ROUTER - 2 DEFAULT-GATEWAY - QUERY

Hi, I wish to test an 'ACL', which if I remember correctly was set up with no 'Routing protocols' on the 'router' and no VLANs!!!

My router has 2 FastEthernet connections, 1 & 2, plugged into 2 2950 switches using 'straight-thru' cables and set to 'trunk' only on both.

I will be using 2 different IP addressing subnets on the 'Router', i.e. fa0/0 - 192.168.1.1/24 & 10.0.0.1/24

Should I be adding a default-gateway on both switches pointing to the relevant FastEthernet ports, i.e.:
- ip default-gateway 192.168.1.2 255.255.255.0 - SwitchA
- ip default-gateway 10.0.0.2 255.255.255.0 - SwitchB

I'm just setting it up this way for test purposes!!

Asked by: mikey250

4 Solutions
 
Ernie Beek commented:
I assume these are routing switches (layer 3)? Then you could do with a default gateway.
Only have a good look at what you typed for switch B ;)
0
 
mikey250 (Author) commented:
Hi erniebeck, no they're not L3, they are L2, only because I did a test exam the other day and all it showed was a 'Router' with 2 FastEthernet ports connected to 2 switches A & B, for e.g., but did not specify L2 or L3, but the scenario only let me onto the 'Router' to see both IP addressing subnets that were different!!

So even though a L3 switch is preferred, what I wish to know is can it still be done this way, as I'm thinking as long as there are 2 static routes on the router pointing to both switches A & B, i.e.:

Mgmt Ip host SwitchA 192.168.1.2
Mgmt Ip host SwitchB 10.0.0.2

Router
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2
0
 
mikey250 (Author) commented:
Hi erniebeck, Ignore my last entry!!!!!!

Mgmt Ip host SwitchA 192.168.1.3
Mgmt Ip host SwitchB 10.0.0.3

Router
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2
0
 
Ernie Beek commented:
Ok, got that.

So the default gateway on a layer 2 switch is only there to make you able to connect to it (for management) remotely. Since the router has IP addresses in the same ranges on its interfaces, it already 'knows' those networks. If you do a sh ip route you should be able to see them in your routing table (as 'connected'). No need to manually add a route for them.
Even better, you don't want to have two default routes on a router ;)
0
 
mikey250 (Author) commented:
No, I don't want 2 default gateways, but for the purposes of this test exam, which had advised all configs were in place yesterday, all I was able to do was log on to 'Router' and add '3 ACLs', which I could not get right!!  So before I move onto the 'ACL' part I just wish to get this set up as per the exam lab from what I can remember!!!!!!!:))
0
 
mikey250 (Author) commented:
Just so you know, it was based around the 'CCNA' exam which I looked at, hence presumably not using L3!!
0
 
Ernie Beek commented:
Well, it's been a while since I took ICND :)
But I can't imagine them putting two default routes in the router. And like I said before, you don't need them.
Your setup will be perfectly ok without.
0
 
mikey250 (Author) commented:
Hi ernie, I realise what you are saying but it was on the 640-802, not the ICND Part 1 & 2, so all I wish to do, even if the network is not an ideal topology, is to be able to understand how to add my 'ACL's as I got it wrong!!

The exam did not allow access to the switches, just access to the 'Router' where I was supposed to add relevant 'ACL's!!!!!

The scenario was for me to add the following on 'SwitchA'
- Permit host pc on fa0/4 'only' to the 'Web Server'
- Permit host pc on fa0/4 'only' to the Finance Server
- Block every other host pc that 'WOULD' be attached to same 'SwitchA' - If configured so
- Permit host pc 'Ftp' access

I think that was the scenario!!!!!!

Hi erniebeek, it seems missing out the explanation of the 'ACL' is what I may have confused you with!!:

Router:

Int fa0/0 - Connected to SwitchA in 'Trunk mode'
ip address 192.168.1.1 255.255.255.0
no shut

Int fa0/1 - Connected to SwitchB in 'Trunk Mode'
ip address 10.0.0.1 255.255.255.0
no shut

SwitchA:

int fa0/4
Description Connected to Host pc
switchport mode access
spanning-tree portfast
no shut

Int vlan 1
ip address 192.168.1.100 255.255.255.0
no shut

no ip http server

SwitchB:

int fa0/4
Description Connected to Web Server
switchport mode access
spanning-tree portfast
no shut

int fa0/5
Description Connected to Finance Server
switchport mode access
spanning-tree portfast
no shut

Int vlan 1
ip address 10.0.0.2 255.255.255.0
no shut

ip http server
0
 
Ernie Beek commented:
Ok, did they give you IP addresses of the machines?
0
 
mikey250 (Author) commented:
Yes, in the scenario, but I cannot remember them; all I remember is that they were both different subnets!!!

I'm currently adding the config for what I think it is, then I will let you know!!!!!!!!!!!!!!  The reason why I wish to try this is because the only command the simulation would accept was as below, and it would not accept my 'ACL', as it said a total of 3 'ACL's I think to complete this task:

Router:
ip access-group 1 out
0
 
mikey250 (Author) commented:
Correction:

Router
Int fa0/1
ip access-group 1 out
0
 
Ernie Beek commented:
Ok, show it when you are ready :)
0
 
mikey250 (Author) commented:
Hi erniebeek, I got it working once, but now I cannot allow a specific host 192.168.1.11 to the 10.0.0.0 0.0.0.255 network

This is what I've done:

Router:

Int fa0/0 - Connected to SwitchA in 'Trunk mode'
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no shut

Int fa0/1 - Connected to SwitchB in 'Trunk Mode'
ip address 10.0.0.1 255.255.255.0
no shut


access-list 101 deny tcp 191.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eqq www
0
 
Ernie Beek commented:
First:

Typo:

access-list 101 deny tcp 191.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eqq www


Second, change the sequence of the access list. It is processed top-down until it finds a hit. After that the rest of the list will be ignored. So you first block a whole range and after that allow one host from that range.... No go.

So try:

access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
0
 
Ernie Beek commented:
You should be able to lock it down further if you know the ip of the www host:

access-list 101 permit tcp host 192.168.1.11 host 10.0.0.x eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
0
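The top-down, first-match behaviour Ernie describes two posts above, and the tighter host-to-host variant in his follow-up, as an added example in Python that is not part of this thread and not IOS code: it parses numbered extended access-list lines in IOS syntax and evaluates a packet against them the way the router does, including the implicit deny at the end of every list. The parser, the small port-name table and the address 10.0.0.50 (a constructed placeholder for the web server, since the thread only says 10.0.0.x) are this example's own assumptions.

```python
import ipaddress

# Small subset of the service names IOS accepts after "eq" (assumed for this example).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53}


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD')
    from the front of tokens and return (network, match_mask) as integers.
    A wildcard bit of 0 means 'must match', so the match mask is its inverse."""
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0
    if tokens[0] == "host":
        ip = int(ipaddress.IPv4Address(tokens[1]))
        del tokens[:2]
        return ip, 0xFFFFFFFF
    ip = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    del tokens[:2]
    return ip, (~wildcard) & 0xFFFFFFFF


def parse_acl_line(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict.
    Anything the grammar does not recognise (e.g. the 'eqq' typo in the thread)
    raises ValueError, much as the IOS parser rejects the line."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not an extended access-list line: " + line)
    number, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    rest = tokens[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = None
    if rest:
        if rest[0] != "eq" or len(rest) != 2:
            raise ValueError("unsupported port clause: " + " ".join(rest))
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def load_acl(text):
    """Parse a block of access-list lines, keeping the order they were entered in."""
    return [parse_acl_line(l) for l in text.strip().splitlines() if l.strip()]


def _in(ip, net_mask):
    net, mask = net_mask
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Walk the list top-down; the first entry that matches decides and the rest
    is ignored. If nothing matches, the implicit 'deny any' at the end applies.
    Returns (action, index), with index None for the implicit deny."""
    for i, entry in enumerate(acl):
        if entry["proto"] != "ip" and entry["proto"] != proto:
            continue
        if not _in(src_ip, entry["src"]) or not _in(dst_ip, entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != dport:
            continue
        return entry["action"], i
    return "deny", None


# The two orderings discussed in the thread (constructed from the posts above).
DENY_FIRST = load_acl("""
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eq www
""")
PERMIT_FIRST = load_acl("""
access-list 101 permit tcp host 192.168.1.11 10.0.0.0 0.0.0.255 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
""")
# Tighter variant; 10.0.0.50 is a constructed placeholder for the web server's address.
LOCKED_DOWN = load_acl("""
access-list 101 permit tcp host 192.168.1.11 host 10.0.0.50 eq www
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
""")

if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FIRST), ("permit-first", PERMIT_FIRST), ("locked-down", LOCKED_DOWN)):
        for src in ("192.168.1.11", "192.168.1.10"):
            print(name, src, "-> 10.0.0.1:80", evaluate(acl, "tcp", src, "10.0.0.1", 80))
```

Run as a script it shows 192.168.1.11 hitting the deny at index 0 in the deny-first list and the permit at index 0 once the lines are swapped, while 192.168.1.10 is denied by index 1 either way. Two things the posts do not spell out also fall out of the evaluator: in the locked-down list the permitted host reaches only 10.0.0.50, and any FTP attempt matches neither line and is dropped by the implicit deny, so the exam's "permit FTP" requirement needs its own explicit line.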
 
mikey250 (Author) commented:
Hi erniebeek, thanks for that, it works now, as opening a 'browser' from host PC 192.168.1.11 is 'permitted' for http://10.0.0.1 - successful, as it confirms the 1st 'access-list'.

I then changed the host PC address from 192.168.1.10 to 192.168.1.11 and this 'denied' access via http://10.0.0.1 - successful, as it confirmed the 2nd 'access-list' command

I realised where I was also going wrong, as I was adding 'ip access-group 101 in' on 'Int fa1/1', but that was wrong as it should have been 'Int fa0/0'. Although I understand 'In & Out', I cannot get my head around which interface by thinking about it.  As in, if I'm blocking access from a host PC such as in this case 192.168.1.11 TO 10.0.0.1, my head thinks go to the actual interface '10.0.0.1', as if I'm logging in from a host PC, for e.g. 10.0.0.4, coming into interface 10.0.0.1, which should make me realise that is wrong.  I will have to practise!!

I'm starting to get my head around why 'Standard & Extended' are used now!!

Appreciated!!
thanks!!
0
 
mikey250 (Author) commented:
Correction:

'I then changed the host PC address from 192.168.1.11 to 192.168.1.10 and this 'denied' access via http://10.0.0.1 - successful, as it confirmed the 2nd 'access-list' command'
0
 
Ernie Beek commented:
Good to hear you're getting there :)
I always found it easiest to think of it as traffic going IN to and OUT of a device (through the interface), instead of just thinking of an interface.
For the rest, a standard access list allows or denies based on IP addresses/ranges and an extended list can also define the ports/protocols (simply put).
0
 
mikey250 (Author) commented:
Yes, and I'm going to practise now!!!
0
 
mikey250 (Author) commented:
Sound advice!!
0
 
Ernie Beek commented:
Happy learning :)

Thx for the points.
0