Assistance with inter-vlan routing

Charlie Jones
Level 1

I have a lab which consists of a broadband connection attached to a 2950 switch.  DHCP runs from the 2950 and it works perfectly.  Hosts connected to this switch can communicate with one another and access the Internet (there is a single VLAN on this switch).  I need to keep this environment intact, but I need to hang another switch off of this for testing.

The new switch is a 3850. I have it running the IP services license. On this switch, I have several VLANs and hosts are able to communicate with one another. What I can't figure out is how to get them to access the Internet. Currently, the link between the 2950 and 3850 is a trunk. From the 3850 switch, I can ping the various SVI IP addresses, and I can ping external Internet hosts. If I plug a laptop into a port configured for one of the VLANs, I can ping the other SVIs, but I can't get out to the Internet.

From the 2950 switch, I cannot ping any of the SVI IPs that are on the 3850.

Hi

To get Internet access you need a router running NAT. The switches don't support NAT.

If you are able to communicate the hosts on the 3850 with other VLAN you should only add the subnets to a NAT, you will probably modify the network design, it could be:

Internet --- Router (NAT) --- 3850 (Default route to Router and gateways) ---trunk -- 2950

Could you please share your current topology?

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

This is what I have.  The DG when plugged into the 2950 is 192.168.10.1.  I have a static route on the 3850 "ip route 0.0.0.0 0.0.0.0 192.168.10.1"

From the 3850 switch I can ping 8.8.88 sourcing from any of the SVI's I have on the 3850.

Thank you Charlie,

I think the ISP is providing you the network 192.168.10.1 through a device, you have connected the ISP device to the 2950 using the vlan 200. If it is correct the ISP is handling the NAT on their end.

So you need to include the subnets related to the vlans on the 3850 on the NAT, or install a router to make NAT on your end but you need to re-design your topology.

Internet --- Router (NAT) --- 3850 (Default route to Router and gateways) ---trunk -- 2950

Thanks for pointing me in the right direction. I was getting stuck on how I was able to ping and traceroute to external IPs from the 3850 switch, but not from a laptop plugged into that same switch. I'll see what hardware we have lying around and see if I can add a router into the mix.

Hi Charlie,

It was a pleasure  :-)

Please keep me posted if you need additional assistance. 

Have a good day!

Here I am again...

We were going to attempt to do NAT on the 3850 because we were seeing <ip nat inside/outside> commands on the 3850. I have learned through Cisco TAC that I can't do this on a 3850 because it doesn't support NAT. So now I have a 3945 and I'm not sure where to start because the 3945 can only do L3 interfaces. Should I move the SVIs I created on the 3850 onto the 3945 and do the "router on a stick"? Can I do NAT from that so that devices connected on that 3850 will be able to route to the 2950 for Internet access?

I apologize in advance, morning coffee has not kicked in yet.

Hi Charlie, Good morning,

Yes, the 3850 does not support NAT. About the question, you could keep the SVI on the 3850 (it will be your root STP and distribution layer) but just please share with me the show version output in order to see the kind of license you have on the 3850 switch, so we can start from there to verify the proper config.

I think all the 3850 support static route, so please let me share the config for this scheme. 

Thank you in advance.

Configuration

SWITCH 3850

Choose any port to be Layer 3, for example:

configure terminal

ip routing

interface g1/0/48
description TO-ROUTER-3945
no switchport
ip address 10.0.0.2 255.255.255.252
no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.1 name DEFAULT-ROUTE

ROUTER 3945

Int g0/0
description TO-ISP-INTERNET
ip add <public IP and the subnet mask provided by ISP> 
ip nat outside
no shutdown

int g0/1
description TO-INTERNAL-NETWORK
ip add 10.0.0.1 255.255.255.252
ip nat inside
no shutdown

ip access-list standard PRIVATE-NETS
<here you will include the networks that will be translated to get Internet access, example:>
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255

ip nat inside source list PRIVATE-NETS interface g0/0 overload

ip route 0.0.0.0 0.0.0.0 < next hop public IP /  ISP router>

Then you need to create the routes to know how to return the packets from the Internet.

ip route 192.168.1.0 255.255.255.0 10.0.0.2 name INTERNAL-SUBNET-1
ip route 192.168.2.0 255.255.255.0 10.0.0.2 name INTERNAL-SUBNET-2

Please let me know if you need any additional assistance.

:-)
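The two requirements in the configuration above (every VLAN subnet on the 3850 must be permitted by the NAT access list, and the 3945 needs a return route for it via 10.0.0.2) can be checked mechanically before cutover. This is an added example, not part of the original thread; the sample config text, the 192.168.3.0/24 subnet, the ISP next hop 203.0.113.1 and the function names are constructed for illustration.

```python
import ipaddress
# Constructed 3945 config modelled on the thread; 203.0.113.1 is a
# documentation address standing in for the ISP next hop.
ROUTER_CFG = """\
ip access-list standard PRIVATE-NETS
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
ip nat inside source list PRIVATE-NETS interface g0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.1.0 255.255.255.0 10.0.0.2 name INTERNAL-SUBNET-1
"""
# Assumed SVI subnets on the 3850; 192.168.3.0/24 is constructed.
SVI_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

def parse(cfg, acl_name, inside_hop):
    """Return (networks the NAT ACL permits, routes whose next hop is the 3850)."""
    nat_nets, routes, in_acl = [], [], False
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[:3] == ["ip", "access-list", "standard"]:
            in_acl = len(w) > 3 and w[3] == acl_name
        elif w[0] in ("permit", "deny", "remark"):
            # Only "permit <net> <wildcard>" with a contiguous wildcard is handled.
            if in_acl and w[0] == "permit" and len(w) == 3:
                nat_nets.append(ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False))
        else:
            in_acl = False
            # The default route toward the ISP has another next hop and is skipped.
            if w[:2] == ["ip", "route"] and len(w) >= 5 and w[4] == inside_hop:
                routes.append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
    return nat_nets, routes

def audit(cfg, svi_subnets, acl_name="PRIVATE-NETS", inside_hop="10.0.0.2"):
    """Map each SVI subnet to what the router config is still missing for it."""
    nat_nets, routes = parse(cfg, acl_name, inside_hop)
    checks = ((nat_nets, "not in NAT ACL"), (routes, "no return route"))
    findings = {}
    for s in svi_subnets:
        net = ipaddress.ip_network(s)
        gaps = [msg for nets, msg in checks
                if not any(net.subnet_of(n) for n in nets)]
        if gaps:
            findings[s] = gaps
    return findings

if __name__ == "__main__":
    print(audit(ROUTER_CFG, SVI_SUBNETS))
```

A subnet reported as "not in NAT ACL" leaves the router untranslated, which matches the symptom in the thread: the switch can ping out from its own addresses while hosts behind an SVI cannot.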