Cisco Catalyst G-L3 Series Switches

Configuring IP Uplink Redirect Using BVIs on Catalyst 2948G-L3 Switches

Document ID: 14979



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Background Information
IP Uplink Redirect Sample Configuration 1
      Network Diagram
      Sample Configuration
      Verification
IP Uplink Redirect Sample Configuration 2
      Network Diagram
      Sample Configuration
      Verification

Introduction

This document provides information on how to configure IP uplink redirects with BVIs on Catalyst 2948G-L3 switches.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The example configurations in this document were based on these software and hardware versions:

  • Catalyst 2948G-L3 that runs Cisco IOS 12.0(10)W5(18e)

  • A router (no specific hardware or IOS)

  • Two switches (no specific hardware or IOS) configured as end stations

    Note: The two switches configured as end stations have an IP address assigned to the management interface, and an ip default-gateway ip_addr statement.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

The Catalyst 2948G-L3 switch IP uplink redirect feature redirects traffic received on a Fast Ethernet interface to one of the Gigabit Ethernet interfaces.

When traffic is sourced from a host on one Fast Ethernet interface and destined for a host on another Fast Ethernet interface, the 2948G-L3 switch redirects the traffic to one of the Gigabit Ethernet interfaces instead of directly routing the traffic between the two Fast Ethernet interfaces.

The IP uplink redirect feature is designed to allow service providers to provision Fast Ethernet interfaces to different customers (for web hosting, for example) but deny access to interfaces assigned to other customers. In other words, the majority of traffic is between the Internet, connected with a Gigabit Ethernet interface, and individual co-located web servers, connected to the Fast Ethernet interfaces.

IP uplink redirect requires that a static default route is installed in the routing table that points to an upstream router connected to the Gigabit Ethernet interface. Redirected traffic is forwarded to the upstream router, where it is routed back to the 2948G-L3 and forwarded out the appropriate interface.

If the intention is to prevent some or all communication between hosts connected to the Fast Ethernet interfaces, you can apply Access Control Lists (ACLs) on the Gigabit Ethernet interfaces to enforce the desired traffic filtering. The IP uplink redirect feature is useful in this case because ACLs are not supported on Fast Ethernet interfaces on the Catalyst 2948G-L3 switch.

Caution: The IP uplink redirect feature affects only IP unicast Layer 3 (L3) switched traffic. It has no impact on Layer 2 (L2) switched or non-IP unicast L3 switched traffic, such as IP Multicast or Internetwork Packet Exchange (IPX). Such traffic is bridged or routed directly between Fast Ethernet interfaces, as usual.

This document provides a sample configuration for the IP uplink redirect feature with Bridge-Group Virtual Interfaces (BVIs) on the Catalyst 2948G-L3 switch. The IP uplink redirect feature is supported in Cisco IOS® release 12.0(10)W5(18e) and later on the Catalyst 2948G-L3 switch only.

This sample configuration does not discuss how the IP uplink redirect feature is useful in a service provider site. For more information on how this feature can be used by the service providers to isolate the direct communication between customer servers, refer to this document:

Configuring IP Uplink Redirect on Catalyst 2948G-L3 Switches

IP Uplink Redirect Sample Configuration 1

Configure Cat2948G-L3 so that station_B belongs to a bridge-group, and station_A is connected to a routed interface. A BVI is used to allow the communication.

Network Diagram

[Network diagram: 86-1.gif]

Sample Configuration

Cat2948G-L3#show run 
... 
bridge irb 

!-- This command enables the Integrated Routing and Bridging feature (IRB).

... 
interface FastEthernet20 
 ip address 10.1.20.2 255.255.255.0 
 no ip directed-broadcast 
 duplex full 
 speed 100 
! 
interface FastEthernet21 
 no ip address 
 no ip directed-broadcast 
 duplex full 
 speed 100 
 bridge-group 21

 !-- This command converts the routed interface to a bridged interface.

... 
interface GigabitEthernet49 
 ip address 10.1.22.2 255.255.255.0 
 no ip directed-broadcast 
... 
interface BVI21

!-- This logical interface is used to route the traffic received on bridged interfaces.

 ip address 10.1.21.2 255.255.255.0 
 no ip directed-broadcast 
 no ip route-cache cef 
! 
router rip 
 network 10.0.0.0 
! 
bridge 21 protocol ieee

!-- This command enables bridging on this switch-router.

 bridge 21 route ip

!-- This command enables IP routing on interface BVI 21.

Verification

The IP uplink redirect feature has not been enabled yet, as shown here:

Cat2948G-L3#show ip uplink 
IP Uplink Redirect Configuration: 

Running Configuration : no ip uplink-redirect 

!-- The IP uplink redirect feature is not enabled.

Configuration on next reload : no ip uplink-redirect

The process to configure IP uplink redirect in this topology is this:

Cat2948G-L3#configure t 
Enter configuration commands, one per line.  End with CNTL/Z. 
Cat2948G-L3(config)#ip uplink-redirect

!-- This global configuration command enables the IP uplink-redirect feature,
!-- but takes effect only after the reload.  

Please save configuration and reload for this command to take effect  

Cat2948G-L3#show ip uplink

IP Uplink Redirect Configuration:

Running Configuration : no ip uplink-redirect 
Configuration on next reload : ip uplink-redirect

!-- The feature is enabled, but takes effect after the reload.


Cat2948G-L3#reload 

System configuration has been modified. Save? [yes/no]: y 
Building configuration... 
[OK] 
Proceed with reload? [confirm]

After reload: 

Cat2948G-L3#show ip uplink

IP Uplink Redirect Configuration:

Running Configuration : ip uplink-redirect

!-- The IP uplink redirect feature is enabled.

Configuration on next reload : ip uplink-redirect 

In order to complete the IP uplink redirect configuration on Cat2948G-L3, you must configure a static default route that points to the interface IP address of the upstream router.

In this example, the interface gig 49 of the router is the upstream router interface. Interface gig 49 has IP address 10.1.22.1. You cannot specify an outbound interface in the ip route command; you must specify a next-hop IP address.

Cat2948G-L3(config)#ip route 0.0.0.0 0.0.0.0 10.1.22.1

The basic routing configuration on the router is this:

Router Configuration

router#show run 
... 
interface GigabitEthernet49 
 ip address 10.1.22.1 255.255.255.0 
 no ip directed-broadcast 
... 
router rip 
 network 10.0.0.0 

The routing table in the router is this:

router#show ip route 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP 
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP 
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default 
       U - per-user static route, o - ODR 

Gateway of last resort is not set 

     10.0.0.0/24 is subnetted, 3 subnets 
R       10.1.20.0 [120/1] via 10.1.22.2, 00:00:21, GigabitEthernet49 
R       10.1.21.0 [120/1] via 10.1.22.2, 00:00:21, GigabitEthernet49 
C       10.1.22.0 is directly connected, GigabitEthernet49
router#

Caution: If the upstream router has a better alternative path back to the IP networks reached through the Catalyst 2948G-L3 Fast Ethernet interfaces, that path is used, which can result in routing loops.

The connectivity between station_A and station_B is provided through the BVI21/router/gig link, as seen here:

station_A#traceroute 10.1.21.1 
Type escape sequence to abort. 
Tracing the route to 10.1.21.1 

  1 10.1.20.2 0 msec 0 msec 3 msec 
  2 10.1.22.1 0 msec 0 msec 3 msec 
  3 10.1.22.2 2 msec 0 msec 2 msec 
  4 10.1.21.1 3 msec 3 msec * 
station_A#

In this example, the trace passed over interface fast 20 (10.1.20.2) on the Catalyst 2948G-L3, was redirected to interface gig 49 (10.1.22.1) on the upstream router, was routed back to interface gig 49 (10.1.22.2) on the Catalyst 2948G-L3, and then reached station_B (10.1.21.1).

If desired, you can apply ACLs on the interface gig 49 of the Cat2948G-L3 to control access between stations. In this example, an input access list is applied on interface gig 49 that does not allow the stations to communicate:

Cat2948G-L3#show run 
... 
interface GigabitEthernet49 
 ip address 10.1.22.2 255.255.255.0 
 ip access-group 1 in 
 no ip directed-broadcast 
... 
access-list 1 deny   10.1.20.1 
access-list 1 permit any 
  
station_A#traceroute 10.1.21.1 

Type escape sequence to abort. 
Tracing the route to 10.1.21.1 

  1 10.1.20.2 3 msec 0 msec 2 msec 
  2 10.1.22.1 0 msec 0 msec 3 msec 
  3  *  *  * 
  4  *  *  * 
  5  *  * 

Although such an input ACL is probably not the most efficient way to achieve this goal, it has been chosen to illustrate the traffic flow. The traffic from station_A is indeed filtered when it comes back from the router to the gig interface of Cat2948G-L3.

Caution: Certain types of IP packets, such as packets with IP options, are process switched. The CPU switches the packets based on the IOS routing table. Process-switched packets do not follow the IP uplink-redirect path, and any ACLs configured on the Gigabit Ethernet interfaces are not applied.

IP Uplink Redirect Sample Configuration 2

Modify the configuration so that the two stations belong to different bridge-groups. Two BVIs enable them to communicate.

What about traffic filtering?

Network Diagram

[Network diagram: 86-2.gif]

Sample Configuration

Cat2948G-L3#show run 
... 
ip uplink-redirect

!-- This command enables the IP uplink redirect
!-- feature and takes effect after the reload.


bridge irb

!-- This command enables the IRB.

... 
interface FastEthernet20 
 no ip address 
 no ip directed-broadcast 
 duplex full 
 speed 100 
 bridge-group 20

!-- This command converts the routed interface to
!-- a bridged interface in bridge-group 20.   
    
! 
interface FastEthernet21 
 no ip address 
 no ip directed-broadcast 
 duplex full 
 speed 100 
 bridge-group 21

!-- This command converts the routed interface to a
!-- bridged interface in bridge-group 21.

 ... 
interface GigabitEthernet49 
 ip address 10.1.22.2 255.255.255.0 
 no ip directed-broadcast 
... 
interface BVI20

!-- This logical interface is used to route the traffic
!-- received on bridged interfaces in bridge-group 20.

 ip address 10.1.20.2 255.255.255.0 
 no ip directed-broadcast 
 no ip route-cache cef 
 ! 
interface BVI21

!-- This logical interface is used to route the traffic
!-- received on bridged interfaces in bridge-group 21.

 ip address 10.1.21.2 255.255.255.0 
 no ip directed-broadcast 
 no ip route-cache cef 
! 
router rip 
 network 10.0.0.0 
! 
ip route 0.0.0.0 0.0.0.0 10.1.22.1 
! 
access-list 1 deny   10.1.20.1 
access-list 1 permit any 
... 
bridge 20 protocol ieee 
 bridge 20 route ip

!-- This command enables IP routing on interface BVI 20.

bridge 21 protocol ieee 
 bridge 21 route ip

!-- This command enables IP routing on interface BVI 21.

Verification

As this example shows, the traffic passes over interface fast 20 (10.1.20.2) on the Catalyst 2948G-L3, is redirected to interface gig 49 (10.1.22.1) on the upstream router, is routed back to interface gig 49 (10.1.22.2) on the Catalyst 2948G-L3, and then reaches station_B (10.1.21.1):

station_A#traceroute 10.1.21.1 
Type escape sequence to abort. 
Tracing the route to 10.1.21.1 

  1 10.1.20.2 3 msec 0 msec 2 msec 
  2 10.1.22.1 3 msec 0 msec 2 msec 
  3 10.1.22.2 3 msec 0 msec 2 msec 
  4 10.1.21.1 3 msec 0 msec *

Apply the ACL:

Cat2948G-L3(config)#int gig 49 
Cat2948G-L3(config-if)#ip access-group 1 in

As before, the traffic from station_A has been filtered when it comes back from the router to the gig interface of Cat2948G-L3, which does not allow the stations to communicate:

station_A#traceroute 10.1.21.1 
Type escape sequence to abort. 
Tracing the route to 10.1.21.1 

  1 10.1.20.2 0 msec 0 msec 3 msec 
  2 10.1.22.1 3 msec 0 msec 3 msec 
  3  *  *  * 
  4  *
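
The conditions this document relies on (redirect active only after the reload, a static default route that names a next-hop IP address, ACLs applied on Gigabit Ethernet rather than Fast Ethernet interfaces) can be checked against saved "show run" and "show ip uplink" output. The Python script below is an added example, not Cisco code; the function names and the abridged sample inputs are constructed for illustration, and the last check matters only when the goal is to filter traffic between stations.

```python
import re

# Constructed inputs: Sample Configuration 2 (abridged, ACL applied) and the
# 'show ip uplink' output as this document prints it before the reload.
SAMPLE_CONFIG = """\
ip uplink-redirect
interface FastEthernet20
 bridge-group 20
interface GigabitEthernet49
 ip address 10.1.22.2 255.255.255.0
 ip access-group 1 in
ip route 0.0.0.0 0.0.0.0 10.1.22.1
access-list 1 deny   10.1.20.1
access-list 1 permit any
"""
SAMPLE_SHOW = """\
IP Uplink Redirect Configuration:
Running Configuration : no ip uplink-redirect
Configuration on next reload : ip uplink-redirect
"""

def acl_interfaces(config):
    """Return names of interfaces that carry an 'ip access-group' line."""
    found, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None          # left the interface block
        elif current and line.strip().startswith("ip access-group"):
            found.append(current)
    return found

def audit(config, show_uplink):
    """Return findings; an empty list means every check passed."""
    findings = []
    running = re.search(r"^Running Configuration\s*:\s*(.*)$", show_uplink, re.M)
    if not running or running.group(1).strip() != "ip uplink-redirect":
        findings.append("uplink redirect not active (reload pending or not configured)")
    route = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if not (route and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", route.group(1))):
        findings.append("static default route with a next-hop IP address is missing")
    acls = acl_interfaces(config)
    for name in acls:
        if name.startswith("FastEthernet"):
            findings.append(f"{name}: ACLs are not supported on Fast Ethernet")
    if not any(n.startswith("GigabitEthernet") for n in acls):
        findings.append("no ACL on a Gigabit Ethernet interface: redirected traffic is not filtered")
    return findings
```

With the sample inputs, audit() reports only the pending reload; once "show ip uplink" shows "Running Configuration : ip uplink-redirect", it returns an empty list.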

Updated: Nov 23, 2007