Cisco Support Community
New Member

New Network Connection

I can ping both ends of the WAN link. These are connected switch to switch, Cat6509 to Cat3550-EMI. At the Cat6509 the IP address is 8.33.5.20/29 and at the Cat3550 it is 8.33.5.17/29.

I only want devices in a particular subnet, VLAN 416 (8.33.36.0/26) at the Cat6509 end, to use this line to talk to the 8.33.6.0/24 at the Cat3550 site.

How do I specify this and apply it to this particular VLAN?

Please help.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: New Network Connection

Hi,

If your requirement stands as only 8.33.36.0 network (on 6500) should use the GIG link for talking to 8.33.6.0 (remote net on 3550), just applying an outbound extended access-list on VLAN 200 would be enough.

On 6500--

------------------------------------------

IP access-list extended 100

permit IP 8.33.36.0 0.0.0.255 8.33.6.0 0.0.0.255

Interface VLAN 200

Ip access-group 100 out

------------------------------------------

Here I have some queries regarding your setup.

1. Do you have any other link between 3550 and 6500?

2. You have configured HSRP in both the switches (3500 does not have standby IP). Do you have any other L3 boxes at both the sides? Else, for what purpose are you using this?

regards

11 REPLIES
New Member

Re: New Network Connection

Can you please paste the connectivity diagram here

(ex... 6509--Eth---3550)

which will give a better idea of your requirement.

New Member

Re: New Network Connection

Thanks

On the Cat6509 MSFC

interface Vlan200

ip address 8.33.5.18 255.255.255.248 – 1GB Line

no ip redirects

standby 20 ip 8.33.5.20

standby 20 priority 120

standby 20 preempt

Cat6509 sh por 9/1

Port Name Status Vlan Duplex Speed Type

----- -------------------- ---------- ---------- ------ ----- ------------

9/1 Rem_Link connected 200 full 1000 1000BaseSX

This is the VLAN that needs access to the remote Site:

On Cat6509

interface Vlan416 (particular vlan)

ip address 8.33.36.27 255.255.255.240

no ip redirects

standby 16 ip 8.33.36.30

standby 16 priority 120

standby 16 preempt

On the Cat3550.

interface GigabitEthernet0/1

switchport access vlan 200

no ip address

!

interface Vlan200

ip address 8.33.5.17 255.255.255.248 – 1GB Line

standby 19 priority 120

standby 19 preempt

Cat6509 ---- Cat3550

Port 9/1---1GB Fiber Link---Int g0/1

ip 8.33.5.18 --------------ip 8.33.5.17

net 8.33.36.0 ---------------net 8.33.6.0

Thanks

New Member

Re: New Network Connection

Thank you so very much.

Yes, we have an existing 100Mb link between the 2 sites, but this is going from router to router, so we have

cat6509-cis3640-100MB-cisc3640-cat3350.

No, I did not configure HSRP in the 3550 as it is only one L3, not so?

Only the Cat6509 has the L3 boxes.

Thanks

New Member

Re: New Network Connection

The other way round, you can also do it this way.

1. You can have PBR in 6500 applied to the inbound interface (VLAN 410) to use VLAN200 as the next-hop interface to reach the remote network from source 8.33.36.0/24 (outbound traffic to remote N/W via GIG link).

For all other traffic you may use the router link (100Mb) as the default link.

2. At 3550 keep a static route via VLAN 200 to reach 8.33.36.0/24 (inbound traffic from remote NW via GIG link).

Here, if you want redundancy, use the 100Mb as the second next-hop in the first case, and the router link as secondary using a floating static route in the second case.

New Member

Re: New Network Connection

I have tried the first suggestion as I want to keep it simple and then build on it.

But it came up with this:

ip unreachables turned OFF on interface Vlan200 for Hardware ACL Assist

Any ideas?

New Member

Re: New Network Connection

Sorry

I have seen my mistake and corrected it. Please ignore the ip unreachable reply.

Thanks

New Member

Re: New Network Connection

Thanks a lot.

We have 2 MSFC on the Cat 6509. Is it all right if I configure the access list on both MSFC?

Thanks

New Member

Re: New Network Connection

I believe you can't make any changes in the 2nd MSFC if you have configured it in high availability mode.

You only have to configure the 1st MSFC. All configuration will get replicated to the 2nd MSFC automatically.

New Member

Re: New Network Connection

Thank you very much.

This is what I have finally configured, after going over and over it, as a test.

Configuration

Cat 6509

1. Put 1GB link into port 9/1, configure for VLAN 200.

2. Configure access list for

a. ip access-list extended 100

b. permit ip 8.33.36.28 0.0.0.0 8.33.6.6 0.0.0.0

3. Configure int vlan 200

4. ip access-group 100 out

1. Configure access list to deny this host to go via the 100 mb

a. ip access-list extended 300

b. deny ip 8.33.36.28 0.0.0.0 8.33.6.6 0.0.0.0

c. permit ip any any

2. conf t

int vlan 801 ( this is the vlan that has the 100MB line interface)

3. ip access-group 300 out

Sess 15

1. Configure int vlan 200

2. ip address 8.33.5.18 255.255.255.248

3. standby 20 ip 10.33.5.20

Sess 16

1. Configure int vlan 200

2. ip address 8.33.5.19 255.255.255.248

3. standby 20 ip 8.33.5.20

On Cat 3550

Conf t

1. VLAN database

2. add int vlan 200

3. ip address 8.33.5.17 255.255.255.248

Conf t

1. int g0/1

2. switchport access vlan 200

Conf t

ip route 10.33.36.28 255.255.255.255 8.33.5.20

Do you think this will work?

Thanks

New Member

Re: New Network Connection

Well, the idea is all right.

However, your ip route in 3550 shows 10.33.36.28, which needs to be replaced with 8.33.36.28.

Moreover, this will work for only one host, 8.33.36.28.

As you mentioned in your very first question for network 8.33.36.28/26 (SOURCE), 8.33.6.0 (DESTINATION), you need to modify the access-list wildcard mask in 6500 and the corresponding route entry in 3550.
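
As an added example (not part of any post in this thread), the Python sketch below evaluates the ACL entries posted above the way IOS matches wildcard masks, with the first match winning and an implicit deny at the end, to show which source hosts each mask admits. The `ACL_SLASH26` entry, the function names and the sample hosts are constructed for illustration.

```python
import ipaddress

def wildcard_for(network):
    """Return the IOS wildcard (inverse) mask for a CIDR network, e.g. /26 -> 0.0.0.63."""
    return str(ipaddress.ip_network(network).hostmask)

def wc_match(addr, base, wildcard):
    """Wildcard match: bits set in the wildcard are ignored, all other bits must equal base."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def evaluate(acl, src, dst):
    """Walk the entries top-down; the first match decides, otherwise implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wc_match(src, s_base, s_wc) and wc_match(dst, d_base, d_wc):
            return action
    return "deny"

# Entry from the accepted solution (wildcard 0.0.0.255 on the source)
ACL_POSTED_SUBNET = [("permit", "8.33.36.0", "0.0.0.255", "8.33.6.0", "0.0.0.255")]
# Entry from the final test configuration (single host to single host)
ACL_POSTED_HOST = [("permit", "8.33.36.28", "0.0.0.0", "8.33.6.6", "0.0.0.0")]
# Constructed: source narrowed to the /26 named in the original question
ACL_SLASH26 = [("permit", "8.33.36.0", wildcard_for("8.33.36.0/26"),
                "8.33.6.0", wildcard_for("8.33.6.0/24"))]

def report(src, dst):
    """Result of each ACL variant for one source/destination pair."""
    return {
        "posted_subnet": evaluate(ACL_POSTED_SUBNET, src, dst),
        "posted_host": evaluate(ACL_POSTED_HOST, src, dst),
        "slash26": evaluate(ACL_SLASH26, src, dst),
    }

if __name__ == "__main__":
    # Constructed sample flows: the test host, another /26 host,
    # a host outside the /26, and a source on the link subnet itself.
    for src in ("8.33.36.28", "8.33.36.40", "8.33.36.200", "8.33.5.18"):
        print(src, "-> 8.33.6.6", report(src, "8.33.6.6"))
```

The 0.0.0.255 source wildcard admits 8.33.36.200, which lies outside the /26 from the question, while the host entry admits only 8.33.36.28; anything not matched by a permit falls through to the implicit deny.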
