Configuring IP Uplink Redirect on Catalyst 2948G-L3 Switches

Introduction

This document provides a sample configuration for the IP uplink redirect feature on the Catalyst 2948G-L3 switch. Enabling IP uplink redirect restricts devices connected to the Fast Ethernet interfaces to send Layer 3 traffic directly to each other and routes it directly to the Gigabit Ethernet interfaces.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

The IP uplink redirect feature is supported in Cisco IOS ® Software Release 12.0(10)W5(18e) and later, only on the Catalyst 2948G-L3 switch.

Components Used

The information in this document is based on the software and hardware versions below.

  • Catalyst 2948G-L3 running Cisco IOS 12.0(10)W5(18e)

  • Catalyst 4908G-L3 running Cisco IOS 12.0(10)W5(18e)

  • Two routers (no specific hardware or Cisco IOS) configured as end stations to simulate customer servers

Note: The two routers configured as end stations have no ip routing, an IP address on one interface, and an ip default-gatewayip_addr statement.

The configurations presented in this document was created from devices in a lab environment. All of the devices used in this document started with a cleared (default) configuration. The configurations on all devices were cleared with the write erase command and reloaded to ensure that they had a default configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Background Theory

The IP uplink redirect feature is designed to allow service providers to provision Fast Ethernet interfaces on the Catalyst 2948G-L3 switch to different customers. This feature also restricts a customer from directly accessing interfaces assigned to other customers. An example of when this feature could be used is if several customers had web servers connected to the Fast Ethernet interfaces and these servers do not need to communicate between one another. In this network design the majority of the traffic will be sent between the Internet, connected through the Gigabit Ethernet interface, and the individual, co-located web servers connected to the Fast Ethernet interfaces.

When IP uplink redirect is configured on the Catalyst 2948G-L3 switch, traffic that is sourced from a host on a Fast Ethernet interface is redirected to one of the Gigabit Ethernet interfaces instead of directly routing the traffic between the two Fast Ethernet interfaces. This feature accomplishes this by not populating the Fast Ethernet Content Addressable Memory (CAM) tables with the IP adjacencies for remote Fast Ethernet interfaces. Therefore the the network routes and adjacencies that are configured or learned on the Fast Ethernet interfaces do not get populated into the CAM table, but these routes and adjacencies are populated in the Gigabit Ethernet interfaces for routing purposes.

Note: The IP uplink redirect feature affects only IP Layer 3-switched traffic. It has no impact on Layer 2-switched or non-IP Layer 3-switched traffic like IP Multicast or IPX. This traffic will be bridged or routed directly between Fast Ethernet interfaces as usual.

If it is required to prevent some or all communication between hosts connected to the Fast Ethernet interfaces, you can apply Access Control Lists (ACLs) on the Gigabit Ethernet interfaces to enforce the desired traffic filtering. This is because ACLs are not supported on the Fast Ethernet interfaces the Catalyst 2948G-L3. The only way to prevent the communication between the hosts is to redirect the traffic to the Gigabit Ethernet interfaces using the IP uplink redirect feature and apply ACLs to filter the traffic.

Network Diagram

The network diagram displays a typical service provider topology where customer's connect their web servers to different Fast Ethernet interfaces

48a.gif

In this topology, the service provider has subnetted 192.168.1.0/24 using 30-bit subnet masks. For each subnet, one host address is assigned to one of the Fast Ethernet interfaces on the 2948G-L3 and the other IP is assigned to the customer's server. Customer 1's server is in subnet 192.168.1.0/30. Fast Ethernet 1 is assigned IP address 192.168.1.1/30 and Customer 1's server is assigned IP address 192.168.1.2/30.

Note: This is just an example. Another possible topology might have multiple customer devices connected to each Fast Ethernet interface (using larger IP subnets, for example, 26- or 24-bit subnet masks).

Configure IP Uplink Redirect Sample

Task

In this section, you are presented with the information to configure the features described in this document. The following sections shows the typical topology and the steps used to configure IP uplink redirect on the Catalyst 2948G-L3 switch.

Step-by-Step Instructions

The process for configuring IP uplink redirect in this topology is as follows:

  1. Enable IP uplink redirect on the Catalyst 2948G-L3 switch and reload the switch. You must reload the switch after enabling or disabling IP uplink redirect.

    2948G-L3#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    2948G-L3(config)#ip uplink-redirect
    
     Please save configuration and reload for this command to take effect
    
    2948G-L3(config)#^Z
    2948G-L3#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    2948G-L3#reload
    Proceed with reload? [confirm]
    
    
    ROMMON: Cold Reset frame @0x00000000
    ROMMON: Reading reset reason register
    ROMMON: Valid NVRAM config
    
    !--- Output suppressed.
    
    Press RETURN to get started!
  2. Verify that IP uplink redirect is enabled by issuing the show ip uplink-redirect command:

    2948G-L3#show ip uplink-redirect
    
    IP Uplink Redirect Configuration:
    
    Running Configuration : ip uplink-redirect 
    Configuration on next reload : ip uplink-redirect
    
    2948G-L3#
    
  3. Configure the Fast Ethernet interfaces. Each Fast Ethernet interface is assigned to a different IP subnet using a 30-bit subnet mask (make sure you enter the ip subnet-zero global configuration command if you are using subnet zero, as in this example).

    2948G-L3(config)#ip subnet-zero
    2948G-L3(config)#interface FastEthernet 1
    2948G-L3(config-if)#ip address 192.168.1.1 255.255.255.252
    2948G-L3(config-if)#no shutdown
    2948G-L3(config-if)#exit
    2948G-L3(config)#interface FastEthernet 2
    2948G-L3(config-if)#ip address 192.168.1.5 255.255.255.252
    2948G-L3(config-if)#no shutdown
    2948G-L3(config-if)#exit
    
    !--- Output suppressed.
    
    2948G-L3(config)#interface FastEthernet 48
    2948G-L3(config-if)#ip address 192.168.1.189 255.255.255.252
    2948G-L3(config-if)#no shutdown
    2948G-L3(config-if)#
  4. Configure each server with the remaining host IP address in the appropriate subnet, and use the corresponding Fast Ethernet IP address as the server's default gateway.

    For example, Customer 1's server is connected to interface Fast Ethernet 1, the server IP address is 192.168.1.2/30 and the default gateway is 192.168.1.1 (the IP address of interface Fast Ethernet 1).

  5. Configure the IP addresses of the Gigabit Ethernet interfaces that connect the Catalyst 2948G-L3 switch and the upstream Catalyst 4908G-L3 switch. In this example, interface Gigabit Ethernet 49 on the Catalyst 2948G-L3 switch connects to interface Gigabit Ethernet 1 on the Catalyst 4908G-L3 switch.

    Catalyst 2948G-L3:

    2948G-L3(config)#interface GigabitEthernet 49
    2948G-L3(config-if)#ip address 192.168.1.253 255.255.255.252
    2948G-L3(config-if)#no shutdown
    2948G-L3(config-if)#

    Catalyst 4908G-L3:

    4908G-L3(config)#interface GigabitEthernet 1
    4908G-L3(config-if)#ip address 192.168.1.254 255.255.255.252
    4908G-L3(config-if)#no shutdown
    4908G-L3(config-if)#
    
  6. In this example, the Internet is reached through interface Gigabit Ethernet 8 on the Catalyst 4908G-L3. Configure interface Gigabit Ethernet 8 with the appropriate IP address.

    4908G-L3(config)#interface GigabitEthernet 8
    4908G-L3(config-if)#ip address 192.168.255.1 255.255.255.0
    4908G-L3(config-if)#no shutdown
    4908G-L3(config-if)#
    
  7. Configure routing on the Catalyst 2948G-L3 switch and Catalyst 4908G-L3 switch. In this example, IP EIGRP is configured. Passive interfaces are specified on the Catalyst 2948G-L3 to prevent EIGRP hellos from being sent on the Fast Ethernet interfaces.

    In addition, the 30-bit subnets configured on the Fast Ethernet interfaces are summarized in a single advertisement of the 192.168.1.0/24 network to reduce the number of routing table entries managed by upstream routers.

    Catalyst 2948G-L3:

    2948G-L3(config)#router eigrp 10
    2948G-L3(config-router)#network 192.168.1.0
    2948G-L3(config-router)#passive-interface FastEthernet 1
    2948G-L3(config-router)#passive-interface FastEthernet 2
    2948G-L3(config-router)#passive-interface FastEthernet 3
    
    !--- Output suppressed.
    
    2948G-L3(config-router)#passive-interface FastEthernet 46
    2948G-L3(config-router)#passive-interface FastEthernet 47
    2948G-L3(config-router)#passive-interface FastEthernet 48
    2948G-L3(config-router)#exit
    2948G-L3(config)#interface GigabitEthernet 49
    2948G-L3(config-if)#ip summary-address eigrp 10 192.168.1.0 255.255.255.0
    2948G-L3(config-if)#

    Catalyst 4908G-L3:

    4908G-L3(config)#router eigrp 10
    4908G-L3(config-router)#network 192.168.1.0
    4908G-L3(config-router)#network 192.168.255.0
    4908G-L3(config-router)#no auto-summary
    4908G-L3(config-router)#

    caution Caution: If the upstream router has a better alternative path back to the IP networks reached through the Catalyst 2948G-L3 Fast Ethernet interfaces, that path will be used, which could result in routing loops.

  8. In order to complete the IP uplink redirect configuration on the Catalyst 2948G-L3 switch, you must configure a static route pointing to the upstream router's interface IP address.

    In this example, the upstream router interface on the Catalyst 4908G-L3 is interface Gigabit Ethernet 1. Interface Gigabit Ethernet 1 has IP address 192.168.1.254. (Note that you cannot specify an outgoing interface in the ip route command -- you must specify a next-hop IP address.)

    2948G-L3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
    2948G-L3(config)#

This example shows the path a traceroute from Customer 1's server (on interface Fast Ethernet 1) takes to Customer 48's server (on interface Fast Ethernet 48) before and after IP uplink redirect is configured.

Traceroute before IP uplink redirect:

Customer1[192.168.1.2]#traceroute 192.168.1.190

Type escape sequence to abort.
Tracing the route to 192.168.1.190

  1 192.168.1.1 4 msec 0 msec 4 msec
  2 192.168.1.190 4 msec *  0 msec
Customer1[192.168.1.2]#

Shown above, the trace passed over interface Fast Ethernet 1 (192.168.1.1) on the Catalyst 2948G-L3 to Customer 48's server (192.168.1.190).

Traceroute after IP uplink redirect:

Customer1[192.168.1.2]#traceroute 192.168.1.190

Type escape sequence to abort.
Tracing the route to 192.168.1.190

  1 192.168.1.1 4 msec 0 msec 0 msec
  2 192.168.1.254 0 msec 0 msec 4 msec
  3 192.168.1.253 0 msec 4 msec 0 msec
  4 192.168.1.190 4 msec *  0 msec
Customer1[192.168.1.2]#

Shown above, the trace passed over interface Fast Ethernet 1 (192.168.1.1) on the Catalyst 2948G-L3, was redirected to interface Gigabit Ethernet 1 (192.168.1.254) on the upstream Catalyst 4908G-L3, was routed back to interface Gigabit Ethernet 49 (192.168.1.253) on the Catalyst 2948G-L3, and then to Customer 48's server (192.168.1.190).

Applying Access Control Lists

If desired, you can apply ACLs on interface gig 49 to control access between customer servers. In this example, an output access list is applied on interface Gigabit Ethernet 49 that permits ICMP pings (echo and echo-reply), but denies all other IP communication between customer servers.

2948G-L3(config)#access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
2948G-L3(config)#access-list 101 permit icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
2948G-L3(config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
2948G-L3(config)#access-list 101 permit ip any any
2948G-L3(config)#interface GigabitEthernet 49
2948G-L3(config-if)#ip access-group 101 out
2948G-L3(config-if)#

caution Caution: Certain types of IP packets, such as packets with IP options, are process switched. The CPU switches the packets based on the Cisco IOS routing table. Process-switched packets will not follow the IP uplink-redirect path and any ACLs configured on the Gigabit Ethernet interfaces are not applied.

This example shows how Customer 1's server can ping Customer 48's server, but cannot run a traceroute or open a Telnet session:

Customer1[192.168.1.2]#ping 192.168.1.190

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.1.190, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Customer1[192.168.1.2]#
Customer1[192.168.1.2]#traceroute 192.168.1.190

Type escape sequence to abort.
Tracing the route to 192.168.1.190

  1 192.168.1.1 4 msec 0 msec 4 msec
  2  *
Customer1[192.168.1.2]#
Customer1[192.168.1.2]#telnet 192.168.1.190
Trying 192.168.1.190 ...
% Connection timed out; remote host not responding

Customer1[192.168.1.2]#

Verify

This section provides information you can use to confirm your configuration is working properly.

  • show ip uplink-redirect - this command verifies the current configuration and runtime status of the IP uplink redirect feature.

This example shows the output of the show ip uplink-redirect command before you enter the ip uplink-redirect global configuration command:

2948G-L3#show ip uplink-redirect

IP Uplink Redirect Configuration:

Running Configuration : no ip uplink-redirect 
Configuration on next reload : no ip uplink-redirect 

2948G-L3#

This example shows the output of the show ip uplink-redirect command after you enter the ip uplink-redirect command but before you reload the Catalyst 2948G-L3 switch:

2948G-L3#show ip uplink-redirect

IP Uplink Redirect Configuration:

Running Configuration : no ip uplink-redirect
Configuration on next reload : ip uplink-redirect 

2948G-L3#

This example shows the output of the show ip uplink-redirect command after you enter the ip uplink-redirect command and reload the Catalyst 2948G-L3 switch:

2948G-L3#show ip uplink-redirect

IP Uplink Redirect Configuration:

Running Configuration : ip uplink-redirect 
Configuration on next reload : ip uplink-redirect 

2948G-L3#

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Procedure

Below is troubleshooting information relevant to this configuration.

  1. If IP uplink redirect is enabled but Layer 3 IP traffic is not being redirected to the Gigabit Ethernet uplink interfaces, make sure you have a static default route configured using the ip route 0.0.0.0 0.0.0.0 next_hop_ip command.

    Remember, you must configure a static route. A default route advertised through a dynamic routing protocol is not sufficient to enable the IP uplink redirect functionality. In addition, make sure you specify the next hop IP address of the upstream router, not the outgoing interface (such as GigabitEthernet 49).

  2. If the IP uplink redirect feature is enabled and you have a static route configured, but traffic does not appear to be redirected to the Gigabit Ethernet ports, make sure the specific traffic you expect to be redirected is Layer 3 IP traffic. IP packets with non-IP Layer 3 traffic (such as IPX), and Layer 2 bridged traffic is not redirected by the IP uplink redirect feature.

  3. If ACLs have been configured on the Gigabit Ethernet ports and your not passing the desired traffic, verify that ACLs have been configured correctly. If you are unsure that the ACLs configured are filtering the desired traffic, remove the ACLs to identify if it is an ACL issue.

  4. Make sure the upstream router does not have an alternate route to the IP subnets reached through the Catalyst 2948G-L3 Fast Ethernet interfaces. Otherwise, traffic will not return from the upstream router on the Gigabit Ethernet uplinks. This can result in routing loops and other undesired behavior.

  5. If the Catalyst 2948G-L3 switch configuration appears correct but traffic does not seem to be redirected, check the CAM table entries to see if the IP adjacencies for remote Fast Ethernet interfaces are populated.

    For example, if IP uplink redirect is functioning correctly, the IP adjacency CAM entries on interface Fast Ethernet 1 should notinclude a complete entry for a device on interface Fast Ethernet 48 (or any other Fast Ethernet interface).

    This example shows the IP adjacencies installed in the CAM hardware on interface Fast Ethernet 1 before the IP uplink redirect feature is enabled (notice that there is a complete adjacency entry for 192.168.1.190 on interface Fast Ethernet 48):

    2948G-L3#show epc ip-address interface fast 1 all-entries
    IPaddr: 192.168.1.2     MACaddr: 0000.0c8c.4e28  FastEthernet1(4)
    IPaddr: 192.168.1.254   MACaddr: 0030.78fe.a007  GigabitEthernet49(52)
    IPaddr: 192.168.1.190   MACaddr: 0006.9486.7c05  FastEthernet48(51)
       Total number of IP adjacency entries: 3
       Missing IP adjacency entries: 0
    2948G-L3#
    

    This example shows the IP adjacencies installed in the CAM hardware on interface Fast Ethernet 1 after the IP uplink redirect feature is enabled (notice that there are no longer any Fast Ethernet adjacency entries and that there are now two Missing IP adjacency entries listed):

    2948G-L3#show epc ip-address interface fast 1 all-entries 
    IPaddr: 192.168.1.254   MACaddr: 0030.78fe.a007  GigabitEthernet49(52) 
       Total number of IP adjacency entries: 1
       Missing IP adjacency entries: 2
    2948G-L3#
    

Related Information


评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值