[nsp] port security on 29xx switches

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Tue May 18 15:26:58 EDT 2004


Anybody know if port security is enabled on the 29xx series switches?


####################################
# delbert.hudson at losangeles.af.mil #
#        61cs/scbn, 3-0182         #
####################################


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Kristofer
Sigurdsson
Sent: Tuesday, May 18, 2004 11:09 AM
To: Chintan Shah
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Multihoming with Two ISP without BGP


Chintan Shah, Tue, May 18, 2004 at 10:42:04PM -0700 :
> 
> Dear All,
> 
> My Customer is having two different link with two different ISP for
> internet connectivity. Customer is having two different department one is
> Manufacturing and one software and he wants to keep dedicated line for
> Manufacture department with ISP1 and Software department with ISP 2. He is
> having Different IP block from ISP1 and ISP2.
> 
> Let's say ISP 1 - a.b.c.d/28 and from ISP 2 - p.q.r.s/28 block.
> 
> He is having one cisco 1700 series router with two WIC card (WAN card) and
> one Fast Ethernet card. Ethernet card is having multiple IP address each
> from a.b.c.d/28 and p.q.r.s/28 block so that request from any IP block will
> come to FastEthernet and then forwarded to WAN card.
> 
> To utilize dedicated connection with ISP 1 and ISP 2 for different
> department as per customer requirement, we have opted to use IP routing
> policy to define next hop using route-map with IP access list so that any
> request from block a.b.c.d/28 will be forwarded to ISP1 (Serial0) and from
> p.q.r.s/28 will be forwarded to ISP2 (serial1).
> 
> Now, customer wants some redundancy, as if any link goes down, let say
> ISP1 then Manufacture department should not suffer as already second link is
> working. Now, its require BGP Multihoming as request for internet from IP
> which is allocated by ISP1 to be forwarded to ISP2 and for that customer has
> to do BGP with both provider. But customer does not have AS number and don't
> want to go with this despite of lots of discussion and still wants
> redundancy.
> 
> So, we again suggested to do NAT with WAN IP allocated by ISP so that in
> case of ISP1 link will down, any request with source IP of ISP1 will be
> NATed through WAN IP of ISP2 and request will forwarded to ISP2 to provide
> uninterrupted Internet services and Return traffic will automatically come
> back via the same working link, because that link is the only link servicing
> that address range.
> 
> I hope above our solutions is workable, if you have any comment/suggestion,
> please most welcome.

You can indeed use the NAT solution, but I think you'd have to turn it on
manually, I can't recall any Cisco function that starts NAT'ing when a link
goes down...

> 
> But, I want to know that if now customer wants to run any Internet
> services on his end like Webserver or DNS server then with above solution Of
> course, this approach won't work if you're providing services to the outside
> world, as the addresses associated with the failed link will disappear from
> the Internet.
> 
> So what could be solution, if possible for above scenario.

Getting traffic from the user is not a problem.  You could even simply use
two default routes, one for each ISP.  If the ISPs agree to route both
networks and announce them to the Internet, this will not be a problem
(provided that the rest of the Internet accepts the route, which it most
likely will not, given the size of the networks).  However, making, say,
ISP1, stop announcing the route when its connection to your client goes down
is close to impossible, without running some kind of routing protocol between
the ISPs and your client.  You will have to do that.  Any routing protocol
will suffice.

These speculations are highly hypothetical, as announcing /28 routes to the
Internet will not work - they will simply be aggregated.  If ISP1 and ISP2
share upstream providers or peer between them, this is doable.  Do they?

-- 
Kristófer Sigurðsson                 Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfræðingur/Network specialist   Reiknistofnun HÍ/University of Iceland
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

