Question:
This is on an 881 router (Catalyst 3560V2).
I have this BVI1 interface with many VLANs.
How would I tell that BVI1:
- if traffic is going to Dialer0 (main DSL line), allow everything
- if traffic is going to Dialer1 (backup 1fl line), just allow things to the 10.10.10.10 IP
Answer:
Just to make it really clear what I was saying, we have the following as an example:
R2 is the default gateway for VLANs 10 and 20, with a host on each: 10.10.10.10 and 20.20.20.20.
We want everything to route via the 10.0.0.0 network (i.e. fa0/0) on R2, and if this fails it will switch over to fa0/1, which is the 20.0.0.0 network. But we will only allow the host 10.10.10.10 on VLAN 10 to be able to reach outbound to R1 on the 100.0.0.1 address via the secondary interface, in the case of primary link failure.
The config on R2 will show that there is tracking with IP SLAs, and will also show that there is an ACL to only allow host 10.10.10.10 to go via fa0/1 in the event of a primary link failure.
R2#show run
Building configuration...

Current configuration : 1348 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.1 source-interface FastEthernet0/0
ip sla monitor schedule 1 life forever start-time now
!
!
track 1 rtr 1 reachability
 delay down 2 up 2
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.0.0.2 255.255.255.0
 ip access-group ALLOW10 out
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 20.0.0.1 10
!
!
ip access-list extended ALLOW10
 permit ip host 10.10.10.10 any log
 deny ip any any log
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
R2#
Here we can see that the status of the track is 'up', and show ip route is showing the default route to be the primary link:
Just to test that ping is working, I will ping from the hosts 10.10.10.10 and 20.20.20.20 to 100.0.0.1.
Now I will fail the primary link by shutting down the interface fa0/0 on R1, and we'll see what happens on R2:
As you can see, the default route has changed to the secondary route because the track SLA changed state to down.
Now we'll go ahead and test our pings from SW1 (our hosts).
As you can see, the host 10.10.10.10 was permitted, but host 20.20.20.20 now gets unreachable. We'll see what is happening on R2 whilst we are doing the pings. Here is the output of 'debug ip packet':
This shows traffic from 10.10.10.10 being permitted, but 20.20.20.20 being denied.
Here is the deny for the other hosts.
So in summary, the tracking of the default route with the floating static route is required, and also just an extended ACL to ONLY allow traffic from 10.10.10.10 outbound via the secondary interface, in the case of primary failure.
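As an added illustration (not part of the thread), the Python below models R2's forwarding decision from the config above: it parses the interface addresses, the two default routes and the ALLOW10 ACL, then reports which link a packet from a given host leaves on and whether the egress ACL permits it, with track 1 up or down. The embedded config excerpt is constructed sample input, and `parse_config` and `permitted` are names chosen here.

```python
import ipaddress

# Constructed excerpt of R2's running-config from the answer (link addresses, routes, ACL).
R2_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
interface FastEthernet0/1
 ip address 20.0.0.2 255.255.255.0
 ip access-group ALLOW10 out
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 20.0.0.1 10
ip access-list extended ALLOW10
 permit ip host 10.10.10.10 any log
 deny ip any any log
"""

def parse_config(text):
    """Return (interfaces, routes, acls) parsed from an IOS running-config."""
    interfaces, routes, acls, section = {}, [], {}, None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "interface":                 # opens an interface block
            section = interfaces[p[1]] = {"net": None, "acl_out": None}
        elif p[:2] == ["ip", "access-list"]:    # opens a named ACL
            section = acls[p[3]] = []
        elif p[:2] == ["ip", "route"]:          # 'ip route 0/0 0/0 NEXTHOP [AD] [track N]'
            ad = int(p[5]) if len(p) > 5 and p[5].isdigit() else 1   # AD defaults to 1
            track = int(p[p.index("track") + 1]) if "track" in p else None
            routes.append({"next_hop": p[4], "ad": ad, "track": track})
        elif p[:2] == ["ip", "address"]:
            section["net"] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
        elif p[:2] == ["ip", "access-group"] and p[3] == "out":
            section["acl_out"] = p[2]
        elif p[0] in ("permit", "deny"):        # source-only: both entries use 'any' dst
            src = p[3] + "/32" if p[2] == "host" else "0.0.0.0/0"
            section.append((p[0], ipaddress.ip_network(src)))
    return interfaces, routes, acls

def permitted(cfg, src_ip, track_up):
    """Return (egress interface, allowed?) for a packet from src_ip leaving R2."""
    interfaces, routes, acls = cfg
    # A static route whose track object is down is withdrawn; lowest AD wins among the rest.
    live = [r for r in routes if r["track"] is None or track_up.get(r["track"])]
    nh = ipaddress.ip_address(min(live, key=lambda r: r["ad"])["next_hop"])
    out_if = next(n for n, i in interfaces.items() if i["net"] and nh in i["net"])
    acl = interfaces[out_if]["acl_out"]
    src = ipaddress.ip_address(src_ip)
    for action, net in acls.get(acl, []):
        if src in net:
            return out_if, action == "permit"
    return out_if, acl is None  # no ACL: pass; otherwise the implicit deny at the end of the ACL
```

With track 1 up both hosts leave via FastEthernet0/0 unfiltered; with it down, only 10.10.10.10 passes ALLOW10 on FastEthernet0/1, matching the debug output described above.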