IP unnumbered and Cat6500

Answered Question
Feb 15th, 2010

Hello everyone! I have a task "as is" to have one IP network spanning multiple 6500 interfaces (every interface will be connected to a single department with a dummy switch on the remote side). In addition I need to have IP source guard or an equivalent feature to restrict static IP address assignments by users. The problem is I have quite old Sup2/MSFC2/PFC2 gear installed in the 6500. My first idea was to use native mode with s222-adventerprisek9_wan-mz.122-18.SXF17, but there is no IP source guard feature there (optionally I thought to use MAC ACL + IP ACL, which are dynamically filled with entries from a management station as eligible users come online). The second option was to use hybrid mode with cat6000-sup2cvk9.8-6-4.bin and c6msfc2-adventerprisek9_wan-mz.122-18.SXF6, which supports IP source guard but does not support ip unnumbered for VLAN SVIs.

So the question is: is there any option which allows a single IP network to span multiple L3/SVI interfaces in hybrid mode, or any option like IP source guard in native mode?

Correct Answer by Giuseppe Larosa, Mon, 02/15/2010 - 05:12

Hello Iurii,

If there is a dumb switch on the remote site there is little you can do to protect the users from themselves.

Features like IP source guard are effective if configured near the end user.

Put each remote site in a separate IP subnet; it is the best choice also for limiting unnecessary broadcast traffic.

Edit:

You could try to play with IRB putting all SVI vlan interfaces in the same bridge-group.

I think I used it for joining VLANs in a Sup2/MSFC2 with native IOS:

Also you can explore the use of Port ACLs; if supported, you could apply different ACLs to ports leading to different remote sites.

Hope to help

Giuseppe


iurii_andr Tue, 02/16/2010 - 00:24

Thank you Giuseppe for the clue, but that's what I found in the release notes for 12.1E (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/release/notes/OL_2310.html#wp218139):

"Integrated routing and bridging (IRB) and concurrent routing and bridging (CRB) have deliberately been disabled on the Catalyst 6500 series switches and Cisco 7600 Series Routers. You should use routable Layer 2 VLANs and VLAN interfaces for normal bridging and interVLAN routing. Bridge groups are supported only to bridge nonrouted protocols."

In addition to that I can say that I cannot separate clients seated on different 6500 interfaces into different subnets (customer caprice). Although almost all addresses are assigned by DHCP, there would be too many IP subnets and they are scared about it, plus "wise" clients who set addresses statically. So the solution must be seamless to the customer and preserve the current design ideas. Maybe there is another option to substitute either ip unnumbered in hybrid mode or IP source guard in native mode (I believe that for the last thing I can use a Port ACL to filter MACs and an IP ACL attached to the VLAN SVI to filter IPs). Thank you.
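The native-mode fallback discussed in this thread (Giuseppe's "Port ACL per remote-site port" suggestion and iurii's plan to filter MACs with a Port ACL and IPs with an IP ACL on the SVI) amounts to generating an allowlist from the management station's list of eligible users. The script below is an added example, not code from the thread or from Cisco: it validates a constructed feed of (6500 port, MAC, IP) rows, emits one MAC ACL per port plus one IP ACL for the shared SVI, and produces the `mac access-group` / `ip access-group` statements to apply them. It assumes the platform accepts `mac access-group` on the physical ports (the "if supported" caveat in the answer above) and uses the constructed names `Vlan100`, `ELIGIBLE-HOSTS` and the 192.0.2.0/24 documentation prefix. The point a practitioner should take from it is the limitation the code cannot remove: a MAC ACL and an IP ACL are evaluated independently, so unlike IP source guard they never bind a MAC to an IP, and a user behind the remote dummy switch can still present another eligible user's address.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the "eligible users" feed a management station might
# export, one row per (6500 port, user MAC, user IP). Not real data.
ELIGIBLE = [
    {"port": "GigabitEthernet3/1", "mac": "00:11:22:33:44:55", "ip": "192.0.2.10"},
    {"port": "GigabitEthernet3/1", "mac": "0011.2233.4466", "ip": "192.0.2.11"},
    {"port": "GigabitEthernet3/2", "mac": "00-11-22-33-44-77", "ip": "192.0.2.20"},
]
# Constructed: the single network shared by all departments.
SHARED_SUBNET = ipaddress.ip_network("192.0.2.0/24")


def normalize_mac(mac: str) -> str:
    """Return a MAC in the dotted form IOS prints (hhhh.hhhh.hhhh)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def validate(entries, subnet):
    """Reject malformed rows, addresses outside the shared subnet and duplicate
    MACs or IPs, so a bad feed cannot silently widen the allowlist."""
    seen_mac, seen_ip, clean = set(), set(), []
    for row in entries:
        mac = normalize_mac(row["mac"])
        ip = ipaddress.ip_address(row["ip"])
        if ip not in subnet:
            raise ValueError(f"{ip} is outside {subnet}")
        if mac in seen_mac or ip in seen_ip:
            raise ValueError(f"duplicate binding: {mac} / {ip}")
        seen_mac.add(mac)
        seen_ip.add(ip)
        clean.append({"port": row["port"], "mac": mac, "ip": str(ip)})
    return clean


def is_valid(entries, subnet) -> bool:
    """Boolean wrapper around validate() for callers that only need a verdict."""
    try:
        validate(entries, subnet)
        return True
    except ValueError:
        return False


def acl_name(port: str) -> str:
    """Derive an ACL name from the interface name ('/' is not safe in names)."""
    return "MAC-" + re.sub(r"[^A-Za-z0-9]", "-", port)


def build_port_mac_acls(entries):
    """One MAC ACL per 6500 port: permit each eligible MAC, deny everything else."""
    by_port = defaultdict(list)
    for row in entries:
        by_port[row["port"]].append(row["mac"])
    acls = {}
    for port, macs in sorted(by_port.items()):
        lines = [f"mac access-list extended {acl_name(port)}"]
        lines += [f" permit host {mac} any" for mac in sorted(macs)]
        lines.append(" deny any any")
        acls[port] = lines
    return acls


def build_svi_ip_acl(entries, name):
    """One IP ACL for the shared SVI: permit only eligible host addresses,
    log the rest so statically configured squatters show up in syslog."""
    ordered = sorted(entries, key=lambda r: ipaddress.ip_address(r["ip"]))
    lines = [f"ip access-list extended {name}"]
    lines += [f" permit ip host {row['ip']} any" for row in ordered]
    lines.append(" deny ip any any log")
    return lines


def render_config(entries, subnet, svi="Vlan100", ip_acl="ELIGIBLE-HOSTS"):
    """Full IOS snippet: ACL definitions first, then the interface bindings."""
    clean = validate(entries, subnet)
    mac_acls = build_port_mac_acls(clean)
    out = []
    for lines in mac_acls.values():
        out += lines + ["!"]
    out += build_svi_ip_acl(clean, ip_acl) + ["!"]
    for port in mac_acls:
        out += [f"interface {port}", f" mac access-group {acl_name(port)} in", "!"]
    out += [f"interface {svi}", f" ip access-group {ip_acl} in", "!"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_config(ELIGIBLE, SHARED_SUBNET))
```

Because the feed is regenerated whenever an eligible user appears or leaves, pushing the rendered snippet replaces the whole allowlist each time; the explicit `deny` lines at the end of each ACL are what keep an unlisted static address from passing, and the `log` keyword on the IP ACL gives the operators the evidence of who tried.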
