05-26-2015 07:48 AM - edited 03-08-2019 12:11 AM
I need help configuring my switch (3560X) to route users of the various VLANs that I configured to the internet.
Here is what I have and did:
Router: 2911
Switch: 3560X (48 Ports)
Configured VLANs: vlan10, vlan20, vlan30, vlan40 and vlan50
Issue: users on vlans could not access the internet but can ping each other, only vlan1 (native) could browse the internet.
I really don't know what I am missing in the configuration.
I need help from scratch on what to do and the steps, without using router-on-a-stick, which I don't want because my switch is capable of routing.
Thanks all for helping.
05-26-2015 08:13 AM
Couple of things to check -
1) Does the 2911 have routes back to your L3 switch for the non-directly-connected subnets?
2) Have you set up NAT on the 2911 for the non-directly-connected subnets?
Jon
05-26-2015 12:12 PM
Yes. The native VLAN, which is VLAN1, can access the internet but the others cannot.
05-26-2015 12:16 PM
Not sure what you mean as that doesn't answer either of the points I mentioned.
Is it working now?
Jon
05-26-2015 08:13 AM
Just an example that may help: route between the 2 devices, and make sure the switch has a default route to the router for all traffic it does not have a destination for.
Layer 3 switch
router eigrp 1
net 10.0.0.0
net 20.0.0.0
net 30.0.0.0
net 40.0.0.0
net 50.0.0.0
! link to router to form IGP neighbor
net 192.168.10.1 0.0.0.3
no auto
ip route 0.0.0.0 0.0.0.0 192.168.10.2
2911
router eigrp 1
net 192.168.10.2 0.0.0.3
no auto
05-26-2015 12:09 PM
Done
05-26-2015 02:30 PM
Hello friend. My first guess without looking at your configuration is that you probably need to implement NAT translations on your Vlans that are trying to get out. If the Vlans can talk to each other then it sounds like your intervlan routing is fine. The problem you're having is that your gateway doesn't know how to return traffic.
Try putting in an overload NAT translation so your Vlan clients nat to a static IP on your Vlan1 when they try to route through your outside interface.
Assuming you're on a serial WIC for your internet connection:
Serial interface should have:
ip nat outside
Inside fastethernet interface should have:
ip nat inside
Now you'll need to first make an access list to identify traffic you need to NAT
Something like:
ip access-list extended NATVlan20
permit ip 192.168.20.0 0.0.0.255 any
This will tag any traffic from Vlan20, assuming it's using 192.168.20.0 as its subnet (change the ACL as needed to match your addressing scheme).
Now to create the overloaded NAT:
First create a NAT pool with the overloaded static IP you want to use. I would suggest a different NAT pool for each Vlan to help monitor which vlan is sending traffic, as well as helping with any policies you want to put in later for those vlans. You can overload all of your vlans under one IP but you'll be limited later if you want to put in any policies for those networks (your call here).
So overloaded NAT:
ip nat pool VLan20Pool 192.168.1.50 192.168.1.50 prefix-length 24
So here I have created a nat pool with a range of 50 to 50 on 192.168.1.0/24 network. We're going to use the host address of 50 on our native VLan's subnet as the address we're going to NAT to for traffic traversing from VLan20 out our serial interface on our router. Next we need to tell the router how to apply that NAT. We're going to tell it to apply it to traffic coming from inside that matches the ACL we created earlier.
Simply done, that is like this:
ip nat inside source list NATVlan20 pool VLan20Pool overload
Here we tell the router to overload (PAT) all traffic from inside going out that matches the ACL we created earlier to the address range of the VLan20Pool which is 50 to 50.
If your problem is that your ISP is receiving a source address that it doesn't know how to get back to, then NAT'ing (PAT'ing) traffic on your VLANs going out to a static IP from your network that is working should fix the problem.
It's a shot in the dark, but I've got a sneaking suspicion that is what you're running into.
05-27-2015 08:21 AM
Afterthought, just as an FYI.
If you haven't already, you also need to make sure each subinterface for each of your Vlans on the router has "ip nat inside" enabled on it.
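Added example, not part of the thread and not any poster's code: a small offline check for the two points raised in the replies above (does the 2911 have a route back to each VLAN subnet, and does the NAT access list match it). The config excerpt, addresses, the ACL name NAT-INSIDE and all function names are assumptions made up for illustration.

```python
import ipaddress
import re

# Constructed 2911 config excerpt; every address and name here is an assumption.
SAMPLE_2911 = """\
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.10.0 255.255.255.0 192.168.1.2
ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
"""
VLAN_SUBNETS = {"vlan10": "192.168.10.0/24", "vlan20": "192.168.20.0/24",
                "vlan30": "192.168.30.0/24"}  # assumed addressing on the L3 switch


def return_routes(config):
    """Static routes that can carry replies back toward the L3 switch."""
    found = re.findall(r"^ip route (\d\S+) (\d\S+) ", config, re.M)
    nets = [ipaddress.ip_network(f"{addr}/{mask}") for addr, mask in found]
    return [n for n in nets if n.prefixlen > 0]  # default route points at the ISP


def nat_networks(config):
    """Source networks permitted by ACLs that 'ip nat inside source list' uses."""
    acls = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    nets, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes an ACL block
            m = re.match(r"ip access-list extended (\S+)", line)
            current = m.group(1) if m else None
        elif current in acls:
            m = re.match(r" permit ip (\d\S+) (\d\S+) any", line)
            if m:  # ipaddress parses the wildcard mask as a host mask
                nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def audit(config, vlans):
    """Return {vlan: [gaps]} for subnets lacking a return route or NAT coverage."""
    checks = (("no return route", return_routes(config)),
              ("not matched by NAT ACL", nat_networks(config)))
    report = {}
    for name, cidr in vlans.items():
        net = ipaddress.ip_network(cidr)
        gaps = [why for why, pool in checks if not any(net.subnet_of(p) for p in pool)]
        if gaps:
            report[name] = gaps
    return report
```

Calling audit(SAMPLE_2911, VLAN_SUBNETS) reports vlan10 as unmatched by the NAT ACL and vlan30 as missing both a return route and NAT coverage, while vlan20 passes. The default route is deliberately ignored because it points toward the ISP, not back to the switch.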