OSPF - Backup Network

Answered Question
Jun 15th, 2009

Hi,



LAN Users are on VLAN#5

Web-Server on VLAN#10

Backup Network on VLAN#25


Lan_Users : 192.168.100.0/24

Web_server : 10.10.10.1/24

Backup Network : 192.168.1.0/24


OSPF configured

network 10.10.10.0 0.0.0.255

network 192.168.100.0 0.0.0.255



Backup Network is not configured in OSPF, but LAN_Users are still able to access the Backup_Network and ping it.


We don't want the Backup_Network VLAN to communicate with other VLANs.

Can someone help on this.



Jon Marshall Mon, 06/15/2009 - 02:37
Ronald


If the backup network L3 vlan interface is on the same switch as the LAN users L3 vlan interface, then it doesn't matter what you advertise into OSPF; they will still be able to communicate.


If you don't want the backup LAN to talk to anything else you have 2 choices -


1) remove the L3 vlan interface for vlan 25. But you don't say whether you need to access this vlan remotely?


2) use an acl on the backup network SVI eg.


access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255


int vlan 25

ip access-group 101 out


Jon

dario.didio Mon, 06/15/2009 - 02:37

Hi,


You can reach it because it is directly connected on your router.


If your Backup VLAN shouldn't be routed (if traffic is only Layer 2 local, i.e. the devices in this VLAN don't need a default gateway to communicate outside this VLAN), just remove the layer 3 interface from your router:


no interface vlan 25


Otherwise, put an ACL on interface vlan 25 to block traffic entering this VLAN.


HTH,

Dario

ronald.ramzy Mon, 06/15/2009 - 04:19

Hi,


The switch is a Cisco 4500 Series (L3).

All VLANs are configured on this switch.


configuration on Switch is:-


Interface vlan 25

description #BACKUP NETWORK#

ip address 192.168.1.1 255.255.255.0


Interface vlan 5

description #USER_Network#

ip address 192.168.100.1 255.255.255.0


Interface vlan 10

description #WEB_SERVER#

ip address 10.10.10.1 255.255.255.0


router ospf 15

network 10.10.10.0 0.0.0.255 area 0

network 192.168.100.0 0.0.0.255 area 0



Under the router OSPF process there is no network defined for 192.168.1.0 0.0.0.255.


So why can LAN Users access the Backup_Network?



Harold Ritter Mon, 06/15/2009 - 04:29
User Badges:
Ronald,


The router doesn't need any routing protocol to forward packets from one interface to another as these subnets are directly connected. Why do you need an ip address on interface vlan 25 if you don't need ip connectivity on this subnet, or do you?


Regards

ronald.ramzy Mon, 06/15/2009 - 04:41

Hi,

I am not really an expert, but reading from cisco documentation CD, I managed to fix bits and pieces.


So you mean, to avoid communication between VLANs, I should not have an IP on VLAN 25?



Correct Answer
dario.didio Mon, 06/15/2009 - 04:56

Hi,


you would need to configure your C4500 using the command:


interface vlan 25

ip address ....


only if the devices that are in VLAN25 need to communicate with devices outside VLAN 25.


If devices in VLAN25 only need to communicate with device inside VLAN25, you do not need to configure an interface vlan 25.


Regarding the question about what the reason is that other devices can communicate with devices in VLAN 25: because you configured an IP address on your C4500, the subnet is put into the routing table as "directly connected". This means that the C4500 has an IP address in VLAN 25 (directly connected).


Devices in other VLANs on your C4500 have this C4500 as default gateway. When they try to connect to an IP Address inside VLAN25, they use their default gateway, reach the C4500 which performs a routing table lookup, and finds that VLAN25 is directly connected and forwards traffic.


If you delete the interface VLAN 25


no interface vlan 25


the subnet is erased from the routing table and nobody outside VLAN25 is capable of communicating with devices inside VLAN25, like you want.


HTH,

Dario
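The forwarding decision Dario describes (a connected route exists for every SVI that has an address, whatever OSPF advertises) and the outbound ACL Jon proposes, as an added example that is not part of the original thread or the poster's C4500 configuration. It is a small Python model of the switch's routing-table lookup and egress ACL evaluation, using the VLAN numbers, subnets and ACL entries posted in the thread; the class and function names and the host addresses (192.168.100.50, 192.168.1.20, 172.16.0.9) are this example's own assumptions. It goes one step beyond the thread by also checking the reverse direction, from the backup VLAN toward the user VLAN, with the ACL in place.

```python
"""Toy model of a Cisco L3 switch's forwarding decision.

Added example, not the C4500 configuration from the thread. VLAN numbers,
subnets and ACL entries are the ones posted; classes, function names and
host addresses are this example's own assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    out_vlan: int
    source: str  # "connected" (from an SVI address) or "ospf" (learned from a peer)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class L3Switch:
    svis: dict[int, IPv4Network] = field(default_factory=dict)            # vlan -> SVI subnet
    ospf_networks: list[IPv4Network] = field(default_factory=list)        # 'network' statements
    ospf_learned: dict[IPv4Network, int] = field(default_factory=dict)    # prefix -> out vlan
    egress_acl: dict[int, list[AclEntry]] = field(default_factory=dict)   # vlan -> 'out' ACL

    def rib(self) -> list[Route]:
        # Every SVI with an address becomes a connected route, regardless of OSPF.
        # OSPF 'network' statements only control what is advertised to peers; the
        # only routes OSPF adds to the table are those learned from peers.
        routes = [Route(net, vlan, "connected") for vlan, net in self.svis.items()]
        routes += [Route(net, vlan, "ospf") for net, vlan in self.ospf_learned.items()]
        return routes

    def advertised_in_ospf(self, net: IPv4Network) -> bool:
        return net in self.ospf_networks

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        # Longest prefix wins; on a tie the lower administrative distance wins
        # (connected = 0, OSPF = 110).
        ad = {"connected": 0, "ospf": 110}
        matches = [r for r in self.rib() if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -ad[r.source]))

    def forward(self, src: IPv4Address, dst: IPv4Address) -> str:
        route = self.lookup(dst)
        if route is None:
            return "no route"
        verdict = f"forwarded via vlan {route.out_vlan} ({route.source})"
        acl = self.egress_acl.get(route.out_vlan)
        if not acl:
            return verdict
        for entry in acl:  # first matching entry wins
            if src in entry.src and dst in entry.dst:
                return verdict if entry.action == "permit" else "denied by acl"
        return "denied by acl (implicit deny)"  # IOS ACLs end with an implicit 'deny any'


def switch_as_posted() -> L3Switch:
    sw = L3Switch()
    sw.svis = {5: IPv4Network("192.168.100.0/24"),   # USER_Network
               10: IPv4Network("10.10.10.0/24"),     # WEB_SERVER
               25: IPv4Network("192.168.1.0/24")}    # BACKUP NETWORK
    sw.ospf_networks = [IPv4Network("10.10.10.0/24"), IPv4Network("192.168.100.0/24")]
    return sw


def scenario() -> dict[str, object]:
    user = IPv4Address("192.168.100.50")   # assumed host in VLAN 5
    backup = IPv4Address("192.168.1.20")   # assumed host in VLAN 25
    results: dict[str, object] = {}

    sw = switch_as_posted()
    results["advertised"] = sw.advertised_in_ospf(IPv4Network("192.168.1.0/24"))
    results["as_posted"] = sw.forward(user, backup)  # reachable despite no OSPF statement

    # Fix 1: 'no interface vlan 25' removes the connected route.
    no_svi = switch_as_posted()
    del no_svi.svis[25]
    results["svi_removed"] = no_svi.forward(user, backup)

    # Fix 2: access-list 101 applied 'out' on int vlan 25.
    acl = switch_as_posted()
    acl.egress_acl[25] = [
        AclEntry("deny", IPv4Network("192.168.100.0/24"), IPv4Network("192.168.1.0/24")),
        AclEntry("deny", IPv4Network("10.10.10.0/24"), IPv4Network("192.168.1.0/24")),
    ]
    results["acl"] = acl.forward(user, backup)
    # Any other source (assumed 172.16.0.9) hits the implicit deny: nothing routed reaches VLAN 25.
    results["acl_other_src"] = acl.forward(IPv4Address("172.16.0.9"), backup)
    # An 'out' ACL on vlan 25 says nothing about traffic leaving VLAN 25.
    results["from_backup_with_acl"] = acl.forward(backup, user)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Two things the model makes visible that are easy to miss in the thread. First, access-list 101 as posted contains only deny entries, so with the implicit deny at the end it blocks every routed packet into VLAN 25, not just the two subnets named; that is why the question of remote access to the backup VLAN matters before choosing this fix. Second, an ACL applied `out` on the VLAN 25 SVI filters only packets entering VLAN 25; hosts in VLAN 25 can still initiate traffic toward the user or web-server VLANs, so if the backup network must be isolated in both directions an `in` ACL on the same SVI (or removing the SVI altogether) is needed as well.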
