Configuring a Cisco 3560G Layer 3 Switch for Dual Internet Access with VLANs, ACLs, and Policy Routing

This guide details how to set up a Cisco 3560G Layer 3 switch to support two groups with separate Internet exits by defining VLANs, assigning IP addresses, creating ACLs, configuring route‑maps, and applying policy routing to direct traffic through the appropriate upstream routers.

Practical DevOps Architecture
The environment consists of two groups (Group1 and Group2) that each need to access the Internet through a separate external link. The core device is a Cisco 3560G Layer 3 switch with four VLANs: VLAN10/VLAN20 for Group1 and VLAN30/VLAN40 for Group2. The two access routers have LAN IPs 10.10.10.254 (Group1) and 10.10.20.254 (Group2).

VLAN interfaces are created with the following IP subnets:

VLAN10 ip address 172.16.10.1/24
VLAN20 ip address 172.16.20.1/24
VLAN30 ip address 172.16.30.1/24
VLAN40 ip address 172.16.40.1/24

Layer 3 (routed) ports are configured on the switch for the two router links (IOS ignores lines beginning with "!", so the comments below can be pasted as-is):

3560#conf t
3560(config)#int g0/1
3560(config-if)#no switchport
! define as a routed port
3560(config-if)#ip address 10.10.10.1 255.255.255.0
! IP on the link to Group1's router
3560(config-if)#int g0/2
3560(config-if)#no switchport
3560(config-if)#ip address 10.10.20.1 255.255.255.0
! IP on the link to Group2's router

Extended ACLs are defined for each VLAN to exclude traffic destined for the internal 172.16.0.0/16 network (which includes the opposite group's subnets) and the 10.10.0.0/16 router‑link subnets from policy routing, while matching all other traffic. Note that in a route‑map match ACL a deny entry means "do not policy‑route this traffic", so it is forwarded by the normal routing table rather than dropped. Example for VLAN10:

3560(config)#ip access-list extended vlan10acl2map
3560(config-ext-nacl)#deny ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.255.255
3560(config-ext-nacl)#deny ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
3560(config-ext-nacl)#permit ip 172.16.10.0 0.0.0.255 any

Similar ACLs (vlan20acl2map, vlan30acl2map, vlan40acl2map) are created for the other VLANs, each with its own /24 as the source.

Route‑maps are then defined to match the corresponding ACL and set the next‑hop address. For VLAN10 and VLAN20 the next hop is 10.10.10.254 (Group1’s router); for VLAN30 and VLAN40 the next hop is 10.10.20.254 (Group2’s router):

3560(config)#route-map vlan10map
3560(config-route-map)#match ip address vlan10acl2map
3560(config-route-map)#set ip next-hop 10.10.10.254
... (similar commands for vlan20map, vlan30map, vlan40map) ...

Finally, policy routing is applied to each VLAN interface to bind the appropriate route‑map (ip policy route-map is an interface‑mode command, so it is entered at the config-if prompt):

3560(config)#int vlan 10
3560(config-if)#ip policy route-map vlan10map
3560(config-if)#int vlan 20
3560(config-if)#ip policy route-map vlan20map
3560(config-if)#int vlan 30
3560(config-if)#ip policy route-map vlan30map
3560(config-if)#int vlan 40
3560(config-if)#ip policy route-map vlan40map

These configurations route each group's Internet‑bound traffic out through its designated gateway, while internal traffic (excluded from the route‑maps by the deny entries) continues to follow the switch's normal routing table. Because PBR only steers traffic and never filters it, if the two groups must not reach each other a separate filtering ACL applied with ip access-group is needed in addition to the route‑maps.
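To make the policy‑routing semantics concrete, here is an added Python model of the ACLs and route‑maps above (example code, not from the article or the switch): it evaluates a packet the way PBR does, using Cisco wildcard masks and first‑match ACL logic, and shows that a deny entry hands the packet to the normal routing table instead of dropping it. The destination 203.0.113.10 is a constructed example address.

```python
import ipaddress

# Added example modelling the article's PBR config; not the switch's own code.
# Cisco wildcard mask: a 1 bit means "don't care", so an address matches when
# (addr XOR base) has no set bits outside the wildcard.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; Cisco ACLs end with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def vlan_acl(subnet: str):
    """vlanNNacl2map from the article's pattern for one /24 ('any' = 0.0.0.0 255.255.255.255)."""
    return [
        ("deny",   subnet, "0.0.0.255", "172.16.0.0", "0.0.255.255"),
        ("deny",   subnet, "0.0.0.255", "10.10.0.0",  "0.0.255.255"),
        ("permit", subnet, "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
    ]

# route-map -> (match ACL, set ip next-hop), as configured in the article
ROUTE_MAPS = {
    "vlan10map": (vlan_acl("172.16.10.0"), "10.10.10.254"),
    "vlan20map": (vlan_acl("172.16.20.0"), "10.10.10.254"),
    "vlan30map": (vlan_acl("172.16.30.0"), "10.10.20.254"),
    "vlan40map": (vlan_acl("172.16.40.0"), "10.10.20.254"),
}
# interface vlan NN -> ip policy route-map
VLAN_POLICY = {10: "vlan10map", 20: "vlan20map", 30: "vlan30map", 40: "vlan40map"}

def pbr_next_hop(ingress_vlan: int, src: str, dst: str):
    """Next hop set by PBR, or None when the packet is excluded from policy
    routing. A 'deny' in a route-map match ACL means 'route normally', not
    'drop': the packet simply follows the switch's routing table."""
    acl, next_hop = ROUTE_MAPS[VLAN_POLICY[ingress_vlan]]
    return next_hop if acl_action(acl, src, dst) == "permit" else None

if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet destination (TEST-NET-3)
    print(pbr_next_hop(10, "172.16.10.5", "203.0.113.10"))   # 10.10.10.254
    print(pbr_next_hop(30, "172.16.30.5", "203.0.113.10"))   # 10.10.20.254
    print(pbr_next_hop(10, "172.16.10.5", "172.16.30.5"))    # None: routed normally
```

A packet whose source is not in the ingress VLAN's /24 hits the implicit deny and is likewise routed normally, which is why PBR alone is no substitute for a filtering ACL.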

Written by

Practical DevOps Architecture

Hands‑on DevOps operations using Docker, K8s, Jenkins, and Ansible—empowering ops professionals to grow together through sharing, discussion, knowledge consolidation, and continuous improvement.
