06-15-2009 02:30 AM - edited 03-06-2019 06:15 AM
Hi,
LAN Users are on VLAN#5
Web-Server on VLAN#10
Backup Network on VLAN#25
Lan_Users : 192.168.100.0/24
Web_server : 10.10.10.1/24
Backup Network : 192.168.1.0/24
OSPF configured
network 10.10.10.0 0.0.0.255
network 192.168.100.0 0.0.0.255
Backup Network is not configured on OSPF, still LAN_Users are able to access the Backup_Network and ping it.
We don't want the Backup_Network VLAN to communicate with other VLANs.
Can someone help with this?
06-15-2009 04:56 AM
Hi,
you would need to configure your C4500 using the command:
interface vlan 25
ip address ....
only if the devices that are in VLAN25 need to communicate with devices outside VLAN 25.
If devices in VLAN25 only need to communicate with devices inside VLAN25, you do not need to configure an interface vlan 25.
Regarding the question of why other devices can communicate with devices in VLAN 25: because you configured an IP address on your C4500, the subnet is put into the routing table as "directly connected". This means that the C4500 has an IP address in VLAN 25 (directly connected).
Devices in other VLANs on your C4500 have this C4500 as default gateway. When they try to connect to an IP Address inside VLAN25, they use their default gateway, reach the C4500 which performs a routing table lookup, and finds that VLAN25 is directly connected and forwards traffic.
If you delete the interface VLAN 25
no interface vlan 25
the subnet is erased from the routing table and nobody outside VLAN25 is capable of communicating with devices inside VLAN25, like you want.
HTH,
Dario
06-15-2009 02:37 AM
Ronald
If the backup network L3 vlan interface is on the same switch as the LAN users L3 vlan interface then it doesn't matter what you advertise into OSPF, they will still be able to communicate.
If you don't want the backup LAN to talk to anything else you have 2 choices -
1) remove the L3 vlan interface for vlan 25. But you don't say whether you need to access this vlan remotely?
2) use an acl on the backup network SVI eg.
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
int vlan 25
ip access-group 101 out
Jon
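Both points made in the answers above (Dario: the connected route exists whatever OSPF advertises; Jon: either drop the SVI or filter on it with an ACL) can be checked against a small model. The Python below is an added example, not code from this thread or from Cisco: it builds the routing table from the SVIs the switch carries, does a longest-prefix lookup, and evaluates an outbound ACL with first-match semantics and the implicit deny at the end. Jon's access-list 101 is reproduced as posted; the admin host 192.168.100.10 in ADMIN_ACL is a constructed assumption for the "need to access this vlan remotely?" case.

```python
import ipaddress

# Constructed model of the C4500 from the thread: three SVIs, and an OSPF
# process whose "network" statements cover only two of them.  The model
# ignores OSPF neighbours altogether (assumption: only the local routing
# table matters here), which is exactly the point of the thread.
SVIS = {
    5: "192.168.100.1/24",   # USER_Network
    10: "10.10.10.1/24",     # WEB_SERVER
    25: "192.168.1.1/24",    # BACKUP NETWORK
}
OSPF_NETWORKS = ["10.10.10.0/24", "192.168.100.0/24"]  # 192.168.1.0/24 absent


def build_routing_table(svis):
    """Every SVI that carries an IP address installs its subnet as a
    'C' (connected) route.  OSPF 'network' statements control what is
    advertised to neighbours, not what is installed locally."""
    table = []
    for vlan, addr in svis.items():
        iface = ipaddress.ip_interface(addr)
        table.append((iface.network, "C", f"Vlan{vlan}"))
    return table


def remove_svi(svis, vlan):
    """Equivalent of 'no interface vlan <n>': the connected route disappears."""
    return {v: a for v, a in svis.items() if v != vlan}


def lookup(table, dst):
    """Longest-prefix match; returns (network, source, egress interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


class ACL:
    """Ordered (action, src, dst) entries, first match wins; a packet that
    matches no entry is dropped by the implicit deny at the end."""

    def __init__(self, entries):
        self.entries = [
            (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
            for action, src, dst in entries
        ]

    def permits(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, s_net, d_net in self.entries:
            if src in s_net and dst in d_net:
                return action == "permit"
        return False  # implicit deny


# Jon's access-list 101 as posted, applied "out" on interface vlan 25.
JON_ACL = ACL([
    ("deny", "192.168.100.0/24", "192.168.1.0/24"),
    ("deny", "10.10.10.0/24", "192.168.1.0/24"),
])

# Variant for remote access: one constructed admin host (assumption) is
# permitted into the backup VLAN; everything else still hits the implicit deny.
ADMIN_ACL = ACL([
    ("permit", "192.168.100.10/32", "192.168.1.0/24"),
])


def forward(svis, out_acls, src, dst):
    """Route a packet that reached the switch from another VLAN.
    Returns the egress SVI name, or None if the packet is dropped."""
    route = lookup(build_routing_table(svis), dst)
    if route is None:
        return None  # no route: destination unreachable
    egress = route[2]
    acl = out_acls.get(int(egress[len("Vlan"):]))
    if acl is not None and not acl.permits(src, dst):
        return None  # dropped by the outbound ACL on the egress SVI
    return egress


if __name__ == "__main__":
    for net, src, iface in build_routing_table(SVIS):
        print(f"{src}  {net}  {iface}  advertised={str(net) in OSPF_NETWORKS}")
    print(forward(SVIS, {}, "192.168.100.10", "192.168.1.50"))                 # Vlan25
    print(forward(remove_svi(SVIS, 25), {}, "192.168.100.10", "192.168.1.50"))  # None
    print(forward(SVIS, {25: JON_ACL}, "192.168.100.10", "192.168.1.50"))       # None
```

The first loop is the model's equivalent of `show ip route` on the real switch: all three subnets show up as `C` entries, and the `advertised` flag is the only thing the OSPF `network` statements change. Note that with the implicit deny, Jon's two explicit `deny` lines are already covered; they are still worth keeping because they document which traffic the ACL is meant to stop, and a `permit` line for any host that legitimately needs to reach the backup VLAN has to be added above them.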
06-15-2009 02:37 AM
Hi,
You can reach it because it is directly connected on your router.
If your Backup VLAN shouldn't be routed (if traffic is only Layer 2 local, if the devices in this VLAN don't need a default gateway to communicate outside this VLAN), just remove the layer3 interface from your router:
no interface vlan 25
Otherwise, put an ACL on interface 25 to block traffic entering this VLAN.
HTH,
Dario
06-15-2009 04:19 AM
Hi,
The Switch is Cisco 4500 Series ( L3 )
All VLANs are configured on this switch.
Configuration on the switch is:
Interface vlan 25
description #BACKUP NETWORK#
ip address 192.168.1.1 255.255.255.0
Interface vlan 5
description #USER_Network#
ip address 192.168.100.1 255.255.255.0
Interface vlan 10
description #WEB_SERVER#
ip address 10.10.10.1 255.255.255.0
Router OSPF 15
network 10.10.10.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
Under the router OSPF process there is no network defined for 192.168.1.0 0.0.0.255.
So why can LAN users access the Backup_Network?
06-15-2009 04:29 AM
Ronald,
The router doesn't need any routing protocol to forward packets from one interface to another as these subnets are directly connected. Why do you need an ip address on interface vlan 25 if you don't need ip connectivity on this subnet, or do you?
Regards
06-15-2009 04:41 AM
Hi,
I am not really an expert, but reading from cisco documentation CD, I managed to fix bits and pieces.
So you mean that to avoid communication between VLANs, I should not have an IP on VLAN 25?