Dynamic NAT on 3560CX Switch - Internet Sharing Over VLANs

tadkov (Level 1)

[Attached image: tadkov_0-1667800190916.png]

Hi all, just wanting to confirm whether or not this solution is possible - the switch is unable to do "ip nat pool ...", which a router can do, and that might be what is preventing me from getting this to work.

The Brief:
I am trying to get 4 x outdoor APs to work with a WLC and a switch, regardless of what type of internet source is connected to the WAN port of the switch.

Fortunately, both my test internet device and the final device being connected will have the IP address 192.168.100.1; however, I would prefer that port to operate on DHCP *just in case*.

Notes:

  • Internal routing works on the switch - no issues with inter-VLAN pinging, and the switch can access the internet.
  • Devices are getting assigned an IP from the DHCP pool and can ping inter-VLAN - no internet.
  • The WLC has been configured and an AP has successfully joined and broadcast an SSID which is joinable, but with no internet.
  • The router is not configurable.

Config on Switch:

Building configuration...

Current configuration : 6057 bytes
!
! Last configuration change at 04:41:23 UTC Mon Nov 7 2022
! NVRAM config last updated at 22:56:03 UTC Sun Nov 6 2022
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
!
ip routing
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.254
!
ip dhcp pool DATA-POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
domain-name domain
dns-server 8.8.8.8
lease 7
!
ip dhcp pool WIFI-POOL
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
domain-name domain
dns-server 8.8.8.8
!
ip dhcp pool AP-POOL
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
domain-name domain
dns-server 8.8.8.8
lease 7
!
ip name-server 8.8.8.8
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
auto qos srnd4
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport mode trunk
mls qos trust cos
spanning-tree portfast edge trunk
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
mls qos trust dscp
spanning-tree portfast edge
!
interface GigabitEthernet0/3
switchport access vlan 30
switchport mode access
mls qos trust dscp
spanning-tree portfast edge
!
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
mls qos trust dscp
spanning-tree portfast edge
!
interface GigabitEthernet0/5
switchport access vlan 30
switchport mode access
mls qos trust dscp
spanning-tree portfast edge
!
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
mls qos trust dscp
spanning-tree portfast edge
!
interface GigabitEthernet0/7
switchport access vlan 10
switchport mode access
mls qos trust dscp
spanning-tree portfast edge
!
interface GigabitEthernet0/8
no switchport
ip address 192.168.100.2 255.255.255.0
ip nat outside
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address dhcp
ip nat outside
shutdown
!
interface Vlan10
description Data
ip address 192.168.10.254 255.255.255.0
ip nat inside
!
interface Vlan20
description Wireless
ip address 192.168.20.254 255.255.255.0
ip nat inside
!
interface Vlan30
description Management
ip address 192.168.30.254 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/8 overload
ip forward-protocol nd
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended NAT
permit ip 192.168.0.0 0.0.255.255 any
!
!
!
!
line con 0
logging synchronous
stopbits 1
line vty 0 4
login
transport input ssh
line vty 5 15
login
transport input ssh
!
!
end

Let me know what I've missed, or if I just need to be using a router instead.

Thanks.

4 Replies (1 Accepted Solution)

balaji.bandi (Hall of Fame)

I have not tested on a Cisco 3560CX, and the switch has NAT - as per the commands, if they were accepted, that means it's supported.

The only thing I can think of for now is your NAT ACL subnet 192.168.0.0/16 (which covers the WAN address also).

So for testing, just try the below:

ip access-list extended NAT
 no permit ip 192.168.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any

Give it a try and let us know the outcome.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
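
Added example (not from the original post or any of the replies): a small Python lint that parses an IOS running-config in the shape posted above and checks the point this reply makes, namely whether the ACL bound by `ip nat inside source list` also matches the connected subnet of the `ip nat outside` interface. It then emits the per-VLAN ACL the reply proposes, one ACE per `ip nat inside` interface. The embedded sample config is constructed from the NAT-relevant lines of the posted config; the function and class names (`parse_config`, `ace_source`, `nat_acl_findings`, `suggested_acl`, `Interface`, `Config`) are my own and not anything from Cisco IOS.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed sample: the NAT-relevant lines of the config posted in the question,
# with sub-command indentation dropped as in the post (the parser accepts both).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/8
ip address 192.168.100.2 255.255.255.0
ip nat outside
!
interface Vlan10
ip address 192.168.10.254 255.255.255.0
ip nat inside
!
interface Vlan20
ip address 192.168.20.254 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/8 overload
!
ip access-list extended NAT
permit ip 192.168.0.0 0.0.255.255 any
!
"""

@dataclass
class Interface:
    name: str
    address: Optional[ipaddress.IPv4Interface] = None  # None for 'ip address dhcp' or unset
    nat_role: Optional[str] = None                      # 'inside' or 'outside'

@dataclass
class Config:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    acls: Dict[str, List[str]] = field(default_factory=dict)  # ACL name -> ACE lines
    nat_rules: List[str] = field(default_factory=list)        # 'ip nat inside source ...'

def ace_source(ace: str) -> Optional[ipaddress.IPv4Network]:
    """Source of a 'permit|deny ip (<addr> <wildcard> | host <addr> | any) ...' ACE (protocol
    'ip' only); None for a non-contiguous wildcard, which is not a single prefix."""
    p = ace.split()
    if len(p) < 4 or p[1] != "ip":
        return None
    if p[2] in ("any", "host"):
        return ipaddress.IPv4Network("0.0.0.0/0" if p[2] == "any" else f"{p[3]}/32")
    if p[3] in ("0.0.0.0", "255.255.255.255"):  # valid as netmask AND hostmask: pin IOS meaning
        return ipaddress.IPv4Network(f"{p[2]}/32" if p[3] == "0.0.0.0" else "0.0.0.0/0")
    try:
        return ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)  # wildcard read as hostmask
    except ValueError:
        return None

def parse_config(text: str) -> Config:
    """Minimal parser: interface blocks, named extended ACLs, NAT inside-source rules."""
    cfg = Config()
    block: Union[Interface, List[str], None] = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "!":
            block = None
        elif line.startswith("interface "):
            block = cfg.interfaces[line[10:]] = Interface(name=line[10:])
        elif line.startswith("ip access-list extended "):
            block = cfg.acls.setdefault(line.split()[-1], [])
        elif line.startswith("ip nat inside source "):
            cfg.nat_rules.append(line)
            block = None
        elif isinstance(block, Interface):
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                block.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line in ("ip nat inside", "ip nat outside"):
                block.nat_role = line.split()[-1]
        elif isinstance(block, list) and line.startswith(("permit ", "deny ")):
            block.append(line)
    return cfg

def nat_acl_findings(cfg: Config) -> List[str]:
    """Permit ACEs of each NAT inside-source ACL whose source overlaps the outside subnet."""
    findings = []
    for rule in cfg.nat_rules:
        m = re.search(r"source list (\S+) interface (\S+)", rule)
        outside = cfg.interfaces.get(m.group(2)) if m else None
        if outside is None or outside.address is None:
            continue  # pool/static rules, or an outside interface on DHCP: not evaluated
        wan = outside.address.network
        for ace in cfg.acls.get(m.group(1), []):
            src = ace_source(ace) if ace.startswith("permit ") else None
            if src is not None and src.overlaps(wan):
                findings.append(f"{m.group(1)}: '{ace}' also matches {m.group(2)} subnet {wan}")
    return findings

def suggested_acl(cfg: Config, acl_name: str) -> List[str]:
    """One ACE per 'ip nat inside' interface subnet, the shape proposed in the reply."""
    nets = [i.address.network for i in cfg.interfaces.values()
            if i.nat_role == "inside" and i.address is not None]
    return [f"ip access-list extended {acl_name}"] + [
        f" permit ip {n.network_address} {n.hostmask} any" for n in nets]
```

Feed it the full `show running-config` text rather than the trimmed sample to lint a real box. The check deliberately covers only `ip nat inside source list <acl> interface <if>` rules with a statically addressed outside interface; pool-based or static rules, and an outside interface on DHCP (as the shut-down Vlan2 in the posted config would be), are skipped rather than guessed at. Two IOS wildcard values are pinned by hand because the `ipaddress` module would otherwise read them the wrong way round: a wildcard of `0.0.0.0` is a single host in IOS but parses as a `/0` netmask, and `255.255.255.255` is "any" in IOS but parses as a `/32` netmask. Whether the 3560CX actually forwards translated traffic once the ACL is fixed is exactly the question left open later in this thread; the lint only tells you the ACL no longer covers the WAN subnet.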

Hi Balaji,

I applied the change to the ACL, but still no luck with the internet share.

Should I just redesign this setup and have the switch effectively be a L2 switch just working with the internet source?

I have an 819 router which I can use instead. I'll see if that will work.

Then, as mentioned earlier, most of the switches do not have that support, until the new models with IOS XE.

So NAT is not working on switches.

Sure, if you move that config to a router, that works for sure.

BB
