
Preventing Routing on Directly Connected Networks


Dinkytoy

IS-IT--Management
Jun 14, 2007
147
GB
I'm just playing with some lab stuff and something came up that seems overly complex and I wondered if there was a simpler way to do it.

My routing table is:

C 10.100.100.0/24 is directly connected, Vlan15
C 10.100.101.0/24 is directly connected, Vlan12
C 10.100.99.0/29 is directly connected, GigabitEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.100.99.1

I'm working on the assumption that 10.100.100.0/24 and 10.100.101.0/24 are DMZ networks and the LAN is somewhere else, not relevant. Communications between the two networks must be non-existent.

I've restricted it via a couple of access-lists assigned to the relevant VLAN interface:

Extended IP access list 101
10 permit ip 10.100.100.0 0.0.0.255 10.100.99.0 0.0.0.7 (2 matches)
20 permit ip 10.100.100.0 0.0.0.255 10.100.100.0 0.0.0.255 (53 matches)
30 deny ip any any (8 matches)
Extended IP access list 102
10 permit ip 10.100.101.0 0.0.0.255 10.100.99.0 0.0.0.7
20 permit ip 10.100.101.0 0.0.0.255 10.100.101.0 0.0.0.255 (7 matches)
30 deny ip any any

Now this all works OK. However, it does seem a little long-winded. Given there is no routing protocol running and the networks are directly connected, is it possible to instead stop it routing that particular network, so all traffic is fed back to the default gateway without access lists?

If I put the given scenario live for example I may have to configure 10 such networks some with access to others and some without which is a bit of a hassle, especially if I'm not about to do it!
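The "ten such networks, some with access to others and some without" case above is exactly where hand-written ACLs get error-prone. The Python below is an added example, not code from this thread or from Cisco: it generates one inbound ACL per DMZ SVI from an allow-matrix and then evaluates the generated entries with first-match semantics (plus the implicit deny) to confirm they implement the matrix. It takes the other common form from the ACLs posted above: rather than permitting only the transit /29 and the local subnet and then denying everything, it denies the local subnet reaching each peer DMZ it may not talk to and then permits the local subnet to anything else, so traffic beyond the firewall still follows the default route and the firewall applies its own policy. The transit 10.100.99.0/29 and the two DMZ /24s come from the thread; Vlan20 (10.100.102.0/24) and the single allowed pair are constructed to show the matrix scaling past two networks.

```python
"""Generate per-VLAN inbound ACLs from an allow-matrix and check them offline.

Added example, not code from the thread. The transit /29 and the two DMZ /24s
are the thread's; Vlan20 and the ALLOW pair are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Directly connected DMZs as the thread's routing table shows them (SVI -> subnet).
# Vlan20 is an assumed third DMZ, constructed to show the matrix growing.
DMZS = {
    "Vlan15": ipaddress.ip_network("10.100.100.0/24"),
    "Vlan12": ipaddress.ip_network("10.100.101.0/24"),
    "Vlan20": ipaddress.ip_network("10.100.102.0/24"),  # constructed
}

# (source VLAN, destination VLAN) pairs that may talk directly; every other
# DMZ-to-DMZ pair is dropped on the ingress SVI. Constructed policy.
ALLOW = {("Vlan20", "Vlan15")}


@dataclass(frozen=True)
class Ace:
    """One access-control entry; entries are evaluated top down, first match wins."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_acl(vlan, dmzs=DMZS, allow=ALLOW):
    """Inbound ACL for one DMZ SVI.

    Deny the local subnet reaching each peer DMZ it is not allowed to reach,
    then permit the local subnet to anything else; that traffic follows the
    default route to the firewall. Because the final permit is restricted to
    the local subnet as source, spoofed sources fall through to the implicit deny.
    """
    src = dmzs[vlan]
    aces = [Ace("deny", src, net)
            for peer, net in dmzs.items()
            if peer != vlan and (vlan, peer) not in allow]
    aces.append(Ace("permit", src, ANY))
    return aces


def wildcard(net):
    """IOS notation: network address followed by the inverse (wildcard) mask."""
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def render_acl(number, aces):
    """Numbered extended ACL lines, in the 100-199 range the thread uses."""
    return [f"access-list {number} {a.action} ip {wildcard(a.src)} {wildcard(a.dst)}"
            for a in aces]


def render_config(dmzs=DMZS, allow=ALLOW, first_number=101):
    """Full snippet: one ACL per DMZ plus the inbound 'ip access-group' binding."""
    lines = []
    for number, vlan in enumerate(dmzs, start=first_number):
        lines.append(f"! inbound policy for {vlan} ({dmzs[vlan]})")
        lines += render_acl(number, build_acl(vlan, dmzs, allow))
        lines += [f"interface {vlan}", f" ip access-group {number} in", "!"]
    return lines


def lookup(aces, src_ip, dst_ip):
    """Evaluate an ACL the way the switch does: first matching entry wins,
    and a packet that matches nothing hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def check_matrix(dmzs=DMZS, allow=ALLOW):
    """Walk every ordered DMZ pair and confirm the generated ACLs implement
    the matrix. Returns a list of (src_vlan, dst_vlan, result) mismatches."""
    problems = []
    for src_vlan, src_net in dmzs.items():
        aces = build_acl(src_vlan, dmzs, allow)
        for dst_vlan, dst_net in dmzs.items():
            if src_vlan == dst_vlan:
                continue
            # the first usable host in each subnet stands in for a server
            got = lookup(aces, str(src_net[1]), str(dst_net[1]))
            want = "permit" if (src_vlan, dst_vlan) in allow else "deny"
            if got != want:
                problems.append((src_vlan, dst_vlan, got))
    return problems


if __name__ == "__main__":
    print("\n".join(render_config()))
    print("mismatches:", check_matrix())
```

Running it prints the three ACLs and their interface bindings, then an empty mismatch list. The offline `lookup` check is the part worth keeping around: when the matrix changes, regenerate and re-run `check_matrix` before pasting anything into the switch, rather than discovering an inverted deny from the hit counters afterwards.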
 
If you simply want to block access from one DC subnet to another, you need outbound ACLs on the interface. If you want to route to the gateway instead of the DC subnet, you need PBR, which cannot be done without ACLs. Does this answer your question? I am a little confused. Please provide more info, i.e. what interfaces the ACLs are applied to and in what direction, and a topology (though from this we can guess and have a good idea, but it is only a guess).

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
PBR sounds like it would work, although I've not encountered or used it before, a quick google gave me an overview.

First off though on the previous setup, I had assigned those ACLs to inbound traffic on the two respective VLAN interfaces.


A quick topology, it's not optimal but is based on scaling up:

ServerA-----|- Port 10 - VLAN 12 |
            |    3650G Switch    |- Port 1 ---- Firewall
ServerB-----|- Port 20 - VLAN 15 |

ServerA - 10.100.100.3
ServerB - 10.100.101.3
Switch Port 1 - 10.100.99.2
Switch VLAN 12 - 10.100.100.1
Switch VLAN 15 - 10.100.101.1
Firewall - 10.100.99.1

-------------------

Looking at PBR for a minute it sounds like I can do the following:

! Match every packet (0.0.0.0 255.255.255.255 is the same as "permit any")
access-list 1 permit 0.0.0.0 255.255.255.255
!
! Anything that matches goes to the firewall, whatever the routing table says
route-map DefaultRoute permit 10
 match ip address 1
 set ip next-hop 10.100.99.1
!
! Applied to the ingress SVIs; the policy is consulted before the routing table
interface Vlan12
 ip policy route-map DefaultRoute
!
interface Vlan15
 ip policy route-map DefaultRoute

Not labbed it yet but sounds promising if correct. I guess it looks at the policy before looking at the routing table.
 
Just tried to play with PBR, looks like it's on the IP Services feature set rather than the baseline :(. Can't use that idea then.
 
Maybe you should email me for some other "ideas"...

timandlizh at gmail dot com

 