[c-nsp] Fwd: VLAN 1 through routed ports
On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore jus...@justinshore.com wrote:
> And by all means DO NOT USE VLAN 1. That's what bit me in the ass last night. An unconfigured 7600 LAN port with switchport, mode access and no access vlan defined was a piece in the puzzle of the cluster that was my evening last night. VLAN 1 is evil and anyone that uses it intentionally is a fool.

Agreed. Ours always shut down vlan 1 and define another vlan as native on trunk ports. This way we can be sure that user traffic is not using vlan 1.

> On a related side note, can VLAN 1 be disabled? If the state is set to suspended or the vlan is 'shutdown' in vlan sub-config mode, would that actually shutdown VLAN 1?

If you shut down vlan 1, the control traffic is still tagged with vlan 1, e.g. CDP, VTP. But your user traffic will not be tagged with vlan 1 if you defined another vlan as native.

> If a default config access-mode switchport in VLAN by default receives a packet, does it drop it?

I believe control traffic (CDP, VTP) will not be dropped from the port.

> I'm looking for ways to prevent what happened last night and since I can't remove VLAN 1 from the trunk ports in question I'd like to figure out how to disable the VLAN. The other option would be to change the VLAN used by default for the access VLAN when one isn't configured on a port. Is there a config option for that?

I think best practice is an access port must belong to a vlan other than default (vlan 1 in cisco). This is simple with command interface range and switchport access vlan XXX.

HTH
Engel

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Procurve DHCP relay question
On Thu, 8 Jan 2009, Eric Cables wrote:
> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the core, so sorry if this e-mail is off topic. I am having a hard time getting DHCP relay to work, and was hoping someone with HP experience could chime in with some assistance. I've created a new VLAN, and have specified a helper-address to point to a DHCP server that manages dozens of scopes. The new VLAN functions fine, assuming users are given a static address, but DHCP does not appear to work at all.

Hi Eric,

I'm not sure how helpful this might be (it seems you've already taken the necessary steps), but here's a cut and paste from a production switch doing the same thing (a 5400 in this case):

  vlan 4071
     name VLAN4071
     ip helper-address 10.144.16.2
     ip address 10.144.1.65 255.255.255.192
     tagged A1-A4,Trk1
     exit

HTH,
-j
--
Jeremy L. Gaddis
http://evilrouters.net
Re: [c-nsp] 6500 and VSS
So, I'm building this 6509/VSS in the configuration tool on Cisco's web site, and I'm getting an error that concerns me. Whenever I select advanced ip services, sxi, I think it's telling me I must also have a secondary supervisor, basically for anything other than ip base? Is this others' experience, those of you using aip services and higher, do you all have redundant sup's in a single chassis? My hope was for aipservices and a single 10G sup in each chassis.

Thanks!
Nick Griffin

On Mon, Dec 29, 2008 at 12:45 PM, Tim Durack tdur...@gmail.com wrote:
> On Mon, Dec 29, 2008 at 1:40 PM, Murphy, William william.mur...@uth.tmc.edu wrote:
>> I was told by Cisco that SXI support both v6 and MPLS with VSS... Can anyone else confirm this, and if so is anyone using VSS with these features in a production network? Thanks...
>
> SXI does not. SXI(n) might.
>
> Tim:
[c-nsp] TLU/PLU memory on engine 2 line card (12000)
I know that the packet RAM and route RAM are different, but what is the difference between TLU/PLU memory and packet memory? I was just upgrading an E2 card and noticed that on the diagram it specifically indicates that slot 7 (PLU) and slot 8 (TLU) are not user serviceable, but all 6 of the DIMMs (appear to be) identical. By user serviceable do they mean that you just can't upgrade them?

Thanks,
-Drew
Re: [c-nsp] Fwd: VLAN 1 through routed ports
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Engelhard Labiro
> On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore jus...@justinshore.com wrote:
>> And by all means DO NOT USE VLAN 1. That's what bit me in the ass last night. An unconfigured 7600 LAN port with switchport, mode access and no access vlan defined was a piece in the puzzle of the cluster that was my evening last night. VLAN 1 is evil and anyone that uses it intentionally is a fool.
>
> Agreed. Ours always shut down vlan 1 and define another vlan as native on trunk ports. This way we can be sure that user traffic is not using vlan 1.
>
> [...]
>
> If you shut down vlan 1, the control traffic is still tagged with vlan 1, e.g. CDP, VTP. But your user traffic will not be tagged with vlan 1 if you defined another vlan as native.

Either I'm misunderstanding what you are saying, or this is incorrect. The native VLAN identifier just dictates which frames are tagged; it doesn't control whether they are sent. So if the native vlan is 999, and a default config port is in vlan 1, if the port receives traffic it will still be sent over the trunk, but tagged with vlan 1 (rather than untagged if vlan 1 was native).

Changing the native VLAN would not have prevented the problem that Justin is describing. The only solution to that is making sure that vlan 1 isn't used in production, so even if frames are generated there is no destination. Shutting down the vlan 1 SVI will make sure that no traffic from VLAN 1 is routed, which is a way of enforcing the policy restriction described above.

Thanks,
Josh
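As an added illustration of the point argued in this thread (example code written here, not from the list or from Cisco): a small audit over a constructed IOS running-config that flags every place VLAN 1 can still carry or route user traffic. It catches access ports with no access vlan set (IOS defaults them to VLAN 1), trunks that send VLAN 1 untagged, trunks that still allow VLAN 1 even with another native VLAN (Josh's point), and a VLAN 1 SVI that is not shut down. It assumes the plain `switchport trunk allowed vlan <list>` form; the add/remove/except variants are not parsed.

```python
import re

# Constructed sample running-config excerpt (not from the thread) with the mix
# of ports the discussion above describes.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/4
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-40
 switchport mode trunk
!
interface GigabitEthernet1/5
 switchport trunk native vlan 999
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [indented lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None          # "!" or any other top-level line ends the stanza
    return stanzas


def first_int(pattern, lines, default):
    """Integer captured by pattern on the first matching line, else default."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return default


def vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-40' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_vlan1(config):
    """Return (interface, reason) pairs for every way VLAN 1 can still carry
    or route user traffic in this config."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1":
            if "shutdown" not in lines:
                findings.append((name, "VLAN 1 SVI is up: anything landing in VLAN 1 gets routed"))
            continue
        if "switchport mode access" in lines:
            # IOS places an access port in VLAN 1 when no access vlan is configured.
            if first_int(r"switchport access vlan (\d+)$", lines, 1) == 1:
                findings.append((name, "access port in VLAN 1 (the default when none is set)"))
        if "switchport mode trunk" in lines:
            if first_int(r"switchport trunk native vlan (\d+)$", lines, 1) == 1:
                findings.append((name, "native VLAN 1: VLAN 1 frames leave the trunk untagged"))
            allowed = None                   # None means all VLANs allowed (IOS default)
            for line in lines:
                m = re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)
                if m:
                    allowed = vlan_list(m.group(1))
            if allowed is None or 1 in allowed:
                findings.append((name, "VLAN 1 still allowed on trunk; native VLAN only changes tagging"))
    return findings
```

Run `audit_vlan1(SAMPLE_CONFIG)` against your own `show running-config` text to get the list of ports to fix with `switchport access vlan` or `switchport trunk allowed vlan`.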
[c-nsp] PIX question
Hi all

I enable the http and snmp community in dmz 192 network

  http server enable
  http 192.168.0.0 255.255.255.0 dmz
  snmp-server community aaa

but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0 network

What am I doing wrong?

Thank you
Re: [c-nsp] PIX question
On 1/9/09 1:05 PM, chloe K chloekcy2...@yahoo.ca wrote:
> Hi all
>
> I enable the http and snmp community in dmz 192 network
>
>   http server enable
>   http 192.168.0.0 255.255.255.0 dmz
>   snmp-server community aaa
>
> but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0 network
>
> What am I doing wrong?

What you have done is enable the PIX itself to be managed via HTTP and allowed hosts on the 192.168.0.0 DMZ to manage the PIX with HTTP. You have also turned on SNMP management of the PIX itself.

If you want the PIX to pass HTTP and SNMP traffic to the hosts on the 192.168.0.0 network you will need to allow that traffic in an access list applied to the appropriate interfaces. Like this:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/nwaccess.html

Hope this helps.

Cheers,
Brad Hedlund
bhedl...@cisco.com
http://www.internetworkexpert.org
Re: [c-nsp] PIX question
Could be a routing issue on the pix; do you get any syslog msgs about no route . . . ; traffic could be coming in on the dmz interface but leaving out the default route to say like the outside interface. If this is indeed the case then create a route statement:

  route your_ip_addr 255.255.255.255 dmz

Regards,
Ge Moua | Email: moua0...@umn.edu
Network Design Engineer
University of Minnesota | Networking Telecommunications Services

chloe K wrote:
> Hi all
>
> I enable the http and snmp community in dmz 192 network
>
>   http server enable
>   http 192.168.0.0 255.255.255.0 dmz
>   snmp-server community aaa
>
> but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0 network
>
> What am I doing wrong?
>
> Thank you
Re: [c-nsp] PIX question
Thank you for your doc info

You mean I have to put access-list before http and snmp can work

  access-list ANY extended permit ip any any
  access-group ANY in interface dmz

Is it OK?

One question, why are the telnet and ssh working now?

Thank you again

Brad Hedlund brhed...@cisco.com wrote:
> On 1/9/09 1:05 PM, chloe K wrote:
>> Hi all
>>
>> I enable the http and snmp community in dmz 192 network
>>
>>   http server enable
>>   http 192.168.0.0 255.255.255.0 dmz
>>   snmp-server community aaa
>>
>> but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0 network
>>
>> What am I doing wrong?
>
> What you have done is enable the PIX itself to be managed via HTTP and allowed hosts on the 192.168.0.0 DMZ to manage the PIX with HTTP. You have also turned on SNMP management of the PIX itself.
>
> If you want the PIX to pass HTTP and SNMP traffic to the hosts on the 192.168.0.0 network you will need to allow that traffic in an access list applied to the appropriate interfaces. Like this:
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/nwaccess.html
>
> Hope this helps.
>
> Cheers,
> Brad Hedlund
> bhedl...@cisco.com
> http://www.internetworkexpert.org
Re: [c-nsp] PIX question
Thank you for your doc info

You mean I have to put access-list before http and snmp can work

  access-list ANY extended permit ip any any
  access-group ANY in interface dmz

Is it OK?

One question, why are the telnet and ssh working?

Thank you again

Brad Hedlund brhed...@cisco.com wrote:
> On 1/9/09 1:05 PM, chloe K wrote:
>> Hi all
>>
>> I enable the http and snmp community in dmz 192 network
>>
>>   http server enable
>>   http 192.168.0.0 255.255.255.0 dmz
>>   snmp-server community aaa
>>
>> but I can't access both (httpd and snmpwalk) in any hosts of 192.168.0.0 network
>>
>> What am I doing wrong?
>
> What you have done is enable the PIX itself to be managed via HTTP and allowed hosts on the 192.168.0.0 DMZ to manage the PIX with HTTP. You have also turned on SNMP management of the PIX itself.
>
> If you want the PIX to pass HTTP and SNMP traffic to the hosts on the 192.168.0.0 network you will need to allow that traffic in an access list applied to the appropriate interfaces. Like this:
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/nwaccess.html
>
> Hope this helps.
>
> Cheers,
> Brad Hedlund
> bhedl...@cisco.com
> http://www.internetworkexpert.org
Re: [c-nsp] TLU/PLU memory on engine 2 line card (12000)
Hi Drew,

PLU (pointer lookup) and TLU (table lookup) are memory used by the layer 3 ASIC. It contains your FIB/MFIB/LFIB data (read: your CEF and labels). The packet memory keeps - the packet :-)

> By user serviceable do they mean that you just can't upgrade them?

By non-user-upgradable, correct, you cannot upgrade it. Not sure what happens if you try it but likely the card refuses to work.

Regards,
Marc

On 9-Jan-09, at 12:28 PM, Drew Weaver wrote:
> I know that the packet RAM and route RAM are different, but what is the difference between TLU/PLU memory and packet memory? I was just upgrading an E2 card and noticed that on the diagram it specifically indicates that slot 7 (PLU) and slot 8 (TLU) are not user serviceable, but all 6 of the DIMMs (appear to be) identical. By user serviceable do they mean that you just can't upgrade them?
>
> Thanks,
> -Drew
Re: [c-nsp] PIX question
On 1/9/09 2:41 PM, chloe K chloekcy2...@yahoo.ca wrote:
> One question, why are the telnet and ssh working?
> You mean I have to put access-list before http and snmp can work

OK. I may have misunderstood your original question. It now sounds like you are trying to enable management of the PIX with HTTPS and SNMP and it is not working.

No, you do not need to configure an access-list to allow management traffic to the PIX.

Secondly, even though you are typing 'http server enable', you can only manage the PIX/ASA with HTTPS. So try accessing the PIX with https:// not http://

For SNMP to work you might be missing the command 'snmp server enable'

This should help:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html

Cheers,
Brad Hedlund
bhedl...@cisco.com
http://www.internetworkexpert.org
Re: [c-nsp] cisco-nsp Digest, Vol 74, Issue 20
Hi Eric,

There are a few basic things that should be checked first. I don't mean to insult anyone, but I sometimes overlook some simple steps when I dive into a problem.

First, ensure you have the latest software (as HP calls it) running on the switch. This is freely available from the Procurve website (no login is needed).

Second, console into the switch and see if you can ping the DHCP server from the command prompt. If you cannot, then the switch does not know how to reach the DHCP server.

Finally, check to see that you have the proper route for the VLAN on the switch. For example on our core 8212zl, I have to add the following statement for each VLAN:

  vlan 800
   ip ospf 192.168.0.1 area 0.0.0.1
   exit

Obviously this is the statement used for OSPF on an 8212zl, so your config might be different (particularly if you're using a different routing protocol).

- Chris

> Date: Thu, 8 Jan 2009 13:52:50 -0800
> From: Eric Cables ecab...@gmail.com
> Subject: [c-nsp] Procurve DHCP relay question
> To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
> Message-ID: d5c7ccac0901081352w1e492fadg61d3edbdc1fcc...@mail.gmail.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the core, so sorry if this e-mail is off topic. I am having a hard time getting DHCP relay to work, and was hoping someone with HP experience could chime in with some assistance. I've created a new VLAN, and have specified a helper-address to point to a DHCP server that manages dozens of scopes. The new VLAN functions fine, assuming users are given a static address, but DHCP does not appear to work at all.
>
> To troubleshoot I pointed the helper-address to a system with Wireshark, but I don't see any requests coming in when a user on the new VLAN requests a new DHCP address, indicating that the request is not being forwarded properly. Is there any debugging available on the procurve to troubleshoot this further?
>
> I've read a number of documents describing how to configure DHCP relay on a procurve, and as far as I can tell the recommendations match my configuration. Here are the features enabled on the 2848:
>
> - 'ip routing' is enabled
> - 'dhcp-relay' does not show in a 'show run', indicating it is enabled (the default)
> - A 'ip helper-address x.x.x.x' statement is configured on the VLAN interface
> - There is a route back to the destination helper-address
> - Connectivity works on the VLAN in question, assuming users are statically configured
>
> Any advice would be appreciated..
>
> --
> Eric Cables
[c-nsp] Logical Router Segmentation
I am looking for a bit of guidance on logically segmenting an existing router.

Currently I have a core network router that has fiber connections to all of our buildings. Each building is in its own VLAN. We run OSPF on the router and all VLANs are in the same area 0.0.0.1.

In the future things are going to change, one of which will be our ISP. So we will have two fiber connections to the outside world. One will go to the internet via a yet to be named ISP, while the other will go to an external entity that provides some services to us.

Since money is tight right now, I want to try to use our current hardware for the new setup. What I am unsure about is how everything would be set up. I know that the two external connections will be in their own VLAN, but it is the routing part that I am trying to wrap my head around. Would we have to run a separate routing instance for the two external connections? I ask this because once the outbound traffic makes it past our firewall, the router is going to have to make a decision on if the traffic should be routed to the external entity or to the internet. Would we be able to accomplish this with our current routing setup?

The setup will be the two external connections on their own VLAN. A third connection will also be a part of that VLAN, and this will provide the outside link on our firewall. From there the firewall will connect to another port on our internal network (which is again on its own VLAN, but this VLAN is part of our internal OSPF area). So outbound traffic would travel into the internal interface on the firewall, out the external interface and back into our core router. From here the decision needs to be made on what link the packet should be forwarded out of.

I appreciate any help!

- Chris
Re: [c-nsp] cisco-nsp Digest, Vol 74, Issue 20
I haven't updated the sw yet, maybe that will yield some results. I have confirmed that I can ping the DHCP server from the switch, and vice versa. I'll check out the software image, and see how behind it is.

Thanks for the tips..

--
Eric Cables

On Fri, Jan 9, 2009 at 3:30 PM, Chris Burwell cburw...@gmail.com wrote:
> Hi Eric,
>
> There are a few basic things that should be checked first. I don't mean to insult anyone, but I sometimes overlook some simple steps when I dive into a problem.
>
> First, ensure you have the latest software (as HP calls it) running on the switch. This is freely available from the Procurve website (no login is needed).
>
> Second, console into the switch and see if you can ping the DHCP server from the command prompt. If you cannot, then the switch does not know how to reach the DHCP server.
>
> Finally, check to see that you have the proper route for the VLAN on the switch. For example on our core 8212zl, I have to add the following statement for each VLAN:
>
>   vlan 800
>    ip ospf 192.168.0.1 area 0.0.0.1
>    exit
>
> Obviously this is the statement used for OSPF on an 8212zl, so your config might be different (particularly if you're using a different routing protocol).
>
> - Chris
>
>> Date: Thu, 8 Jan 2009 13:52:50 -0800
>> From: Eric Cables ecab...@gmail.com
>> Subject: [c-nsp] Procurve DHCP relay question
>> To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
>> Message-ID: d5c7ccac0901081352w1e492fadg61d3edbdc1fcc...@mail.gmail.com
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> I'm in the middle of a transition from HP -> Cisco, with an HP 2848 as the core, so sorry if this e-mail is off topic. I am having a hard time getting DHCP relay to work, and was hoping someone with HP experience could chime in with some assistance. I've created a new VLAN, and have specified a helper-address to point to a DHCP server that manages dozens of scopes. The new VLAN functions fine, assuming users are given a static address, but DHCP does not appear to work at all.
>>
>> To troubleshoot I pointed the helper-address to a system with Wireshark, but I don't see any requests coming in when a user on the new VLAN requests a new DHCP address, indicating that the request is not being forwarded properly. Is there any debugging available on the procurve to troubleshoot this further?
>>
>> I've read a number of documents describing how to configure DHCP relay on a procurve, and as far as I can tell the recommendations match my configuration. Here are the features enabled on the 2848:
>>
>> - 'ip routing' is enabled
>> - 'dhcp-relay' does not show in a 'show run', indicating it is enabled (the default)
>> - A 'ip helper-address x.x.x.x' statement is configured on the VLAN interface
>> - There is a route back to the destination helper-address
>> - Connectivity works on the VLAN in question, assuming users are statically configured
>>
>> Any advice would be appreciated..
>>
>> --
>> Eric Cables
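As an added example for this DHCP relay thread (code written here, not from the list or from HP), what `ip helper-address` does to a client's DHCPDISCOVER and therefore what a capture at the helper should show: the relay re-sends the broadcast as unicast from its VLAN interface address, with that address stamped in giaddr and hops incremented, so a packet arriving with giaddr 0.0.0.0 or from another source was not relayed. The VLAN and helper addresses are the ones from Jeremy's 5400 snippet; the client MAC, xid and the hop limit of 4 are constructed assumptions.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 951/2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)       # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00" * 4


def build_discover(mac, xid):
    """A client's DHCPDISCOVER as it leaves the NIC: broadcast flag set,
    giaddr zero, hops zero. Constructed sample input."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    # Option 53 (message type) = 1 (DISCOVER), then the end-of-options marker.
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def parse_bootp(payload):
    """Decode the fields a capture at the helper address lets you check."""
    f = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]),
    }


def relay(payload, vlan_ip, helper_ip, max_hops=4):
    """What the relay does to a DHCP broadcast heard on a VLAN interface.
    Returns the unicast datagram to send to the helper, or None if the hop
    limit (4 assumed here; real relays make it configurable) drops it."""
    f = list(struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN]))
    if f[3] >= max_hops:
        return None
    f[3] += 1                                # one more relay in the path
    if f[10] == ZERO_IP:                     # first relay stamps its own interface address
        f[10] = ipaddress.IPv4Address(vlan_ip).packed
    return {"src": vlan_ip, "dst": helper_ip, "sport": 67, "dport": 67,
            "payload": struct.pack(BOOTP_FMT, *f) + payload[BOOTP_LEN:]}


def relay_looks_correct(datagram, vlan_ip):
    """Check a datagram seen at the helper: it must be unicast from the relay's
    VLAN address and carry that address in giaddr, or the server can neither
    pick a scope nor know where to send the offer."""
    info = parse_bootp(datagram["payload"])
    return (datagram["src"] == vlan_ip and info["giaddr"] == vlan_ip
            and info["hops"] > 0)
```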
Re: [c-nsp] Logical Router Segmentation
On 1/9/09 5:52 PM, Chris Burwell cburw...@gmail.com wrote:
> I am looking for a bit of guidance on logically segmenting an existing router.
> I appreciate any help!

Chris,
I think it would help if you drew this up in a Visio, saved it as a PDF, and uploaded it to a URL for folks to look at as they read your overview and questions.

Cheers,
Brad Hedlund
bhedl...@cisco.com
http://www.internetworkexpert.org
Re: [c-nsp] PIX question
Yes. you are right it works now. https works fine

But I can't logon in http as user pix and pw. Do I need to do anything?

snmp works fine. But I can't get CPU info in cacti? It only shows the interface. Do you have any idea?

Thank you again

Brad Hedlund brhed...@cisco.com wrote:
> On 1/9/09 2:41 PM, chloe K wrote:
>> One question, why are the telnet and ssh working?
>> You mean I have to put access-list before http and snmp can work
>
> OK. I may have misunderstood your original question. It now sounds like you are trying to enable management of the PIX with HTTPS and SNMP and it is not working.
>
> No, you do not need to configure an access-list to allow management traffic to the PIX.
>
> Secondly, even though you are typing 'http server enable', you can only manage the PIX/ASA with HTTPS. So try accessing the PIX with https:// not http://
>
> For SNMP to work you might be missing the command 'snmp server enable'
>
> This should help:
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html
>
> Cheers,
> Brad Hedlund
> bhedl...@cisco.com
> http://www.internetworkexpert.org
Re: [c-nsp] Logical Router Segmentation
Brad,

Thank you for the suggestion!

http://www.hiddenone.net/Topology.pdf

That PDF has two pages. Page one represents our current topology and page two represents what I would like to do. The red lines on page two represent what would be outside of our network (the two connections).

- Chris

On Fri, Jan 9, 2009 at 7:10 PM, Brad Hedlund brhed...@cisco.com wrote:
> On 1/9/09 5:52 PM, Chris Burwell cburw...@gmail.com wrote:
>> I am looking for a bit of guidance on logically segmenting an existing router.
>> I appreciate any help!
>
> Chris,
> I think it would help if you drew this up in a Visio, saved it as a PDF, and uploaded it to a URL for folks to look at as they read your overview and questions.
>
> Cheers,
> Brad Hedlund
> bhedl...@cisco.com
> http://www.internetworkexpert.org
Re: [c-nsp] Logical Router Segmentation
On 1/9/09 8:54 PM, Chris Burwell cburw...@gmail.com wrote:
> http://www.hiddenone.net/Topology.pdf

Chris,
Thanks for the diagram. I can now visualize what you are trying to do.

For this to work as diagrammed you will need to create two separate routing instances on the District Router, one for internal, one for external. You would associate the internal VLANs to the internal instance, and the external connections and their respective VLANs to the external routing instance.

With a Cisco switch this would be easy to accomplish with a feature called VRF-Lite, which creates separate discrete routing table instances, and allows you to then define which VLANs and interfaces belong to which routing instances.

If the District Router is not Cisco, and does not support a feature like VRF-Lite, you might need to buy a separate L3 switch or router to support the external connections on the outside of the firewall. If a full BGP table is NOT required, you might be able to do this on the cheap, such as a Cisco 3560.

Cheers,
Brad Hedlund
bhedl...@cisco.com
http://www.internetworkexpert.org
Re: [c-nsp] Logical Router Segmentation
Chris,

Does your switch or router have VRF-lite in its feature set?

I had a similar problem wrapping my brain around layer-3 segmentation. What you describe seems similar in concept to problems I faced in the past couple of years. I found some docs at Cisco that were close to what I wanted to do, and they covered Policy-Based Routing and VRF as two solutions. A lot of what those documents talked about re. VRF was using either MPLS or GRE tunnels. That seemed a bit heavy for my campus LAN. So I found instead VRF-lite, which worked without all that MPLS and GRE stuff. I implemented VRF-lite in my core switch/routers because it was going to be easier to implement and maintain than PBR and traditional VRF.

Basically, VRF and VRF-lite create alternate independent RIBs (route tables) in your switch or router. Unless you configure some way to explicitly share or leak routes between each of them and your global table, they won't. So you could create a totally separate routing process (OSPF, BGP, static routes, whatever) that is independent of your main OSPF IGP.

As far as your existing internal OSPF, your switch/router's OSPF area 0 is an ASBR with a default route leading out to your content filter and firewall.

What you might do with this is to create a VRF definition for your external connections, including the one coming back from the outside of your firewall.

  ip vrf externalzone
   rd 111:222

Then put your group of external zone interfaces into it:

  int fa1/0
   ip vrf forwarding externalzone
   ip address 10.0.0.1 255.255.255.0
   exit
  int fa2/0
   ip vrf forwarding externalzone
   ip address 10.0.1.1 255.255.255.0
   exit
  int fa3/0
   ip vrf forwarding externalzone
   ip address 10.0.2.1 255.255.255.0
   exit

Then you set up your routing for the VRF. I'll show you OSPF and static routes.

  router ospf 333 vrf externalzone
   log-adjacency-changes
   capability vrf-lite
   area 0 stub no-summary
   passive-interface default
   network 10.0.0.0 0.0.0.255 area 0
   network 10.0.1.0 0.0.0.255 area 0
   network 10.0.2.0 0.0.0.255 area 0
   distribute-list deny-def-route out

  ip route vrf externalzone 0.0.0.0 0.0.0.0 uplink-1-farside-ip
  ip route vrf externalzone 0.0.0.0 0.0.0.0 uplink-2-farside-ip 20
  ip route vrf externalzone internal nets 10.0.2.2

It works for VLAN SVIs as well as L3 routed physical ports. Just make sure your switch/router has VRF-lite in its feature set.

If you have this feature available, here are some links to other web pages that can help you understand it better.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_qanda0900aecd804a16ae.html
http://www.cisco.com/en/US/netsol/ns658/networking_solutions_package.html
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080851cc6.pdf
http://www.ciscosystems.com/en/US/docs/optical/15000r4_0/ethernet/454/guide/vrf.pdf
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/cheatsheet.shtml

At 05:52 PM 1/9/2009, Chris Burwell wrote:
> I am looking for a bit of guidance on logically segmenting an existing router.
>
> Currently I have a core network router that has fiber connections to all of our buildings. Each building is in its own VLAN. We run OSPF on the router and all VLANs are in the same area 0.0.0.1.
>
> In the future things are going to change, one of which will be our ISP. So we will have two fiber connections to the outside world. One will go to the internet via a yet to be named ISP, while the other will go to an external entity that provides some services to us.
>
> Since money is tight right now, I want to try to use our current hardware for the new setup. What I am unsure about is how everything would be set up. I know that the two external connections will be in their own VLAN, but it is the routing part that I am trying to wrap my head around. Would we have to run a separate routing instance for the two external connections? I ask this because once the outbound traffic makes it past our firewall, the router is going to have to make a decision on if the traffic should be routed to the external entity or to the internet. Would we be able to accomplish this with our current routing setup?
>
> The setup will be the two external connections on their own VLAN. A third connection will also be a part of that VLAN, and this will provide the outside link on our firewall. From there the firewall will connect to another port on our internal network (which is again on its own VLAN, but this VLAN is part of our internal OSPF area). So outbound traffic would travel into the internal interface on the firewall, out the external interface and back into our core router. From here the decision needs to be made on what link the packet should be forwarded out of.
>
> I appreciate any help!
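As an added example, not from the post or from Cisco: a small model of what VRF-lite gives you, two independent RIBs on one box, each doing longest-prefix match with administrative distance as the tie-breaker, populated with the externalzone layout above. The interface names fa1/0 to fa3/0, their 10.0.x.0/24 nets and the firewall-outside next hop 10.0.2.2 are from the post; the far-side addresses 10.0.0.2 and 10.0.1.2, the firewall-inside address 10.30.0.2, the building nets 10.10.0.0/16 and 10.20.0.0/16 and the external entity's 172.16.0.0/12 are constructed placeholders.

```python
import ipaddress


class Rib:
    """One routing table. A route is (network, next hop, administrative
    distance); lookup is longest-prefix match, and between equal prefixes the
    lower distance wins, which is how IOS chooses between the two defaults in
    the config above (the second, with distance 20, is the floating backup)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, prefix, next_hop, distance=1):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, distance))

    def withdraw(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if (r[0], r[1]) != (net, next_hop)]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, distance in self.routes:
            if addr in net:
                rank = (net.prefixlen, -distance)
                if best is None or rank > best[0]:
                    best = (rank, next_hop)
        return best[1] if best else None


class Router:
    """A global table plus named VRFs. Each interface belongs to exactly one
    table (what `ip vrf forwarding` does) and a packet is looked up only in the
    table of the interface it arrived on; nothing leaks between tables unless
    a route explicitly says so."""

    def __init__(self):
        self.tables = {"global": Rib("global")}
        self.iface_vrf = {}

    def ip_vrf(self, name):
        self.tables[name] = Rib(name)

    def ip_vrf_forwarding(self, iface, vrf="global"):
        self.iface_vrf[iface] = vrf

    def ip_route(self, vrf, prefix, next_hop, distance=1):
        self.tables[vrf].add(prefix, next_hop, distance)

    def forward(self, ingress, dst):
        return self.tables[self.iface_vrf[ingress]].lookup(dst)


def build_district_router():
    """The two-instance District Router from the thread, constructed addresses."""
    r = Router()
    # Inside: building VLAN SVIs stay in the global table, whose only way out
    # is the firewall's inside leg.
    for iface, net in (("Vlan10", "10.10.0.0/16"), ("Vlan20", "10.20.0.0/16"),
                       ("Vlan30", "10.30.0.0/24")):
        r.ip_vrf_forwarding(iface, "global")
        r.ip_route("global", net, iface)                 # connected route
    r.ip_route("global", "0.0.0.0/0", "10.30.0.2")       # firewall inside
    # Outside: the externalzone VRF. fa1/0 = ISP uplink, fa2/0 = external
    # entity, fa3/0 = firewall outside.
    r.ip_vrf("externalzone")
    for iface, net in (("fa1/0", "10.0.0.0/24"), ("fa2/0", "10.0.1.0/24"),
                       ("fa3/0", "10.0.2.0/24")):
        r.ip_vrf_forwarding(iface, "externalzone")
        r.ip_route("externalzone", net, iface)           # connected route
    r.ip_route("externalzone", "0.0.0.0/0", "10.0.0.2")      # uplink 1, distance 1
    r.ip_route("externalzone", "0.0.0.0/0", "10.0.1.2", 20)  # uplink 2, floating backup
    r.ip_route("externalzone", "172.16.0.0/12", "10.0.1.2")  # external entity's services
    r.ip_route("externalzone", "10.0.0.0/8", "10.0.2.2")     # internal nets via firewall outside
    return r


if __name__ == "__main__":
    r = build_district_router()
    print(r.forward("fa3/0", "8.8.8.8"))       # 10.0.0.2: Internet via uplink 1
    print(r.forward("fa3/0", "172.16.5.5"))    # 10.0.1.2: external entity via uplink 2
    print(r.forward("fa1/0", "10.10.4.4"))     # 10.0.2.2: return traffic goes to the firewall
    print(r.forward("Vlan10", "8.8.8.8"))      # 10.30.0.2: inside never sees the uplinks
    r.tables["externalzone"].withdraw("0.0.0.0/0", "10.0.0.2")
    print(r.forward("fa3/0", "8.8.8.8"))       # 10.0.1.2: floating default takes over
```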