[c-nsp] Disable some routing

Bernd Ueberbacher noc at mynet.at
Mon Jun 11 09:04:12 EDT 2007


Hi there!

First of all, thanks for the replies!

You understood it right, this is exactly what I was looking for :-)
ACLs were on my mind, but first I thought of something different (VRF as
you wrote). After looking at the pros and cons I decided to use ACLs.
There are a few reasons that stand for it, instead of using VRF. In my
scenario ACLs would be way enough and VRF could be overkill for this
small configuration.

Another reason is that I don't want to implement something that I don't
really know. I hope it's not a shame if I say that I never used VRF
before. I'm young! :-p


Thanks again,
Bernd



On Wed, 2007-06-06 at 15:44 +0530, Jyotirmay Samanta wrote:
> I don't know if I have understood your scenario properly. But based on your
> description it looks like you also have one ip address from the office
> network in the router. Now as u correctly said it's a normal behavior and if
> you want to stop this u have two options.
> 
> 1. Put the office vlan interface in a different VRF (Virtual Routing
> Forwarding) instance - In case you don't need an Internet access out of this
> Office. For Intranet depending on your number of prefix you can do a route
> leaking.
> 2. Use ACL to block traffic from Office LAN segment to management segment.
> 
> Let me know if it answers your question.
> 
> 
> Thanks & Regards,
> Jyotirmay Samanta.
> Network Engineering
> Google Inc.
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bernd Ueberbacher
> Sent: Wednesday, June 06, 2007 3:17 PM
> To: cisco-nsp
> Subject: [c-nsp] Disable some routing
> 
> Hi there!
> 
> I've got a bit of a strange question...
> I have a small Cisco Router with some VLANs and a Catalyst behind. If I
> connect one office to the switch in a separate VLAN with an official IP
> address, the person can reach everything, but in my case (or the general
> case?) a bit too much. One VLAN on the switch and the Router is for
> management, with 10.0.0.0/24, but as the router is doing what it is
> supposed to do, he routes everything for this network, as the router
> also has an IP in this network. A person in the office can now ping,
> telnet, ... into my management network. If I remove the IP address from
> the router's VLAN, the problem is "solved", but not the way I want it to
> be solved *G* 
> 
> I hope you understand my problem, because it's somehow hard to explain
> and even harder to search for in google ;-)
> 
> 
> Thanks and have a nice day,
> Bernd
> 
> 
> 
> 
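
Option 2 from the reply above (an ACL between the office segment and the management segment), sketched as an IOS configuration. This is an added example, not configuration from either poster: the interface name Vlan20 and the ACL names OFFICE-IN and MGMT-ONLY are assumptions, and only the management prefix 10.0.0.0/24 comes from the thread.

```cisco
! Constructed example. Assumed names: Vlan20 (office VLAN interface),
! OFFICE-IN and MGMT-ONLY (ACL names). 10.0.0.0/24 is the management
! network mentioned in the thread.
!
! 1. Drop anything arriving from the office VLAN that is destined for the
!    management network. An inbound interface ACL also covers packets
!    addressed to the router's own 10.0.0.0/24 address.
ip access-list extended OFFICE-IN
 remark Office hosts must not reach the management network
 deny   ip any 10.0.0.0 0.0.0.255 log
 remark All other routed traffic is unchanged
 permit ip any any
!
interface Vlan20
 description Office VLAN (assumed interface name)
 ip access-group OFFICE-IN in
!
! 2. The router still answers telnet on its office-side address, which the
!    ACL above does not block. Limit VTY logins to management sources.
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-ONLY in
```

After applying it, `show ip access-lists OFFICE-IN` shows per-entry match counters, so a ping from an office host to a 10.0.0.0/24 address should increment the deny line.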


