I need help configuring my switch (3560X) to route users of the various VLANs that I configure to the internet.
Here is what I have and did:
Switch: 3560X (48 Ports)
Configured VLANs: vlan10, vlan20, vlan30, vlan40 and vlan50
Issue: users on the VLANs could not access the internet but can ping each other; only vlan1 (native) could browse the internet.
I really don't know what I am missing in the configuration.
I need help from scratch on what to do and the steps, without using router-on-a-stick, which I don't want because my switch is capable of routing.
Thanks all for helping.
Couple of things to check -
1) Does the 2911 have routes back to your L3 switch for the non directly connected subnets?
2) Have you set up NAT on the 2911 for the non directly connected subnets?
Just an example that may help: route between the 2 devices, and make sure the switch has a default route to the router for all traffic it does not have a destination for.
Layer 3 switch
router eigrp 1
! link to router to form IGP neighbor
net 192.168.10.1 0.0.0.3
ip route 0.0.0.0 0.0.0.0 192.168.10.2
! router end of the same link (192.168.10.2, the switch's default-route next hop)
router eigrp 1
net 192.168.10.2 0.0.0.3
Hello friend. My first guess without looking at your configuration is that you probably need to implement NAT translations on your VLANs that are trying to get out. If the VLANs can talk to each other then it sounds like your inter-VLAN routing is fine. The problem you're having is that your gateway doesn't know how to return traffic.
Try putting in an overload NAT translation so your VLAN clients NAT to a static IP on your Vlan1 when they try to route through your outside interface.
Assuming you're on a serial WIC for your internet connection:
Serial interface should have:
Inside fastethernet interface should have:
Now you'll need to first make an access list to identify traffic you need to NAT
ip access-list extended NATVlan20
permit ip 192.168.20.0 0.0.0.255 any
This will tag any traffic from Vlan20, assuming it's using 192.168.20.0 as its subnet (change the ACL as needed to match your addressing scheme).
Now to create the overloaded NAT
First create a NAT pool with the overloaded static IP you want to use. I would suggest a different NAT pool for each VLAN to help monitor which VLAN is sending traffic, as well as helping with any policies you want to put in later for those VLANs. You can overload all of your VLANs under one IP, but you'll be limited later if you want to put in any policies for those networks (your call here).
So overloaded NAT:
ip nat pool VLan20Pool 192.168.1.50 192.168.1.50 prefix-length 24
So here I have created a nat pool with a range of 50 to 50 on 192.168.1.0/24 network. We're going to use the host address of 50 on our native VLan's subnet as the address we're going to NAT to for traffic traversing from VLan20 out our serial interface on our router. Next we need to tell the router how to apply that NAT. We're going to tell it to apply it to traffic coming from inside that matches the ACL we created earlier.
Simply done that is like this:
ip nat inside source list NATVlan20 pool VLan20Pool overload
Here we tell the router to overload (PAT) all traffic from inside going out that matches the ACL we created earlier to the address range of the VLan20Pool which is 50 to 50.
If your problem is that your ISP is receiving a source address that it doesn't know how to get back to, then NAT'ing (PAT'ing) traffic on your VLANs going out to a static IP from your network that is working should fix the problem.
It's a shot in the dark, but I've got a sneaking suspicion that is what you're running into.
Afterthought, just as an FYI.
If you don't already, you also need to make sure each subinterface for each of your VLANs on the router has "ip nat inside" enabled on it.
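An added example, not code from any poster in this thread: a Python check of a router config for the two points raised in the first reply (a route back to the L3 switch, and NAT coverage for each VLAN subnet), using the ACL and NAT statements from the second reply. The static routes, the 203.0.113.1 next hop, the VLAN subnets other than 192.168.20.0, the use of 192.168.10.1 as the switch address, and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed router config; only the ACL and NAT lines come from the thread.
SAMPLE_ROUTER_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.20.0 255.255.255.0 192.168.10.1
ip route 192.168.30.0 255.255.255.0 192.168.10.1
ip access-list extended NATVlan20
 permit ip 192.168.20.0 0.0.0.255 any
ip nat pool VLan20Pool 192.168.1.50 192.168.1.50 prefix-length 24
ip nat inside source list NATVlan20 pool VLan20Pool overload
"""

def routes_via(config, next_hop):
    """Networks with a static route whose next hop is the L3 switch."""
    found = re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M)
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask, hop in found if hop == next_hop]

def nat_sources(config):
    """Sources permitted by extended ACLs that a NAT rule references.
    ipaddress accepts the ACL wildcard (host mask) form directly."""
    used = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    nets, current = [], None
    for line in config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = header.group(1)
        entry = re.match(r"\s+permit ip (\d\S*) (\d\S*) any", line)
        if entry and current in used:
            nets.append(ipaddress.ip_network("/".join(entry.groups()), strict=False))
    return nets

def audit(config, vlan_subnets, switch_ip):
    """Map each VLAN subnet to the problems found (empty list = both checks pass)."""
    routes, nat = routes_via(config, switch_ip), nat_sources(config)
    report = {}
    for subnet in map(ipaddress.ip_network, vlan_subnets):
        problems = []
        if not any(subnet.subnet_of(r) for r in routes):
            problems.append("no route back via the L3 switch")
        if not any(subnet.subnet_of(n) for n in nat):
            problems.append("not matched by a NAT access list")
        report[str(subnet)] = problems
    return report

if __name__ == "__main__":  # VLAN subnets and switch address are assumed values
    vlans = ["192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24"]
    print(audit(SAMPLE_ROUTER_CONFIG, vlans, "192.168.10.1"))
```

The default route toward 203.0.113.1 is deliberately not counted as a return path, and `permit ip any any` entries are ignored because they carry no subnet to compare.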