2109 Views, 0 Helpful, 40 Replies

Internet for VLAN

frederick.mercado (Spotlight)

We are running a 9300 switch that is doing L3 inter-VLAN/IP routing. I have tried multiple configurations but cannot seem to get clients out to the internet. We would like our internet-only VLAN xxx to allow users in VLAN xxx to go out.

 

Essentially NATing (masquerading?) their internal IPs of 10.74.xxx.x (GW .250, .0 subnet) to a single external IP (207.xx.xx.x, /.248 subnet) to get out to the internet. I connected a cable from our ISP switch to our L3 switch and need a good example port configuration. Clients are connecting via the MOBILE SSID and are getting DHCP and RADIUS successfully internally, but we want their internet traffic to use the ISP.
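The question asks for an example port configuration and for dynamic PAT of the client subnet onto one public address. The following is an added example written for this page, not the poster's configuration and not taken from Cisco's document; it uses IOS-XE syntax for a Catalyst 9300. Every address and interface name is an assumption: 10.74.126.0/24 for the client VLAN (VLAN 126 is named later in the thread), 203.0.113.0/29 as a stand-in for the ISP /29 with .1 as the ISP gateway and .2 as the switch, and GigabitEthernet1/0/48 as the ISP-facing port. Replace them with the real values.

```cisco
! Added example: dynamic PAT for the MOBILE SSID VLAN on a Catalyst 9300.
! Addresses, VLAN number and port are assumptions, see the lead-in.
!
! 1. Client SVI: default gateway for the wireless clients, NAT "inside".
interface Vlan126
 description MOBILE SSID clients
 ip address 10.74.126.250 255.255.255.0
 ip nat inside
!
! 2. ISP handoff: a routed port (no switchport), NAT "outside".
!    The address on this port is what every client is translated to.
interface GigabitEthernet1/0/48
 description ISP handoff
 no switchport
 ip address 203.0.113.2 255.255.255.248
 ip access-group FROM_ISP in
 ip nat outside
 no cdp enable
!
! 3. Only the guest subnet is eligible for translation. Keep this list
!    narrow: "permit ip any any" here would PAT every internal network
!    whose traffic happens to follow the default route.
ip access-list extended NAT_CLIENTS
 permit ip 10.74.126.0 0.0.0.255 any
!
! 4. PAT ("overload"): many private addresses onto the outside port's
!    address, distinguished by source port.
ip nat inside source list NAT_CLIENTS interface GigabitEthernet1/0/48 overload
!
! 5. Default route toward the ISP gateway (assumed to be .1 of the /29).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! 6. Inbound filter on the ISP port. The input ACL is evaluated before
!    the outside-to-inside translation, so it sees the public address.
!    Drop packets that claim a private source (spoofing) and anything
!    not addressed to our public IP; replies to translated sessions are
!    addressed to 203.0.113.2 and pass, and unsolicited packets with no
!    translation entry are dropped by PAT itself.
ip access-list extended FROM_ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any host 203.0.113.2
!
! Verification after a client opens a web page:
!   show ip nat translations      (one entry per client flow, inside
!                                  local 10.74.126.x -> global 203.0.113.2)
!   show ip nat statistics        (hits/misses, inside and outside interfaces)
!   show ip route 0.0.0.0         (default route points at the ISP)
```

Two checks before blaming NAT: NAT on the Catalyst 9000 family requires the Network Advantage license and is programmed into hardware, so confirm the license with `show license summary` and confirm that `show ip nat statistics` lists both the inside and outside interfaces. Also note that only VLAN 126 is in NAT_CLIENTS; traffic from any other internal VLAN that reaches the default route would leave the ISP port untranslated with a private source address, so if other VLANs must never reach the ISP, stop them with an ACL or a more specific route rather than relying on the ISP to drop them.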

40 Replies

Tried this, still cannot get out

Your config does not include the ACL and it still does not work??

I think the issue is now clear: it is not the ACL, it is routing.

In the WLC you configured the GW IP, which is the SVI of an HSRP peer. Is this HSRP peer active for the Wi-Fi client VLAN?
If not, then you need to check that both HSRP peers are connected via the Wi-Fi client VLAN. If you connect the WLC to one HSRP peer and use, for example, VLAN 10,
you must configure an L2 link between the two HSRP peers for this VLAN, or allow it on the trunk between the two HSRP peers, even if you only use VLAN 10 on the HSRP peer connected to the WLC.

Right now I have BOTH VLAN configs on switches. That the mobile clients use.

For testing and simplicity I have VLAN for ISP connection (since it connects to CORE) only configured on that switch as you can see.

Yes, but is Core 1 active for HSRP VLAN 126???

Shut down the SVI in the other HSRP peer, keep the SVI up for VLAN 126 in Core 1, and see the result.

I am on VPN into the network right now and will have to wait until tomorrow for more troubleshooting, but this is what I have on the core.

Shut down the HSRP VLAN on the core, but no change. Cannot ping outside of the gateway.

 

In the WLC the SVI for VLAN xxx is configured as 10.74.x.x, or a random IP on the VLAN for client access. You are saying I should change this to the GW (10.74.x.x) that points to CORE? Both HSRP peers have the same virtual IP with different standby routers.

[Attachment: 171831-SVI Directions.png]

 

No issue with ISP inter-VLAN; the issue is this ACL. It is applied in the IN/OUT direction, and even if IN permits, the return traffic will be denied by OUT. You must configure two separate ACLs, one for IN and the other for OUT.

ip access-list extended MOBILE_SSID_ALL
 10 remark Control Access from Secure Network
 10 remark Allow DNS to designated servers
 10 permit udp 10.74.126.0 0.0.0.255 host 8.8.8.8 eq domain
 20 permit udp 10.74.126.0 0.0.0.255 host 8.8.4.4 eq domain
 30 remark Deny to all other unregistered addresses
 30 permit ip 10.74.126.0 0.0.0.255 10.74.126.0 0.0.0.255
 40 permit udp any any eq bootps
 50 deny ip any 10.0.0.0 0.255.255.255
 60 deny ip any 172.16.0.0 0.15.255.255
 70 deny ip any 192.168.0.0 0.0.255.255
 80 remark Allow everything else from valid IPs
 80 permit ip any any
 90 permit tcp any any eq www
 100 permit tcp any any eq 443
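The reply above says that one list applied in both directions drops the return traffic. The following added example (written for this page, not the poster's configuration) first traces a DNS query and its reply through the posted list to show where the reply dies, then splits it into an IN list and an OUT list for the client SVI. It assumes VLAN 126 with 10.74.126.0/24, the same resolvers as the posted list, and that PAT on the ISP port is what drops unsolicited internet traffic; sequence numbers are left to the switch.

```cisco
! Added example: why the posted MOBILE_SSID_ALL fails when applied "out",
! and the split IN/OUT pair that replaces it. Addresses are assumptions.
!
!   client 10.74.126.20 -> 8.8.8.8 udp/53 (query, SVI direction "in")
!     seq 10 "permit udp 10.74.126.0 0.0.0.255 host 8.8.8.8 eq domain" -> PERMIT
!   8.8.8.8 udp/53 -> 10.74.126.20 (reply, SVI direction "out")
!     seq 10/20: source is not 10.74.126.0/24            -> no match
!     seq 30:    source is not 10.74.126.0/24            -> no match
!     seq 40:    destination port is not bootps          -> no match
!     seq 50:    "deny ip any 10.0.0.0 0.255.255.255"    -> DENY
!   The reply never reaches seq 80. Router ACLs on the 9300 are stateless,
!   so the "out" direction needs its own list with the addresses mirrored.
!   (In the posted list seq 90 and 100 sit below "permit ip any any" and
!   can never match; they are dropped here.)
!
! Direction "in" on Vlan126: packets coming FROM the wireless clients.
! Same intent as the posted list, but the final permit is limited to the
! guest subnet so a client cannot spoof another internal source address.
ip access-list extended MOBILE_SSID_IN
 remark Allow DNS to designated servers
 permit udp 10.74.126.0 0.0.0.255 host 8.8.8.8 eq domain
 permit udp 10.74.126.0 0.0.0.255 host 8.8.4.4 eq domain
 remark Same-subnet traffic (gateway, relay) and DHCP
 permit ip 10.74.126.0 0.0.0.255 10.74.126.0 0.0.0.255
 permit udp any any eq bootps
 remark Keep guests out of every other internal range
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else from the guest subnet may leave (via NAT)
 permit ip 10.74.126.0 0.0.0.255 any
!
! Direction "out" on Vlan126: packets going TOWARD the wireless clients.
! The output ACL runs after the outside-to-inside translation, so it sees
! the private destination address.
ip access-list extended MOBILE_SSID_OUT
 remark Replies from the designated resolvers (listed before the denies
 remark so the same lines keep working if an internal resolver is used)
 permit udp host 8.8.8.8 eq domain 10.74.126.0 0.0.0.255
 permit udp host 8.8.4.4 eq domain 10.74.126.0 0.0.0.255
 remark Internal hosts must not initiate sessions to guests
 deny   ip 10.0.0.0 0.255.255.255 10.74.126.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.74.126.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 10.74.126.0 0.0.0.255
 remark Internet return traffic; anything with no PAT entry was already
 remark dropped on the outside interface
 permit ip any 10.74.126.0 0.0.0.255
!
interface Vlan126
 ip access-group MOBILE_SSID_IN in
 ip access-group MOBILE_SSID_OUT out
!
! Check which line a flow hits: "show ip access-lists MOBILE_SSID_OUT"
! shows per-line match counters after a client resolves a name.
```

Two things an SVI ACL never sees: traffic between two clients in VLAN 126 (switched at layer 2, so the same-subnet permit only matters for packets aimed at the gateway address) and packets generated by the switch itself, such as DHCP offers relayed by the SVI, which are not subject to the outbound list. If the denies in MOBILE_SSID_OUT appear to block something internal that guests legitimately need (for example an internal DNS or captive portal), add an explicit permit for that host above the denies rather than loosening them.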

frederick.mercado (Spotlight)

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/217419-configure-and-verify-nat-on-catalyst-900.html

I saw this article; however, I believe others have done dynamic PAT with VLANs, correct? Would it work via VRF if this is the case?

[Attachment: topology diagram]

This is my total topology. I designed it myself to make it easier for me to understand the issue.

Now you have HSRP, and the WLC is connected to one HSRP peer through a trunk that allows all the Wi-Fi VLANs.
We need to interconnect both HSRP peers via a trunk that allows all the Wi-Fi VLANs, and configure SVIs for these VLANs on both HSRP peers.
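The reply above describes the fix in words: carry the Wi-Fi VLAN between the two HSRP peers and give both of them an SVI in it. The following added example (written for this page, not the poster's configuration) shows that for VLAN 126, and it adds one point the thread's topology implies: the ISP port and the NAT configuration live on Core 1 only, so Core 1 must be the active HSRP gateway, otherwise client traffic is routed by Core 2 and never passes the "ip nat inside" interface. Interface names, the virtual IP 10.74.126.250, the real IPs .251/.252 and the priorities are assumptions.

```cisco
! Added example: VLAN 126 on the inter-core trunk, an SVI on each peer,
! Core 1 forced active because it owns the ISP link and NAT.
! Interface names, addresses and priorities are assumptions.
!
! ---------------- Core 1 (ISP port and NAT are here) ----------------
vlan 126
 name MOBILE_SSID
!
interface TenGigabitEthernet1/1/1
 description Trunk to Core 2
 switchport mode trunk
 switchport trunk allowed vlan add 126
!
interface Vlan126
 description MOBILE SSID clients
 ip address 10.74.126.251 255.255.255.0
 ip nat inside
 standby version 2
 standby 126 ip 10.74.126.250
 standby 126 priority 110
 standby 126 preempt
!
! ---------------- Core 2 ----------------
vlan 126
 name MOBILE_SSID
!
interface TenGigabitEthernet1/1/1
 description Trunk to Core 1
 switchport mode trunk
 switchport trunk allowed vlan add 126
!
interface Vlan126
 description MOBILE SSID clients
 ip address 10.74.126.252 255.255.255.0
 standby version 2
 standby 126 ip 10.74.126.250
 standby 126 priority 90
!
! Verify on both peers:
!   show standby brief        Core 1 must be Active and Core 2 Standby
!                             for group 126; "Active" on both means the
!                             peers cannot see each other's hellos, i.e.
!                             VLAN 126 is not really passing the trunk
!   show interfaces trunk     VLAN 126 must be in the allowed list AND in
!                             the "active in management domain" list
!   show spanning-tree vlan 126   the inter-core trunk must be forwarding
```

The WLC and the clients keep using 10.74.126.250 as their gateway; only the switch that currently answers for that address matters. If Core 1 goes down, Core 2 becomes active and clients lose internet regardless, because the ISP link is single-homed to Core 1; tracking the ISP port in HSRP (`standby 126 track`) would only move the gateway to a switch with no path out, so it is not added here. Add it only once Core 2 has its own ISP path and NAT configuration.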
