layer 3 switch internet

TimMees60387 · ‎08-09-2025

I have a layer 3 switch with different VLANs but I have no internet

Enes Simnica · ‎08-09-2025

@TimMees60387 I think i saw the same question here before, but idk if it was from u or from another member. But still i have some minutes today, so I will answer ur question...

ALright usually, if ur Layer 3 switch has multiple VLANs but no internet, first verify inter-VLAN routing by pinging between VLANs and their SVI IPs, and ensure ip routing is enabled. Add a default route so the switch knows where to send external traffic, like ip route 0.0.0.0 0.0.0.0 192.168.1.1 if ur upstream router/firewall is 192.168.1.1. The upstream device must perform NAT and know all VLAN subnets via static routes or a routing protocol. Don’t forget DNs, without it, browsing won’t work. You can set DNS on clients (like 8.8.8.8) or use the switch’s DHCP. SO for sure ull have to test with ping 8.8.8.8 to check routing, then a hostname to confirm DNS.....

and here u have some basic config for l3 or multilayer switch vlan config and stuff;

ip routing

int vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shut

int vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8

ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8

and if u want me to adjust this config for nat and stuff, let me know....

hope it helps =

-Enes

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

TimMees60387 · ‎08-10-2025

I have added,
aaa session-id common
system mtu routing 1500
ip routing
ip domain-name local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 195.130.130.1
ip name-server 195.130.131.1
ip name-server 195.130.131.4
ip name-server 195.130.130.4
!
!
ip dhcp pool VLAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN6
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 8.8.8.8

interface FastEthernet0/6
switchport access vlan 6
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 8
switchport mode access
!
interface GigabitEthernet0/1
no switchport
ip address dhcp
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
ip address 192.168.20.1 255.255.255.0
!
interface Vlan6
ip address 192.168.60.1 255.255.255.0
!
ip http server
ip http secure-server

shambhu.kumar · ‎08-10-2025

How your ISP is connected with your network? There is no routing information and where NAT is happening? Could you provide the details information.

TimMees60387 · ‎08-10-2025

layeer3 swichs is connected to the modem has public as private ip adress 192.168.0.1

Mark Elsen · ‎08-09-2025

- @TimMees60387 Not enough info's , you need to post the configuration tried.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ZaynFow · ‎08-10-2025

But how is your layer 3 switch connected to the internet gateway or Router??

TimMees60387 · ‎08-10-2025

with the ISP modem/router

M02@rt37 · ‎08-10-2025

Hello @TimMees60387

I see ip routing command, do show ip route command please and share the output.

You need a static route pointing your modem/router (192.168.1.1 ?):

ip route 0.0.0.0 0.0.0.0 192.168.1.1

You also need NAT configuration. On interface facing the modem/router, add ip nat outside command and on SVIs add ip nat inside command. Under config terminal, add ip nat inside source list 1 interface Gi0/1 overload command...Gi0/1 = the interface facing your modem/router and list 1 referencing access-list 1:

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 1 permit 192.168.60.0 0.0.0.255

--this standard acl match the LANs in order to be processed by your NAT rule command.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

TimMees60387 · ‎08-10-2025

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.0.1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/1
L 192.168.0.252/32 is directly connected, GigabitEthernet0/1
192.168.60.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.60.0/24 is directly connected, Vlan6
L 192.168.60.1/32 is directly connected, Vlan6

M02@rt37 · ‎08-10-2025

Thinks @TimMees60387

So static route is OK...

Check the NAT config as I explained to you.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Richard Burts · ‎08-10-2025

Pending any further information we might receive, I believe that M02@rt37 has correctly identified the issue as not having NAT. The OP needs to provide more detail about the configuration so that we can determine if this is the case.

HTH

Rick

paul driver · ‎08-10-2025

Hello
You dont mention what type of L3 switch you have but only high end l3 switchs support Network Translation (NAT)
So unless you have another router you can attach in between the isp/modem and your switch or have admin access to you ISP/modem to include your L3 vlans to be network translated users in those vlans wont be able to reach the internet.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Jens Albrecht · ‎08-10-2025

Hello @TimMees60387,

your modem has no idea where to send the packets for your vlans. Your modem only knows the internal network 192.168.0.0/24 and has a default route to send anything else to the internet. So your internal vlans are unknown to your modem which means that it will never send traffic back to the switch for these vlans.

There are several possible solutions to this problem:

First, the best solution is to configure return routes for your internal vlans on your ISP modem/router if possible. So you need to check whether you can create such routes on your modem. Some modems offer this possibility, some don't. Check the documentation of your modem and see whether it supports adding routes for your internal vlans.

In case your modem does not support adding routes, then the next option is to configure NAT on your L3 switch if the switch supports it. You did not mention the exact model of your switch and what software you are running.
On a 3560CX with ipservice license running IOS version 15.2(7)E12, the necessary config looks like this:

interface GigabitEthernet0/1
ip nat outside
!
interface Vlan1
ip nat inside
!
interface Vlan2
ip nat inside
!
interface Vlan6
ip nat inside
!
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.60.0 0.0.0.255
!
ip nat inside source list 10 interface gi0/1 overload

The disadvantage of this solution is the fact that you use NAT two times, i.e. on your switch and on your modem, which can affect the performance and might cause problems e.g. with VPN protocols.

If your switch does not support NAT or you want to avoid double-natting, then you need to place a router between your switch and ISP modem. In that case the configuration of your modem should be changed to pass-through to avoid double-natting.
In case of a cisco router the config would look very similar to the one for the switch.

Hence you need to check your options and then decide the best way to go. Let us know if you need further help.

HTH!

Joseph W. Doherty · ‎08-10-2025

BTW, older low-end L3 switched, commonly, don't support NAT.

Also, although we say you need NAT, if you have more hosts that public IP addresses, you either need to limit yourself to how many active NAT session you can run concurrently (i.e. the number of public IPs) or you need PAT. The trouble with earlier versions of Cisco PAT, it often wouldn't correctly handle some applications. So, that too can be a problem.