08-31-2019 12:55 PM
Hi!
I'm trying to get my switch to route traffic from my WAN (Vlan 1), to the INSIDE (Vlan 2) and can't seem to get it working.
I'm still quite new to playing around with Cisco L3, and I feel that I have hit a dead end here.
Hope someone here is able to help me understand what I'm doing wrong.
Here is my output of "show run":
S1-3560#show run
Building configuration...
Current configuration : 2555 bytes
!
! Last configuration change at 00:05:57 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1-3560
!
boot-start-marker
boot-end-marker
!
!
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXXX
no aaa new-model
system mtu routing 1500
ip routing
ip domain-name S1-3560
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool LAN/INSIDE
network 10.0.0.0 255.255.255.128
default-router 10.0.0.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip address-pool dhcp-pool
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback0
ip address 10.0.0.254 255.255.255.128
!
interface FastEthernet0/1
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/2
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/3
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/4
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/5
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/6
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/7
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface FastEthernet0/8
description LAN/INSIDE
switchport access vlan 2
switchport mode access
power inline never
!
interface GigabitEthernet0/1
description WAN/OUTSIDE
!
interface Vlan1
description WAN/OUTSIDE
ip address dhcp
ip access-group 100 in
ip access-group 100 out
!
interface Vlan2
description LAN/INSIDE
ip address 10.0.0.1 255.255.255.128
ip access-group 100 in
ip access-group 100 out
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 100 permit ip any any
access-list 100 permit udp any eq domain any
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any any
!
!
line con 0
logging synchronous
login local
length 0
line vty 0 4
logging synchronous
login local
length 0
line vty 5 15
logging synchronous
login local
length 0
!
end
S1-3560#
Thanks in advance
-Bjerremann
08-31-2019 01:52 PM - edited 08-31-2019 01:54 PM
You need to have the below statement:
ip route 0.0.0.0 0.0.0.0 dhcp
You do not need the loopback interface (unless you need it for any other purpose):
no interface Loopback0
ip address 10.0.0.254 255.255.255.128 <<-- this is wrong subnet
To reach the internet you need to have NAT in place for your LAN, so do you have any other device doing NAT?
Since you are allowing all, you do not need the ACL?
08-31-2019 01:44 PM
Hi,
I see this in your config
ip name-server 8.8.8.8
ip name-server 8.8.4.4
interface Vlan1
description WAN/OUTSIDE
ip address dhcp
Does this mean this switch is connecting to the Internet? If yes, your internal IP is private and you need to do NAT but this switch does not support NAT.
Can you confirm?
HTH
08-31-2019 01:54 PM - edited 08-31-2019 01:55 PM
Thank you for the reply, HTH.
That is correct.
But maybe I misunderstood something then?
I read somewhere that you could use the "ip routing" on this switch, instead of "ip nat" - and then use this switch almost as a router with fewer options.
That's why I conf'ed the switch with the "ip route 0.0.0.0 0.0.0.0 dhcp".
08-31-2019 03:07 PM
You need a router to do the NAT for you. Almost all switches (except the 6500 and 6800 series) don't support NAT.
HTH
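Added example (not part of the original thread or any poster's code): a small Python audit of the posted configuration that checks the two points raised in the replies. It shows that the first entry of ACL 100 matches all IP traffic, so the ACL filters nothing and the later entries are never reached, and that the statically addressed inside interface sits in RFC 1918 space, which is why the replies ask for a NAT device. Function names are hypothetical; the config lines are taken from the "show run" output above.

```python
import ipaddress
import re

# Lines taken from the "show run" output posted in the thread.
CONFIG = """\
interface Vlan1
 ip address dhcp
 ip access-group 100 in
 ip access-group 100 out
interface Vlan2
 ip address 10.0.0.1 255.255.255.128
 ip access-group 100 in
 ip access-group 100 out
access-list 100 permit ip any any
access-list 100 permit udp any eq domain any
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any any
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_acl(config, number):
    """Entries of a numbered ACL, in order, as token lists."""
    prefix = f"access-list {number} "
    return [l[len(prefix):].split() for l in config.splitlines() if l.startswith(prefix)]

def shadowed_entries(entries):
    """Indexes that can never match: IOS stops at the first matching entry,
    so everything after an 'ip any any' entry is unreachable."""
    for i, entry in enumerate(entries):
        if entry[1:] == ["ip", "any", "any"]:
            return list(range(i + 1, len(entries)))
    return []

def acl_is_noop(entries):
    """True when the first entry permits all IP, i.e. the ACL filters nothing."""
    return bool(entries) and entries[0] == ["permit", "ip", "any", "any"]

def private_interfaces(config):
    """Interface name -> network, for static addresses inside RFC 1918 space."""
    found, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        m = re.match(r"\s*ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$", line)
        if m and iface:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            if any(net.subnet_of(block) for block in RFC1918):
                found[iface] = net
    return found
```
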
08-31-2019 01:52 PM - edited 08-31-2019 01:54 PM
you need to have below statement :
ip route 0.0.0.0 0.0.0.0 dhcp
you do not need loopback interface(until you need any other purpose)
no interface Loopback0
ip address 10.0.0.254 255.255.255.128 <<-- this is wrong subnet
To reach internet you need to have NAT in place ? for your LAN, so you have any other device doing NAT ?
since you are allowing all you do not need ACL ?
08-31-2019 02:25 PM