Yes, only for Wi-Fi.

The switch is used as L3 (Cisco 3850).

The network works with one L3 and 10 L2 switches (2960).

I Have acces to the router, yes.

So I need a SVI for VLAN 16 (I think its the same as VLAN in L2 switch) and another SVI between router and switch?

I don't understand very well that point.

The NAT is in L3 switch.

Thanks a lot.

There is much that we do not know about this environment and that impacts our ability to give good advice. I believe that this is the essential part of the environment that has been described: There is an existing L3 switch (3850) with multiple vlans. The L3 switch connects to a router which provides Internet access to the existing vlans. This existing network is working. A new development is to be creation of a new vlan (vlan 16) which is for wifi on the L3 switch. They want the wifi network to connect through the L3 switch to a new router which will provide Internet access only for vlan 16. Is this understanding correct?

I can think of 2 approaches to implement this:

1) Configure vlan 16 and assign access ports to vlan 16. Do not configure an SVI for vlan 16 on the L3 switch. Connect the new router to an access port in vlan 16. Configure the DHCP scope used for vlan 16 to specify the IP address of the router interface as the default gateway for the devices connected to wifi in vlan 16. Note that in this approach the L3 switch will not do any L3 routing for vlan 16. Configure the new router with an interface connecting to the L3 switch. On the router configure routing logic for the subnet of vlan 16 to access the Internet. On the router configure the logic of address translation for the devices connected in vlan 16.

2) Configure vlan 16 and assign access ports to vlan 16. Configure an SVI with an IP address for vlan 16 on the L3 switch. Configure the DHCP scope used for vlan 16 to specify the IP address of the switch interface as the default gateway for the devices connected to wifi in vlan 16. Configure another vlan on the L3 switch (perhaps vlan 17) and assign a single access port to this vlan. Configure an SVI for this new vlan and assign an IP address for this interface (a subnet mask of 255.255.255.252 should be sufficient for this one). Connect the new router to the access port in vlan 17. Configure routing logic on the new router to reach the subnet of vlan 16 using the switch address in vlan 17 as the next hop. Configure routing logic on the new router to send vlan 16 traffic to the Internet and configure the logic for address translation of this traffic. On the L3 switch configure Policy Based Routing to take all traffic originating in vlan 16 and forward it to the new router using its IP address in vlan 17 as the next hop in PBR.

So for the first solution I put the the router in one access port of vlan 16.

Configure dhcp to send new gateway

This I got it, but the router dont have vlam config, only referent to network ip etc 

I put his ip like gateway of VLAN 16

What config I need?

For option 1 the router does not need vlan configuration. If the router were connected to a trunk port then it would need vlan configuration. But when the router is connected to an access port it simply receives a standard Ethernet frame (with no tag) and processes it. So if the router interface were G0/1 then you would just need

interface g0/1

ip address 192.168.16.1 255.255.255.0 

no shut

You would also need the DHCP scope configured on this router and the dhcp scope would set the default router as 192.168.16.1.

It occurs to me that there is one aspect of this implementation that you have not told us about: should the devices in the wifi subnet be able to communicate with the other devices in your network. I assumed that if wifi was to have separate Internet connection that wifi should be separated from the rest of the network. And option 1 does that. But perhaps you do want wifi to communicate with the rest of your network. If that is the case then option 1 does not do what you want since it keeps wifi completely separate. Option 2 with PBR could allow wifi to communicate with other subnets in your network but send Internet traffic separately. And in this case I need to make one change in my suggestion. I suggested this "On the L3 switch configure Policy Based Routing to take all traffic originating in vlan 16 and forward it to the new router". This would forward all traffic to new router but you want wifi to communicate with the other subnets. So PBR would need to set ip default next-hop rather than set ip next-hop.

Dont worry, I don't have a trouble if the network remains separatly.
This is perfect.

The things I do for that and didn't works are:

1- I put router IP in 192.168.16.10 connected to gi0/8 (vlan 16 port in access mode)

2- I put VLAN 16 with 192.168.16.1 255.255.252.0 

3- I put DHCP Pull 192.168.16.1 to 192.168.19.254 default gateway 192.168.16.10

4- IP route 192.168.16.0 255.255.252.0 192.168.16.10

But the network losses a lot of packet in the firts minutes and then stops working.

I dont know why...

Hello @Tanatorio1 ,

original suggestion from Richard for option 1 is to use the L3 switch C3850 only as L2 device for new VLAN 16.

So you shouldn't configure an SVI on C3850.

The second point is that you will have a second DHCP server configured on the second router with a single pool serving only the VLAN 16 clients and with DNS like google 8.8.8.8 and 8.8.4.4.

Finally second router will provide NAT for internet  access to VLAN 16 clients.

This provides total L3 separation between WIFI users and existing subnets and it is a good choice for a WIFI guest service.

I would suggest you to shut interface vlan 16 on the Cat 3850 and to configure DHCP server on the second router as you have access to it.

However, there is a doubt about WIFI : are your AP indipendent ( autonomous ) or they are controlled by a WLC ?

In the second case user traffic mayl reach the wired network on the WLC uplink ( beacuse of CAPWAP tunneling between APs and WLC)  that needs to permit VLAN 16.

The link is usually a L2 port channel trunk with a list of permitted VLANs vlan 16 needs to be added on switch side.

WLC would need to be configured with an SSID associated to VLAN 16.

I would suggest you to check if you have no losses with a wired client in Vlan 16, you will need further investigation on the WIFI part of the network.

If you have losses on wired clients on Vlan 16 you need to investigate what STP is doing for VLAN 16 or the issues may be related to DHCP options ( a not reachable DNS server  that is within the existing separate network)

Hope to help

Giuseppe

The DHCP of VLAN 16 is in C8350, is that correct or should be on the router?

Sorry, but there is a misunderstanding, the VLAN 16 already works in the network and the AP's have a WLC previusly configured and working.

Only need this already working VLAN 16 to go in the new router.

For that I do the following:

1- I put router IP in 192.168.16.10 connected to gi0/8 (vlan 16 port in access mode)

2- I put VLAN 16 with 192.168.16.1 255.255.252.0 

3- I put DHCP Pull 192.168.16.1 to 192.168.19.254 default gateway 192.168.16.10

4- IP route 192.168.16.0 255.255.252.0 192.168.16.10

If I correct the configuration to default, the wifi works in one minute (putting the previously gateway and erasing the ip route).

No DHCP on router beacause the C8350 have one for VLAN 16

I send the DNS in that DHCP pool to VLAN 16 devices

The router have a default config that allows the internet traffic doing anything.

There is something strange beacause the devices of VLAN 16 reaches Internet of second router but in a half of hour falls the whole wifi network and no data traffic reach Internet.

Yes there was certainly some misunderstanding. If vlan 16 already exists and is running then option 1 is not what you want to use. You should use the parts of option 2 about connecting the new router and configuring PBR on the vlan 16 interface. And the new router will need to have logic for reaching 192.168.16.0 and have logic for address translation as that traffic goes to the Internet.