Re: [nsp] Interface Routing

From: Eric Osborne (eosborne@cisco.com)
Date: Sat Jul 13 2002 - 10:52:35 EDT


On Fri, Jul 12, 2002 at 02:02:45PM -0400, Jared Mauch wrote:
> I suggest the ACL approach then.
>

or you could use VRFs

ip vrf foo
 rd <ASN:nn>
 route-target both <ASN:nn>

int s0
 ip vrf forwarding foo
 ip addr ...

int s1
 ip vrf forwarding foo
 ip addr ...

The advantage of doing it this way is that you don't have to know what
addresses are behind the serial interfaces; run a routing protocol in
them and let routing exchange happen normally.

The disadvantage is that if you don't understand VRFs already, it's a
new conceptual thing to stare at.

eric

> eg:
>
> interface serial 0
> ip access-group 101 in
> ip access-group 102 out
> interface serial 1
> ip access-group 103 in
> ip access-group 104 out
>
> ! access-list 101 denys interface serial1 ips but allows rest
> ! access-list 102 denys traffic from serial0 ips to serial1
> ! access-list 103 denys interface serial0 ips but allows rest
> ! access-list 104 denys traffic from serial1 ips to serial0
>
> You probally want all four to prevent any 'evil' activities.
>
> - Jared
>
> On Fri, Jul 12, 2002 at 01:54:19PM -0400, Stephane Gingras wrote:
> > Exactly,
> >
> > I whant ip routing enabled because I whant thes 2 interfaces to route with
> > the other interfaces. It just in between the 2 that I don't whant routing.
> > Do you have any example.
> >
> > Thank's
> >
> > -----Message d'origine-----
> > De : David Sinn [mailto:dsinn@microsoft.com]
> > Envoye : 12 juillet, 2002 13:33
> > A : Jared Mauch; Stephane Gingras
> > Cc : cisco-nsp@puck.nether.net
> > Objet : RE: [nsp] Interface Routing
> >
> >
> > I guess along the lines of Jared's response, I'd have to ask "To what
> > end?"
> >
> > If you want the box to just be on the networks in question and not do
> > anything else, then turning off routing will solve your problem.
> >
> > If you want to have two interfaces on a box and not allow any traffic to
> > go between them, but do allow it to others, then you should look at
> > ACL's.
> >
> > Also this assumes you are talking about IP routing.
> >
> > David
> >
> > -----Original Message-----
> > From: Jared Mauch [mailto:jared@puck.nether.net]
> > Sent: Friday, July 12, 2002 8:49 AM
> > To: Stephane Gingras
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [nsp] Interface Routing
> >
> >
> > conf t
> > no ip routing
> >
> >
> > - jared
> >
> > On Fri, Jul 12, 2002 at 11:31:22AM -0400, Stephane Gingras wrote:
> > > Hi all,
> > >
> > > I'm looking for a configuration example to be able to have 2
> > specifique
> > > interfaces/networks on 1 router to not be able to route between them.
> > >
> > > Thanks
> > >
> >
> > --
> > Jared Mauch | pgp key available via finger from jared@puck.nether.net
> > clue++; | http://puck.nether.net/~jared/ My statements are only
> > mine.
> >
> >
>
> --
> Jared Mauch | pgp key available via finger from jared@puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:49 EDT