11-04-2010 09:42 PM - edited 03-04-2019 10:22 AM
Hello Experts,
I would like to ask you a favor. I am having trouble finding a manual or guide on how to set up a firewall on an IP Unnumbered interface for a Cisco 2900 series router. Please help.
Thank you very much in advance!
Our router setup is as follows:
======================
ISP
|
|
-----------------------
Interface e0/0 - (IP Unnumbered using PPPoE )
Interface e0/1 – ( this address is shared by the IP unnumbered interface to dial to ISP)
-----------------------
Interface e0/2 – used for router management only purpose.
11-05-2010 03:02 AM
Hello Ken,
If you are using PPPoE to access the internet then I suppose you have also created and configured the Dialer interface. In this case, it is the Dialer interface that processes the IP traffic sent via the PPPoE session, so simply configure the firewall on the corresponding Dialer interface. Do not place any firewall on the Ethernet interface - it would not have any effect because the IP traffic is not encapsulated directly into Ethernet frames.
Please note that the IP Unnumbered is something different from an interface that simply has no IP address configured. If an interface is configured without any IP address (i.e., the command no ip address is present in its configuration) then this interface is disabled for pure IP protocol. IP packets arriving at this interface are dropped without any processing, and such an interface does not send any IP packets itself. The Ethernet interface on which only PPPoE is configured without any IP address is IP-disabled, not IP Unnumbered.
On the other hand, the IP Unnumbered is a special feature that allows several interfaces to share the same IP address using the command ip unnumbered
Best regards,
Peter
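An added example, not part of the original posts: a small Python audit that applies the rule from the answer above to a saved running-config, flagging firewall commands placed on the Ethernet interface that only carries PPPoE and a Dialer left without any. The sample configuration, interface names and zone names are constructed assumptions, not Ken's actual configuration.

```python
import re

# Constructed sample config (not from the thread); names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no ip address
 pppoe-client dial-pool-number 1
 zone-member security outside
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 zone-member security inside
!
interface Dialer0
 ip unnumbered GigabitEthernet0/1
 dialer pool 1
!
"""

# Interface-level commands that attach a firewall or filter to an interface.
FILTER_RE = re.compile(r"^(zone-member security|ip access-group|ip inspect)\b")

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the interface block
    return interfaces

def audit_pppoe_firewall(config):
    """Report filtering on a PPPoE carrier interface and Dialers with none."""
    ifaces, findings = parse_interfaces(config), []
    for name, cmds in ifaces.items():
        pool = next((c.split()[-1] for c in cmds
                     if c.startswith("pppoe-client dial-pool-number")), None)
        if pool is None:
            continue  # not a PPPoE carrier interface
        for c in cmds:
            if FILTER_RE.match(c):
                findings.append(f"{name}: '{c}' sits on the PPPoE carrier, move it to the Dialer")
        for dname, dcmds in ifaces.items():
            if f"dialer pool {pool}" in dcmds and not any(FILTER_RE.match(d) for d in dcmds):
                findings.append(f"{dname}: Dialer for pool {pool} has no firewall applied")
    return findings
```

Running `audit_pppoe_firewall(SAMPLE_CONFIG)` returns one finding for GigabitEthernet0/0 and one for Dialer0; a config with the zone membership on the Dialer returns an empty list.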
11-05-2010 03:10 AM
THANK YOU so much! All clear now. You made my day, man!
11-06-2010 04:28 AM
Sorry, another question:
I tested two ways of firewall zone setup on the Router 1 Cisco 2911 IOS based Firewall:
A.
Outside zone member: 1. interface e0/0 ( Dialer0 )
Inside zone member: e0/1
Then there is no connection to the internet even if all access rules from inside to outside are set to Allow. No other ACL is associated with any of the interfaces.
B.
Outside zone members: 1. interface e0/0 ( Dialer0 ) and 2. interface e0/1
Inside zone member: e0/3 (management only)
Internet connection is Ok. But this setup is the same as having no firewall, isn't it?
Please advise me how it should be properly set up.
Thank you!
11-06-2010 05:32 AM
Ken,
You are welcome. Please, post your current configuration if it is possible. It is easier to start from there.
Best regards,
Peter