cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
247
Views
0
Helpful
7
Replies
timodare2002
Beginner

InterVlan routing issue

I need help configuring my Switch (3560X) to route users of Various Vlan that I configure to the internet.

Here is what I have and did:

Router: 2911

Switch: 3560X (48 Ports)

Configured VLANs: vlan10, vlan20, vlan30, vlan40 and vlan50

Issue: users on vlans could not access the internet but can ping each other, only vlan1 (native) could browse the internet.

I really don't know what am missing in the configuration.

Need help from the scratch on what and steps without using router-on-a-stick which I don't want because my switch is capable of routing.

Thanks all for helping.

7 REPLIES 7
Jon Marshall
VIP Community Legend

Couple of things to check -

1) does the 2911 have routes back to your L3 switch for the non directly connected subnets ?

2) have you setup NAT on the 2911 for the non directly connected subnets ?

Jon

Yes.Native Vlan can access internet which is VLAN1 but the others cannot.

Not sure what you mean as that doesn't answer either of the points I mentioned.

Is it working now ?

Jon

Mark Malone
VIP Mentor

Just an example may help , route between the 2 devices  make sure switch has default route to router for all traffic it does not have a destination for.

Layer 3 switch
router eigrp 1
net    10.0.0.0
net    20.0.0.0
net    30.0.0.0
net    40.0.0.0
net    50.0.0.0
net    192.168.10.1 0.0.0.3-----link to router to form IGP neighbor
no auto

ip route 0.0.0.0 0.0.0.0 192.168.10.2

2911
router eigrp 1
net    192.168.10.2 0.0.0.3
no auto

 

Done

William Benson
Beginner

Hello friend.  My first guess without looking at your configuration is that you probably need to implement NAT translations on your Vlans that are trying to get out.  If the VLans can talk to each other than it sounds like your intervlan routing is fine.  The problem you're having is that your gateway doesn't know how to return traffic.

Try putting in an overload NAT translation so your Vlan clients nat to a static IP on your Vlan1 when they try to route through your outside interface.

assuming your on a serial WIC for your internet connection:

Serial interface should have:

nat outside

Inside fastethernet interface should have:

nat inside

 

Now you'll need to first make an access list to identify traffic you need to NAT

Something like:

ip access-list extended NATVlan20

    permit ip 192.168.20.0 0.0.0.255 any

This will tag any traffic from VLan20 assuming it's using 192.168.20.0 as it's subnet (change ACL as needed to match your addressing scheme)

 

Now to create the overloaded NAT

First create a NAT pool with the overloaded static IP you want to use.  I would suggest a different NAT pool for each Vlan to help monitor which vlan is sending traffic as well helping with any policies you want to put in later for those vlans.  You can overload all of your vlans under one IP but you'll be limited later if you want to put in any policies for those networks (your call here).

So overloaded NAT:

ip nat pool VLan20Pool 192.168.1.50 192.168.1.50 prefix-length 24

So here I have created a nat pool with a range of 50 to 50 on 192.168.1.0/24 network.  We're going to use the host address of 50 on our native VLan's subnet as the address we're going to NAT to for traffic traversing from VLan20 out our serial interface on our router.  Next we need to tell the router how to apply that NAT.  We're going to tell it to apply it to traffic coming from inside that matches the ACL we created earlier.

Simply done that is like this:

ip nat inside source list NATVlan20 pool VLan20Pool overload

Here we tell the router to overload (PAT) all traffic from inside going out that matches the ACL we created earlier to the address range of the VLan20Pool which is 50 to 50.

 

If your problem is that your ISP is receiving a source address that it doesn't know how to get back to, then by NAT'ing (PAT'ing) traffic on your VLANs going out to a static IP from your network that is working, should fix the problem.

 

It's a shot in the dark, but I've got a sneaking suspicion that is what you're running into.

After though, just as an FYI.

If you don't already, you also need to make sure each subinterface for each of your Vlans on the router, should also need to have "ip nat inside" enabled on them.