01-06-2024 06:16 AM
Hey!
I'm trying to filter all the traffic for a subnet that I announce via a BGP session.
Configuration:
- an L2+L3 switch
- a server connected to the switch through two different ports
- three VLANs: ISP1, ISP2 and servers
Ideally, traffic coming from ISP1 and ISP2 should be filtered through the dedicated server acting as a router and then sent on to its VLAN, where the other servers will receive/dispatch only filtered traffic.
Before filtering the traffic, on "interface vlan 1000" I just assigned IP address .1 and everything was OK (all servers in that VLAN had Internet access). Now I want to put that IP address .1 on the router to make sure that absolutely all traffic is filtered, but I don't have Internet access on that VLAN.
What am I missing?
How do I set on the switch where to expect to receive traffic to/from the advertised subnet?
Thanks!
01-06-2024 06:27 AM
You need to configure two PBRs:
one on each VLAN interface (PBR1),
the other on the interface connected to the ISP (PBR2).
PBR1: the traffic from the VLAN to ANY matches ACL 100 and is directed to the VLAN (filter server).
PBR2: the traffic from the Internet matches ANY to VLAN in ACL 110 and is directed to the VLAN (filter server).
Configure ip nat inside on the interface of the filtering server.
Configure ip nat outside on the interface connected to the ISP.
Try it this way.
MHM
01-06-2024 06:28 AM
Hey!
Thanks for the answer, but my switch does not have the "ip nat" subcommand.
Thank you!
01-06-2024 06:32 AM
Hello @florinmarian
What is the switch model, please?
01-06-2024 06:40 AM
The NAT is optional;
what is important is configuring two PBRs to redirect the traffic toward the server.
MHM
01-06-2024 06:43 AM
Hey!
Switch model is WS-C4948E-E.
Regarding the PBRs, could I have them written out (if it's not too much), please?
I haven't configured any yet.
Vlans are:
10 ISP1
20 ISP2
1000 Servers
Announced subnet 188.241.XXX.0/24
Thank you very much!
01-06-2024 09:00 AM
There are several things about this environment that I do not understand. Perhaps I would start by asking about the statement that the "server connected to the switch through two different ports". How does this work?
Am I correct in understanding that you are running BGP on the switch and peering with both ISPs? And am I correct in understanding that you advertise 188.241.XXX.0/24 to both ISPs? And would I be correct in assuming that this network is used in the server vlan?
Perhaps if I understood better how the server is connecting through 2 different ports I could see a solution. But if both ports of the server connect to vlan 1000, then I am puzzled how you would route/control the traffic.
Given what I think I understand, I will suggest a somewhat different approach. I suggest that you add a fourth vlan to the config. Use the new vlan (perhaps vlan 30) as a transit connection from the switch to the special server, with a new subnet. Configure a subnet for vlan 30 with one interface on the switch connecting to one interface of the server. Connect the second port of the server to vlan 1000 on the switch and remove the SVI for vlan 1000. You would need a route (perhaps static) on the switch forwarding traffic for 188.241.XXX.0/24 to the vlan 30 interface. And you would need some routing logic on the server to accept traffic from vlan 30 and forward it to devices in vlan 1000, and logic to accept traffic from vlan 1000 and forward it to the ISPs. If you do this then the general servers only see traffic that has passed through your special/screening server.
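The transit-vlan design described in the post above, written out as a switch configuration fragment. This is an added example, not configuration from anyone in the thread: vlan 30, the 10.255.30.0/30 transit subnet (switch .1, server .2) and the port roles for Te1/51 and Te1/52 are assumptions chosen here; the ISP-facing ports, vlans 10 and 20 and the existing BGP session are left exactly as they are, and 188.241.XXX.0/24 is the redacted prefix from the thread.

```cisco
! Added example, not from the thread. Assumed: vlan 30 as the transit vlan,
! 10.255.30.0/30 as the transit subnet, Te1/51 = server "outside" NIC,
! Te1/52 = server "inside" NIC. Everything ISP/BGP-related stays untouched.
!
vlan 30
 name TRANSIT-TO-FILTER
!
! Transit SVI: the only L3 hop between the switch and the filtering server.
interface Vlan30
 ip address 10.255.30.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
! Remove the old gateway SVI so the switch no longer routes vlan 1000 itself;
! 188.241.XXX.1 now lives on the server's inside NIC.
no interface Vlan1000
!
! Server outside NIC: lands in the transit vlan.
interface TenGigabitEthernet1/51
 description filter-server outside (transit, 10.255.30.2)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Server inside NIC: lands in the server vlan, where it owns 188.241.XXX.1/24.
interface TenGigabitEthernet1/52
 description filter-server inside (vlan 1000, 188.241.XXX.1)
 switchport mode access
 switchport access vlan 1000
 spanning-tree portfast
!
! Tell the switch where the advertised /24 lives: behind the filter server.
! The static keeps the prefix in the RIB, so an existing
! "network 188.241.XXX.0 mask 255.255.255.0" under router bgp keeps
! originating it to ISP1 and ISP2 with no change to the BGP configuration.
ip route 188.241.XXX.0 255.255.255.0 10.255.30.2
```

On the server side this assumes the outside NIC is 10.255.30.2/30 with a default route via 10.255.30.1, the inside NIC holds 188.241.XXX.1/24, IP forwarding is enabled, and the two NICs are routed, not bridged, so the FORWARD chain sees every packet in both directions. Two checks worth doing after applying it: `show ip route 188.241.XXX.0` on the switch must show the static via 10.255.30.2 as the only path to the prefix (any other SVI or route into vlan 1000 is a bypass of the filter), and `show ip bgp neighbors <peer> advertised-routes` must still list the /24.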
01-06-2024 11:22 PM
R2#show run
R2#show running-config
Building configuration...
Current configuration : 2021 bytes
!
! Last configuration change at 10:16:22 UTC Sun Jan 7 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
! Fa0/0: transit link to the filtering server (R1 = 10.0.0.1). No policy is
! applied here, so traffic returning from the filter is routed normally.
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
! Fa1/1: ISP-facing link. Traffic arriving here for the protected host is
! policy-routed to the filter by route-map OUT.
interface FastEthernet1/1
 ip address 100.0.0.2 255.255.255.0
 ip policy route-map OUT
 speed auto
 duplex auto
!
! Fa2/0: protected server segment (host 20.0.0.3). Traffic arriving here from
! the host is policy-routed to the filter by route-map IN.
interface FastEthernet2/0
 ip address 20.0.0.2 255.255.255.0
 ip policy route-map IN
 speed auto
 duplex auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet3/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet3/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet4/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet4/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet5/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet5/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet6/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet6/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
! ACL 100: anything destined to the protected host (matched on the ISP side)
access-list 100 permit ip any host 20.0.0.3
! ACL 110: anything sourced from the protected host (matched on the server side)
access-list 110 permit ip host 20.0.0.3 any
!
! Both route-maps hand the matched packets to the filtering server; packets
! that do not match fall through to normal routing.
route-map IN permit 10
 match ip address 110
 set ip next-hop 10.0.0.1
!
route-map OUT permit 10
 match ip address 100
 set ip next-hop 10.0.0.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end
R2#
That's the command you need; I ran a lab and it works.
NOTE: R1, R3 and R4 have a default route toward R2; in your case use a default route or default GW.
MHM
01-07-2024 05:19 AM
Hello,
I agree with @Richard Burts, it is not really clear what your topology looks like and what exactly you are trying to achieve. Can you post a schematic drawing of your topology, showing exactly how the devices are connected, and then draw in the desired traffic flow?
01-07-2024 07:47 AM
The topology is like this:
Cisco WS-C4948E:
- Port GigabitEthernet1/1 configured with a static IP toward ISP1
- Port TenGigabitEthernet1/50 configured with a static IP toward ISP2
- Port TenGigabitEthernet1/51 connected at L2 only to the dedicated server acting as a router
- Port TenGigabitEthernet1/52 connected at L2 only to the dedicated server acting as a router
ISP1 is on vlan 10, ISP2 on vlan 20, and all other ports are on vlan 1000.
The goal is to not configure any IP address at all on the switch in vlan 1000, but still for it to have access to the Internet, with the IP 188.241.XXX.1/24 configured on the router, without any gateway.
The other devices in the network have the gateway 188.241.XXX.1 and have access to the Internet, but all their traffic can be found with "iptables" on the router in the "FORWARD" section.
With the current setup there is no router, and on "interface vlan 1000" I have statically assigned 188.241.XXX.1, but this way I cannot filter the traffic entering vlan 1000 from the Internet.
I hope it's clearer now.
Thanks everyone for your help!
01-07-2024 07:48 AM
If it creates confusion, we can treat the router as having a single network interface used both for traffic from and for traffic to the Internet.
01-08-2024 02:10 AM
Hello,
It is probably me, but I am still confused. Can you post that schematic drawing and indicate the traffic flow you are trying to achieve? Seeing the current running configuration of the switch would also be very helpful...