02-16-2006 01:33 PM - edited 03-03-2019 01:52 AM
Hi,
I'm running Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(25)SG, RELEASE SOFTWARE (fc2), on my 4503s.
I've set up inter-VLAN routing, which works perfectly.
Now I have a Netscreen firewall for the connection to the Internet.
Now I want to set up the 4503s as the default gateway and decide there where routes should go.
All non-RFC 1918 IPs need to go to the Internet.
All RFC 1918 IPs should be routed between the VLANs.
Has anyone got an idea how to set this up?
02-16-2006 01:47 PM
It is not likely that you will use all available RFC 1918 addresses in your local network. Best is therefore to use an ACL or route map that prevents RFC 1918 traffic from going out to the Internet.
It should do something like:
! Deny anything destined for the three RFC 1918 blocks, then permit the rest.
access-list 101 deny ip any 10.0.0.0 0.255.255.255
! 172.16.0.0/12 spans 172.16.x.x through 172.31.x.x, so the wildcard is 0.15.255.255
! (0.0.255.255 would only cover 172.16.0.0/16 and let 172.17-172.31 through).
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
Apply this to your outbound interfaces using ip access-group 101 out.
Regards,
Leo
02-16-2006 01:55 PM
RFC 1918 or private IP addresses will not get routed to the Internet anyway. In addition, I am assuming that the VLANs will have the private IP addresses? If this is the case, then all you need is a default route to the PIX, and the PIX should have a route to the private VLANs pointing to the common network between the 4503 and the PIX. The 4503 will forward any packet that is not in its routing table to the default route, which would be an Internet-destined packet, right? Traffic destined to other VLANs will be seen as directly connected and will not go to the PIX.
02-16-2006 11:00 PM
This is correct indeed, but I have a slightly different view on this:
One may send out RFC 1918 traffic over the net and expect that it is dropped somewhere, no doubt about that.
However, doing this, one is leaving the responsibility for dropping this traffic with the provider(s).
I know for sure that they are using RFC 1918 addresses for their own internal use as well as for their customers. Also, it would be unwise to assume that PE routers are always correctly configured. Hence you cannot be 100% certain that your traffic will be dropped at the first router. In other words: you will never know where it goes.
Implementing RFC 1918 is, in my opinion, a mutual responsibility, at least if one takes security seriously.
Regards,
Leo
02-16-2006 02:53 PM
I forgot one important thing... I've got 2 Internet connections (they are cheap in Holland).
And I want to decide per VLAN which connection to use.
Can I set this up on the 4503? Because this is the best place for it.
02-16-2006 03:43 PM
Yes, I think PBR will be the solution:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/pbroute.htm
PBR gives you a flexible means of routing packets by allowing you to configure a defined policy for traffic flows, lessening reliance on routes derived from routing protocols. To this end, PBR gives you more control over routing by extending and complementing the existing mechanisms provided by routing protocols. PBR allows you to specify a path for certain traffic, such as priority traffic over a high-cost link.
You can set up PBR as a way to route packets based on configured policies. For example, you can implement routing policies to allow or deny paths based on the identity of a particular end system, an application protocol, or the size of packets.
PBR allows you to perform the following tasks:
Classify traffic based on extended access list criteria; the access lists establish the match criteria.
Route packets to specific traffic-engineered paths.
Policies can be based on IP address, port numbers, or protocols. For a simple policy, you can use any one of these descriptors; for a complicated policy, you can use all of them.
Understanding PBR
All packets received on an interface with PBR enabled are passed through enhanced packet filters known as route maps. The route maps used by PBR dictate the policy, determining to where the packets are forwarded.
Route maps are composed of statements. The route map statements can be marked as permit or deny, and they are interpreted in the following ways:
If a statement is marked as deny, the packets meeting the match criteria are sent back through the normal forwarding channels and destination-based routing is performed.
If the statement is marked as permit and a packet matches the access list, then the first valid set clause is applied to that packet.
You specify PBR on the incoming interface (the interface on which packets are received), not on the outgoing interface.
02-28-2006 01:58 AM
Hi,
I've been really busy setting up the network over here and haven't had the time to look into this until now.
What I understand is that you need to make route-maps and put ACLs on them.
But some of the commands shown in the http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/pbroute.htm document are not available in my version of IOS:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(25)SG, RELEASE SOFTWARE (fc2)
What I've got so far right now:
! Route-map "1": traffic permitted by ACL 102 is sent to 192.168.3.1 (first ISP).
route-map 1 permit 10
 description DCN_Routing
 match ip address 102
 set ip next-hop 192.168.3.1
! Route-map "2": traffic permitted by ACL 103 is sent to 192.168.2.254 (second ISP).
! Note: these are two separate route-maps, and an interface accepts only one
! "ip policy route-map"; the two entries would need to be sequences of one map
! to select an ISP per VLAN on the same inbound interface. With both "set ip
! next-hop" and "set interface" present, IOS applies "set ip next-hop" first.
route-map 2 permit 20
 match ip address 103
 set interface FastEthernet2/48
 set ip next-hop 192.168.2.254
ACLs 102 and 103 are not defined yet. How do I go forward with the ACLs?
Thanks for your help so far.
Greetz,
Cristian.
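Added here as a worked example, not code from this thread or from Cisco: a small Python model of how IOS evaluates wildcard-mask access lists and a PBR route-map, covering Leo's RFC 1918 ACL, the route-map semantics quoted from the PBR document, and the two-ISP selection Cristian is drafting. The VLAN subnets (192.168.10.0/24 and 192.168.20.0/24), the route-map name ISP-SELECT and the contents of ACLs 100/102/103 are assumptions; the next hops 192.168.3.1 and 192.168.2.254 come from the draft route-maps above. The sample packets are constructed, with 203.0.113.0/24 and 198.51.100.0/24 standing in for Internet destinations.

```python
"""Model of IOS wildcard-mask ACLs and PBR route-map evaluation (added example).

Assumed topology (not from the thread): VLAN 10 = 192.168.10.0/24 should use
ISP A via 192.168.3.1, VLAN 20 = 192.168.20.0/24 should use ISP B via
192.168.2.254, and anything with an RFC 1918 destination stays on the 4503
as normal inter-VLAN routing.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                      # (base address, IOS wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")  # IOS keyword "any"


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'.
    The address matches when every 0 bit of the mask agrees with base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: Addr
    dst: Addr


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                      # "permit" or "deny" on the route-map entry
    match_acl: List[AclEntry]        # "match ip address <acl>"
    next_hop: Optional[str] = None   # "set ip next-hop"


def pbr_next_hop(route_map: List[RouteMapSeq], src: str, dst: str) -> Optional[str]:
    """Evaluate a PBR route-map for one packet.

    Sequences are tried in order. A packet matches a sequence only if the
    sequence's ACL permits it (an ACL deny is 'no match', so the next
    sequence is tried). The first matching sequence decides: a route-map
    deny returns None, meaning normal destination-based routing; a route-map
    permit returns the set clause's next hop. No match at all is also None.
    """
    for seq in route_map:
        if acl_permits(seq.match_acl, src, dst):
            return None if seq.action == "deny" else seq.next_hop
    return None


# Assumed ACL 100: packets whose destination is in any RFC 1918 block.
# 172.16.0.0/12 needs wildcard 0.15.255.255; 0.0.255.255 would only cover
# 172.16.0.0/16 and let 172.17-172.31 fall through to the default route.
RFC1918_DST = [
    AclEntry("permit", ANY, ("10.0.0.0", "0.255.255.255")),
    AclEntry("permit", ANY, ("172.16.0.0", "0.15.255.255")),
    AclEntry("permit", ANY, ("192.168.0.0", "0.0.255.255")),
]
# Assumed ACLs 102 / 103: which VLAN the packet came from.
FROM_VLAN10 = [AclEntry("permit", ("192.168.10.0", "0.0.0.255"), ANY)]
FROM_VLAN20 = [AclEntry("permit", ("192.168.20.0", "0.0.0.255"), ANY)]

# Assumed route-map ISP-SELECT, applied inbound on the VLAN interfaces:
#   seq 10 deny   match 100 -> private destinations: normal inter-VLAN routing
#   seq 20 permit match 102 -> set ip next-hop 192.168.3.1
#   seq 30 permit match 103 -> set ip next-hop 192.168.2.254
ISP_SELECT = [
    RouteMapSeq("deny", RFC1918_DST),
    RouteMapSeq("permit", FROM_VLAN10, next_hop="192.168.3.1"),
    RouteMapSeq("permit", FROM_VLAN20, next_hop="192.168.2.254"),
]


def describe(src: str, dst: str) -> str:
    nh = pbr_next_hop(ISP_SELECT, src, dst)
    return f"{src} -> {dst}: " + (f"policy-routed via {nh}" if nh else "normal routing")


if __name__ == "__main__":
    # Constructed sample packets.
    for s, d in [("192.168.10.5", "203.0.113.10"), ("192.168.20.5", "198.51.100.7"),
                 ("192.168.10.5", "192.168.20.9"), ("192.168.10.5", "172.31.1.1")]:
        print(describe(s, d))
```

The deny sequence at the top is what keeps inter-VLAN traffic on the switch: a route-map deny hands the packet back to the normal routing table, where the other VLANs are directly connected, so only non-private destinations reach the ISP next hops. Running the block also shows why the wildcard on the 172.16 entry matters: with 0.15.255.255 a packet to 172.31.1.1 is treated as private, while 0.0.255.255 would policy-route it to an ISP.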