Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1966
Views
0
Helpful
34
Replies

Two VLANs - one VRF - with access to ISP

frederick.mercado
Spotlight
Spotlight

‎05-04-2022 06:57 AM - edited ‎10-19-2023 12:17 PM

Hi! So after trying to implement VLANs and ACLs on our 9300 catalysts it seems they may be limited or have issues with NAT. 

We have our MOBILE SSID  and it only needs to access DHCP. Otherwise it needs to get outside to the internet via VLANxxx on 207.xx.xxx.xx Sub .248.... I was advised I could create a VRF for this case, but I have not done one yet and need help on an ideal config.

 

Essentially I need to:

A) Create a VRF for VLANs 1xx (internal) and VLAN1xx (ISP) so they can inter-communicate.

B) Allow access to DHCP through a route leak.

0 Helpful
34 Replies 34

frederick.mercado
Spotlight
Spotlight
In response to paul driver

‎05-06-2022 08:34 AM - edited ‎10-19-2023 12:26 PM

circling around to this, just to get this up....I tried the above config...again on the core switch. 

I can ping to the IP and GW of the ISP but again cannot get out to 8.8.8.8 ICMP.

 

lslswmi-mdf-core01#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 207.xx.xxx.x:1024 10.74.xxx.x:30840 xxx.xx.xxx.xx:30840 xxx.xx.xxx.xx:1024

 

0 Helpful

paul driver
VIP
VIP
In response to frederick.mercado

‎05-06-2022 09:30 AM - edited ‎05-06-2022 09:31 AM

Hello

TBH I am a lost now as to where you are?

Are you using vrf or not and is the L3 on the 9300 or not.

 

If you apply the RACL on the 9300 without VRF then the configuration I recently supplied should work for NAT , DHCP and inter-vlan isolation, however is you have now relocated the L3 for vlan 126 off the 9300 and onto the a WLC then VRF NAT should work and we can work on the dhcp allocation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

frederick.mercado
Spotlight
Spotlight
In response to paul driver

‎05-06-2022 09:59 AM - edited ‎10-19-2023 12:26 PM

For simplicity I went back to the 9300 switch. I figured uncomplicated NAT should work according to Configure and Verify NAT on Catalyst 9000 Switches - Cisco for dynamic NAT/PAT
I did connect my laptop once again to verify I could get straight out....PASSED.
I put the internet on an L3 interface directly connected...no ACL at all...

0 Helpful

paul driver
VIP
VIP
In response to frederick.mercado

‎05-07-2022 12:30 AM

Hello

Okay let leave the access-list off for nowe and focus on the routing.
Is vlan 126 L2 propagated to all other switch's in your LAN and allowed to traverse all trunk interconnects.


As a test:
Can you ping an internet address directly from this switch, you should be able to has it has a directly connect interface to the public wan? 
Remove HSRP from vlan 126 for the time being and test NAT from a client again.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

frederick.mercado
Spotlight
Spotlight
In response to paul driver

‎05-09-2022 01:18 PM - edited ‎10-19-2023 12:27 PM

Yes VLAN xxx is propagated by checking show vlan. I can ping the internet directly from the L3 switch.

I remove HSRP again, and no change.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card