Internet access on the switch via VLAN from the provider

eugeneworon
Level 1

Hello!
According to the diagram, the organization receives the Internet from the provider via VLAN 1200, which carries two address pools (let's assume those in the diagram). The provider's equipment is connected to the C9300-24UX-A, then the trunk goes to the FW and further inside the organization. Communication channels to other offices from different providers are also connected to this switch.
I wonder if it is possible to somehow organize/route the Internet on the Cisco Catalyst C9300-24UX-Advantage switch or, as an option, extend it to the Catalyst WS-C3850-48T Advantage switch, in order to do NAT for the 192.168.1.0 pool created on the switch, so that devices connected to the switch receive the Internet bypassing the proxy.

7 Replies

M02@rt37
VIP

Hello @eugeneworon 

I don't think NAT is supported on the 3850.

On the other hand, the C9000 series supports NAT starting with the 17.x.x version. Note that a bug affected c9300 models running versions 16.11.1 and 16.12.x: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvp78589
Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Ver. 17.12.04 is installed on the C9300. I wonder if something can be done to make external networks available directly on the C9300. As I understand it, the Internet needs to be released beyond VLAN 1200? If you make an access port with VLAN 1200 on the C9300 and connect a host with a static public (white) address from the provider's address pool, then the Internet works on this end device.

@eugeneworon 

Give Internet access to internal (private) IPs like 192.168.1.0/24 directly from the c9300 using NAT overload, since c9300 is connected to ISP with public IP address interface.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


C9300-24UX(config)# interface Te1/1/1
C9300-24UX(config-if)# desc --ISP_Int--
C9300-24UX(config-if)# switchport mode trunk
C9300-24UX(config-if)# switchport nonegotiate
C9300-24UX(config-if)# ip nat outside

C9300-24UX(config)# interface VLAN 101
C9300-24UX(config-if)# ip address 192.168.0.1 255.255.255.0
C9300-24UX(config-if)# ip nat inside

C9300-24UX(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any
C9300-24UX(config)# ip nat inside source list 101 interface Te1/1/7 overload

The configuration should look like this?

@eugeneworon 

The interface facing the ISP should be in access mode, no?

Access mode vlan 1200 with SVI_1200 as public IP address (ISP range IP public space).

--And overload on that Interface Te1/1/1 (not 1/1/7).

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


M02@rt37 wrote:

@eugeneworon 

The interface facing the ISP should be in access mode, no?

No, there is a trunk because in addition to Vl1200 (Internet) several more VLANs are carried there: VLAN 1210 (IPTV), VLAN1222/1333 communication channels to remote offices. Of course, I can set the restriction "sw trunk allowed vl xxx".


M02@rt37 wrote:

@eugeneworon 

Access mode vlan 1200 with SVI_1200 as public IP address (ISP range IP public space).

If for SVI VLAN 1200 we assign an IP address of the form "ip add 4.13.13.10 255.255.255.0", will this not affect the operation of the Internet that is already running on the FW?
M02@rt37 wrote:

@eugeneworon 

--And overload on that Interface Te1/1/1 (not 1/1/7).


yes, typo

I did it like this, and the Internet started working on the hosts, including via the Cisco WLC 3504 Wi-Fi controller and AP connected to the C9300 switch. A DHCP server with address pool 192.168.0.0/24 is also created on the C9300.

C9300-24UX(config)# interface vl 101
C9300-24UX(config-if)# ip address 192.168.0.1 255.255.255.0
C9300-24UX(config-if)# ip nat inside

C9300-24UX(config)# interface VLAN 1200
C9300-24UX(config-if)# ip address 4.13.13.10 255.255.255.0
C9300-24UX(config-if)# ip nat outside

C9300-24UX(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any
C9300-24UX(config)# ip nat inside source list 101 interface vlan 1200 overload

C9300-24UX(config)# ip route 0.0.0.0 0.0.0.0 4.13.13.1