11-06-2003 12:48 AM - edited 03-02-2019 11:31 AM
I can ping both ends of the WAN link. These are connected switch to switch, Cat6509 to Cat3550-EMI. At the Cat6509 the IP address is 8.33.5.20/29 and at the Cat3550 it is 8.33.5.17/29.
I only want devices in a particular subnet, VLAN 416 (8.33.36.0/26) at the Cat6509 end, to use this line to talk to the 8.33.6.0/24 at the Cat3550 site.
How do I specify this and apply it to this particular VLAN?
Please help.
Thanks
11-06-2003 01:20 AM
Can you please paste the connectivity diagram here
(ex... 6509--Eth---3550)
which will give better idea on your requirement
11-06-2003 01:43 AM
Thanks
On the Cat6509 MSFC
interface Vlan200
 ! 1GB Line
 ip address 8.33.5.18 255.255.255.248
 no ip redirects
 standby 20 ip 8.33.5.20
 standby 20 priority 120
 standby 20 preempt
Cat6509 sh por 9/1
Port Name Status Vlan Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
9/1 Rem_Link connected 200 full 1000 1000BaseSX
This is the VLAN that needs access to the remote Site:
On Cat6509
interface Vlan416
 ! (particular vlan)
 ip address 8.33.36.27 255.255.255.240
 no ip redirects
 standby 16 ip 8.33.36.30
 standby 16 priority 120
 standby 16 preempt
On the Cat3550.
interface GigabitEthernet0/1
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ! 1GB Line
 ip address 8.33.5.17 255.255.255.248
 standby 19 priority 120
 standby 19 preempt
Cat6509 ---- Cat3550
Port 9/1---1GB Fiber Link---Int g0/1
ip 8.33.5.18 --------------ip 8.33.5.17
net 8.33.36.0 ---------------net 8.33.6.0
Thanks
11-06-2003 11:00 PM
Hi,
If your requirement stands as only the 8.33.36.0 network (on the 6500) should use the GIG link for talking to 8.33.6.0 (remote net on the 3550), just applying an outbound extended access-list on VLAN 200 would be enough.
On 6500--
------------------------------------------
ip access-list extended 100
 permit ip 8.33.36.0 0.0.0.255 8.33.6.0 0.0.0.255
interface Vlan200
 ip access-group 100 out
------------------------------------------
Here I have some queries regarding your setup.
1. Do you have any other link between the 3550 and the 6500?
2. You have configured HSRP in both the switches (3500 does not have a standby IP). Do you have any other L3 boxes at both the sides, else for what purpose are you using this?
regards
11-07-2003 12:08 AM
Thank you so very much.
Yes we have an existing 100Mb link between the 2 sites but this is going from router to router so we have
cat6509-cis3640-100MB-cisc3640-cat3350.
No, I did not configure HSRP in the 3550, as it is only one L3, not so?
Only the Cat6509 has the L3 boxes.
Thanks
11-07-2003 12:37 AM
The other way round, you can also do it this way.
1. You can have PBR on the 6500 applied to the inbound interface (VLAN 410) to use VLAN200 as the next-hop interface to reach the remote network from source 8.33.36.0/24 (outbound traffic to the remote N/W via the GIG link).
For all other traffic you may use the router link (100Mb) as the default link.
2. At the 3550, keep a static route via VLAN 200 to reach 8.33.36.0/24 (inbound traffic from the remote N/W via the GIG link).
Here, if you want redundancy, use the 100Mb as the second next-hop in the first case, and the router link as secondary using a floating static route in the second case.
11-07-2003 12:42 AM
I have tried the first suggestion as I want to keep it simple and then build on it.
But it came up with this
ip unreachables turned OFF on interface Vlan200 for Hardware ACL Assist
Any ideas?
11-07-2003 12:46 AM
Sorry
I have seen my mistake and corrected it. Please ignore the ip unreachable reply.
Thanks
11-07-2003 12:29 AM
Thanks a lot.
As we have 2 MSFCs on the Cat 6509, is it alright if I configure the access list on both MSFCs?
Thanks
11-07-2003 12:51 AM
I believe you can't make any changes on the 2nd MSFC if you have configured it in high availability mode.
You only have to configure the 1st MSFC. All configuration will get replicated to the 2nd MSFC automatically.
11-07-2003 07:33 AM
Thank you very much.
This is what I have finally configured, after going over and over it, as a test.
Configuration
Cat 6509
1. Put 1GB link into port 9/1, configure for VLAN 200.
2. Configure access list for
a. ip access-list extended 100
b. permit ip 8.33.36.28 0.0.0.0 8.33.6.6 0.0.0.0
3. Configure int vlan 200
4. ip access-group 100 out
1. Configure access list to deny this host to go via the 100 mb
a. ip access-list extended 300
b. deny ip 8.33.36.28 0.0.0.0 8.33.6.6 0.0.0.0
c. permit ip any any
2. conf t
int vlan 801 ( this is the vlan that has the 100MB line interface)
3. ip access-group 300 out
Sess 15
1. Configure int vlan 200
2. ip address 8.33.5.18 255.255.255.248
3. standby 20 ip 10.33.5.20
Sess 16
1. Configure int vlan 200
2. ip address 8.33.5.19 255.255.255.248
3. standby 20 ip 8.33.5.20
On Cat 3550
Conf t
1. VLAN database
2. add int vlan 200
3. ip address 8.33.5.17 255.255.255.248
Conf t
1. int g0/1
2. switchport access vlan 200
Conf t
ip route 10.33.36.28 255.255.255.255 8.33.5.20
Do you think this will work?
Thanks
11-07-2003 10:38 PM
Well, the idea is alright.
However, your ip route on the 3550 shows 10.33.36.28, which needs to be replaced with 8.33.36.28.
Moreover, this will work for only one host, 8.33.36.28.
As you mentioned in your very first question, for network 8.33.36.28/26 (SOURCE), 8.33.6.0 (DESTINATION), you need to modify the access-list wildcard mask on the 6500 and the corresponding route entry on the 3550.
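As an added example (not part of the thread or of any poster's configuration), the Python sketch below evaluates the ACL entries quoted in the thread the way IOS applies wildcard masks, including the implicit deny at the end of every ACL, and shows that 0.0.0.255 also matches sources outside 8.33.36.0/26 while 0.0.0.63 does not. The /26 and /24 prefixes come from the original question; the function names, the `ACL_SCOPED` entry and the test addresses are assumptions made for illustration.

```python
import ipaddress

def wildcard_for(prefix):
    """Cisco wildcard (inverse) mask for a CIDR prefix, e.g. /26 -> 0.0.0.63."""
    return str(ipaddress.ip_network(prefix).hostmask)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>'; 'any' is also accepted.
    Simplified: no 'host' keyword, ports or protocols other than ip."""
    action, _proto, *rest = line.split()
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        else:
            base, wc = (int(ipaddress.ip_address(x)) for x in rest[:2])
            fields.append((base, wc))
            rest = rest[2:]
    return action, fields[0], fields[1]

def _match(addr, base, wc):
    care = ~wc & 0xFFFFFFFF  # a 0 bit in the wildcard means "must match"
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _match(src, *s) and _match(dst, *d):
            return action
    return "deny"

# Entries quoted in the thread
ACL_NETWORK = ["permit ip 8.33.36.0 0.0.0.255 8.33.6.0 0.0.0.255"]
ACL_ONE_HOST = ["permit ip 8.33.36.28 0.0.0.0 8.33.6.6 0.0.0.0"]
# Constructed: same entry scoped to the /26 and /24 from the original question
ACL_SCOPED = ["permit ip 8.33.36.0 %s 8.33.6.0 %s"
              % (wildcard_for("8.33.36.0/26"), wildcard_for("8.33.6.0/24"))]

if __name__ == "__main__":
    # Constructed flows: inside the /26, outside the /26, unrelated source
    flows = [("8.33.36.28", "8.33.6.6"), ("8.33.36.100", "8.33.6.6"),
             ("8.33.40.1", "8.33.6.6")]
    for name, acl in [("0.0.0.255", ACL_NETWORK), ("one host", ACL_ONE_HOST),
                      ("/26 scoped", ACL_SCOPED)]:
        for src, dst in flows:
            print(f"{name:11} {src:12} -> {dst:9} {evaluate(acl, src, dst)}")
```

Running it prints one verdict per ACL and flow, which makes the over-match of the 0.0.0.255 entry and the single-host scope of the test ACL visible before anything is applied to an interface.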