Private-Public routing in a layered LAN

hetene_kaz
Level 1

Hi all.

Making a total re-design of the existing network at the company I work for.

I use a standard three-layer structure (core-distribution-access) to get a normal-looking and manageable network.

I came up with 7 blocks connected to a redundant core, running OSPF everywhere.

There is no problem with blocks where public IPs are used; traffic between them goes with no NAT. Private->public is also OK when I do NAT prior to entering the core.

Problems start with private IPs, when they need to get access to private IPs in a neighbor block. I don't want to see any routes with private IPs in the core. The reason is that the existence of private IPs in the core will allow public IPs to have access to private IPs, causing a mess that is an obstacle when troubleshooting. The normal model also stops being normal in such a case.

I don't want to complicate configs with ACLs that prevent public->private and vice-versa.

The options I came to:

1) Connect all private blocks to an intermediate sub-core first, keeping all private traffic in it; then the sub-core leads to the main core. Expensive and complicated in structure, but a workable option.

2) Use tunnels (messy due to the need for full-mesh routing);

3) MPLS could be a solution, but it isn't an option as not all routers support it;

4) any ideas?

Or tell me if I am too strict about keeping private routes out of my core.

Please refer to my designed structure, where private routes in the core are inevitable as of now.

Thanks in advance to all for your time and advice.

3 Replies

IAN WHITMORE
Level 4

What about using different OSPF processes? Is that an option?

Or VRFs with route leaking (if you need to leak any routes)?

hetene_kaz
Level 1

Thanks for the reply.

A different OSPF process will not make sense, since routes will still mix in the core...

I thought of VRFs as well; it might be the best way to solve it.

The only thing is the configuration and troubleshooting complexity... VRF traffic isn't visible in the usual way, and neither are the routes...

How do you solve this issue in your network?

IAN WHITMORE
Level 4

I was just thinking out loud. The internal LAN is a VPN, so ALL internal clients can access everything except for the DMZs, which are obviously controlled by firewalls. Public users from the internet only have access to DMZ servers. If the DMZ servers need access to the internal network, we use a reverse proxy.

We don't actually mix public and private IPs on the company LAN. All external offices are connected to the VPN by the telco provider. All external companies that connect use LAN-to-LAN over IPsec and are also firewalled.

I think in your case VRF-Lite would be the way to go... but then I don't have all the details. I haven't used VRFs myself outside a lab yet, though it's something I'd love to do (as well as work with VoIP, CallManager and Nexus switches). Damn, there is just so much out there!!

Regards,

Ian
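Added example (not from either poster): what the VRF-Lite approach suggested above looks like on one core router in Cisco IOS. The public blocks stay in the global routing table with OSPF process 1; the private blocks sit in a VRF named PRIVATE with a separate OSPF process 2, so their RFC 1918 prefixes never appear in the global table and public hosts have no route to them without any ACLs. Interface names, the VRF name, RD, router IDs and the 203.0.113.0/24 and 10.10.0.0/16 prefixes are all constructed for the example.

```cisco
! Assumed core router. Two routing tables on one box:
!   global table  -> public blocks, OSPF process 1
!   VRF PRIVATE   -> private blocks, OSPF process 2
! No route-target import/export is configured, so nothing leaks
! between the two tables unless an operator adds it explicitly.
ip vrf PRIVATE
 rd 65000:10
!
! Uplink from a public block: ordinary global-table interface.
interface GigabitEthernet0/1
 description Public block 1 (global table)
 ip address 203.0.113.1 255.255.255.252
!
! Uplinks from private blocks. "ip vrf forwarding" must come before
! the address: IOS removes the IP address when an interface moves VRF.
interface GigabitEthernet0/2
 description Private block 1 (VRF PRIVATE)
 ip vrf forwarding PRIVATE
 ip address 10.10.1.1 255.255.255.252
!
interface GigabitEthernet0/3
 description Private block 2 (VRF PRIVATE)
 ip vrf forwarding PRIVATE
 ip address 10.10.2.1 255.255.255.252
!
! Public routing: global table only.
router ospf 1
 router-id 203.0.113.254
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 203.0.113.0 0.0.0.255 area 0
!
! Private routing: a second OSPF process bound to the VRF. It keeps
! its own LSDB and RIB; "capability vrf-lite" tells IOS this is not
! an MPLS PE, so it skips the PE-specific DN-bit/route-tag checks.
router ospf 2 vrf PRIVATE
 router-id 10.10.0.254
 capability vrf-lite
 passive-interface default
 no passive-interface GigabitEthernet0/2
 no passive-interface GigabitEthernet0/3
 network 10.10.0.0 0.0.255.255 area 0
!
! Verification (the "routes aren't visible in the usual way" point):
! the global table should contain no 10.0.0.0/8 routes, and the VRF
! table no public ones. Use the "vrf" keyword to look into the VRF.
!   show ip route ospf
!   show ip route vrf PRIVATE ospf
!   show ip ospf neighbor
!   ping vrf PRIVATE 10.10.2.2
```

Private->public traffic keeps working the way the original post describes, with NAT applied before the packet enters the core. If a deliberate exception is ever needed, it has to be configured as explicit leaking (for example a static route of the form `ip route vrf PRIVATE 0.0.0.0 0.0.0.0 <next-hop> global`), which gives one place to audit rather than ACLs spread across the core.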
