I have two main private subnets currently running off one FastEthernet interface on a Cisco 2621 router, with 10.1.1.251 and 10.1.4.251 being the primary and secondary gateway respectively.
Now I have a Cisco 3825 router with two GigabitEthernet interfaces, 0/0 and 0/1, and I want to have these two subnets off these two interfaces. I don't know if my two subnets will be able to talk to each other?
ip address 10.1.1.251 255.255.255.0
ip address 10.1.4.251 255.255.255.0 secondary
ip helper-address 10.1.1.21
ip policy route-map Main-outbound-hop2
!
ip route 10.1.4.0 255.255.255.0 10.1.1.10
ip route 10.1.5.0 255.255.255.0 10.1.1.10
ip route 10.5.1.0 255.255.255.0 10.222.222.2
ip route 18.104.22.168 255.255.255.255 10.222.222.2
Below is the ACL I use between these subnets. Please ignore the ip route statement for 10.1.2.0, which is meant to be isolated.
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 102 deny ip 10.1.4.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 102 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 102 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.5.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.4.0 0.0.0.255 any
access-list 102 permit ip 10.5.1.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 102 permit ip any any
Are you saying that you are having problems, or do you suspect that you might run into problems?
If you are having problems, can you post the config (after removing sensitive info) in its entirety so that we can quickly identify the problem.
I am asking if I will face any problems when I swap the routers and put each subnet on its own physical interface.
You cannot configure a route for a local interface, e.g. ip route 10.1.4.0 is the subnet of the secondary address of FE 0/1.
You can only configure a route if it is not present locally, i.e. the route behind the interface.
Please advise more information on the requirement and current design.
Hope this helps.
My concern is that when I put 10.1.1.0 on one interface and 10.1.4.0 on another, these two subnets won't talk to each other unless I define a route map and ACL. I posted the current config and wondered if the current route map and ACL will work with the new setup, i.e. 10.1.1.0 on one interface and 10.1.4.0 on another, and they need to talk to each other.
Also, when this is done, what would be the default gateway for the workstations and servers, since the DHCP server gives out IPs from both subnets?
Please let me know if more info is required.
You can very well go for two interfaces, and routing will work between the subnets without any additional configuration. However, your current routes are pointing to 10.1.1.10, which seems to be the IP address of the device that is doing the routing between these two subnets.
Please clarify what that is.
Thanks for responding.
10.1.1.10 is our firewall, which is defined as the next hop in the router's config. We have a remote office on 10.5.1.0 which is considered internal. So the firewall decides if the traffic is destined for that remote office or for the Internet.
To answer the other questions: yes, I am anticipating that if I put 10.1.4.0/24 on a separate physical interface then 10.1.1.0 and 10.1.4.0 won't talk to each other. Therefore I posted this to see if my current config, route-map and ACL will facilitate this or not after I replace the router. The problem is that we don't do any dynamic routing such as EIGRP or OSPF.
When you migrate from a single interface with two IPs to two interfaces with two IPs, it is fine to make this change. But you have to know how the new interface connects to the network.
Could you please advise how the router connects to the network and where 10.1.4.0 will connect to?
The main issue is that you have to define the return path for that traffic. Could you please provide a network diagram with IP addresses so that we can advise on the configuration.
For the ACL, I suggest separating it into two sets, one for the 10.1.1.0 interface and one for the 10.1.4.0 interface. It is easier to modify in future. I don't find any problem with the ACL you have set up. But you can remove all the permit statements and keep only the last one, "permit ip any any"; that is enough. The reason is that you only need to block the unwanted traffic, and you do not need the other permit lines if you have "permit ip any any" at the end. The "permit ip any any" already permits all traffic.
If you want 10.1.1.0 and 10.1.4.0 not to talk to each other, you can remove any related static route in the remote router. E.g. at the remote router connected to 10.1.4.0, remove the static route for 10.1.1.0, but keep 10.1.5.0 if there is a need. Then, if traffic goes to 10.1.1.0, it will be dropped because there is no route for that specific subnet.
Hope this helps.
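To check the claim above about the ACL, here is an added example (not code from the thread or from Cisco) that evaluates IOS-style extended ACL entries with first-match semantics and an implicit deny at the end. It loads access-list 102 exactly as posted, builds the reduced form (the four deny entries followed by "permit ip any any"), and verifies that both lists return the same verdict for a set of constructed sample flows. The flows, the reduced list and the helper names are assumptions for the example; the thread does not show the body of route-map Main-outbound-hop2, so the policy-routing interpretation at the end assumes that route-map matches ACL 102.

```python
"""Evaluate IOS extended ACL entries: first match wins, implicit deny at the end.

Added example, not from the original thread. ACL_102 is the list as posted;
ACL_REDUCED, the sample flows and all helper names are constructed here.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any IP protocol; otherwise e.g. "icmp"
    src: str      # "any" or "<network> <wildcard>"
    dst: str


def _matches(spec: str, addr: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & care) == \
           (int(ipaddress.IPv4Address(addr)) & care)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> <action> <proto> <src> <dst>' lines."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        action, proto, rest = toks[2], toks[3], toks[4:]
        endpoints = []
        while rest:                      # "any" is one token, net+wildcard is two
            if rest[0] == "any":
                endpoints.append("any"); rest = rest[1:]
            else:
                endpoints.append(f"{rest[0]} {rest[1]}"); rest = rest[2:]
        aces.append(Ace(action, proto, endpoints[0], endpoints[1]))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str,
             proto: str = "tcp") -> Tuple[str, Optional[int]]:
    """Return (verdict, index of matching entry); None index = implicit deny."""
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, i
    return "deny", None


def pbr_effect(verdict: str) -> str:
    """Under 'ip policy route-map', an ACL match means policy-routed to the
    route-map's next hop; a deny (or no match) means normal routing-table lookup.
    (Assumes the route-map matches this ACL; the thread does not show its body.)"""
    return "policy-routed to next hop" if verdict == "permit" else "normal routing table"


ACL_102 = parse_acl("""
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 102 deny ip 10.1.4.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 102 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 102 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.5.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.4.0 0.0.0.255 any
access-list 102 permit ip 10.5.1.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 102 permit ip any any
""")

# The reduced list proposed in the reply: keep the denies, one catch-all permit.
ACL_REDUCED = ACL_102[:4] + [Ace("permit", "ip", "any", "any")]

# Constructed sample flows: (src, dst, proto)
SAMPLE_FLOWS = [
    ("10.1.1.50", "10.1.4.60", "tcp"),    # between the two main subnets
    ("10.1.4.60", "10.1.1.50", "tcp"),
    ("10.1.1.50", "10.5.1.10", "tcp"),    # to the remote office
    ("10.5.1.10", "10.1.1.50", "tcp"),    # from the remote office
    ("10.1.1.50", "8.8.8.8", "tcp"),      # Internet-bound
    ("192.168.9.9", "10.1.4.1", "icmp"),  # unrelated source, ICMP
]


def same_verdicts(a: List[Ace], b: List[Ace], flows=SAMPLE_FLOWS) -> bool:
    """True when both lists give the same permit/deny for every flow."""
    return all(evaluate(a, s, d, p)[0] == evaluate(b, s, d, p)[0]
               for s, d, p in flows)


if __name__ == "__main__":
    for s, d, p in SAMPLE_FLOWS:
        verdict, idx = evaluate(ACL_102, s, d, p)
        print(f"{s:>12} -> {d:<12} {p:<4} {verdict:<6} (entry {idx}) -> {pbr_effect(verdict)}")
    print("reduced list equivalent:", same_verdicts(ACL_102, ACL_REDUCED))
```

The equivalence holds because every explicit permit in the posted list is only reachable by traffic that the catch-all would permit anyway. Note the other half of the picture: the four deny entries at the top are what keep 10.1.1.0/24 to 10.1.4.0/24 traffic off the policy-routed path, which matters when the ACL is consumed by the route-map rather than applied as a packet filter.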
You are right, I need to put these two subnets on two different interfaces and have them talk to each other.
The DHCP server gives out IPs from these two subnets, so these two subnets are my main network, where I have users on both as well as the servers.
This is an internal router and will decide if the traffic needs to be sent to the next hop, which is the firewall to the Internet, or to our remote location, which is 10.5.1.0/24.
So these two subnets, i.e. 10.1.1.0/24 and 10.1.4.0/24, are my main network and must talk to each other with full access to and from each subnet.
I will put together a diagram and post it by replying to your posting again.
But, given this scenario, what do I need to do to have these subnets talk to each other while on two different interfaces on the same router?
Thanks very much.
If each device on the subnet will be using the router as its default gateway, then you do not need any additional configuration (ACL, route-map, etc). Simply make sure the router has ip routing turned on, which it should by default. In other words, make sure "no ip routing" is *not* in the configuration.
The real question is how your switches will be configured. Will each subnet be on a separate VLAN?
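As an added example (not from the thread, and not Cisco code) of why no extra configuration is needed, the following models the route lookup the 3825 would do after the move: 10.1.1.0/24 on one interface and 10.1.4.0/24 on the other as connected routes (administrative distance 0), plus the static routes the original poster listed (administrative distance 1). It also answers the default-gateway question by mapping each host to the router address in its own subnet. The interface names GigabitEthernet0/0 and 0/1, the ip_routing flag, the lookup destinations and all function names are assumptions for the example; the posted config shows no default route, so Internet destinations return no match here.

```python
"""Longest-prefix route lookup with IOS administrative distance.

Added example, not from the original thread. Models the 3825 after each subnet
is moved to its own interface; interface names, sample destinations and the
helper names are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

CONNECTED_AD = 0   # directly connected network
STATIC_AD = 1      # 'ip route' statement

# Router addresses per interface after the move (from the posted config: .251 in each subnet).
INTERFACES = {
    "GigabitEthernet0/0": "10.1.1.251/24",
    "GigabitEthernet0/1": "10.1.4.251/24",
}

# Static routes exactly as posted (network, mask, next hop).
STATIC_ROUTES = [
    ("10.1.4.0", "255.255.255.0", "10.1.1.10"),
    ("10.1.5.0", "255.255.255.0", "10.1.1.10"),
    ("10.5.1.0", "255.255.255.0", "10.222.222.2"),
]

Route = Tuple[ipaddress.IPv4Network, int, str]   # (prefix, admin distance, how to reach)


def build_rib(interfaces: Dict[str, str], statics, ip_routing: bool = True) -> List[Route]:
    """Build the routing table; with 'no ip routing' the box forwards nothing."""
    if not ip_routing:
        return []
    rib: List[Route] = []
    for name, addr in interfaces.items():
        net = ipaddress.ip_interface(addr).network
        rib.append((net, CONNECTED_AD, f"connected via {name}"))
    for network, mask, next_hop in statics:
        rib.append((ipaddress.ip_network(f"{network}/{mask}"), STATIC_AD, f"via {next_hop}"))
    return rib


def lookup(rib: List[Route], dst: str) -> Optional[str]:
    """Longest prefix wins; on equal prefix length the lower admin distance wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, ad, via in rib:
        if d in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, via)
    return best[1] if best else None


def gateway_for(interfaces: Dict[str, str], host: str) -> Optional[str]:
    """Default gateway a DHCP scope should hand to a host: the router address in its subnet."""
    h = ipaddress.ip_address(host)
    for addr in interfaces.values():
        iface = ipaddress.ip_interface(addr)
        if h in iface.network:
            return str(iface.ip)
    return None


if __name__ == "__main__":
    rib = build_rib(INTERFACES, STATIC_ROUTES)
    for dst in ("10.1.4.77", "10.1.1.20", "10.1.5.3", "10.5.1.7", "8.8.8.8"):
        print(f"{dst:<10} -> {lookup(rib, dst)}")
    print("no ip routing:", lookup(build_rib(INTERFACES, STATIC_ROUTES, ip_routing=False), "10.1.4.77"))
    print("gateway for 10.1.4.33:", gateway_for(INTERFACES, "10.1.4.33"))
```

The point the lookup makes: once 10.1.4.0/24 is directly connected, the leftover "ip route 10.1.4.0 255.255.255.0 10.1.1.10" loses to the connected route on administrative distance, so traffic between the two subnets is forwarded between the two interfaces and never goes to the firewall; the static route can simply be removed. Hosts in each subnet keep using the .251 address of their own subnet as the default gateway.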
Thanks. Unfortunately, no real VLANs. I have put all the servers and users (users are on both subnets) on VLAN 2. The IT people don't want to move to segmentation with real VLANs! I have been pushing for that but no luck so far.
Our switches are very good, top-of-the-line Cisco switches, but they are not really being used to their potential. I am sure they will be forced to accept VLANs very soon.
I have also applied the route-map to the interface that will have 10.1.4.0/24 on it. Would this work?
I.e. the same ip policy route-map statement that is under the Ethernet0/1 interface has been applied to the new interface for that subnet too.
I am not doing any dynamic routing, so do I still need ip routing on? I don't see that on my currently functioning 2621 router!? Actually, the PIX will do the routing here, since the PIX has been defined as the next hop in the router.