09-26-2012 04:32 AM - edited 03-07-2019 09:07 AM
Hi folks,
New to networking and first time to post here. Would be grateful if anyone could help me on this problem. I have just started a new job in a relatively big campus environment with approx 20 3750 routers and 70 switches and maybe 50 APs.
The network runs both ospf and eigrp. It seems a relatively simple network setup where user traffic is routed through ospf and management traffic of network devices is routed using eigrp. So each router would be configured as follows:
router eigrp 1
network 172.16.0.0 0.0.255.255
passive-interface default
no passive-interface GigabitEthernet1/0/12
!
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface GigabitEthernet1/0/12
network 10.0.0.0 0.0.0.255 area 1
So our desktop users would get an ip address of 10.0.0.50 etc, address ranges routed by ospf. Our routers, switches and APs get an IP address in the range 172.16.0.0/23 which is routed by eigrp. I think the idea of this is not to let normal users telnet/ssh to our network equipment. We have a server in the 172.16.0.0/23 network to allow the IT department to access the equipment.
To my surprise yesterday I was able to telnet from my desktop pc 10.0.0.100 to a network switch 172.16.0.50. I presume I shouldn't have been able to do this as there are two different routing protocols for these ranges? Could we have route distribution configured somewhere? Or am I totally on the wrong track here?
Any help at all would be greatly appreciated.
Thanks.
09-26-2012 05:01 AM
Hello Netter,
the use of two different routing protocols doesn't provide a complete separation between the 10/8 and 172.16.0.0/23 IP networks. This would be provided by the use of VRFs, which are separate routing and forwarding tables.
When a packet is sent with source 10.0.0.100 and destination 172.16.0.50, it is routed via EIGRP (based on destination) on the management network. The return packet with source 172.16.0.50 and DA = 10.0.0.100 is routed by OSPF in the user data network, if the target switch runs both OSPF and EIGRP.
If it is an L2 switch it can follow the path to the default route on the return path. The default route can be originated by an L3 device that runs both EIGRP and OSPF.
This is the reason why I have written that the use of two different routing protocols does not prevent communication between 10/8 and 172.16.0.0/23.
The communication can be achieved even without redistribution, following the default route that for both routing domains may point to the same device or device pair speaking both EIGRP and OSPF.
You can check if redistribution has been performed using
show ip eigrp topology 10.0.0.0
show ip ospf database external
You can check the path to default route using
show ip route 0.0.0.0
Hope to help
Giuseppe
09-26-2012 08:33 AM
Your answer makes sense. It seems the thinking here was wrong about having two separate routing protocols as the router will still use the one routing table. Is this true? All our routers run both protocols.
When I do a show ip eigrp topology command I get:
Routing entry for 172.16.10.0/24
Known via "eigrp 1", distance 90, metric 3072, type internal
Redistributing via eigrp 1
Is there redistributing happening here? I have omitted some of the answer for security reasons.
I guess the best way for me to stop users telneting to switches and APs is to put an acl on the mgt vlan on each router.
Thanks,
Netter
09-26-2012 08:42 AM
The router will only have one routing table. If the router is running 2 routing protocols this does not mean you will have 2 separate routing tables. As Giuseppe said you can use vrfs which would mean 2 separate routing tables or you could use acls on certain interfaces to stop users accessing management IP addresses.
But without vrfs a router will simply use one routing table and routes learnt by both EIGRP and OSPF can be used to populate it.
Jon
09-26-2012 08:42 AM
Hello Netter,
the routing table is only one and each device speaking both EIGRP and OSPF can route between 10/8 and management network
>> I guess the best way for me to stop users telneting to switches and AP's is to put a acl on the mgt vlan on each router.
I do agree
Hope to help
Giuseppe
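The two points the replies make, that a device speaking both EIGRP and OSPF has a single routing table and so forwards between 10/8 and 172.16.0.0/23, and that an ACL on the management VLAN is what actually blocks user access, can be modelled in a few lines. The following is an added example, not code from any poster and not IOS configuration: a toy RIB with IOS administrative distances and longest-prefix lookup, plus a first-match ACL with implicit deny. The prefixes and the hosts 10.0.0.100 and 172.16.0.50 come from the thread; the next-hop addresses and the IT server 172.16.1.10 are constructed.

```python
"""Toy model of the thread's point: one routing table per router, regardless of
how many protocols populate it, so 10.0.0.100 reaches 172.16.0.50. An ACL on
the management VLAN interface is what restricts access. Hypothetical model,
not IOS code; next hops and the IT server address are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS administrative distances: the lower value wins when two protocols offer the same prefix
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    protocol: str


class RoutingTable:
    """Single RIB shared by every routing protocol on the device."""

    def __init__(self) -> None:
        self.routes: dict[ipaddress.IPv4Network, Route] = {}

    def install(self, prefix: str, next_hop: str, protocol: str) -> Route:
        net = ipaddress.ip_network(prefix)
        current = self.routes.get(net)
        # Same prefix from two protocols: keep the one with the lower administrative distance
        if current is None or ADMIN_DISTANCE[protocol] < ADMIN_DISTANCE[current.protocol]:
            self.routes[net] = Route(net, next_hop, protocol)
        return self.routes[net]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; which protocol installed the route plays no part."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes.values() if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(acl: list[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; implicit deny when nothing matches (as on IOS)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


def build_campus_router() -> RoutingTable:
    """Constructed RIB for a device running both protocols (next hops are made up)."""
    rt = RoutingTable()
    rt.install("10.0.0.0/24", "10.255.0.1", "ospf")       # user subnet, learned via OSPF
    rt.install("172.16.0.0/23", "10.255.0.2", "eigrp")    # management subnet, learned via EIGRP
    rt.install("0.0.0.0/0", "10.255.0.254", "static")     # default route shared by both domains
    return rt


def mgmt_vlan_acl(it_server: str) -> list[AclEntry]:
    """ACL for the management VLAN: the IT server may reach 172.16.0.0/23,
    hosts in 10.0.0.0/8 may not, everything else passes."""
    mgmt = ipaddress.ip_network("172.16.0.0/23")
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return [
        AclEntry("permit", ipaddress.ip_network(it_server + "/32"), mgmt),
        AclEntry("deny", ipaddress.ip_network("10.0.0.0/8"), mgmt),
        AclEntry("permit", anywhere, anywhere),
    ]


def forward(rt: RoutingTable, acl: Optional[list[AclEntry]], src: str, dst: str) -> str:
    """Route lookup first, then the interface ACL; returns what happened to the packet."""
    route = rt.lookup(dst)
    if route is None:
        return "no route"
    if acl is not None and not acl_permits(acl, src, dst):
        return "denied by acl"
    return f"forwarded via {route.protocol} next-hop {route.next_hop}"


if __name__ == "__main__":
    rib = build_campus_router()
    print(forward(rib, None, "10.0.0.100", "172.16.0.50"))                      # reachable
    print(forward(rib, mgmt_vlan_acl("172.16.1.10"), "10.0.0.100", "172.16.0.50"))  # denied by acl
```

Without the ACL the user packet is forwarded over the EIGRP-learned route even though the user subnet was learned via OSPF, which is exactly why running two protocols separates nothing; with the ACL in place the same packet is dropped while the IT server still gets through.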
09-26-2012 08:47 AM
Thanks Jon and Giuseppe for helping me out on this one.