05-14-2018 10:53 PM - edited 03-08-2019 03:00 PM
Hi,
I need some help in dividing the network into a different subnet and allowing them to access the internet only.
Currently we access the internet via Palo Altos in AWS.
Connectivity is from floor switches (4506) to Nexus (5K) at distribution to Cisco 7201 (edge), which has BGP with the ISP's IPMAN, and from there it goes to our remote site in the DC where it connects with the Palos of AWS, which advertise default routes to us, and we reach the internet this way.
I know this setup looks clumsy but due to some administrative and contract issues we had to follow this path.
We have decided to sub-lease one of the floors but need to separate them and allow them access to the internet only via our infrastructure.
Hope I made it clear.
05-15-2018 12:09 AM
Hello,
Which device is going to be the edge router on the new floor? That is presumably where the new ISP connectivity will occur.
Hard to give accurate advice without seeing an actual drawing of your future setup. It is not very complicated to direct traffic to two different destinations (AWS and Internet in your case). Do you already have the layout?
05-15-2018 03:16 AM
Let me explain again.
We currently have 3 floors and all have floor switches (4 on each floor).
All of them connect to Nexus 5K primary and secondary.
From the Nexus 5K it goes to the Cisco 7201 which connects to the ISP.
We have sub-leased 1 floor and need to isolate that network now to access only the internet and not the other floors or our network on that floor.
In terms of internet access, it is via AWS only, where the Palo Alto resides.
Please let me know if something is unclear.
05-15-2018 03:46 AM
Hello,
So the first layer 3 device is the 7206. I guess the easiest solution is to create a separate VLAN for the new floor, and then simply use an access list on the 7206 to isolate that VLAN from the others...
05-15-2018 03:49 AM
Actually the floor switches are also layer 3, and the Nexus as well, and we are using OSPF on the floor switches.
Redistribution into BGP and OSPF, so it is a bit tricky. Maybe I have to use an ACL on the Nexus??
05-15-2018 03:51 AM
Can you post the configuration of the Nexus that is connected to the new floor?
05-15-2018 03:55 AM
aaa group server tacacs+ acs
server 10.70.30.3
server 10.70.30.4
source-interface loopback0
ip access-list Bulk
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any any eq 143
ip access-list Critical
ip access-list Transactional
permit udp any any eq snmp
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 22
permit tcp any any eq telnet
permit udp any any eq syslog
permit tcp any any eq www
permit tcp any any eq 443
ip access-list VTY_ALLOW
remark VTY Access
permit ip 10.66.248.0/21 any
permit ip 10.68.0.0/14 any
deny ip any any
ip access-list Video
permit ip any any dscp af41
ip access-list Voice
permit ip any any dscp ef
class-map type qos match-any Video
match access-group name Video
class-map type qos match-any Voice
match access-group name Voice
class-map type qos match-any Bulk-Data
match access-group name Bulk
class-map type qos match-any Transactional-Data
match access-group name Transactional
class-map type qos match-any Mission-Critical-Data
match access-group name Critical
policy-map type qos DataMark
class Bulk-Data
set dscp 10
class Transactional-Data
set dscp 18
class Mission-Critical-Data
set dscp 26
class Video
set dscp 34
class Voice
set dscp 46
class class-default
set dscp 0
snmp-server contact IT Operations - Networks
snmp-server location QV Server Room - Level 6
snmp-server user admin network-admin auth md5 0xde8ffff9106ff8abe3d23cf2f234f567 priv 0xde8ffff9106ff8abe3d23cf2f234f567 localizedkey
snmp-server host 10.66.251.69 traps version 2c pacifica
rmon event 1 log trap public description FATAL(1) owner PMON@FATAL
rmon event 2 log trap public description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 log trap public description ERROR(3) owner PMON@ERROR
rmon event 4 log trap public description WARNING(4) owner PMON@WARNING
rmon event 5 log trap public description INFORMATION(5) owner PMON@INFO
snmp-server enable traps config ccmCLIRunningConfigChanged
snmp-server enable traps syslog message-generated
snmp-server enable traps vtp notifs
snmp-server enable traps vtp vlancreate
snmp-server enable traps vtp vlandelete
snmp-server community pacifica group network-operator
snmp-server community pacifica use-acl snmp-ro
ntp server 10.71.16.26
ntp server 10.71.17.26
ntp source-interface loopback0
aaa authentication login default group acs
aaa authentication login console group acs
aaa authorization config-commands default group acs
aaa authorization commands default group acs
aaa authentication login error-enable
vlan 1-2
vlan 20
name Reception-LAN
vlan 30
name Reception-Voice
vlan 130
name Build-Servers1
vlan 141
name Build-Servers2
vlan 154
vlan 608
name QV-Server
vlan 630
name QV-Lab
vlan 860
name APF_IGEN_preprod
vlan 861
name APF_IGEN_prod
vlan 1000
name QV-Trust
vlan 1001
name QV-DMZ
spanning-tree port type edge bpduguard default
spanning-tree vlan 1-2, 20, 30, 130, 141, 608, 630, 1000-1001 priority 12288
spanning-tree vlan 3-19, 21-29, 31-129, 131-140, 142-607, 609-629, 631-999, 1002-3967 priority 16384
route-map connected-to-ospf permit 200
set tag 3
route-map static-to-ospf permit 200
set tag 2
udld aggressive
service dhcp
ip dhcp relay
vrf context management
ip route 0.0.0.0/0 10.12.13.254
vpc domain 20
role priority 8192
system-priority 8192
peer-keepalive destination 172.16.254.14 source 172.16.254.13
delay restore 150
peer-gateway
ip arp synchronize
interface Vlan1
interface Vlan20
description VLAN20 - DATA VLAN QV Reception
no shutdown
no ip redirects
ip address 10.70.60.124/25
hsrp 0
preempt delay minimum 180
priority 200
ip 10.70.60.126
ip dhcp relay address 10.71.16.26
ip dhcp relay address 10.71.17.26
interface Vlan30
description VLAN30 - VOICE VLAN QV Reception
no shutdown
no ip redirects
ip address 10.10.131.124/25
hsrp 0
preempt delay minimum 180
priority 200
ip 10.10.131.126
ip dhcp relay address 10.71.16.26
ip dhcp relay address 10.71.17.26
interface Vlan130
description Network for File & Print Servers
ip address 161.117.124.251/26
hsrp 0
preempt delay minimum 180
priority 200
ip 161.117.124.254
interface Vlan141
description Network for Development Other
ip address 161.117.126.59/26
hsrp 0
preempt delay minimum 180
priority 200
ip 161.117.126.62
interface Vlan154
description APF Management Network
no shutdown
no ip redirects
ip address 10.12.24.252/24
hsrp 0
preempt delay minimum 180
priority 200
ip 10.12.24.254
interface Vlan608
description VLAN608 - Server Network
no shutdown
no ip redirects
ip address 10.70.110.252/24
hsrp 0
preempt delay minimum 180
priority 200
ip 10.70.110.254
interface Vlan630
description QV Build room
no shutdown
no ip redirects
ip address 172.168.10.252/24
hsrp 0
preempt delay minimum 180
priority 200
ip 10.70.101.254
interface Vlan860
description APF_IGEN_preprod
no shutdown
no ip redirects
ip address 10.69.97.252/24
hsrp 0
preempt delay minimum 180
priority 200
ip 10.69.97.254
interface Vlan861
description APF_IGEN_prod
no shutdown
no ip redirects
ip address 10.69.98.252/24
hsrp 0
preempt delay minimum 180
priority 200
ip 10.69.98.254
interface Vlan1000
description VLAN1000 - QV-Trust
no shutdown
no ip redirects
ip address 10.70.33.100/29
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
hsrp 0
preempt delay minimum 180
priority 200
ip 10.70.33.102
interface port-channel1
description vPC Peer Link to qvcp-nexcor-0602
switchport mode trunk
spanning-tree port type network
vpc peer-link
interface port-channel2
description Transit Link to qvcp-nexcor-0602
no switchport
flowcontrol receive on
flowcontrol send on
no ip redirects
ip address 10.70.2.113/30
ip ospf network point-to-point
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface port-channel10
description vPC to qvcp-panbdr-0601
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 1000-1001
speed 1000
vpc 10
interface port-channel11
description - Port-channel to DRCCG07 LAN A
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 2,860-861
speed 1000
vpc 11
interface port-channel12
description - Port-channel to DRCCG07 LAN B
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 2,860-861
speed 1000
vpc 12
interface port-channel301
description qv-nt-hypv1
switchport mode trunk
switchport access vlan 608
switchport trunk native vlan 608
switchport trunk allowed vlan 2,608
speed 10000
vpc 301
interface Ethernet1/1
description Interconnect Network with qv-rtr-51
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.1/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/2
description Interconnect Network with qv-rtr-52
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.9/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/3
description Interconnect Network with qv-rtr-53
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.17/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/4
description Interconnect Network with qv-rtr-54
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.25/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/5
description Interconnect Network with qv-rtr-81
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.33/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/6
description Interconnect Network with qv-rtr-82
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.41/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/7
description Interconnect Network with qv-rtr-83
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.49/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/8
description Interconnect Network with qv-rtr-84
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.57/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/9
description Interconnect Network with qv-rtr-91
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.65/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/10
description Interconnect Network with qv-rtr-92
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.73/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/11
description Interconnect Network with qv-rtr-93
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.81/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/12
description Interconnect Network with qv-rtr-94
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.89/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/13
description Connection to qvcp-rtripm-0601 G0/2
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.97/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/14
description Connection to qvcp-rtripm-0602 G0/3
no switchport
speed 1000
flowcontrol receive on
flowcontrol send on
udld aggressive
ip address 10.70.2.105/30
no ip ospf passive-interface
ip router ospf 1 area 0.0.0.0
interface Ethernet1/15
description qvcp-panbdr-0601 Eth1
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 1000-1001
speed 1000
channel-group 10 mode active
interface Ethernet1/16
description qvcp-panbdr-0601 Mgt
switchport access vlan 608
spanning-tree port type edge
speed 1000
interface Ethernet1/17
description Link to qv-dev1-6500 - Lab 1
switchport access vlan 630
speed 1000
interface Ethernet1/18
description qvcp-swtedg-0601 Te1/49
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 20,30,130,141,154,608
interface Ethernet1/19
description DRCCG07-VC1-X2 - LAN A
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 2,860-861
speed 1000
channel-group 11 mode active
interface Ethernet1/20
description DRCCG07-VC2-X2 - LAN B
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 2,860-861
speed 1000
channel-group 12 mode active
interface Ethernet1/21
description QV-NT-HYPV1 Eth1
switchport mode trunk
switchport access vlan 608
switchport trunk native vlan 608
switchport trunk allowed vlan 2,608
spanning-tree port type edge
channel-group 301 mode active
interface Ethernet1/22
description SPARE
shutdown
interface Ethernet1/23
description SPARE
shutdown
interface Ethernet1/24
description SPARE
shutdown
interface Ethernet1/25
description SPARE
shutdown
interface Ethernet1/26
description SPARE
shutdown
interface Ethernet1/27
description SPARE
shutdown
interface Ethernet1/28
description SPARE
shutdown
interface Ethernet1/29
description SPARE
shutdown
interface Ethernet1/30
description SPARE
shutdown
interface Ethernet1/31
description SPARE
shutdown
interface Ethernet1/32
description SPARE
shutdown
interface Ethernet1/33
description SPARE
shutdown
interface Ethernet1/34
description SPARE
shutdown
interface Ethernet1/35
description SPARE
shutdown
interface Ethernet1/36
description SPARE
shutdown
interface Ethernet1/37
description Transit Link qvcp-nexcor-0602 E1/37
no switchport
flowcontrol receive on
flowcontrol send on
channel-group 2 mode active
interface Ethernet1/38
description VPC Peer Link Po1 - qvcp-nexcor-0602 E1/38
switchport mode trunk
channel-group 1 mode active
interface Ethernet1/39
description SPARE
shutdown
interface Ethernet1/40
description SPARE
shutdown
interface Ethernet1/41
description SPARE
shutdown
interface Ethernet1/42
description SPARE
shutdown
interface Ethernet1/43
description SPARE
shutdown
interface Ethernet1/44
description SPARE
shutdown
interface Ethernet1/45
description SPARE
shutdown
interface Ethernet1/46
description SPARE
shutdown
speed 1000
interface Ethernet1/47
description Transit Link qvcp-nexcor-0602 E1/47
no switchport
flowcontrol receive on
flowcontrol send on
channel-group 2 mode active
interface Ethernet1/48
description VPC Peer Link Po1 - qvcp-nexcor-0602 E1/48
switchport mode trunk
channel-group 1 mode active
interface Ethernet3/1
description SPARE
shutdown
interface Ethernet3/2
description SPARE
shutdown
interface Ethernet3/3
description SPARE
shutdown
interface Ethernet3/4
description SPARE
shutdown
interface Ethernet3/5
description SPARE
shutdown
interface Ethernet3/6
description SPARE
shutdown
interface Ethernet3/7
description SPARE
shutdown
interface Ethernet3/8
description SPARE
shutdown
interface Ethernet3/9
description SPARE
shutdown
interface Ethernet3/10
description SPARE
shutdown
interface Ethernet3/11
description SPARE
shutdown
interface Ethernet3/12
description SPARE
shutdown
interface Ethernet3/13
description SPARE
shutdown
interface Ethernet3/14
description SPARE
shutdown
interface Ethernet3/15
description SPARE
shutdown
interface Ethernet3/16
description SPARE
shutdown
interface Ethernet4/1
description SPARE
shutdown
interface Ethernet4/2
description SPARE
shutdown
interface Ethernet4/3
description SPARE
shutdown
interface Ethernet4/4
description SPARE
shutdown
interface Ethernet4/5
description SPARE
shutdown
interface Ethernet4/6
description SPARE
shutdown
interface Ethernet4/7
description SPARE
shutdown
interface Ethernet4/8
description SPARE
shutdown
interface Ethernet4/9
description SPARE
shutdown
interface Ethernet4/10
description SPARE
shutdown
interface Ethernet4/11
description SPARE
shutdown
interface Ethernet4/12
description SPARE
shutdown
interface Ethernet4/13
description SPARE
shutdown
interface Ethernet4/14
description SPARE
shutdown
interface Ethernet4/15
description SPARE
shutdown
interface Ethernet4/16
description SPARE
shutdown
interface mgmt0
description VPC Keep-Alive
vrf member management
ip address 172.16.254.13/30
interface loopback0
description qvcp-nexcor-0601
ip address 10.70.1.21/32
clock timezone AEST 10 0
clock summer-time AEST 1 Sun Oct 02:00 1 Sun April 02:00 60
cli alias name wr copy run start
line console
line vty
boot kickstart bootflash:/n5000uk0-kick.bin
boot system bootflash:/n5000-uk9.7.1.4.N1.1.bin
router ospf 1
router-id 10.70.1.21
redistribute direct route-map connected-to-ospf
redistribute static route-map static-to-ospf
log-adjacency-changes
maximum-paths 1
auto-cost reference-bandwidth 10000
passive-interface default
poap transit
logging server 10.66.250.18
logging module 3
logging timestamp milliseconds
05-15-2018 04:50 AM
Which VLAN belongs to the floor you are trying to isolate?
05-15-2018 06:22 AM
Hi,
I am particularly trying to isolate qv-rtr-51 and qv-rtr-54 to internet access only. VLANs on qv-rtr-51 are as below, as per config. I can't see them in the Nexus config (I have not configured the Nexus myself; it was done by the guy before me).
qv-rtr-51#sh run int vlan 115
Building configuration...
Current configuration : 225 bytes
!
interface Vlan115
description VLAN115 - Level 5 North Data Network
ip address 10.70.115.254 255.255.255.0
ip helper-address 10.71.16.26
ip helper-address 10.71.17.26
no ip redirects
service-policy input DataMark
end
qv-rtr-51#sh run int vlan 151
Building configuration...
Current configuration : 210 bytes
!
interface Vlan151
description VLAN151 - Level 5 North Voice Network
ip address 10.10.151.254 255.255.255.0
ip helper-address 10.71.16.26
ip helper-address 10.71.17.26
service-policy input DataMark
end
Hope you can help. Maybe an access-list on the Nexus or floor switches directly to restrict just to internet traffic.
05-15-2018 06:48 AM
Just to clarify further, OSPF routing is used between the floor switches and the Nexus, and from the Nexus to the edge.
So the VLAN may not be seen in the Nexus due to that, as OSPF is serving the purpose of reachability.
05-15-2018 07:43 AM
Hello,
An extended access list like the one below (this one is for VLAN 115) might just be sufficient. Basically you deny all other networks access to VLAN 115, and permit everything else (which includes all Internet traffic):
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.60.0 0.0.0.127
access-list 101 deny ip 10.70.60.0 0.0.0.127 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.10.131.0 0.0.0.127
access-list 101 deny ip 10.10.131.0 0.0.0.127 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.124.192 0.0.0.63
access-list 101 deny ip 161.117.124.192 0.0.0.63 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.126.0 0.0.0.63
access-list 101 deny ip 161.117.126.0 0.0.0.63 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.12.24.0 0.0.0.255
access-list 101 deny ip 10.12.24.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.110.0 0.0.0.255
access-list 101 deny ip 10.70.110.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 172.168.10.0 0.0.0.255
access-list 101 deny ip 172.168.10.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.97.0 0.0.0.255
access-list 101 deny ip 10.69.97.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.98.0 0.0.0.255
access-list 101 deny ip 10.69.98.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.33.96 0.0.0.7
access-list 101 deny ip 10.70.33.96 0.0.0.7 10.70.115.0 0.0.0.255
access-list 101 permit ip any any
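As an added example (not from the thread or any of its posters), the following Python script evaluates the access list above the way IOS does (first match wins, wildcard bits set to 1 are "don't care", implicit deny at the end) and audits it against the intended policy: VLAN 115 must not reach any of the SVI subnets from the posted Nexus config, in either direction, while traffic to and from a public address must still be permitted. The ACL is embedded as constructed sample input, with the wildcard on the `161.117.126.0` source line taken as `0.0.0.63` so that it mirrors its /26 peer line; the same ACL with that wildcard typed as `0.0.0.53` is evaluated as a second case to show what a non-contiguous wildcard does to the isolation. `TENANT_HOST`, `INTERNET_HOST` and all function names are assumptions of this example.

```python
import ipaddress

# ACL from the reply above, copied here as constructed sample input; the "161.117.126.0"
# source line carries wildcard 0.0.0.63 so that it mirrors its /26 peer line.
ACL_TEXT = """\
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.60.0 0.0.0.127
access-list 101 deny ip 10.70.60.0 0.0.0.127 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.10.131.0 0.0.0.127
access-list 101 deny ip 10.10.131.0 0.0.0.127 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.124.192 0.0.0.63
access-list 101 deny ip 161.117.124.192 0.0.0.63 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 161.117.126.0 0.0.0.63
access-list 101 deny ip 161.117.126.0 0.0.0.63 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.12.24.0 0.0.0.255
access-list 101 deny ip 10.12.24.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.110.0 0.0.0.255
access-list 101 deny ip 10.70.110.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 172.168.10.0 0.0.0.255
access-list 101 deny ip 172.168.10.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.97.0 0.0.0.255
access-list 101 deny ip 10.69.97.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.69.98.0 0.0.0.255
access-list 101 deny ip 10.69.98.0 0.0.0.255 10.70.115.0 0.0.0.255
access-list 101 deny ip 10.70.115.0 0.0.0.255 10.70.33.96 0.0.0.7
access-list 101 deny ip 10.70.33.96 0.0.0.7 10.70.115.0 0.0.0.255
access-list 101 permit ip any any
"""
# The same ACL with that one wildcard mis-typed as 0.0.0.53 (constructed typo case).
ACL_TYPO_TEXT = ACL_TEXT.replace("ip 161.117.126.0 0.0.0.63", "ip 161.117.126.0 0.0.0.53")

# Subnets of the SVIs in the posted Nexus config; the deny list above was built from them.
NEXUS_SVI_NETS = ["10.70.60.0/25", "10.10.131.0/25", "161.117.124.192/26", "161.117.126.0/26",
                  "10.12.24.0/24", "10.70.110.0/24", "172.168.10.0/24", "10.69.97.0/24",
                  "10.69.98.0/24", "10.70.33.96/29"]
TENANT_HOST = "10.70.115.10"    # constructed host on the sub-leased floor's VLAN 115
INTERNET_HOST = "203.0.113.10"  # constructed public host (RFC 5737 documentation range)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    # "any" or "<base> <wildcard>" starting at tok[i]; returns ((base, wildcard), next index)
    return ((0, 0xFFFFFFFF), i + 1) if tok[i] == "any" else ((_ip(tok[i]), _ip(tok[i + 1])), i + 2)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst, raw) tuples."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError("unsupported line: " + raw)
        src, i = _addr(tok, 4)
        dst, _ = _addr(tok, i)
        entries.append((tok[2], src, dst, raw))
    return entries

def wildcard_is_contiguous(wc):
    """A sane wildcard is 2**k - 1: ones from the low end with no gaps (0.0.0.53 is not)."""
    return wc & (wc + 1) == 0

def non_contiguous_wildcards(entries):
    """Lines whose source or destination wildcard has gaps; almost always a typo."""
    return [raw for _, (_, sw), (_, dw), raw in entries
            if not (wildcard_is_contiguous(sw) and wildcard_is_contiguous(dw))]

def _matches(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return addr & care == base & care

def evaluate(entries, src_ip, dst_ip):
    """First match wins; IOS applies an implicit deny when no line matches."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, (sb, sw), (db, dw), raw in entries:
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action, raw
    return "deny", "implicit deny"

def audit_tenant_isolation(entries, tenant_host, internal_nets, internet_host):
    """Flows that break the intended policy: tenant<->internal must be denied,
    tenant<->internet permitted. Returns {"src->dst": line that matched}."""
    problems = {}
    probes = [(str(ipaddress.ip_network(net).network_address + 2), "deny") for net in internal_nets]
    probes.append((internet_host, "permit"))
    for peer, wanted in probes:
        for src, dst in ((tenant_host, peer), (peer, tenant_host)):
            action, rule = evaluate(entries, src, dst)
            if action != wanted:
                problems[src + "->" + dst] = rule
    return problems

if __name__ == "__main__":
    for label, text in (("as posted", ACL_TEXT), ("with 0.0.0.53 typo", ACL_TYPO_TEXT)):
        acl = parse_acl(text)
        print(label, "| suspicious wildcards:", non_contiguous_wildcards(acl))
        print(label, "| policy violations:", audit_tenant_isolation(acl, TENANT_HOST, NEXUS_SVI_NETS, INTERNET_HOST))
```

With the ACL as posted the audit returns no violations; with the `0.0.0.53` slip it reports that a host such as 161.117.126.2 still reaches VLAN 115 through the final `permit ip any any`, because the gapped wildcard only matches addresses whose low bits 1, 3, 6 and 7 are zero. Two things the list in `NEXUS_SVI_NETS` does not cover, both visible in the thread: the floor's own voice network (10.10.151.0/24 on qv-rtr-51) and any other floor's VLANs, which the poster says live on the layer 3 floor switches and are carried by OSPF rather than appearing on the Nexus. Adding those subnets to the list makes the audit check them too. Running the audit against a single `10.0.0.0 0.255.255.255` deny pair instead of the per-subnet list would report the 161.117.x and 172.168.10.x SVIs as still reachable, since they lie outside 10.0.0.0/8.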
05-15-2018 03:50 PM
So you mean if I am coming from VLAN 115 I can only access the internet??
Secondly, if it is like this, is there a better way if we change the subnet on VLAN 115 completely, like give it 192.168.2.X/24 and advertise it in OSPF and then block all 10.0.0.0/8??
Secondly, where can we apply this access-list: 1) floor switch, 2) Nexus, or Cisco edge router, and how to apply it?
Sorry for asking for details, but I am the only one here in Network so I can't take risks that get the network down.