routing policy and acl

Userlevel 2
Thanks in advance to all!

We want to create a wired guest network inside each one of our buildings. Each building has a switch (an x460 that acts like a router) that has multiple vlans, each with an interface, and each having ospf enabled on the backbone. These switches are then all connected to our EAPS WAN link that connects all buildings together. I want to create 2 new vlans:

create vlan Guest tag ... #-- This vlan would be inside each building
create vlan GuestDefaultGateway tag ... #-- This vlan would be protected vlan on the EAPS ring

I want Guest to not be able to access any of our district networks, but we need the devices to be able to get DHCP from our DHCP server (which is outside each building) which are all on our district networks. By setting up bootprelay we can forward requests to get the IP Address.

If I set up an ACL with 2 entries, one allowing udp port 67 and another entry blocking all other access to district devices, I think (in my own twisted mind) I should be OK.

I then want this Guest Network to only go out the new GuestDefaultGateway vlan. Can I set up a routing policy that will set the next-hop to the GuestDefaultGateway?


2 replies

Userlevel 6
Hey BW447, so it sounds like all of the Layer 2 guest VLANs will be tagged all the way back to the core, correct? At that point, will you have the IP addresses on the core switch?

Your ACL looks correct. You will need to add another one to allow the unicast DHCP offer to get back to the host using port 68, I think.

You could then put an entry in to add a redirect statement to forward. From the ACL documentation:

"redirect ipv4 addr—Forwards the packet to the specified IPv4 address (BlackDiamond X8 series switches, BlackDiamond 8000 c-, e-, xl-, and xm-series modules, and Summit family switches)"

Redirecting Packets
"Packets are forwarded to the IPv4 address specified, without modifying the IP header (except the TTL is decremented and the IP checksum is updated). The IPv4 address must be in the IP ARP cache, otherwise the packet is forwarded normally. Only fast path traffic can be redirected. This capability can be used to implement Policy-Based Routing."

Would that help?

Userlevel 2
Hello Mr. Russo!

Sorry for the late reply. My only hesitation with this is that if the iparp doesn't have the mac2ip, I don't want those packets going to our district side.

If the mac2ip isn't in the iparp table and the packet just goes down our district network, will it ever check to see what the mac address is for the redirected IP? So we might get a couple of packets down the district, but pretty soon we would get the proper mac2ip in iparp and then the acl redirect would work.

However, if the GuestDefaultGateway vlan has ospf enabled, the multicast traffic from the hello packets should keep the mac2ip on the router all the time, correct?
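
Putting the pieces from this thread together, here is an added example of what the Guest VLAN ACL and the supporting CLI could look like. It is not configuration from any of the posters; it is written in EXOS policy-file syntax as this editor recalls it, and the VLAN names, the 10.0.0.0/8 and 172.16.0.0/12 district prefixes, the 192.168.100.0/24 guest subnet, the 198.51.100.1 next hop, the DHCP server address and the MAC address are all assumptions. The ordering is the point: the explicit deny entries for district prefixes sit above the redirect, so that on the documented fall-through (redirect target not in the ARP cache, packet forwarded normally) the packet still cannot reach district addresses, which is exactly the concern raised in the last reply.

```text
# guest.pol  (assumed EXOS ACL policy file; "#" comments assumed supported)
# Entries are evaluated top to bottom, first match wins.
# Applied ingress on the Guest VLAN, so it sees traffic FROM guest hosts.

# 1. DHCP discover/request from guests toward the relayed DHCP server (UDP 67)
entry guest-dhcp-request {
    if {
        protocol udp;
        destination-port 67;
    } then {
        permit;
        count guest_dhcp_req;
    }
}

# 2. DHCP reply direction (UDP 68), per the suggestion in the thread
entry guest-dhcp-reply {
    if {
        protocol udp;
        destination-port 68;
    } then {
        permit;
        count guest_dhcp_reply;
    }
}

# 3. Deny district prefixes BEFORE the redirect. If the redirect next hop is
#    missing from the ARP cache, the packet is forwarded normally; without
#    these entries it would follow the OSPF-learned district routes.
entry guest-deny-district-10 {
    if {
        destination-address 10.0.0.0/8;
    } then {
        deny;
        count guest_blocked_10;
    }
}
entry guest-deny-district-172 {
    if {
        destination-address 172.16.0.0/12;
    } then {
        deny;
        count guest_blocked_172;
    }
}

# 4. Everything else from the guest subnet: policy-based route to the
#    gateway that lives on the GuestDefaultGateway VLAN
entry guest-to-gateway {
    if {
        source-address 192.168.100.0/24;
    } then {
        redirect 198.51.100.1;
        count guest_redirected;
    }
}

# --- CLI on the building x460 (syntax varies by EXOS version; assumed) ---
# check policy guest
# configure access-list guest vlan Guest ingress
# enable bootprelay vlan Guest                    # "enable bootprelay ipv4 vlan Guest" on newer releases
# configure bootprelay add 10.10.10.10            # assumed DHCP server on the district side
# configure iparp add 198.51.100.1 00:04:96:aa:bb:cc   # optional static ARP so the redirect never falls through
# show access-list counter vlan Guest ingress     # confirm guest_blocked_* stays at zero once the redirect is live
```

Two practical checks: run the policy through "check policy" before applying it, since a syntax error means no ACL is installed at all; and watch the guest_blocked counters after bringing the VLAN up. If they ever increment, the redirect fell through for some packets and the deny entries did their job. Pinning the next hop with a static ARP entry removes the dependence on ARP cache timing altogether, rather than relying on OSPF traffic on the GuestDefaultGateway VLAN to keep the entry warm.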