02-24-2007 11:16 AM - edited 03-05-2019 02:33 PM
I have an assignment where I need to design a network with 4 subnets and 50 hosts each.
For each of the subnets, I was going to use a 4500 series LAN switch with 2 WS-X4148-RJ cards. Now, if I use a router for each subnet, what router should I use to tie the 4 subnet routers together?
02-25-2007 02:02 AM
Hi
If you are trying to stop the other three subnets talking to your first subnet then you can use the following access-list (a named extended ACL; on IOS the numbered form "access-list <number> ..." does not accept a name):
ip access-list extended restrict
 deny ip 221.221.221.64 0.0.0.63 221.221.221.0 0.0.0.63
 deny ip 221.221.221.128 0.0.0.63 221.221.221.0 0.0.0.63
 deny ip 221.221.221.192 0.0.0.63 221.221.221.0 0.0.0.63
 permit ip any any
then apply the access-list to the relevant interface in the outbound direction, i.e.
 ip access-group restrict out
This will stop any traffic from your other three subnets going through to the first subnet and it would still allow your first subnet's outbound traffic. Note that this access-list is not stopping your first subnet talking to your other three subnets but the return traffic will be blocked.
HTH
Jon
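The following is an added example, not part of Jon's answer or of the original thread. It is a small Python model of how IOS evaluates an extended ACL (first matching entry wins, implicit deny at the end, wildcard mask bits set to 1 are "don't care") applied outbound on the HR VLAN interface, so the only packets it sees are the ones the router is about to forward into the HR subnet. The four /26 subnets are the ones posted in the thread; the sample host addresses, the `flows_into_hr` scenarios and the `established` variant (which admits TCP replies to sessions HR hosts opened, addressing the return-traffic caveat in the answer) are my assumptions and are labelled as such in the code.

```python
"""Wildcard-mask ACL checker for the HR-isolation design in this thread.

Added example, not from the original posts. Models Cisco IOS extended ACL
semantics: first matching entry wins, every ACL ends with an implicit deny,
and an ACL applied 'out' on the HR VLAN interface only sees packets the
router is about to forward INTO the HR subnet.
"""
import ipaddress
from dataclasses import dataclass

# Addressing plan from the thread: four /26s, HR is the first one.
SUBNETS = {
    "HR":   ("221.221.221.0",   "0.0.0.63"),
    "Sub2": ("221.221.221.64",  "0.0.0.63"),
    "Sub3": ("221.221.221.128", "0.0.0.63"),
    "Sub4": ("221.221.221.192", "0.0.0.63"),
}
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'; compare only the 0 bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches everything) or "tcp"
    src: tuple                  # (network, wildcard)
    dst: tuple
    established: bool = False   # TCP only: match packets with ACK or RST set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    ack: bool = False           # True for replies in an existing TCP session


def evaluate(acl, pkt) -> str:
    """Return 'permit' or 'deny' for pkt under acl, IOS-style first match."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def restrict_acl(hr="HR"):
    """The ACL from the accepted answer: deny the other subnets -> HR, permit the rest."""
    acl = [Ace("deny", "ip", SUBNETS[name], SUBNETS[hr]) for name in SUBNETS if name != hr]
    acl.append(Ace("permit", "ip", ANY, ANY))
    return acl


def restrict_acl_established(hr="HR"):
    """Assumed variant (not from the thread): let TCP replies to HR-initiated sessions in first."""
    return [Ace("permit", "tcp", ANY, SUBNETS[hr], established=True)] + restrict_acl(hr)


def to_ios(acl, name="restrict") -> str:
    """Render the ACL as IOS named extended ACL configuration."""
    lines = [f"ip access-list extended {name}"]
    for ace in acl:
        s = "any" if ace.src == ANY else f"{ace.src[0]} {ace.src[1]}"
        d = "any" if ace.dst == ANY else f"{ace.dst[0]} {ace.dst[1]}"
        est = " established" if ace.established else ""
        lines.append(f" {ace.action} {ace.proto} {s} {d}{est}")
    return "\n".join(lines)


def flows_into_hr(acl) -> dict:
    """Constructed sample flows the router would forward toward HR (hosts are assumed)."""
    hr_host, other_host = "221.221.221.10", "221.221.221.130"
    return {
        "Sub3 opens connection to HR": evaluate(acl, Packet(other_host, hr_host, "tcp", ack=False)),
        "reply to a session HR opened": evaluate(acl, Packet(other_host, hr_host, "tcp", ack=True)),
        "internet host to HR": evaluate(acl, Packet("198.51.100.7", hr_host, "tcp", ack=False)),
    }


if __name__ == "__main__":
    print(to_ios(restrict_acl()))
    print(flows_into_hr(restrict_acl()))
    print(to_ios(restrict_acl_established(), "restrict_v2"))
    print(flows_into_hr(restrict_acl_established()))
```

Running it shows the behaviour described in the answer: with the posted ACL both a connection from Sub3 to HR and the reply to a connection HR opened are denied, because a stateless ACL cannot tell them apart, while traffic from outside the four subnets still reaches HR through the final permit. The `established` variant admits the reply but only by checking TCP flags, so it is a convenience for a class design, not a substitute for a stateful firewall: any packet with ACK set passes it, and it does nothing for UDP or ICMP.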
02-24-2007 11:21 AM
You can use a router with subinterfaces and allow inter-VLAN routing. I think any router like the 2600, 3600, 2800 or the 3800 would do the job for you.
Since you are using a 4500, I would like to know what SUP engine you are using.
I think nowadays all the sup engines are L3 capable and hence all you need is to define VLANs and enable ip routing for inter-VLAN communication.
HTH, rate if it does
Narayan
02-24-2007 11:29 AM
I'm really in over my head. What do you mean by "sup engine"?
02-24-2007 02:21 PM
Hi
The modular switches like the 4500 & the 6500 are based on a chassis in which you can insert linecards or service modules. These chassis switches have something called a Supervisor Engine which is the "brains" of the switch.
In your 4500 chassis the supervisor engine should be in the top slot. Have a look at it and it should tell you what type it is eg
Sup 2+, Sup 3, Sup V.
Most of the more recent 4500 switches are also capable of routing so as Narayan has said you might be able to use your 4500 to do the routing.
HTH
Jon
02-24-2007 03:46 PM
I explained my situation too vaguely. I don't actually have any of this equipment. I need to design it on paper for a final term paper assignment for the class I am taking.
Here are the requirements that were set forth for this:
4 subnets, with 50 host addresses each.
One subnet will be the HR Department.
All inbound and outbound traffic from the other subnets will be denied access to the HR subnet.
Make sure to list where all static IP addresses will be placed, and the commands needed to create your Access List.
I have the subnets addresses figured out.
I can use the 4500 with one 48 port card each, (or two if I actually have to have 50 hosts on each subnet..).
It is trying to figure out what router to use at the top of each subnet and what router to tie the other four together.
PLEASE HELP ME
02-24-2007 04:13 PM
Basically, what is being stated is that the 4500 switch can, with the correct supervisor module, work as a router as well as a switch...and can route each subnet to the others or, in your case, also block a subnet from another. This eliminates the need for an external router (external to the 4500's supervisor module, that is). In the event the supervisor module for the 4500 isn't capable of routing, then you would need an external router to do the routing for you.
It sounds like you need to create VLAN interfaces on the router and some ACLs to isolate the HR network from the others. The ACLs might be tricky because the HR people might need some access to devices outside their network (i.e. domain controllers or file servers) but it isn't too complicated.
02-24-2007 04:25 PM
Thank you. Now I do remember that an ACL has to be specific to the router it resides on.
If I have individual WS-X4148-RJ 48 port cards plugged into the switch, then i can configure them separately?
And on one of the cards, I can specify an ACL?
02-24-2007 04:59 PM
Well, in this case, you would probably configure each port separately. Each port will be in the VLAN it is supposed to be in. Let's say HR is VLAN 10 and IT is VLAN 20, you might have 20 ports in VLAN 10 and 28 ports in VLAN 20 on a given module. Hosts on each VLAN cannot communicate with other VLANs unless they go through the router...which is where the ACLs would be placed and would come into play.
What you propose can easily be done on one router. The switch side would likely be five 48-port modules (assuming all hosts are connected to this switch) and one router, either integrated into the supervisor module or separate from the switch. Most of the 240 ports would be configured to be in one of the four VLANs (you'd have some ports left over). The ACLs would probably be a few permits to and from the HR subnet (for any external resources they need access to) and then a deny, and would be applied on the router to the VLAN interface for that VLAN.
02-24-2007 05:02 PM
Thanks Dan, let me work on this for a while and see what I come up with !!!
02-24-2007 05:04 PM
Feel free to email me any questions.
02-24-2007 10:21 PM
I can't figure out how to do the commands for an ACL list to protect the first subnet from the other three while still allowing the first one to have outbound traffic.
Here are the addresses:
Block    221.221.221.0
Subnet 1 221.221.221.0    hosts 221.221.221.1 - 221.221.221.62
Subnet 2 221.221.221.64   hosts 221.221.221.65 - 221.221.221.126
Subnet 3 221.221.221.128  hosts 221.221.221.129 - 221.221.221.190
Subnet 4 221.221.221.192  hosts 221.221.221.193 - 221.221.221.254
The specs of what I am designing are as follows:
(4) WS-X4548-GB-RJ45 - Cisco Catalyst 4500 Enhanced 48-Port 10/100/1000 Mod (RJ-45)
WS-C4507R Cisco Catalyst 4507R Chassis 7 slot Maximum 240 Ports
WS-X4013+ Cisco Catalyst 4500 Series Supervisor Engine II-Plus
Cisco IOS Software Release 12.1(19)EW or later
Can anyone help me with this, Please????
02-24-2007 11:40 PM
If this is a LAN, not a WAN, you don't need a router. The 4500 series switch is Layer 3 capable. Configure your switch with 5 different VLANs (1 VLAN for management purposes). Assign IP addresses to each VLAN. Enable routing on the switch and add ip route 0.0.0.0 0.0.0.0.