ip dhcp excluded-address 192.168.6.1 192.168.6.9
ip dhcp excluded-address 192.168.7.1 192.168.7.9
ip dhcp excluded-address 192.168.3.245 192.168.3.254
!
ip dhcp pool DATA
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
!
ip dhcp pool LIGHTING
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 8.8.8.8
!
ip dhcp pool BMS
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 8.8.8.8
!
ip dhcp pool POWERMETRE
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
dns-server 8.8.8.8
!
ip dhcp pool FIREALARM
network 192.168.7.0 255.255.255.0
default-router 192.168.7.1
dns-server 8.8.8.8
!
!
qos queue-softmax-multiplier 100
!
crypto pki trustpoint TP-self-signed-4147162465
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4147162465
revocation-check none
rsakeypair TP-self-signed-4147162465
!
!
crypto pki certificate chain TP-self-signed-4147162465
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313437 31363234 3635301E 170D3137 31303235 31353439
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31343731
36323436 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A1FD 9906D27D 43FF4DAD 90E6F1D7 E38AEADE 60EE9ADA 64E43C02 943114A2
B138A671 84A39E3D A9904E12 F8123926 6EA4981B B25DB4B8 9BDB5D29 12114059
E5824AAF 3EA60663 1A96E2F1 A2C2058A AFFD605F 3077B8EB E5BF00C8 C9F3D7A1
DDC81DDA 94C51257 B8A39872 A637F28E E87B6B6B 50F86049 A788C7F9 FA7B167A
1DD10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14753EE4 47B15B4B 55262258 0D69EB2E C73F633E 03301D06
03551D0E 04160414 753EE447 B15B4B55 2622580D 69EB2EC7 3F633E03 300D0609
2A864886 F70D0101 05050003 8181003C 171D745E 17B3BA56 43CB93F1 722C54C1
27285253 59B4B186 2BD977AA BC00406B B19FC397 6F7F69AA E82C6224 113E5F4D
7151E8E6 B49011FA B921D659 72244C5F E25DF333 790F81F7 B9BD1776 596564F1
F8FCCE51 71866A02 54FC6FF3 63B2928C 9C672F13 50669A58 5CA5144C C057BF33
305654F4 C9D7A279 EEE00CDC 01BDF3
quit
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 192.168.1.2 255.255.255.0
negotiation auto
!
interface TenGigabitEthernet1/0/1
switchport mode trunk
!
interface TenGigabitEthernet1/0/2
switchport mode trunk
!
interface TenGigabitEthernet1/0/3
switchport mode trunk
!
interface TenGigabitEthernet1/0/4
switchport mode trunk
!
interface TenGigabitEthernet1/0/5
switchport mode trunk
!
interface TenGigabitEthernet1/0/6
switchport mode trunk
!
interface TenGigabitEthernet1/0/7
switchport mode trunk
!
interface TenGigabitEthernet1/0/8
switchport mode trunk
!
interface TenGigabitEthernet1/0/9
switchport mode trunk
!
interface TenGigabitEthernet1/0/10
switchport mode trunk
!
interface TenGigabitEthernet1/0/11
switchport mode trunk
!
interface TenGigabitEthernet1/0/12
no switchport
ip address 192.168.8.1 255.255.255.0
ip nat outside
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface Vlan40
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface Vlan50
ip address 192.168.5.1 255.255.255.0
ip nat inside
!
interface Vlan60
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface Vlan70
ip address 192.168.7.1 255.255.255.0
ip nat inside
!
interface Vlan80
no ip address
ip nat inside
!
ip nat inside source list 101 interface TenGigabitEthernet1/0/12 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 TenGigabitEthernet1/0/12
!
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
!
!
!
line con 0
password QMM56789
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
no login
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end
QM-CM-SWC#
QM-CM-SWC#
QM-CM-SWC#
QM-CM-SWC#sh int TenGigabitEthernet1/0/12
TenGigabitEthernet1/0/12 is up, line protocol is up (connected)
Hardware is Ten Gigabit Ethernet, address is 701f.5380.f3e6 (bia 701f.5380.f3e6)
Internet address is 192.168.8.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 6000 bits/sec, 7 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
96519 packets input, 14345817 bytes, 0 no buffer
Received 59439 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 29076 multicast, 0 pause input
0 input packets with dribble condition detected
23864 packets output, 2869457 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
QM-CM-SWC#
QM-CM-SWC#
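Separate from the NAT question, a few lines in the running configuration above weaken the switch's management plane: `no service password-encryption` together with a cleartext `password` on the console line, `transport input telnet ssh` on vty 0 4, `no login` on vty 5 15 (those twelve lines accept a session with no authentication at all), and `ip http server` next to the HTTPS server. The block below is an added example, not part of the original post, showing the same lines rewritten. The admin subnet (192.168.3.0/24), the domain name and the ACL name are assumptions; nothing else in the posted config needs to change for it to apply.

```cisco
! Added example (not from the poster): hardened replacement for the
! management-plane lines in the posted config. The admin subnet
! 192.168.3.0/24, the domain name and the ACL name are assumptions.
!
! Posted: no service password-encryption  -> line passwords stored in cleartext
service password-encryption
!
! Posted: ip http server (plain HTTP) next to ip http secure-server
no ip http server
! Keep ip http secure-server only if the web UI is actually used; otherwise
! add "no ip http secure-server" as well.
!
! SSH needs a domain name and an RSA key pair (the key is generated once
! and is not stored as a line in the running configuration).
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the admin subnet may open a management session.
ip access-list standard MGMT-HOSTS
 permit 192.168.3.0 0.0.0.255
 deny   any log
!
! Posted: line con 0 / password <cleartext> / login  -> one shared password
line con 0
 login local
 exec-timeout 10 0
!
! Posted: vty 0 4 with "privilege level 15" and "transport input telnet ssh",
!         vty 5 15 with "no login" (no authentication required).
! One block for all 16 vtys: SSH only, local accounts, source-filtered,
! idle timeout. The admin account already carries privilege 15, so the
! per-line "privilege level 15" is not needed.
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
```

Apply it from the console rather than over Telnet, since the vty change drops Telnet sessions, and confirm with `show ip ssh` and `show running-config | section line` before closing the console session.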
12-16-2017 07:37 AM
Hi
Unfortunately, most switches (except the 6500 and a few others) don't support NAT to translate internal traffic to a public IP address. You need a firewall or router to achieve this task.
12-19-2017 04:10 AM
As confirmed from Cisco:
The Cisco 3850 series does not support NAT. It might accept the commands, but it does not do NAT.
https://supportforums.cisco.com/t5/lan-switching-and-routing/3850-nat/m-p/2479858#M294574
Unfortunately, the platform does not support NAT. IOS-XE is a modular IOS. This means that inside IOS-XE we have a regular IOS. This regular IOS has the commands, and that is the problem. There is already an internal bug to remove these CLI commands from the IOS release.
But again: NAT is not supported on the 3850.
.:|:.:|:.
CISCO
Eliel Garcia Leyva
ENGINEER.CUSTOMER SUPPORT
You need a router or ASA to do NAT
12-22-2017 10:11 PM
In fact, the NAT commands I entered are accepted, but I couldn't see their effect.
Without confirmation from Cisco, I supposed that there might be some bug or problem, so I sacrificed inter-VLAN routing for DATA VLAN 30 and put:
!
interface TenGigabitEthernet1/0/12
switchport access vlan 30
switchport mode access
!
With this, the Internet started working in the DATA VLAN, but I couldn't use the Internet in any other VLAN.
Thank you all for your support and help
12-16-2017 11:21 AM
I heard a member saying that if the following three NAT commands are accepted, then this L3 switch can connect to the Internet; they are accepted on this switch. Can you please be more specific, if possible?
ip nat inside source list 101 interface TenGigabitEthernet1/0/12 overload
ip nat inside
ip nat outside
12-16-2017 11:39 AM - edited 12-19-2017 04:12 AM
Hi
This model does not support NAT, but switches like the 6500 and 6800 do. Please check this link:
https://supportforums.cisco.com/t5/lan-switching-and-routing/3850-nat/td-p/2479841
01-22-2019 01:43 PM
I have a Cisco SG 500 Layer 3 switch and a Fortinet 100D firewall. I have several VLANs; IP routing is enabled and inter-VLAN routing is working fine. All the hosts in the VLANs use private address ranges (192.168.xxx.xxx). I have an interface on my firewall with the IP 10.254.xxx.xxx which has access to the Internet. What do I need to do to access the Internet from all the hosts in my VLANs? Please help me; I have been stuck on this for quite a long time now.
12-18-2017 10:33 AM - edited 12-18-2017 10:38 AM
T
12-18-2017 10:37 AM
Try these things:
12-19-2017 07:00 AM - edited 11-22-2019 11:08 AM
Hello
As stated, if NAT isn't supported on these switches, what would be applicable, as Julio stated, would be to add a FW or RTR between the L3 switch and the ISP modem. Unless, that is, the ISP modem is configurable so it could NAT for you?
res
Paul
01-22-2019 02:48 PM
Some of the modems ISPs provide nowadays support VLANs (Xfinity, for example), so you could get it to work. Poke around in the config of the modem; maybe you can find a way to get it to work even if the L3 switch doesn't support NAT, by simply trunking the VLANs to the modem.
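The answers in this thread all arrive at the same place: the 3850 accepts the `ip nat` commands but does not translate, so something that does (a router, a firewall, or the ISP modem if it can route back to the VLAN subnets) has to sit between the switch and the modem. The block below is an added example, not from any poster in the thread, of the router option laid out against the VLANs and addresses in the posted configuration; it serves both the "you need a router or ASA" answers and Paul's FW/RTR suggestion. Assumed: a small IOS router with GigabitEthernet0/0 facing the 3850's Te1/0/12 and GigabitEthernet0/1 facing the modem, 192.168.8.2 for the router's inside address, the hostname EDGE-RTR and the ACL name, and a modem that hands out an address by DHCP on the outside.

```cisco
!---------------------------------------------------------------
! Added example (not from the thread). A router between the 3850
! and the ISP modem does the NAT; the 3850 stays the inter-VLAN
! router. Assumed: router Gi0/0 (inside, to Te1/0/12), Gi0/1
! (outside, to modem), 192.168.8.2 for the router, hostname and
! ACL name, and an outside address from the modem via DHCP.
!---------------------------------------------------------------
!
! ===== 3850 (QM-CM-SWC): remove the inert NAT lines and point the
! default route at a next hop instead of an interface =====
no ip nat inside source list 101 interface TenGigabitEthernet1/0/12 overload
no access-list 101
interface Vlan30
 no ip nat inside
interface Vlan40
 no ip nat inside
interface Vlan50
 no ip nat inside
interface Vlan60
 no ip nat inside
interface Vlan70
 no ip nat inside
interface Vlan80
 no ip nat inside
interface TenGigabitEthernet1/0/12
 no ip nat outside
 ip address 192.168.8.1 255.255.255.0
! A static route to an Ethernet interface with no next hop relies on the
! far end proxy-ARPing for every destination; a next-hop address does not.
no ip route 0.0.0.0 0.0.0.0 TenGigabitEthernet1/0/12
ip route 0.0.0.0 0.0.0.0 192.168.8.2
!
! ===== Router (hostname assumed) =====
hostname EDGE-RTR
interface GigabitEthernet0/0
 description Inside - to QM-CM-SWC Te1/0/12
 ip address 192.168.8.2 255.255.255.0
 ip nat inside
 no shutdown
interface GigabitEthernet0/1
 description Outside - to ISP modem
 ip address dhcp
 ip nat outside
 no shutdown
!
! Return routes: the NAT device must know how to reach every inside
! subnet, or replies for any VLAN other than the one it sits on are
! dropped. The 3850's SVIs are the next hop for all five.
ip route 192.168.3.0 255.255.255.0 192.168.8.1
ip route 192.168.4.0 255.255.255.0 192.168.8.1
ip route 192.168.5.0 255.255.255.0 192.168.8.1
ip route 192.168.6.0 255.255.255.0 192.168.8.1
ip route 192.168.7.0 255.255.255.0 192.168.8.1
! The default route is installed from the modem's DHCP offer; if the
! outside address is static instead, add:
! ip route 0.0.0.0 0.0.0.0 <modem LAN address>
!
! Translate only the five user VLANs. The posted ACL 101 also matched
! 192.168.1.0/24 (the Mgmt-vrf subnet, which is not in the global
! routing table) and 192.168.8.0/24 (the outside link itself); neither
! belongs in a NAT inside list.
ip access-list standard NAT-INSIDE
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
 permit 192.168.6.0 0.0.0.255
 permit 192.168.7.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
```

To check it, have a host in a VLAN other than VLAN 30 ping 8.8.8.8, then look at `show ip nat translations` and `show ip nat statistics` on the router; from the 3850, `ping 8.8.8.8 source 192.168.4.1` exercises the return route for a subnet the router is not directly attached to, which is exactly what was missing in the access-port workaround above. If the ISP modem can hold static routes for the five subnets via 192.168.8.1 (Paul's question), it can take the router's role and only the 3850 half of this example is needed; if it cannot, you get a double NAT (router behind modem) unless the modem can be put in bridge mode. One unrelated caveat from the posted `show interface` output: the copper SFP on Te1/0/12 negotiated 100 Mb/s and has logged CRC errors, so the cable and the modem's port are worth checking once NAT is working.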