Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
668
Views
0
Helpful
4
Replies

How to setup firewall on IP Unnumbered interface?

Go to solution
kmigmar805
Level 1
Level 1

‎11-04-2010 09:42 PM - edited ‎03-04-2019 10:22 AM

Hello Experts,

I would like to ask you a favor. I am having a trouble finding a manual or guide on how to setup a firewall on an IP Unnumbered interface for Cisco 2900  series router. Please help.

Thank you very much in advance!

Our router setup is as follows:

======================

ISP

|

|

-----------------------

Interface e0/0 - (IP Unnumbered using PPPoE )

Interface e0/1 – ( this address is shared by the IP unnumbered interface to dial to ISP)

-----------------------

Interface e0/2 – used for router management only purpose.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎11-05-2010 03:02 AM

Hello Ken,

If you are using PPPoE to access the internet then I suppose you have also created and configured the Dialer interface. In this case, it is the Dialer interface that processes the IP traffic sent via the PPPoE session, so simply configure the firewall on the corresponding Dialer interface. Do not place any firewall on the Ethernet interface - it would not have any effect because the IP traffic is not encapsulated directly into Ethernet frames.

Please note that the IP Unnumbered is something different from an interface that simply has no IP address configured. If an interface is configured without any IP address (i.e., the command no ip address is present in its configuration) then this interface is disabled for pure IP protocol. IP packets arriving at this interface are dropped without any processing, and such interface does not send any IP packets itself. The Ethernet interface on which only a PPPoE is configured without any IP address is IP-disabled, not IP Unnumbered.

On the other hand, the IP Unnumbered is a special feature that allows several interfaces to share the same IP address using the command ip unnumbered . In this case, interface configured using this command has the same IP address and mask as the other interface that is referenced by that command. This technique is used to conserve IP addresses.

Best regards,

Peter

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎11-05-2010 03:02 AM

Hello Ken,

If you are using PPPoE to access the internet then I suppose you have also created and configured the Dialer interface. In this case, it is the Dialer interface that processes the IP traffic sent via the PPPoE session, so simply configure the firewall on the corresponding Dialer interface. Do not place any firewall on the Ethernet interface - it would not have any effect because the IP traffic is not encapsulated directly into Ethernet frames.

Please note that the IP Unnumbered is something different from an interface that simply has no IP address configured. If an interface is configured without any IP address (i.e., the command no ip address is present in its configuration) then this interface is disabled for pure IP protocol. IP packets arriving at this interface are dropped without any processing, and such interface does not send any IP packets itself. The Ethernet interface on which only a PPPoE is configured without any IP address is IP-disabled, not IP Unnumbered.

On the other hand, the IP Unnumbered is a special feature that allows several interfaces to share the same IP address using the command ip unnumbered . In this case, interface configured using this command has the same IP address and mask as the other interface that is referenced by that command. This technique is used to conserve IP addresses.

Best regards,

Peter

0 Helpful

Go to solution
kmigmar805
Level 1
Level 1
In response to Peter Paluch

‎11-05-2010 03:10 AM

THANK YOU so much! All clear now. You made my day, man!

0 Helpful

Go to solution
kmigmar805
Level 1
Level 1
In response to kmigmar805

‎11-06-2010 04:28 AM

Sorry, another question:

I tested two ways of firewall zone setup on the Router 1 Cisco 2911 IOS based Firewall:

A.

Outside zone member: 1. interface e0/0 ( Dialer0 )

Inside zone member: e0/1

Then there is no  connection to internet even if all Access rules from inside to outside are all set to Allow. No other ACL is associated with the any of the interfaces.

B.

Outside zone members: 1. interface e0/0 ( Dialer0 ) and 2. interface e0/1 

Inside zone member: e0/3 (management only)

Internet connection is Ok. But this setup is the same as having no firewall, isn't it?

Please advice me how it should be properly setup.

Thank you!

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to kmigmar805

‎11-06-2010 05:32 AM

Ken,

You are welcome. Please, post your current configuration if it is possible. It is easier to start from there.

Best regards,

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card