another vlan question - 3560, 2 hosts, 2 vlans, 1 gateway to interwebs

jcoreybmw
Level 1

Thanks to all the folks that have helped me get the 3560 up and running on the latest IOS, etc. - starting to really understand these little boxes now and what they can do!

Here is my current issue:

I have a comcast router on 10.0.0.1, my gateway to the internet

I was using the 3560 as a nice PoE switch for my 3CX phone test server; it works just fine. I have 3 or 4 IP phones on the switch and they can all make calls to the outside.

I have the default vlan addressed as 10.0.0.212 (vlan 1) and have vlan 3 addressed as 192.168.1.100.

As you can see, the 0.0.0.0 0.0.0.0 route is to 10.0.0.1, Comcast. The 3CX server (10.0.0.215) on vlan 1 can talk to the outside.

I put a Win 7 workstation on vlan 3 (192.168.1.3); it can talk just fine to 3CX BUT cannot ping Comcast on 10.0.0.1, or talk to the outside.

3CX server - 10.0.0.215, class C sm, def. gateway 10.0.0.212 (vlan 1 address in 3560)

workstation - 192.168.1.3, class C sm, def. gateway 192.168.1.100 (vlan 3 in 3560)

The workstation and 3CX server can ping each other.

I am looking for the step I must have missed so the workstation can get out to the internet. My Comcast router is currently hooked up to Gi0/1, which I have defined as a trunk. Same results if I connect Comcast to any free Fa0/x switch port.

Here is my running-config:

ip subnet-zero
ip routing
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3
switchport mode access
macro description cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 10.0.0.212 255.255.255.0
!
interface Vlan3
ip address 192.168.1.100 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!

Any help would be appreciated; once I get this going I am going to extend my little test lab to another 3560 I picked up, via the trunk port. Most of the ports on this switch are connected to IP phones and work great on the default vlan. My ultimate goal is to separate the phones onto their own voice vlan, which in this case will be vlan 3 on the other side of the trunk on the second 3560.

Jeff

8 Replies

Reza Sharifi
Hall of Fame

It could be that you need to configure NAT for 192.168.1.100 255.255.255.0 subnet on Comcast router.

HTH

Thanks Jon and Reza, so I guess my plan of rolling out a 3CX phone server and VLAN'ing the phones for QoS will require some more equipment, as the phones need to get to the internet to do periodic firmware updates. That does make sense now: if the 3560 doesn't do NAT, the 192.168.1.x packets will never hit the modem as they are not on the same subnet. Maybe we can put a firewall in front of the Comcast router and put a route back to 192.x.x.x in there.

The trunk was in there for future connections to another 3560; I just hooked the Comcast modem up to a free switch port on the 3560.

If I have multiple VLANs, would the final router before the internet need routes back to all the VLANs? Guess I need to watch some more Cisco VLAN videos and pay closer attention.

Thanks!

Jeff

Jeff

The 192.168.1.x packets will get to the modem because of your default route on the switch.

The question is, can you set up NAT on the modem for those IPs? i.e. some modems will and some won't.

You also need to be able to add a route to the modem, and again some do and some don't.

So not saying it won't work because the 3560 doesn't support NAT, just saying your modem needs to be able to do those things mentioned which it may or may not be able to do.

If you used a firewall or router then yes your 3560 switch could connect using a L3 routed port and then -

3560 would have default route pointing to firewall/router

firewall/router would have default route pointing to modem and routes for the subnets on your 3560 switch.

Jon

Thanks again. I tried putting a static route back to the 192 subnet via the vlan IP, and I was able to ping the Comcast modem from the 192 subnet, but couldn't get out past that. I have a DrayTek firewall we are configuring for a customer site and noticed that it has VLAN capability on the LAN side, so I will try to test that as it does the required NAT.

Thanks for helping me understand the 3560, it would have taken me a while to realize it does not do NAT.....

Jeff

Jeff

The firewall does not need vlan capability because all your vlans are defined and routed on the L3 switch.

You simply need a device that can NAT subnets that are not directly connected and that you can add routes to.

Then you would connect your 3560 to the firewall with a L3 link and just setup routing.

Jon

Jon Marshall
Hall of Fame

If the default gateways are on the 3560, not sure why you have used a trunk to connect to the modem?

Anyway, your modem needs a route back to the 192.168.1.x subnet, i.e. in Cisco syntax -

"ip route 192.168.1.0 255.255.255.0 10.0.0.212"

and your modem also needs to be able to do NAT for non connected networks which it may or may not do.

If it doesn't there is nothing you can do because the 3560 does not support NAT.

Jon
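To see why the workstation's traffic gets out but nothing comes back, here is an added Python simulation of longest-prefix-match forwarding across the two devices (example code, not from the thread or from Cisco). The 3560's table follows the posted config; the modem's table is an assumption (its LAN subnet plus a default route to the ISP), shown before and after the static route Jon suggests. The device names, the 203.0.113.10 destination and the next-hop mapping are constructed.

```python
import ipaddress

# Constructed routing tables. The 3560's entries follow the posted config;
# the modem's table is an assumption: its LAN subnet plus a default route.
SWITCH_3560 = [
    ("10.0.0.0/24", "connected Vlan1"),
    ("192.168.1.0/24", "connected Vlan3"),
    ("0.0.0.0/0", "10.0.0.1"),  # ip route 0.0.0.0 0.0.0.0 10.0.0.1
]
MODEM_BEFORE = [("10.0.0.0/24", "connected LAN"), ("0.0.0.0/0", "ISP")]
# Jon's suggested fix on the modem: ip route 192.168.1.0 255.255.255.0 10.0.0.212
MODEM_AFTER = MODEM_BEFORE + [("192.168.1.0/24", "10.0.0.212")]

BEFORE = {"3560": SWITCH_3560, "modem": MODEM_BEFORE}
AFTER = {"3560": SWITCH_3560, "modem": MODEM_AFTER}
# Which device answers to each next-hop address (constructed mapping).
NEXT_HOP_DEVICE = {"10.0.0.1": "modem", "10.0.0.212": "3560"}


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best[1] if best else None


def trace(start, dst, tables, max_hops=4):
    """Follow a packet device by device until it is delivered onto a connected
    segment, handed to the ISP, or dropped. Returns the list of hops taken."""
    path, device = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[device], dst)
        if next_hop is None:
            return path + ["dropped: no route"]
        if next_hop.startswith("connected") or next_hop == "ISP":
            return path + [next_hop]
        device = NEXT_HOP_DEVICE[next_hop]
        path.append(device)
    return path + ["dropped: hop limit"]


if __name__ == "__main__":
    # The echo request from 192.168.1.3 reaches the modem via Vlan1 either way...
    print(trace("3560", "10.0.0.1", BEFORE))
    # ...but the modem's reply to 192.168.1.3 follows its default route to the ISP
    print(trace("modem", "192.168.1.3", BEFORE))
    # With the static route, the reply is handed back to the 3560 and delivered on Vlan3
    print(trace("modem", "192.168.1.3", AFTER))
```

Even with the route in place, internet-bound traffic from 192.168.1.0/24 still needs the modem to NAT a non-connected subnet, which this simulation does not model.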

pashtet13
Level 1

Looks like you have interface G0/1 defined as access port

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3
switchport mode access

Can you try issuing:

no switchport mode access

switchport mode trunk

Definitely this. Get rid of access mode and make it a trunk. Also you need to define vlan 3 on your comcast router. It has no idea you're trying to do intervlan routing and will just drop those packets. The switch will not send packets to other vlans without a router.
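The mismatch pashtet13 points out (trunk settings on a port forced into access mode) is easy to miss in a long config. Here is an added Python check (example code, not from the thread or from Cisco) that splits an IOS-style config into interface stanzas and flags any port that carries `switchport trunk ...` lines together with `switchport mode access`; the embedded config excerpt is copied from the post, with indentation constructed.

```python
# Excerpt of the running-config posted in the thread (indentation constructed).
RUNNING_CONFIG = """\
interface FastEthernet0/4
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode access
 auto qos voip trust
!
interface Vlan1
 ip address 10.0.0.212 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None  # '!' closes the interface stanza
        elif current is not None:
            blocks[current].append(line)
    return blocks


def trunk_access_conflicts(config_text):
    """Interfaces with 'switchport trunk ...' settings but forced to access mode.
    In access mode the port carries only its untagged access VLAN, so the
    encapsulation and allowed-VLAN lines never take effect."""
    conflicts = []
    for name, cmds in parse_interfaces(config_text).items():
        has_trunk_cfg = any(c.startswith("switchport trunk ") for c in cmds)
        if has_trunk_cfg and "switchport mode access" in cmds:
            conflicts.append(name)
    return conflicts


if __name__ == "__main__":
    for name in trunk_access_conflicts(RUNNING_CONFIG):
        print(f"{name}: trunk settings present but 'switchport mode access' is set")
```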