Internet only routing solution
05-14-2018 10:53 PM - edited 03-08-2019 03:00 PM
Hi,
I need some help with dividing the network into a different subnet and allowing it to access the internet only.
Currently we access the internet via Palo Altos in AWS.
Connectivity is from floor switches (4506) to Nexus (5K) at distribution to a Cisco 7201 (edge), which has BGP with the ISP's IPMAN, and from there it goes to our remote site in the DC where it connects with the Palos in AWS; they advertise a default route to us and we reach the internet this way.
I know this setup looks clumsy, but due to some administrative and contract issues we had to follow this path.
We have decided to sublease one of the floors but need to separate them and allow them to access the internet only, via our infrastructure.
Hope I made it clear.
Labels: Other Switching

05-15-2018 12:09 AM
Hello,
which device is going to be the edge router on the new floor? That is presumably where the new ISP connectivity will occur.
Hard to give accurate advice without seeing an actual drawing of your future setup. It is not very complicated to direct traffic to two different destinations (AWS and Internet in your case). Do you already have the layout?
05-15-2018 03:16 AM
Let me explain again.
We currently have 3 floors and all have floor switches (4 on each floor).
All of them connect to a Nexus 5K primary and secondary.
From the Nexus 5K it goes to a Cisco 7201 which connects to the ISP.
We have subleased 1 floor and now need to isolate that network so it can access only the internet, and not the other floors or our network on that floor.
In terms of internet access, it is via AWS only, where the Palo Alto resides.
Please let me know if something is unclear.
05-15-2018 03:46 AM
Hello,
so the first layer 3 device is the 7206. I guess the easiest solution is to create a separate VLAN for the new floor, and then simply use an access list on the 7206 to isolate that VLAN from the others...
05-15-2018 03:49 AM
Actually the floor switches are also Layer 3, and the Nexus as well, and we are using OSPF on the floor switches.
Redistribution into BGP and OSPF, so it is a bit tricky. Maybe I have to use an ACL on the Nexus?
05-15-2018 03:51 AM
Can you post the configuration of the Nexus that is connected to the new floor?
05-15-2018 03:55 AM
aaa group server tacacs+ acs
  server 10.70.30.3
  server 10.70.30.4
  source-interface loopback0
ip access-list Bulk
  permit tcp any any eq ftp
  permit tcp any any eq ftp-data
  permit tcp any any eq pop3
  permit tcp any any eq smtp
  permit tcp any any eq 143
ip access-list Critical
ip access-list Transactional
  permit udp any any eq snmp
  permit udp any any eq domain
  permit tcp any any eq domain
  permit tcp any any eq 22
  permit tcp any any eq telnet
  permit udp any any eq syslog
  permit tcp any any eq www
  permit tcp any any eq 443
ip access-list VTY_ALLOW
  remark VTY Access
  permit ip 10.66.248.0/21 any
  permit ip 10.68.0.0/14 any
  deny ip any any
ip access-list Video
  permit ip any any dscp af41
ip access-list Voice
  permit ip any any dscp ef
class-map type qos match-any Video
  match access-group name Video
class-map type qos match-any Voice
  match access-group name Voice
class-map type qos match-any Bulk-Data
  match access-group name Bulk
class-map type qos match-any Transactional-Data
  match access-group name Transactional
class-map type qos match-any Mission-Critical-Data
  match access-group name Critical
policy-map type qos DataMark
  class Bulk-Data
    set dscp 10
  class Transactional-Data
    set dscp 18
  class Mission-Critical-Data
    set dscp 26
  class Video
    set dscp 34
  class Voice
    set dscp 46
  class class-default
    set dscp 0
snmp-server contact IT Operations - Networks
snmp-server location QV Server Room - Level 6
snmp-server user admin network-admin auth md5 0xde8ffff9106ff8abe3d23cf2f234f567 priv 0xde8ffff9106ff8abe3d23cf2f234f567 localizedkey
snmp-server host 10.66.251.69 traps version 2c pacifica
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
snmp-server enable traps config ccmCLIRunningConfigChanged
snmp-server enable traps syslog message-generated
snmp-server enable traps vtp notifs
snmp-server enable traps vtp vlancreate
snmp-server enable traps vtp vlandelete
snmp-server community pacifica group network-operator
snmp-server community pacifica use-acl snmp-ro
ntp server 10.71.16.26
ntp server 10.71.17.26
ntp source-interface loopback0
aaa authentication login default group acs
aaa authentication login console group acs
aaa authorization config-commands default group acs
aaa authorization commands default group acs
aaa authentication login error-enable
vlan 1-2
vlan 20
  name Reception-LAN
vlan 30
  name Reception-Voice
vlan 130
  name Build-Servers1
vlan 141
  name Build-Servers2
vlan 154
vlan 608
  name QV-Server
vlan 630
  name QV-Lab
vlan 860
  name APF_IGEN_preprod
vlan 861
  name APF_IGEN_prod
vlan 1000
  name QV-Trust
vlan 1001
  name QV-DMZ
spanning-tree port type edge bpduguard default
spanning-tree vlan 1-2, 20, 30, 130, 141, 608, 630, 1000-1001 priority 12288
spanning-tree vlan 3-19, 21-29, 31-129, 131-140, 142-607, 609-629, 631-999, 1002-3967 priority 16384
route-map connected-to-ospf permit 200
  set tag 3
route-map static-to-ospf permit 200
  set tag 2
udld aggressive
service dhcp
ip dhcp relay
vrf context management
  ip route 0.0.0.0/0 10.12.13.254
vpc domain 20
  role priority 8192
  system-priority 8192
  peer-keepalive destination 172.16.254.14 source 172.16.254.13
  delay restore 150
  peer-gateway
  ip arp synchronize
interface Vlan1
interface Vlan20
  description VLAN20 - DATA VLAN QV Reception
  no shutdown
  no ip redirects
  ip address 10.70.60.124/25
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.70.60.126
  ip dhcp relay address 10.71.16.26
  ip dhcp relay address 10.71.17.26
interface Vlan30
  description VLAN30 - VOICE VLAN QV Reception
  no shutdown
  no ip redirects
  ip address 10.10.131.124/25
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.10.131.126
  ip dhcp relay address 10.71.16.26
  ip dhcp relay address 10.71.17.26
interface Vlan130
  description Network for File & Print Servers
  ip address 161.117.124.251/26
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 161.117.124.254
interface Vlan141
  description Network for Development Other
  ip address 161.117.126.59/26
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 161.117.126.62
interface Vlan154
  description APF Management Network
  no shutdown
  no ip redirects
  ip address 10.12.24.252/24
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.12.24.254
interface Vlan608
  description VLAN608 - Server Network
  no shutdown
  no ip redirects
  ip address 10.70.110.252/24
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.70.110.254
interface Vlan630
  description QV Build room
  no shutdown
  no ip redirects
  ip address 172.168.10.252/24
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.70.101.254
interface Vlan860
  description APF_IGEN_preprod
  no shutdown
  no ip redirects
  ip address 10.69.97.252/24
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.69.97.254
interface Vlan861
  description APF_IGEN_prod
  no shutdown
  no ip redirects
  ip address 10.69.98.252/24
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.69.98.254
interface Vlan1000
  description VLAN1000 - QV-Trust
  no shutdown
  no ip redirects
  ip address 10.70.33.100/29
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
  hsrp 0
    preempt delay minimum 180
    priority 200
    ip 10.70.33.102
interface port-channel1
  description vPC Peer Link to qvcp-nexcor-0602
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface port-channel2
  description Transit Link to qvcp-nexcor-0602
  no switchport
  flowcontrol receive on
  flowcontrol send on
  no ip redirects
  ip address 10.70.2.113/30
  ip ospf network point-to-point
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface port-channel10
  description vPC to qvcp-panbdr-0601
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 1000-1001
  speed 1000
  vpc 10
interface port-channel11
  description - Port-channel to DRCCG07 LAN A
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,860-861
  speed 1000
  vpc 11
interface port-channel12
  description - Port-channel to DRCCG07 LAN B
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,860-861
  speed 1000
  vpc 12
interface port-channel301
  description qv-nt-hypv1
  switchport mode trunk
  switchport access vlan 608
  switchport trunk native vlan 608
  switchport trunk allowed vlan 2,608
  speed 10000
  vpc 301
interface Ethernet1/1
  description Interconnect Network with qv-rtr-51
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.1/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/2
  description Interconnect Network with qv-rtr-52
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.9/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/3
  description Interconnect Network with qv-rtr-53
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.17/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/4
  description Interconnect Network with qv-rtr-54
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.25/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/5
  description Interconnect Network with qv-rtr-81
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.33/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/6
  description Interconnect Network with qv-rtr-82
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.41/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/7
  description Interconnect Network with qv-rtr-83
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.49/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/8
  description Interconnect Network with qv-rtr-84
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.57/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/9
  description Interconnect Network with qv-rtr-91
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.65/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/10
  description Interconnect Network with qv-rtr-92
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.73/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/11
  description Interconnect Network with qv-rtr-93
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.81/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/12
  description Interconnect Network with qv-rtr-94
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.89/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/13
  description Connection to qvcp-rtripm-0601 G0/2
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.97/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/14
  description Connection to qvcp-rtripm-0602 G0/3
  no switchport
  speed 1000
  flowcontrol receive on
  flowcontrol send on
  udld aggressive
  ip address 10.70.2.105/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Ethernet1/15
  description qvcp-panbdr-0601 Eth1
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 1000-1001
  speed 1000
  channel-group 10 mode active
interface Ethernet1/16
  description qvcp-panbdr-0601 Mgt
  switchport access vlan 608
  spanning-tree port type edge
  speed 1000
interface Ethernet1/17
  description Link to qv-dev1-6500 - Lab 1
  switchport access vlan 630
  speed 1000
interface Ethernet1/18
  description qvcp-swtedg-0601 Te1/49
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 20,30,130,141,154,608
interface Ethernet1/19
  description DRCCG07-VC1-X2 - LAN A
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,860-861
  speed 1000
  channel-group 11 mode active
interface Ethernet1/20
  description DRCCG07-VC2-X2 - LAN B
  switchport mode trunk
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,860-861
  speed 1000
  channel-group 12 mode active
interface Ethernet1/21
  description QV-NT-HYPV1 Eth1
  switchport mode trunk
  switchport access vlan 608
  switchport trunk native vlan 608
  switchport trunk allowed vlan 2,608
  spanning-tree port type edge
  channel-group 301 mode active
interface Ethernet1/22
  description SPARE
  shutdown
interface Ethernet1/23
  description SPARE
  shutdown
interface Ethernet1/24
  description SPARE
  shutdown
interface Ethernet1/25
  description SPARE
  shutdown
interface Ethernet1/26
  description SPARE
  shutdown
interface Ethernet1/27
  description SPARE
  shutdown
interface Ethernet1/28
  description SPARE
  shutdown
interface Ethernet1/29
  description SPARE
  shutdown
interface Ethernet1/30
  description SPARE
  shutdown
interface Ethernet1/31
  description SPARE
  shutdown
interface Ethernet1/32
  description SPARE
  shutdown
interface Ethernet1/33
  description SPARE
  shutdown
interface Ethernet1/34
  description SPARE
  shutdown
interface Ethernet1/35
  description SPARE
  shutdown
interface Ethernet1/36
  description SPARE
  shutdown
interface Ethernet1/37
  description Transit Link qvcp-nexcor-0602 E1/37
  no switchport
  flowcontrol receive on
  flowcontrol send on
  channel-group 2 mode active
interface Ethernet1/38
  description VPC Peer Link Po1 - qvcp-nexcor-0602 E1/38
  switchport mode trunk
  channel-group 1 mode active
interface Ethernet1/39
  description SPARE
  shutdown
interface Ethernet1/40
  description SPARE
  shutdown
interface Ethernet1/41
  description SPARE
  shutdown
interface Ethernet1/42
  description SPARE
  shutdown
interface Ethernet1/43
  description SPARE
  shutdown
interface Ethernet1/44
  description SPARE
  shutdown
interface Ethernet1/45
  description SPARE
  shutdown
interface Ethernet1/46
  description SPARE
  shutdown
  speed 1000
interface Ethernet1/47
  description Transit Link qvcp-nexcor-0602 E1/47
  no switchport
  flowcontrol receive on
  flowcontrol send on
  channel-group 2 mode active
interface Ethernet1/48
  description VPC Peer Link Po1 - qvcp-nexcor-0602 E1/48
  switchport mode trunk
  channel-group 1 mode active
interface Ethernet3/1
  description SPARE
  shutdown
interface Ethernet3/2
  description SPARE
  shutdown
interface Ethernet3/3
  description SPARE
  shutdown
interface Ethernet3/4
  description SPARE
  shutdown
interface Ethernet3/5
  description SPARE
  shutdown
interface Ethernet3/6
  description SPARE
  shutdown
interface Ethernet3/7
  description SPARE
  shutdown
interface Ethernet3/8
  description SPARE
  shutdown
interface Ethernet3/9
  description SPARE
  shutdown
interface Ethernet3/10
  description SPARE
  shutdown
interface Ethernet3/11
  description SPARE
  shutdown
interface Ethernet3/12
  description SPARE
  shutdown
interface Ethernet3/13
  description SPARE
  shutdown
interface Ethernet3/14
  description SPARE
  shutdown
interface Ethernet3/15
  description SPARE
  shutdown
interface Ethernet3/16
  description SPARE
  shutdown
interface Ethernet4/1
  description SPARE
  shutdown
interface Ethernet4/2
  description SPARE
  shutdown
interface Ethernet4/3
  description SPARE
  shutdown
interface Ethernet4/4
  description SPARE
  shutdown
interface Ethernet4/5
  description SPARE
  shutdown
interface Ethernet4/6
  description SPARE
  shutdown
interface Ethernet4/7
  description SPARE
  shutdown
interface Ethernet4/8
  description SPARE
  shutdown
interface Ethernet4/9
  description SPARE
  shutdown
interface Ethernet4/10
  description SPARE
  shutdown
interface Ethernet4/11
  description SPARE
  shutdown
interface Ethernet4/12
  description SPARE
  shutdown
interface Ethernet4/13
  description SPARE
  shutdown
interface Ethernet4/14
  description SPARE
  shutdown
interface Ethernet4/15
  description SPARE
  shutdown
interface Ethernet4/16
  description SPARE
  shutdown
interface mgmt0
  description VPC Keep-Alive
  vrf member management
  ip address 172.16.254.13/30
interface loopback0
  description qvcp-nexcor-0601
  ip address 10.70.1.21/32
clock timezone AEST 10 0
clock summer-time AEST 1 Sun Oct 02:00 1 Sun April 02:00 60
cli alias name wr copy run start
line console
line vty
boot kickstart bootflash:/n5000uk0-kick.bin
boot system bootflash:/n5000-uk9.7.1.4.N1.1.bin
router ospf 1
  router-id 10.70.1.21
  redistribute direct route-map connected-to-ospf
  redistribute static route-map static-to-ospf
  log-adjacency-changes
  maximum-paths 1
  auto-cost reference-bandwidth 10000
  passive-interface default
poap transit
logging server 10.66.250.18
logging module 3
logging timestamp milliseconds
05-15-2018 04:50 AM
Which VLAN belongs to the floor you are trying to isolate?
05-15-2018 06:22 AM
Hi,
I am particularly trying to isolate qv-rtr-51 and qv-rtr-54 to internet access only. The VLANs on qv-rtr-51 are as below, as per its config. I can't see them in the Nexus config (I did not configure the Nexus myself; it was done by the guy before me).
qv-rtr-51#sh run int vlan 115
Building configuration...
Current configuration : 225 bytes
!
interface Vlan115
description VLAN115 - Level 5 North Data Network
ip address 10.70.115.254 255.255.255.0
ip helper-address 10.71.16.26
ip helper-address 10.71.17.26
no ip redirects
service-policy input DataMark
end
qv-rtr-51#sh run int vlan 151
Building configuration...
Current configuration : 210 bytes
!
interface Vlan151
description VLAN151 - Level 5 North Voice Network
ip address 10.10.151.254 255.255.255.0
ip helper-address 10.71.16.26
ip helper-address 10.71.17.26
service-policy input DataMark
end
Hope you can help. Maybe an access-list on the Nexus or directly on the floor switches to restrict it to just internet traffic?
05-15-2018 06:48 AM
Just to clarify further: OSPF routing is used between the floor switches and the Nexus, and between the Nexus and the edge.
So the VLAN may not be seen on the Nexus because of that, as OSPF is serving the purpose of reachability.
05-15-2018 07:43 AM
Hello,
an extended access list like the one below (this one is for VLAN 115) might just be sufficient. Basically you deny all other networks access to VLAN 115, and permit everything else (which includes all Internet traffic):
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.60.0 0.0.0.127
access-list 101 deny ip 10.70.60.0 0.0.0.127 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.10.131.0 0.0.0.127
access-list 101 deny ip 10.10.131.0 0.0.0.127 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.124.192 0.0.0.63
access-list 101 deny ip 161.117.124.192 0.0.0.63 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.126.0 0.0.0.63
access-list 101 deny ip 161.117.126.0 0.0.0.63 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.12.24.0 0.0.0.255
access-list 101 deny ip 10.12.24.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.110.0 0.0.0.255
access-list 101 deny ip 10.70.110.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 172.168.10.0 0.0.0.255
access-list 101 deny ip 172.168.10.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.97.0 0.0.0.255
access-list 101 deny ip 10.69.97.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.98.0 0.0.0.255
access-list 101 deny ip 10.69.98.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.33.96 0.0.0.7
access-list 101 deny ip 10.70.33.96 0.0.0.7 10.70.115.0 0.0.0.255
access-list 101 permit ip any any
05-15-2018 03:50 PM
So you mean if I am coming from VLAN 115 I can only access the internet?
Secondly, if it is like this, is there a better way: if we change the subnet on VLAN 115 completely, e.g. give it 192.168.2.X/24, advertise it in OSPF and then block all of 10.0.0.0/8?
Also, where can we apply this access-list: 1) floor switch, 2) Nexus or Cisco edge router, and how do we apply it?
Sorry for asking for details, but I am the only one here in Networks so I can't take risks of taking the network down.
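As an added example that is not part of the thread (neither the reply's nor the asker's code), the following Python evaluates candidate access lists the way IOS does, first match wins with an implicit deny at the end, against hosts taken from the Nexus and floor-switch configurations posted above. It checks the enumerated list in the 07:43 AM reply, the "block 10.0.0.0/8" idea in the last post, and a constructed combination of the two. Assumptions: 10.70.115.10 stands for a tenant host on VLAN 115, 203.0.113.10 for an Internet destination, ACL numbers 102 and 103 and the 161.117.124.0/22 aggregate are constructed, and only the `ip` protocol form of the numbered extended ACL syntax is parsed.

```python
"""Offline check of extended-ACL candidates for an "Internet only" VLAN.

Added example, not code from the thread. First-match evaluation of
    access-list <n> {permit|deny} ip <src> <wildcard> <dst> <wildcard>
lines (with the 'any' and 'host' keywords), so a proposed list can be
tested against sample flows before it is applied to a switch.
"""
import ipaddress


def is_contiguous_wildcard(wildcard):
    """True if the wildcard's set bits form one contiguous low-order run.

    IOS accepts 0.0.0.53, but it matches a scattered set of hosts rather
    than a /26; a typo like that is worth catching before deployment.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0  # holds exactly when w + 1 is a power of two


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard} for {addr}")
    prefixlen = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list' lines into (action, src_net, dst_net) tuples."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank lines are ignored
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {raw}")
        src, i = _take_address(tokens, 4)
        dst, i = _take_address(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry decides; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def coverage(acl_text, src_ip, destinations):
    """Map each destination to the verdict the ACL gives a source host."""
    entries = parse_acl(acl_text)
    return {dst: evaluate(entries, src_ip, dst) for dst in destinations}


# VLAN 115 -> X half of the reply's list (the reverse-direction lines can
# never match inbound on the VLAN 115 SVI, so they are left out here).
ACL_ENUMERATED = """
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.60.0 0.0.0.127
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.10.131.0 0.0.0.127
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.124.192 0.0.0.63
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.126.0 0.0.0.63
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.12.24.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.110.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 172.168.10.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.97.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.98.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.33.96 0.0.0.7
access-list 101 permit ip any any
"""

# The shape the asker floated: block all of 10.0.0.0/8, permit the rest
# (ACL number 102 is a constructed placeholder).
ACL_BLOCK_10 = """
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip any any
"""

# Constructed combination: the three RFC 1918 blocks plus the non-RFC-1918
# internal ranges seen in the Nexus config (161.117.124-127.x, 172.168.10.x).
ACL_COMBINED = """
access-list 103 deny ip any 10.0.0.0 0.255.255.255
access-list 103 deny ip any 172.16.0.0 0.15.255.255
access-list 103 deny ip any 192.168.0.0 0.0.255.255
access-list 103 deny ip any 161.117.124.0 0.0.3.255
access-list 103 deny ip any 172.168.10.0 0.0.0.255
access-list 103 permit ip any any
"""

# Constructed tenant host on VLAN 115; destinations are the Nexus VLAN 608
# SVI, the file & print SVI, the Ethernet1/1 link address towards qv-rtr-51,
# loopback0 (all from the posted config) and a constructed Internet host.
TENANT_HOST = "10.70.115.10"
DESTINATIONS = ["10.70.110.254", "161.117.124.251", "10.70.2.1",
                "10.70.1.21", "203.0.113.10"]

if __name__ == "__main__":
    for name, acl in (("enumerated", ACL_ENUMERATED),
                      ("block-10/8", ACL_BLOCK_10), ("combined", ACL_COMBINED)):
        print(name, coverage(acl, TENANT_HOST, DESTINATIONS))
```

The verdicts show why neither list alone is enough: the enumerated list leaves the Nexus's own link and loopback addresses (10.70.2.1, 10.70.1.21) reachable because they are not among the denied subnets, while blocking only 10.0.0.0/8 leaves the non-RFC 1918 server ranges (161.117.124.x, 161.117.126.x, 172.168.10.x) reachable; the combined list denies all of them and still permits the Internet host. A wildcard such as 0.0.0.53 is rejected by the parser because its set bits are not contiguous, which is a useful pre-deployment check. Whichever list is chosen, its semantics match an inbound ACL on the SVI that owns the tenant subnet (on the floor switch, `ip access-group 101 in` under `interface Vlan115`), and any DHCP or DNS servers the tenant keeps using (the helper addresses 10.71.16.26 and 10.71.17.26 sit inside 10.0.0.0/8) need explicit permit lines ahead of the deny entries.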
