Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
0
Helpful
6
Replies

Cisco 2821 - Stop Inter-vLan Routing

leacho73
Level 1
Level 1

‎04-14-2018 09:44 AM - edited ‎03-08-2019 02:39 PM

 

Hi Everyone,

 

I have a number of subinterfaces on my Cisco 2821 router - and I was wondering if there was any way to stop routing between the different interfaces - here is an example:

 

G0/1.1 - 192.168.0.254/24

G0/1.2 - 10.10.10.254/24

 

G0/0.1 - 10.10.20.2/30

G0/0.2 - 10.10.30.2/30

 

G0/0.1 connects to an ASA5520 firewall with an address of 10.10.20.1

G0/0.2 connects to a separate port on the same firewall with an address of 10.10.30.1

 

I want to be able to route all traffic destined for a sub interface - up to my ASA for firewall inspection, and then route it back down to the correct sub-interface. I would expect the traffic to route as follows:

 

192.168.0.1 -> 192.168.0.254 -> 10.10.20.2 -> 10.10.20.1 -> Firewall Rule Inspection -> 10.10.30.1 -> 10.10.30.2 -> 10.10.10.254 -> 10.10.10.1

 

Hope that makes sense?

 

Thanks
Matt

Labels:
0 Helpful
6 Replies 6

marce1000
VIP
VIP

‎04-14-2018 10:01 AM

 

  - No it doesn't make sense, a firewall should be a 'full hop' in the routing-path , preferably at either edge ( w.r.t incoming or outgoing traffic).

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

leacho73
Level 1
Level 1
In response to marce1000

‎04-14-2018 10:09 AM

Basically, I want to separate out traffic steams that naturally land on the 2821 - but forward them up to the firewall for inspection - hint the 2 port's on the firewall.

 

I have tried subinterfaces on the firewall, but I found that I was getting packet drops all the time, so wanted to stick with physical interfaces.

 

Thanks

Matt

0 Helpful

Georg Pauwen
VIP
VIP
In response to leacho73

‎04-14-2018 02:18 PM

Hello Matt,

 

I am not really clear on what you are asking. All interfaces are directly connected, so routing between them is automatic. You can use access lists on the (sub) interfaces to allow/disallow one to talk to another...

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎04-14-2018 08:26 PM

Hi,

All interfaces are directly connected so routing is the default behavior of "Router". But you can use "ACL" to block traffic between your subinterfaces with deny statements. 

 

Regards,

Deepak Kumar

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

mlund
Level 7
Level 7

‎04-16-2018 04:59 AM

Hi

If you split your router into two logical routers by using vrf:s, you can accomplish what you want.

First create 2 vrf , for example vrf inside and vrf outside ( inside and outside is just names, you can call them adam and brian if you want).

Then assign interface g0/1.1 and g0/0.1 to vrf inside

Assign interface g0/1.2 and g0/0.2 to vrf outside.

Then put in routing into each vrf for example

ip route vrf inside 10.10.10.0/24 10.10.20.1

ip route vrf outside 192.168.0.0/24 10.10.30.1

/Mikael

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to mlund

‎04-16-2018 06:04 AM

As Mikael has described, VRFs are probably the solution you're looking for.

BTW, by default, when you use VRFs (sort of the L3 equivalent of VLANs), you already have a "global" unnamed VRF, i.e. you don't actually need to define two, you could do similar to what Mikael suggests just by defining an additional VRF.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card