
No access to Internet from VLAN to router

reynosoalmonte

Hello,

How are you?

I have a question because I don't know what to use or what the best way is.

I have a VLAN 208 that is in access mode on the switch connected to PC0. I need Internet on that PC0. I have a Cisco 800 that is the ISP. I have a layer 3 switch connected to the Cisco 800 and another layer 3 switch where I have connected all my switches and am doing inter-VLAN routing.

The question is, how can I connect PC0 to the Internet?

 

I should mention that the Cisco 800 has the static IP in VLAN 1.

 

Check the following picture please.

Thanks,

Accepted Solutions

Your second switch is missing the IP address for Vlan 1, all the EIGRP configuration, as well as the static route. Make sure the configs of both switches are identical (except for the IP addresses of course).

28 Replies 28

reynosoalmonte
Any help please?

Hello,

 

post the full configs of the router and the layer 3 switch...

this is the config of my router:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp use vrf connected
ip dhcp excluded-address 190.191.192.101
ip dhcp excluded-address 190.191.192.199
ip dhcp excluded-address 190.191.192.1 190.191.192.10
!
ip dhcp pool 1
network 190.191.192.0 255.255.255.0
default-router 190.191.192.101
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-K9 sn FTX190582E5
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto dynamic-map dynmapL2L 10
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmapL2L
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 0/33
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 190.191.192.101 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip access-group 10 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp pap sent-username *************password 0 ************
no cdp enable
crypto map clientmap
!
interface Dialer1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface Dialer0 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
snmp-server community public RO
snmp-server community private RW
access-list 10 permit any
access-list 100 permit ip 190.191.192.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip any any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
!
!
end

 

and config of my layer 3 switch:

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport trunk allowed vlan 2-4094
switchport mode trunk
!
interface GigabitEthernet1/2
switchport trunk allowed vlan 2-4094
switchport mode trunk
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface GigabitEthernet1/5
switchport trunk allowed vlan 1,101,199,208
switchport mode trunk
!
interface GigabitEthernet1/6
!
interface GigabitEthernet1/7
switchport mode trunk
!
interface GigabitEthernet1/8
switchport mode trunk
!
interface GigabitEthernet1/9
!
interface GigabitEthernet1/10
switchport trunk allowed vlan 1,101
switchport mode trunk
!
interface GigabitEthernet1/11
switchport trunk allowed vlan 1,101,199,208
switchport mode trunk
!
interface GigabitEthernet1/12
!
interface GigabitEthernet1/13
!
interface GigabitEthernet1/14
!
interface GigabitEthernet1/15
!
interface GigabitEthernet1/16
switchport trunk allowed vlan 195,202
switchport mode trunk
!
interface GigabitEthernet1/17
!
interface GigabitEthernet1/18
!
interface GigabitEthernet1/19
!
interface GigabitEthernet1/20
switchport access vlan 199
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/21
!
interface GigabitEthernet1/22
!
interface GigabitEthernet1/23
!
interface GigabitEthernet1/24
!
interface GigabitEthernet1/25
!
interface GigabitEthernet1/26
!
interface GigabitEthernet1/27
!
interface GigabitEthernet1/28
!
interface GigabitEthernet1/29
!
interface GigabitEthernet1/30
!
interface GigabitEthernet1/31
!
interface GigabitEthernet1/32
!
interface GigabitEthernet1/33
!
interface GigabitEthernet1/34
!
interface GigabitEthernet1/35
!
interface GigabitEthernet1/36
!
interface GigabitEthernet1/37
!
interface GigabitEthernet1/38
switchport access vlan 199
switchport mode access
!
interface GigabitEthernet1/39
!
interface GigabitEthernet1/40
!
interface GigabitEthernet1/41
!
interface GigabitEthernet1/42
!
interface GigabitEthernet1/43
!
interface GigabitEthernet1/44
!
interface GigabitEthernet1/45
!
interface GigabitEthernet1/46
!
interface GigabitEthernet1/47
!
interface GigabitEthernet1/48
!
interface TenGigabitEthernet1/49
!
interface TenGigabitEthernet1/50
!
interface TenGigabitEthernet1/51
!
interface TenGigabitEthernet1/52
!
interface Vlan1
no ip address
!
interface Vlan101
ip address 190.191.101.2 255.255.255.224
!
interface Vlan208
ip address 190.191.208.1 255.255.255.240
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
!
!
vstack
!

!
!
end

 

thanks,

You need static routes to route the traffic, and you do require NAT to reach the Internet.

Make sure you have routing from south to north and vice versa for PC0 to reach the Internet.

The best way is to post each device's configuration.

 

BB


***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

I can't do NAT from the layer 3 switch.

Hello,

 

is this the full configuration of the layer 3 switch? I don't see any 'ip routing' or static routes configured.

Either way, is it a hard requirement for the switch to be layer 3? The entire topology would be a lot easier if you would configure all the layer 3 routing on the router.

Yes, because I will do access lists and also IP SLA, then the router will be forced. I don't want that; that's why I prefer to use a layer 3 switch.

I did the config of the static route, but it does not work.

Thanks,

Hello,

 

you can do access lists and IP SLA on the router as well. I put together a config that should work (important parts marked in bold). Make sure the link between the switch and the router is configured as a trunk on both sides:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
memory-size iomem 10
!
no ip dhcp use vrf connected
ip dhcp excluded-address 190.191.192.101
ip dhcp excluded-address 190.191.192.199
ip dhcp excluded-address 190.191.192.1 190.191.192.10
!
ip dhcp pool 1
network 190.191.192.0 255.255.255.0
default-router 190.191.192.101
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C887VA-K9 sn FTX190582E5
!
controller VDSL 0
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 0/33
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description Link to Switch
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 190.191.192.101 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan101
ip address 190.191.101.2 255.255.255.224
ip nat inside
!
interface Vlan208
ip address 190.191.208.1 255.255.255.240
ip nat inside
!
interface Dialer0
mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp pap sent-username *************password 0 ************
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
snmp-server community public RO
snmp-server community private RW

!
access-list 1 permit 190.191.192.0 0.0.0.255
access-list 1 permit 190.191.101.0 0.0.0.31
access-list 1 permit 190.191.208.0 0.0.0.15
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end

 

Switch

 

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
description Link to Router
switchport mode trunk
!
interface GigabitEthernet1/2
switchport trunk allowed vlan 2-4094
switchport mode trunk
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface GigabitEthernet1/5
switchport trunk allowed vlan 1,101,199,208
switchport mode trunk
!
interface GigabitEthernet1/6
!
interface GigabitEthernet1/7
switchport mode trunk
!
interface GigabitEthernet1/8
switchport mode trunk
!
interface GigabitEthernet1/9
!
interface GigabitEthernet1/10
switchport trunk allowed vlan 1,101
switchport mode trunk
!
interface GigabitEthernet1/11
switchport trunk allowed vlan 1,101,199,208
switchport mode trunk
!
interface GigabitEthernet1/12
!
interface GigabitEthernet1/13
!
interface GigabitEthernet1/14
!
interface GigabitEthernet1/15
!
interface GigabitEthernet1/16
switchport trunk allowed vlan 195,202
switchport mode trunk
!
interface GigabitEthernet1/17
!
interface GigabitEthernet1/18
!
interface GigabitEthernet1/19
!
interface GigabitEthernet1/20
switchport access vlan 199
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/21
!
interface GigabitEthernet1/22
!
interface GigabitEthernet1/23
!
interface GigabitEthernet1/24
!
interface GigabitEthernet1/25
!
interface GigabitEthernet1/26
!
interface GigabitEthernet1/27
!
interface GigabitEthernet1/28
!
interface GigabitEthernet1/29
!
interface GigabitEthernet1/30
!
interface GigabitEthernet1/31
!
interface GigabitEthernet1/32
!
interface GigabitEthernet1/33
!
interface GigabitEthernet1/34
!
interface GigabitEthernet1/35
!
interface GigabitEthernet1/36
!
interface GigabitEthernet1/37
!
interface GigabitEthernet1/38
switchport access vlan 199
switchport mode access
!
interface GigabitEthernet1/39
!
interface GigabitEthernet1/40
!
interface GigabitEthernet1/41
!
interface GigabitEthernet1/42
!
interface GigabitEthernet1/43
!
interface GigabitEthernet1/44
!
interface GigabitEthernet1/45
!
interface GigabitEthernet1/46
!
interface GigabitEthernet1/47
!
interface GigabitEthernet1/48
!
interface TenGigabitEthernet1/49
!
interface TenGigabitEthernet1/50
!
interface TenGigabitEthernet1/51
!
interface TenGigabitEthernet1/52
!
interface Vlan1
no ip address
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
vstack

Your way is OK, but I have a lot of things.

Check the picture attached. This is just the beginning.

I just want to use the router to route.

Hello,

 

you need a layer 3 link between your 800 router and the layer 3 switch. Depending on your model of 800, configure one of the FastEthernet ports with an IP address and then one of the ports of the switch as 'no switchport' and assign an IP address from the same subnet as the one you assigned to the FastEthernet port on the router. Then just run a routing protocol such as EIGRP.

 

You still need to include all the networks that need NAT in access list 1 on the router.
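The requirement in the reply above can be checked mechanically. The following Python is an added example, not part of the original posts or of any Cisco tool: it evaluates a numbered standard ACL first-match against each inside subnet and reports which ones NAT would skip. The sample config text is constructed from the addresses in this thread, and the function names are hypothetical; it assumes contiguous wildcard masks and an `ip address` line directly under each `interface` line.

```python
import re
from ipaddress import IPv4Address, IPv4Network, ip_interface

# Constructed sample: VLAN 208 is deliberately left out of ACL 1.
ROUTER_ACL = """\
access-list 1 permit 190.191.192.0 0.0.0.255
access-list 1 permit 190.191.101.0 0.0.0.31
"""
INSIDE_SVIS = """\
interface Vlan1
 ip address 190.191.192.102 255.255.255.0
interface Vlan101
 ip address 190.191.101.2 255.255.255.224
interface Vlan208
 ip address 190.191.208.1 255.255.255.240
"""

def parse_standard_acl(config, number):
    """Return ordered (action, network) pairs for a numbered standard ACL."""
    entries = []
    pat = re.compile(rf"^access-list {number} (permit|deny) (.+)$", re.M)
    for action, spec in pat.findall(config):
        # Normalise the "any" and "host A.B.C.D" forms to address + wildcard.
        parts = spec.replace("any", "0.0.0.0 255.255.255.255").replace("host", "").split()
        addr, wildcard = parts[0], parts[1] if len(parts) > 1 else "0.0.0.0"
        mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))  # wildcard -> netmask
        prefix = bin(mask).count("1")
        if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous wildcard not handled: {wildcard}")
        entries.append((action, IPv4Network((int(IPv4Address(addr)) & mask, prefix))))
    return entries

def inside_subnets(config):
    """Map each interface name to the subnet of its 'ip address' line."""
    pat = re.compile(r"^interface (\S+)\n\s*ip address (\S+) (\S+)$", re.M)
    return {name: ip_interface(f"{ip}/{mask}").network
            for name, ip, mask in pat.findall(config)}

def nat_coverage(acl, subnets):
    """Evaluate the ACL first-match per subnet, ending in the implicit deny."""
    result = {}
    for name, subnet in subnets.items():
        result[name] = "implicit deny"
        for action, net in acl:
            if net.overlaps(subnet):
                full = subnet.subnet_of(net)
                result[name] = action if full else f"partial {action}"
                break
    return result
```

Any subnet reported as `implicit deny` or `partial permit` leaves the router untranslated, so hosts there have routing but no working Internet access.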

Thanks for your reply.

Trying to configure in router cisco 800 I get the error: ip address may not be configured on l2 links.

Other idea?

 

 

You cannot put an address on the L2 switchport; you must create a layer 3 SVI and then put the ports into that VLAN (depends on the model and IOS).

Or convert the port to an L3 routed port.

Which interface on the 800 are you trying to configure?

Paste the existing configuration of the port so we can understand.

 

BB


Hello,

 

the ports on the 800 are layer 2 ports. Use Vlan 1 for layer 3 connectivity:

 

Router

 

interface FastEthernet0
description Link to Switch
switchport mode trunk
no ip address
!
interface Vlan1
ip address 190.191.192.101 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
router eigrp 1
network 0.0.0.0
no auto-summary

 

Switch

 

interface GigabitEthernet1/1
description Link to Router
switchport mode trunk
!
interface Vlan1
ip address 190.191.192.102 255.255.255.0
!
router eigrp 1
network 0.0.0.0
no auto-summary

Thanks for your reply.

If VLAN 1 on the router is the VLAN that routes to the Internet, does it matter that I have other VLANs in my network that will route to the Internet too? Also, do I need to put all my networks, as you said before, in access list 1 on the router?

 

Thanks,
