Vlans on layer 3 switch not capable of accessing ISP modem/router

cdubbcisco1
Level 1

I have a Cisco 3560 switch with IP routing and multiple vlans set up.

Hosts can communicate between vlans like I want but hosts within these different vlans have to be able to access the INTERNET and they cannot access the ISP's VDSL router/modem.

Here is the switch config.

 

no aaa new-model
system mtu routing 1500
vtp domain Church
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name Management
!
vlan 20
name Church_Office
!
vlan 30
name School
!
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/18
description To ISP_Modem_Router
no switchport
ip address 192.168.99.2 255.255.255.0
!
!
interface FastEthernet0/31
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
!
interface FastEthernet0/47
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.200.1 255.255.255.0
!
interface Vlan20
ip address 192.168.1.1 255.255.255.0
!
interface Vlan30
ip address 192.168.0.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.1
ip http server
!
!
control-plane
!
!
line con 0
password 7 104A281724033D065C52
login
line vty 0 4
password 7 104A281724033D065C52
login
line vty 5 15
password 7 104A281724033D065C52
login
!
end

Interface Fast Ethernet 0/18 on the Cisco 3560 switch is plugged into the ISP's modem/router which is basically just switch LAN ports on the back of the DSL modem/router.

I can ping the ISP modem/router from the 3560 switch and the hosts within the Vlans can ping 192.168.99.1 interface on the switch which is the uplink to the ISP's modem/router but they cannot ping the modem itself.

The problem I believe is that there are no static route statements back to the 3560 from the ISP router and also the fact that the port on the ISP router is not actually a routed port but just a LAN port and this is why it is not working.

Does this sound correct and if so, what are my options?

I am assuming I would need a Cisco router in between the ISP's modem/router and the 3560 Cisco switch, and I would have to set up either subinterfaces and dot1q trunking to the 3560 switch or static route statements back to the 3560 switch for this to work.

Does this sound correct or is there somehow some way to make this work with the equipment I currently have?

Thanks in advance.

Accepted Solutions

Bilal Nawaz
VIP Alumni

Hello, you are correct, there is no route back as the modem does not know about your internal networks.

You need to set up NAT on your router/switch. Not sure if the switch can do NAT, I'm assuming it can't hence you would need a router. You don't necessarily have to do a router on a stick with creating a trunk etc...

On the switch you can set a default route to the router and from the router a default to the modem. So all could be layer 3 routing.

Then the router can do the NAT.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/260-cisco-router-nat-overload.html

Hope this helps


Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
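
The router-in-the-middle design described in this answer, written out as an added example that is not part of the original thread. The router interface names (GigabitEthernet0/0, GigabitEthernet0/1), the ACL name and the 10.255.255.0/30 transit subnet are assumptions; the VLAN subnets and the modem address 192.168.99.1 come from the posted switch config.

```cisco
! Added example, not from the original thread. Assumed (hypothetical) values:
! router interface names, ACL name NAT-INSIDE, transit subnet 10.255.255.0/30.
!
! ---- 3560: move the routed uplink onto the transit subnet ----
interface FastEthernet0/18
 description To NAT router
 no switchport
 ip address 10.255.255.2 255.255.255.252
!
no ip route 0.0.0.0 0.0.0.0 192.168.99.1
ip route 0.0.0.0 0.0.0.0 10.255.255.1
!
! ---- New router between the 3560 and the ISP modem ----
interface GigabitEthernet0/0
 description Outside - to ISP modem LAN port
 ip address 192.168.99.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside - to 3560 Fa0/18
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
! Return routes to the VLAN subnets, via the 3560
ip route 192.168.200.0 255.255.255.0 10.255.255.2
ip route 192.168.1.0 255.255.255.0 10.255.255.2
ip route 192.168.0.0 255.255.255.0 10.255.255.2
! Default route toward the modem
ip route 0.0.0.0 0.0.0.0 192.168.99.1
!
! Translate only the internal subnets and the transit link
ip access-list standard NAT-INSIDE
 permit 192.168.200.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 permit 192.168.0.0 0.0.0.255
 permit 10.255.255.0 0.0.0.3
!
! PAT: every inside source is rewritten to 192.168.99.2, an address the
! modem already has a connected route for, so replies find their way back.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

After a VLAN host pings 192.168.99.1, `show ip nat translations` on the router should list an entry whose inside global address is 192.168.99.2.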


I know the switch won't do NAT so when you say that the router would need to do NAT I would need to purchase a router to put between my cisco 3560 and the ISP's modem/router?

Does that sound correct?

Thanks

Yes. This is what I would do and seems the only way to do NAT, which is required in this scenario.

Hope this helps


Dear cdubb,

How did you resolve this issue?

I am having the same setup with a 3560-x and am stuck.

Do you mind giving me the setup commands?

Thanks

Seems your isp modem/router is natting already given the ip address you have setup on the 3650 wan interface (isp lan interface) so my question is - are you able to configure this modem/router to cider off private address into different subnets?

res
paul


Sent from Cisco Technical Support Android App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul