Hi all, need advice on OSPF and private vlans

Ableton34
Level 1

Hi all.

I have a project to complete and need some help on the possible solution I can use.

Basically we have OSPF area 0, and the users in question are in OSPF area 7, which is a stub.

I need to route the traffic from these users out through area 0, through 3 core devices, onto an external firewall interface, to be placed onto the VPN that sits on it. The firewall is not included in the OSPF domain.

My thinking was that the firewall has a default route back into the OSPF domain, so I don't need to worry about traffic coming in; however, my job is to segregate these users and take them out of our core network and place them onto an external network via this VPN.

Not sure how to achieve this apart from static routing redistributed, but surely this does not separate their traffic, only points the route to OSPF?!

I was thinking I might have to use private VLANs or policy routing, but when I try policy routing the policy gets ignored due to normal forwarding.

Any help and advice would be greatly appreciated.

Cheers

Steve

32 Replies

Steve

Please don't take this the wrong way, but you need to read my answers more carefully, i.e.

1) you need to use "set ip next-hop recursive x.x.x.x" because the next hop is not directly connected. That is assuming the recursive next hop feature is supported on the 4500.

2) if this is for traffic to the firewall then, unless you were using dummy IPs in your initial posts, the source IPs should be the area 7 user subnet, i.e. 10.2.1.0/24, but they aren't in your example (although they were in a previous example).

What is int gi3/12 connecting to? If it is the 6500 then you are applying the PBR to the wrong interface, as well as the interface ACL, and it could well affect other traffic.

If this is traffic to the firewall this config should be -

1) applied to the interface connecting the 4500 to the 3550

2) the source subnets should be 10.2.1.x, and what you have as the source subnets should presumably be the destination subnets.

If the gi3/12 interface is the one connecting to the 6500, and the 4500 is used by other people within your network, then if you had applied that configuration you would have effectively cut off all users that go via the 4500 to area 0.

Jon

Jon,

I must say you've been very helpful. I am quite new to networking at an engineering level, so am learning all the time. Apologies if I have not read your replies properly.

All it took was your suggestion of using the recursive next hop command!!

It will not be tested in a live environment yet, but in my virtual rig it works perfectly.

However, I have just checked to see if the 4500 can do the recursive command and it is not available! Damn!

version is: "bootflash:cat4500-entservicesk9-mz.122-52.SG.bin"

Thanks so much

All the best

Steve

Jon Marshall
Hall of Fame

Steve

No need to apologise, I just didn't want you to apply the configuration and take down part of the network.

If the recursive next hop is not supported then you need to set the next hop to be the 6500 and do PBR there as well. Again, you need to apply the PBR to the interface connecting back to the 4500. I don't think you need ACLs on the interface, as you are controlling that on the 4500 interface, and whereas the 4500 interface only connects to the 3550, I suspect the 6500 interface is for a lot of other users as well.

Couple of points -

1) I don't want to sound like a stuck record, but you may or may not need PBR on the 6500. If the 6500 has a route to the remote subnets pointing to the same next hop as the PBR next hop then it is of limited use. The control of the traffic from the 3550 has already been limited by the use of the interface ACL and the PBR there, and also by only having static routes on the 3550; I don't know whether you did that or not.

2) this is very important. I am assuming, and I think you confirmed, that the 4500 to 6500 link is used by more than just the area 7 users on the 3550. If so, and you decide to do PBR on the 6500 for traffic to the firewall, do not use the route-map example you posted where in the second permit statement you sent traffic to Null0.

You should only use the Null0 statement in your PBR on the 4500 interface connecting to the 3550. If you used it on the 6500 you would effectively send all traffic that didn't come from users on the 3550 to Null0, and I am pretty sure you don't want to do that.

Anything else you need help with just let me know.

Jon
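The configuration Jon describes across his two replies, written out as an added example (this is not config posted in the thread, and nobody in the thread has confirmed these exact interfaces). It assumes the 4500 faces the 3550 on GigabitEthernet3/1 and the 6500 on GigabitEthernet3/2, that the 6500 faces the 4500 on GigabitEthernet1/1, that the 4500-6500 link is 192.0.2.0/30, that the firewall's inside interface is 203.0.113.2 and is directly connected to the 6500, and that the remote VPN subnets are 172.16.0.0/16. Only the area 7 user subnet 10.2.1.0/24 comes from the thread. The `set ip next-hop recursive` variant is shown as a comment because the 12.2(52)SG image on the 4500 does not have it; the hop-by-hop version is what is actually applied.

```cisco
! ===== Catalyst 4500: interface that connects ONLY to the 3550 (area 7 users) =====
!
! Interface ACL: area 7 users may reach the remote VPN subnets and nothing else.
! (Subnets other than 10.2.1.0/24 are assumed for the example.)
ip access-list extended AREA7-IN
 permit ip 10.2.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip any any log
!
! Match list for PBR: source = area 7 user subnet, destination = remote VPN subnets.
ip access-list extended AREA7-TO-VPN
 permit ip 10.2.1.0 0.0.0.255 172.16.0.0 0.0.255.255
!
route-map AREA7-PBR permit 10
 match ip address AREA7-TO-VPN
 ! If the image supported it, one clause on the 4500 would be enough because the
 ! firewall (203.0.113.2, assumed) is not directly connected:
 !   set ip next-hop recursive 203.0.113.2
 ! 12.2(52)SG does not, so hand the traffic to the directly connected 6500
 ! (192.0.2.2, assumed) and repeat the PBR there.
 set ip next-hop 192.0.2.2
!
route-map AREA7-PBR permit 20
 ! No match clause, so this catches everything clause 10 did not: drop it.
 ! Only safe on this interface, which carries area 7 users and nothing else.
 set interface Null0
!
interface GigabitEthernet3/1
 description to 3550 - area 7 users only (assumed interface)
 ip address 192.0.2.9 255.255.255.252
 ip access-group AREA7-IN in
 ip policy route-map AREA7-PBR
!
interface GigabitEthernet3/2
 description to 6500 - shared by other users (assumed interface)
 ip address 192.0.2.1 255.255.255.252
 ! No ip policy here: PBR on this link would affect everyone behind the 4500.
!
! ===== Catalyst 6500: interface that connects back to the 4500 =====
!
! Only needed when the 4500 cannot set a recursive next hop. Note there is NO
! second "permit 20 / set interface Null0" clause: this interface also carries
! traffic from other users, and an unconditional Null0 clause would black-hole it.
ip access-list extended AREA7-TO-VPN
 permit ip 10.2.1.0 0.0.0.255 172.16.0.0 0.0.255.255
!
route-map AREA7-PBR permit 10
 match ip address AREA7-TO-VPN
 set ip next-hop 203.0.113.2
!
interface GigabitEthernet1/1
 description to 4500 (assumed interface)
 ip address 192.0.2.2 255.255.255.252
 ip policy route-map AREA7-PBR
```

Two checks before putting anything like this on live boxes. First, compare the 6500's existing route for the remote subnets (`show ip route 172.16.0.0`) with the PBR next hop; if they already agree, the 6500 route-map adds nothing, as Jon's point 1 says. Second, after applying, watch the per-clause counters with `show route-map AREA7-PBR`: on the 4500, hits on clause 20 are area 7 traffic being deliberately dropped; on the 6500, only clause 10 should exist at all, because the link there is shared.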
