Preventing Routing

Discussion in 'Cisco' started by Matt, Jun 8, 2004.

  1. Matt

    Matt Guest

    Hi,
    With the following setup:

    interface FastEthernet0/0
    description Retell Tower interconnect with WQBR (16 block)
    ip address 192.168.5.1 255.255.255.0 secondary
    ip address 65.173.x1.2 255.255.255.0
    no ip unreachables
    no ip directed-broadcast
    arp timeout 1800
    !
    interface FastEthernet0/1
    description Retell 17 Block
    ip address 192.168.6.1 255.255.255.0 secondary
    ip address 65.173.x2.1 255.255.255.192
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    arp timeout 1800
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 65.173.x1.1
    no ip http server

    (Note I've obscured the real-world IP with the x.) Now, if
    someone is on the 65.173.x2.1 block and they type in a 192.168.5.x or
    192.168.6.x address, it connects very nicely. We don't want that.

    There are machines on both sides of the router: clients with 65
    addresses and radios with 192 addresses. We want to keep the customers
    from being able to see the radios, which until this router was put in
    place worked fine. Now the router is in place, and if you are on the
    x2.1 block you can nicely connect to either side of the radios (because
    the router nicely routes it hehehe). Is there any way to tell the router
    to ONLY route 192.168.6.x <--> 192.168.5.x to and from hosts that
    are also on that same subnet and NOT to route it to anything else (i.e.
    65.173.x2.x)?
     
    Matt, Jun 8, 2004
    #1

  2. Toby

    Toby Guest

    Hi

    If I've read the thread correctly you want to let the 192.168.x.x range talk
    to the 192.168.x.x only and the 65.173.x.x talk to the 65.173.x.x only.

    If this is the case then a simple access list (ACL) would suffice.

    From global config:
    access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 65.173.0.0 0.0.255.255 65.173.0.0 0.0.255.255

    and on each interface:
    ip access-group 101 in

    You would need other permit statements, though, if other source/destination
    addresses were involved in the routing.

    N.B. no deny statement has been given in the above, so all other traffic
    would be denied by default (explicit deny). Also note that the access list
    does not have to conform to the subnet masks applied to the interfaces and
    also follows the inverse function, i.e. 255.255.255.0 is a subnet mask and
    0.0.0.255 is a wildcard mask; both achieve the same goal, just in reverse.

    If you have a more complex arrangement then you may need to use a route map,
    but this would be better achieved by using sub-interfaces rather than
    secondary interfaces.

    Toby
     
    Toby, Jun 8, 2004
    #2

  3. Matt

    Matt Guest

    I want to allow the 192.168.x.x range to talk to itself, and I want to
    allow the 65.173.x.x range to talk to itself but ALSO to be able to get
    to the outside world. Currently the 65.173.x.x networks can get to the
    outside world via the default route, which hops to a gateway router.
    192.168.x.x does not need internet access; it just needs to talk to each
    other.

     
    Matt, Jun 9, 2004
    #3
  4. Toby

    Toby Guest

    Ok

    Your current config will not allow the 192.168.x.x from or to the internet
    anyway, as your ISP will block private addresses unless you are using NAT, so
    your main problem is the internal cross-talking between hosts and radios.

    You will need to use sub-interfaces in this case so that you can apply
    different access lists to the different sub-interfaces. You will need
    downtime on the interfaces to reconfigure, though.

    As I don't know your exact addressing scheme or interface type I have assumed
    Ethernet and 24-bit masks. I have used a sub-interface number that matches the
    first octet of the IP address, but this isn't a rule; use whatever you like.
    Also ignore any typos, as the following was not taken from a router but typed
    in freehand.

    interface Ethernet0
     no ip address
    !
    interface Ethernet0.192
     ip address 192.168.1.1 255.255.255.0
     ip access-group 101 in
    !
    interface Ethernet0.65
     ip address 65.173.1.1 255.255.255.0
     ip access-group 102 in
    !
    interface Ethernet1
     no ip address
    !
    interface Ethernet1.192
     ip address 192.168.2.1 255.255.255.0
     ip access-group 101 in
    !
    interface Ethernet1.65
     ip address 65.173.2.1 255.255.255.0
     ip access-group 102 in
    !
    access-list 101 deny ip any 65.173.0.0 0.0.255.255
    access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 102 deny ip any 192.168.0.0 0.0.255.255
    access-list 102 permit ip any any

    N.B. double check any routing entries to ensure they are still valid

    Toby
     
    Toby, Jun 9, 2004
    #4
  5. Toby

    Toby Guest

    Just checked over my post and found you didn't need the line

    access-list 101 deny ip any 65.173.0.0 0.0.255.255

    It would still have worked, as anything without a permit statement is
    automatically denied. Including the above in the config just makes things
    messy.

    Toby
     
    Toby, Jun 9, 2004
    #5
  6. Erik Tamminga

    Hi,

    Apart from using an access-list, what "radios" are we talking about?
    Aironet 350, 1100, 1200, something totally different?
    If you're using Aironet you can configure VLANs and position the management
    addresses in another network.

    Erik
     
    Erik Tamminga, Jun 9, 2004
    #6
  7. Matt

    Matt Guest

    We're talking about Alvarion gear. We use private addresses for radio
    management and give customers public addresses.

     
    Matt, Jun 9, 2004
    #7
  8. Matt

    Matt Guest

    Toby,
    How does one go about setting up the sub-interface? When I had tried
    to do that in the past it said I needed to set up VLANs and the whole #!
    and I didn't really want to do all that.

     
    Matt, Jun 9, 2004
    #8
  9. Toby

    Toby Guest

    Sorry, you're correct. Bugger!

    It does need VLANs. The only time I have tried to set up multiple address
    spaces over the Ethernet I have used VLANs, but I honestly thought it would
    work without them as long as no routing was needed between the
    sub-interfaces, which yours doesn't. Just tried it. AHhhhh.

    I have had another thought though.

    This method works (or should do) as it does not stop the 192.168.x.x traffic
    from entering the internet but relies on the fact that private addresses
    can't be carried over the internet (both source or destination) as the ISP
    has to block them to conform to the RFC (can't remember the RFC number, not
    that sad).

    access-list 101 deny ip 192.168.0.0 0.0.255.255 65.173.0.0 0.0.255.255
    access-list 101 deny ip 65.173.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip any any

    applied inbound on all interfaces with the above address spaces.

    I.e. 192 can not talk to 65 and vice versa, but both can access any other
    networks, apart from the internet, where the 192 range will be blocked by the
    ISP.

    The security conscious out there may be gasping, as we are preached never to
    trust anyone, even your service provider. This is true, so even though the
    above should work and no traffic should come from the Internet pointing to
    192.168.x.x, you may still want to block the 192.168.x.x range from trying to
    get to the Internet. The way I would do this is another access list, but
    placed on the Internet port, blocking any 192.168.x.x traffic in the outbound
    direction and possibly the inbound direction also if you were really untrusting.
    But I gather you are really concerned with the 65.173.x.x range accessing
    the 192.168.x.x range.

    Sometimes the simpler configs are the best after all.

    This is the greatness of newsgroups. If we don't mind looking like an ASS
    occasionally we all benefit from others' experience.

    Toby
     
    Toby, Jun 9, 2004
    #9
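The three ACL designs in this thread (Toby's first ACL in post #2, the per-sub-interface pair in post #4 with the redundant deny from post #5 dropped, and the cross-talk ACL in post #9) differ only in which direction of "any" they leave open, and the quickest way to see the consequences is to replay each against a few flows. The following is an added example, not code from the thread: a small Python evaluator for Cisco-style extended ACLs (first match wins, wildcard masks, implicit deny at the end). The flow addresses are constructed: 65.173.2.x stands in for Matt's obscured x2 customer block and 198.51.100.10 (a documentation address) for an internet host. The "side" a packet enters on models the interface or sub-interface carrying `ip access-group N in`; in post #4's design the public and private address spaces sit on different sub-interfaces and therefore see different ACLs.

```python
"""Cisco-style extended IP ACL evaluator (added example, not from the thread):
first match wins, wildcard masks (1 bit = don't care), implicit deny at end."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into
    {N: [(action, src, src_wc, dst, dst_wc), ...]}, preserving order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, src_wc = _parse_addr(rest)
        dst, dst_wc = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, src_wc, dst, dst_wc))
    return acls


def _match(addr, wildcard, packet_addr):
    care = ~wildcard & ALL_ONES  # bits that are 0 in the wildcard must be equal
    return (addr & care) == (packet_addr & care)


def evaluate(entries, src, dst):
    """Walk the ACL top-down; fall through to the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, a, a_wc, b, b_wc in entries:
        if _match(a, a_wc, s) and _match(b, b_wc, d):
            return action
    return "deny"


def decide(acl_text, inbound, ingress, src, dst):
    """inbound maps an ingress (sub-)interface to the ACL bound with
    'ip access-group N in'; an interface with no ACL forwards everything."""
    number = inbound.get(ingress)
    if number is None:
        return "permit"
    return evaluate(parse_acl(acl_text)[number], src, dst)


# Constructed flows (not from the thread). 65.173.2.x stands in for the obscured
# x2 customer block; 198.51.100.10 (RFC 5737 TEST-NET-2) for an internet host.
# Side "65" = public-address side, where upstream traffic also arrives;
# side "192" = radio-management side.
FLOWS = {
    "customer->radio": ("65", "65.173.2.10", "192.168.6.20"),
    "radio->radio": ("192", "192.168.5.20", "192.168.6.20"),
    "customer->internet": ("65", "65.173.2.10", "198.51.100.10"),
    "internet->radio": ("65", "198.51.100.10", "192.168.6.20"),
}

# The three designs from the thread, with each side's inbound ACL number.
DESIGNS = {
    "post2": ("""
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 65.173.0.0 0.0.255.255 65.173.0.0 0.0.255.255
""", {"65": "101", "192": "101"}),
    "post4": ("""
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
""", {"65": "102", "192": "101"}),
    "post9": ("""
access-list 101 deny ip 192.168.0.0 0.0.255.255 65.173.0.0 0.0.255.255
access-list 101 deny ip 65.173.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
""", {"65": "101", "192": "101"}),
}


def replay(design):
    """Return {flow name: 'permit' | 'deny'} for one design."""
    acl_text, inbound = DESIGNS[design]
    return {name: decide(acl_text, inbound, side, s, d)
            for name, (side, s, d) in FLOWS.items()}


if __name__ == "__main__":
    for design in DESIGNS:
        print(design, replay(design))
```

Replaying them shows why post #2's ACL cut the customers off from the default route (anything not explicitly permitted is dropped), why post #4's `deny ip any 192.168.0.0 0.0.255.255` on the public side also stops packets arriving from upstream, and that post #9's ACL permits an internet-sourced packet for 192.168.6.20 at this router: it relies on the ISP dropping RFC 1918 destinations, exactly the trust Toby flags. Two things no router ACL addresses: an access-group only filters what the router forwards, so a customer host that shares a segment with the radios (which secondary addressing guarantees) can give itself a 192.168.6.x address and reach them without crossing the router, which is why Erik's VLAN separation is the stronger fix; and after applying any of these, a few test pings followed by `show ip access-lists` will confirm the per-entry hit counters land where this walk-through says they should.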
  10. Matt

    Matt Guest

    Toby,
    Indeed this newsgroup is great for advice, help and suggestions.
    And that suggestion of blocking cross-network traffic sounds great; I'll try
    that tomorrow morning and see what happens. Yeah... 'cause neither
    network has any business really talking to the other, and only the 65
    needs to get to the outside world. We'll see what happens.

    Toby wrote:
    > Sorry your correct.Bugger!
    >
    > It does need VLAN's. The only time I have tried to set up multiple address
    > spaces over the Ethernet I have used VLAN's but honistly thought it would
    > work without them as long as no routing was needed between the
    > sub-interfaces, which yours doesn't.. Just tried it AHhhhh.
    >
    > I have had another thought though.
    >
    > This method works (or should do) as it does not stop the 192.168.x.x traffic
    > from entering the internet but relies on the fact that private addresses
    > can't be carried over the internet (both source or destination) as the ISP
    > has to block them to conform to the RFC (can't remember the RFC number not
    > that sad)
    >
    > access-list 101 deny ip 192.168.0.0 0.0.255.255 65.173.0.0 0.0.255.255
    > access-list 101 deny ip 65.173.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    > access-list 101 permit ip any any
    >
    > applied inbound on all interfaces with above address spaces.
    >
    > I.E. 192 can not talk to 65 and vice-versa but both can access any other
    > networks, apart from the internet where the 192 range will be blocked by the
    > ISP.
    >
    > The security conscious out there may be gasping as we are preached never
    > trust anyone even your service provider. This is true so even though the
    > above should work and no traffic should come from the Internet pointing to
    > 192.168.x.x you may still want to block the 192.168.x.x range from trying to
    > get to the Internet. The way I would do this is another access list but
    > placed on the Internet port blocking any 192.168.x.x traffic in the outbound
    > direction and possibly inbound directions also if you were really untrusting..
    > But I gather you are really concerned with the 65.173.x.x range accessing
    > the 192.168.x.x range.
    >
    > Sometimes the simpler configs are the best after all.
    >
    > This is the greatness of news groups. If we don't mind looking like an ASS
    > occasionally we all benefit from others experience.
    >
    > Toby
    >
    >
    > "Matt" <> wrote in message
    > news:...
    >
    >>Toby,
    >>How does one go about setting up the sub interface? When I had tried
    >>to do that in the past it said I needed to setup vlans and the whole #!
    >>and I didn't really want to do all that.
    >>

    >
    >
    >
     
    Matt, Jun 9, 2004
    #10
  11. Matt

    Toby Guest

    Great let me know how you get on.

    Toby

    "Matt" <> wrote in message
    news:...
    > Toby,
    > Indeed this newsgroup is great for advice, and help and suggestions.
    > And that suggestion of blocking cross-network traffic sounds great; I'll try
    > that tomorrow morning and see what happens. Yeah... cause neither
    > network has any business really talking to the other and only the 65
    > needs to get to the outside world.. we'll see what happens.
    >
     
    Toby, Jun 9, 2004
    #11