Solved

ROUTER - 2 DEFAULT-GATEWAY - QUERY

Posted on 2011-09-29
21
274 Views
Last Modified: 2012-06-27
Hi, I wish to test an 'ACL', which, if I remember correctly, was set up with no 'Routing protocols' on the 'router' and no VLANs!!!

My router has 2 Fastethernet connections, 1 & 2, plugged into two 2950 switches using 'straight-thru' cables and set to 'trunk' only on both.

I will be using 2 different IP Addressing subnets on 'Router' ie fa0/0 - 192.168.1.1/24  & 10.0.0.1/24

Should I be adding a default-gateway on both switches pointing to the relevant fastethernet ports ie:
- ip default-gateway 192.168.1.2 255.255.255.0 - SwitchA
- ip default-gateway 10.0.0.2 255.255.255.0 - SwitchB

I'm just setting it up this way for test purposes!!
0
Comment
Question by:mikey250
21 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
I assume these are routing switches (layer 3)? Then you could do with a default gateway.
Only have a good look at what you typed for switch B ;)
0
 

Author Comment

by:mikey250
Hi erniebeek, No, they're not L3, they are L2, only because I did a test exam the other day and all it showed was a 'Router' with 2 fastethernet ports connected to 2 switches A & B for eg, but it did not specify L2 or L3, and the scenario only let me onto the 'Router' to see both IP Addressing Subnets, which were different!!

So even though an L3 switch is preferred, what I wish to know is whether it can still be done this way, as I'm thinking as long as there are 2 static routes on the router pointing to both switches A & B ie:

Mgmt Ip host SwitchA 192.168.1.2
Mgmt Ip host SwitchB 10.0.0.2

Router
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2
0
 

Author Comment

by:mikey250
Hi erniebeck, Ignore my last entry!!!!!!

Mgmt Ip host SwitchA 192.168.1.3
Mgmt Ip host SwitchB 10.0.0.3

Router
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2
0
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 500 total points)
Ok, got that.

So the default gateway on a layer 2 switch is only there to let you connect to it (for management) remotely. Since the router has IP addresses in the same ranges on its interfaces, it already 'knows' those networks. If you do a sh ip route you should be able to see them in your routing table (as 'connected'). No need to manually add a route for them.
Even better, you don't want to have two default routes on a router ;)
0
 

Author Comment

by:mikey250
No, I don't want 2 default gateways, but for the purposes of this test exam, which had advised all configs were in place yesterday, all I was able to do was log on to 'Router' and add '3 ACLs', which I could not get right!!  So before I move on to the 'ACL' part I just wish to get this set up as per the exam lab from what I can remember!!!!!!!:))
0
 

Author Comment

by:mikey250
Just so you know, it was based around the 'CCNA' exam which I looked at, hence presumably not using L3!!
0
 
LVL 35

Expert Comment

by:Ernie Beek
Well it's been a while since I took ICND :)
But I can't imagine them putting two default routes in the router. And like I said before, you don't need them.
Your setup will be perfectly ok without.
0
 

Author Comment

by:mikey250
Hi ernie,  I realise what you are saying, but it was on the 640-802, not ICND Part 1 & 2, so all I wish to do, even if the network is not an ideal topology, is to be able to understand how to add my 'ACL's as I got it wrong!!

The exam did not allow access to the switches, just access to the 'Router' where I was supposed to add relevant 'ACL's!!!!!

The scenario was for me to add the following on 'SwitchA'
- Permit host pc on fa0/4 'only' to the 'Web Server'
- Permit host pc on fa0/4 'only' to the Finance Server
- Block every other host pc that 'WOULD' be attached to same 'SwitchA' - If configured so
- Permit host pc 'Ftp' access

I think that was the scenario!!!!!!

Hi erniebeek, It seems missing out the explanation of the 'ACL' is what I may have confused you with!!:

Router:

Int fa0/0 - Connected to SwitchA in 'Trunk mode'
ip address 192.168.1.1 255.255.255.0
no shut

Int fa0/1 - Connected to SwitchB in 'Trunk Mode'
ip address 10.0.0.1 255.255.255.0
no shut

SwitchA:

int fa0/4
Description Connected to Host pc
switchport mode access
spanning-tree portfast
no shut

Int vlan 1
ip address 192.168.1.100 255.255.255.0
no shut

no ip http server

SwitchB:

int fa0/4
Description Connected to Web Server
switchport mode access
spanning-tree portfast
no shut

int fa0/5
Description Connected to Finance Server
switchport mode access
spanning-tree portfast
no shut

Int vlan 1
ip address 10.0.0.2 255.255.255.0
no shut

ip http server
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok, did they give you the IP addresses of the machines?
0
 

Author Comment

by:mikey250
Yes, in the scenario, but I cannot remember them; all I remember is that they were both on different subnets!!!

I'm currently adding the config for what I think it is, then I will let you know!!!!!!!!!!!!!!  The reason I wish to try this is because the only command the simulation would accept was as below, and it would not accept my 'ACL', as it said a total of 3 'ACL's, I think, to complete this task:

Router:
ip access-group 1 out
0

Author Comment

by:mikey250
Correction:

Router
Int fa0/1
ip access-group 1 out
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok, show it when you are ready :)
0
 

Author Comment

by:mikey250
Hi erniebeek,  I got it working once, but now I cannot allow a specific host 192.168.1.11 to the 10.0.0.0 0.0.0.255 network

This is what I've done:

Router:

Int fa0/0 - Connected to SwitchA in 'Trunk mode'
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no shut

Int fa0/1 - Connected to SwitchB in 'Trunk Mode'
ip address 10.0.0.1 255.255.255.0
no shut


access-list 101 deny tcp 191.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eqq www
0
 
LVL 35

Assisted Solution

by:Ernie Beek (earned 500 total points)
First:

Typo:

access-list 101 deny tcp 191.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eqq www


Second, change the sequence of the access list. It is processed top-down until it finds a hit. After that the rest of the list will be ignored. So you first block a whole range and after that allow one host from that range.... No go.

So try:

access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
0
 
LVL 35

Assisted Solution

by:Ernie Beek (earned 500 total points)
You should be able to lock it down further if you know the ip of the www host:

access-list 101 permit tcp host 192.168.1.11 host 10.0.0.x eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
0
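As an added example (not from the thread, and not Cisco IOS code), the following Python models the top-down, first-hit processing Ernie describes in the two comments above: it parses the thread's two ACL lines in both orders, runs the test traffic mikey250 used (host 192.168.1.11 and 192.168.1.10 browsing to 10.0.0.1) through each, and rejects the 'eqq' typo the way the IOS parser would. The names parse_acl, evaluate, compare, THREAD_ORDER and CORRECTED_ORDER are assumptions of this example, and the packets it tests are constructed from the addresses in the thread.

```python
"""Added example (not from the thread, and not IOS): a small first-match evaluator
for Cisco-style extended ACL lines of the form
    access-list <n> permit|deny <proto> <src> <dst> [eq <port>]
It models the top-down, first-hit semantics, including the implicit
'deny ip any any' at the end of every IOS access list."""
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i].
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard is the inverse of a subnet mask; invert it explicitly so
    # 0.0.0.0 means /32 and 255.255.255.255 means /0 (ipaddress would read a bare
    # 0.0.0.0 after the slash as a netmask). Non-contiguous wildcards are rejected.
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wild) & 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[i], str(netmask)), strict=False), i + 2


def parse_acl(text):
    """Parse ACL lines in the order written. A malformed line (e.g. 'eqq') raises
    ValueError, as IOS would refuse it at the CLI."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line}")
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t):
            if t[i] != "eq" or i + 2 != len(t):
                raise ValueError(f"bad port clause in: {line}")
            port = t[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        entries.append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
    return entries


def line_accepted(line):
    """True if parse_acl accepts the line, False if it is rejected."""
    try:
        parse_acl(line)
        return True
    except ValueError:
        return False


def evaluate(entries, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for one packet: the first matching line wins and
    nothing below it is consulted; no match at all means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src in e["src"] and dst in e["dst"] and e["dport"] in (None, dport):
            return e["action"]
    return "deny"  # implicit deny ip any any


# Constructed test lists. THREAD_ORDER is mikey250's original order with the
# 191/eqq typos corrected so that only the ordering is being tested.
THREAD_ORDER = """
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eq www
"""
# Ernie's corrected order: the specific permit above the broad deny.
CORRECTED_ORDER = """
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
"""
TYPO_LINE = "access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eqq www"


def compare(dst_ip="10.0.0.1"):
    """Run the thread's test traffic through both orderings.
    Returns {(src, port): (result with THREAD_ORDER, result with CORRECTED_ORDER)}."""
    thread, corrected = parse_acl(THREAD_ORDER), parse_acl(CORRECTED_ORDER)
    cases = [("192.168.1.11", 80), ("192.168.1.10", 80), ("192.168.1.11", 21)]
    return {
        (src, port): (evaluate(thread, "tcp", src, dst_ip, port),
                      evaluate(corrected, "tcp", src, dst_ip, port))
        for src, port in cases
    }


if __name__ == "__main__":
    for (src, port), (thread, corrected) in compare().items():
        print(f"{src} -> 10.0.0.1:{port}  thread order: {thread:6}  corrected: {corrected}")
    print("'eqq' line accepted:", line_accepted(TYPO_LINE))
```

The third test case (192.168.1.11 to port 21) is denied under both orderings: neither list has a line for FTP, so the implicit deny at the end drops it. With only these two lines applied inbound on fa0/0, everything else from 192.168.1.0/24 is dropped as well, which is worth remembering for the scenario's separate 'Permit host pc Ftp access' requirement.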
 

Assisted Solution

by:mikey250 (earned 0 total points)
Hi erniebeek,  Thanks for that, it works now, as opening a 'browser' from host pc 192.168.1.11 is 'permitted' for http://10.0.0.1 - Successful, as it confirms the 1st 'access-list'.

I then changed the host pc address from 192.168.1.10 to 192.168.1.11 and this 'denied' access via http://10.0.0.1 - Successful, as it confirmed the 2nd 'access-list' command

I realised where I was also going wrong, as I was adding 'ip access-group 101 in' on 'Int fa1/1', but that was wrong as it should have been 'Int fa0/0'. Although I understand 'In & Out', I cannot get my head around which interface by thinking about it.  As in, if I'm blocking access from a host pc, such as in this case 192.168.1.11 TO 10.0.0.1, my head thinks go to the actual Interface '10.0.0.1', as if I'm logging in from a host pc for eg 10.0.0.4 coming into Interface 10.0.0.1, which should make me realise that is wrong.  I will have to practise!!

I'm starting to get my head around why to use 'Standard & Extended' now!!

Appreciated!!
thanks!!
0
 

Author Comment

by:mikey250
Correction:

'I then changed the host pc address from 192.168.1.11 to 192.168.1.10 and this 'denied' access via http://10.0.0.1 - Successful as confirmed 2nd 'access-list' command'
0
 
LVL 35

Expert Comment

by:Ernie Beek
Good to hear you're getting there :)
I always found it easiest to think of it as traffic going IN to and OUT of a device (through the interface), instead of just thinking of an interface.
For the rest, a standard access list allows or denies based on IP addresses/ranges, and an extended list can also define the ports/protocols (simply put).
0
 

Author Comment

by:mikey250
Yes, and I'm going to practice now!!!
0
 

Author Closing Comment

by:mikey250
Sound advice!!
0
 
LVL 35

Expert Comment

by:Ernie Beek
Happy learning :)

Thx for the points.
0
