Student needs help

Answered Question
Feb 24th, 2007

I have an assignment where I need to design a network with 4 subnets and 50 hosts each.

For each of the subnets, I was going to use a 4500 series LAN switch with 2 WS-X4148-RJ cards. Now, if I use a router for each subnet, what router should I use to tie the 4 subnet routers together?

Correct Answer by Jon Marshall about 9 years 7 months ago

Hi

If you are trying to stop the other three subnets talking to your first subnet then you can use the following access-list

ip access-list extended restrict
 deny ip 221.221.221.64 0.0.0.63 221.221.221.0 0.0.0.63
 deny ip 221.221.221.128 0.0.0.63 221.221.221.0 0.0.0.63
 deny ip 221.221.221.192 0.0.0.63 221.221.221.0 0.0.0.63
 permit ip any any

then apply the access-list to the relevant interface in the outbound direction, i.e.

ip access-group restrict out

This will stop any traffic from your other three subnets going through to the first subnet and it would still allow your first subnet's outbound traffic. Note that this access-list is not stopping your first subnet talking to your other three subnets, but the return traffic will be blocked.

HTH

Jon
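As an added example that is not part of the thread or of any Cisco tooling, the small Python evaluator below applies Jon's wildcard-mask ACL as if it were bound outbound on the subnet 1 interface, showing which flows it drops and the return-traffic caveat he mentions; the server address used for Dan's "permit first, then deny" variant and the 198.51.100.5 outside host are assumptions.

```python
# Added example, not from the thread: evaluates Cisco wildcard-mask ACLs offline.
from ipaddress import IPv4Address

SUB1 = ("221.221.221.0", "0.0.0.63")
ANY = ("0.0.0.0", "255.255.255.255")  # what IOS expands "any" to

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

def forward(acl, src, dst):
    """Model 'ip access-group restrict out' on the subnet 1 interface: only
    packets leaving the router toward subnet 1 are checked; packets leaving
    via any other interface are forwarded unfiltered."""
    return evaluate(acl, src, dst) if wildcard_match(dst, *SUB1) else "permit"

# The ACL from the answer, as (action, (src, src-wildcard), (dst, dst-wildcard)).
RESTRICT = [
    ("deny", ("221.221.221.64", "0.0.0.63"), SUB1),
    ("deny", ("221.221.221.128", "0.0.0.63"), SUB1),
    ("deny", ("221.221.221.192", "0.0.0.63"), SUB1),
    ("permit", ANY, ANY),
]

# Dan's variant further down the thread: a permit for one server (hypothetical
# address in subnet 2) placed before the denies, so it is matched first.
SERVER = ("221.221.221.70", "0.0.0.0")
RESTRICT_WITH_SERVER = [("permit", SERVER, SUB1)] + RESTRICT

if __name__ == "__main__":
    hr, other = "221.221.221.10", "221.221.221.70"
    outside = "198.51.100.5"  # constructed "Internet" host, not from the thread
    print(forward(RESTRICT, other, hr))    # deny: subnet 2 cannot reach subnet 1
    print(forward(RESTRICT, hr, other))    # permit: subnet 1 outbound is not checked
    print(forward(RESTRICT, outside, hr))  # permit: not one of the three subnets
    # The caveat from the answer: the reply to subnet 1's own request comes back
    # from subnet 2, hits the same deny, and the conversation still fails.
    print(forward(RESTRICT_WITH_SERVER, other, hr))  # permit: server exception
```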

royalblues Sat, 02/24/2007 - 11:21

You can use a router with subinterfaces and allow inter-VLAN routing. I think any router like the 2600, 3600, 2800 or the 3800 would do the job for you.

Since you are using a 4500, I would like to know which SUP engine you are using.

I think nowadays all the sup engines are L3 capable and hence all you need is to define VLANs and enable IP routing for inter-VLAN communication.

HTH, rate if it does

Narayan

zboltman1 Sat, 02/24/2007 - 11:29

I'm really in over my head. What do you mean by "sup engine"?

Jon Marshall Sat, 02/24/2007 - 14:21

Hi

The modular switches like the 4500 & the 6500 are based on a chassis in which you can insert linecards or service modules. These chassis switches have something called a Supervisor Engine which is the "brains" of the switch.

In your 4500 chassis the supervisor engine should be in the top slot. Have a look at it and it should tell you what type it is, e.g. Sup 2+, Sup 3, Sup V.

Most of the more recent 4500 switches are also capable of routing so as Narayan has said you might be able to use your 4500 to do the routing.

HTH

Jon

zboltman1 Sat, 02/24/2007 - 15:46

I explained my situation too vaguely. I don't actually have any of this equipment. I need to design it on paper for a final term paper assignment for the class I am taking.

Here are the requirements that were set forth for this:

- with 4 subnets and 50 host addresses.
- One subnet will be the HR Department.
- All inbound and outbound traffic from the other subnets will be denied access to the HR subnet.
- Make sure to list where all static IP addresses will be placed, and the commands needed to create your access list.

I have the subnets addresses figured out.

I can use the 4500 with one 48-port card each (or two if I actually have to have 50 hosts on each subnet).

What I am trying to figure out is what router to use at the top of each subnet and what router to tie the other four together.

PLEASE HELP ME

Basically, what is being stated is that the 4500 switch can, with the correct supervisor module, work as a router as well as a switch...and can route each subnet to the others or, in your case, also block a subnet from another. This eliminates the need for an external router (external to the 4500's supervisor module, that is). In the event the supervisor module for the 4500 isn't capable of routing, then you would need an external router to do the routing for you.

It sounds like you need to create VLAN interfaces on the router and some ACLs to isolate the HR network from the others. The ACLs might be tricky because the HR people might need some access to devices outside their network (i.e. domain controllers or file servers), but it isn't too complicated.

zboltman1 Sat, 02/24/2007 - 16:25

Thank you. Now I do remember that an ACL has to be specific to the router it resides on.

If I have individual WS-X4148-RJ 48-port cards plugged into the switch, then I can configure them separately?

And on one of the cards, I can specify an ACL?

Well, in this case, you would probably configure each port separately. Each port will be in the VLAN it is supposed to be in. Let's say HR is VLAN 10 and IT is VLAN 20; you might have 20 ports in VLAN 10 and 28 ports in VLAN 20 on a given module. Hosts on each VLAN cannot communicate with other VLANs unless they go through the router, which is where the ACLs would be placed and would come into play.

What you propose can easily be done on one router. The switch side would likely be five 48-port modules (assuming all hosts are connected to this switch) and one router, either integrated into the supervisor module or separate from the switch. Most of the 240 ports would be configured to be in one of the four VLANs (you'd have some ports left over). The ACLs would probably be a few permits to and from the HR subnet (for any external resources they need access to) and then a deny, and would be applied on the router to the VLAN interface for that VLAN.

zboltman1 Sat, 02/24/2007 - 17:02

Thanks Dan, let me work on this for a while and see what I come up with !!!

zboltman1 Sat, 02/24/2007 - 22:21

I can't figure out how to do the commands for an ACL list to protect the first subnet from the other three while still allowing the first one to have outbound traffic.

Here are the addresses:

IP 221.221.221.0
Sub 1 221.221.221.0, hosts 221.221.221.1 - 62
Sub 2 221.221.221.64, hosts 221.221.221.65 - 126
Sub 3 221.221.221.128, hosts 221.221.221.129 - 190
Sub 4 221.221.221.192, hosts 221.221.221.193 - 254

The specs of what I am designing are as follows:

(4) WS-X4548-GB-RJ45 - Cisco Catalyst 4500 Enhanced 48-Port 10/100/1000 Mod (RJ-45)
WS-C4507R - Cisco Catalyst 4507R Chassis, 7 slot, maximum 240 ports
WS-X4013+ - Cisco Catalyst 4500 Series Supervisor Engine II-Plus
Cisco IOS Software Release 12.1(19)EW or later

Can anyone help me with this, Please????


rtford31 Sat, 02/24/2007 - 23:40

If this is a LAN and not a WAN you don't need a router. The 4500 series switch is Layer 3 capable. Configure your switch with 5 different VLANs (1 VLAN for management purposes). Assign IP addresses to each VLAN. Enable routing on the switch and add ip route 0.0.0.0 0.0.0.0 pointing to the internet.
