I am contemplating converting some of our internal networks from routable to private IPv4 address space. I have a question about RIP as implemented under Cisco IOS 12.x. Presently the setting for rip is:

router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 no auto-summary

What I would like to know is how one routes the entire 192.168/16 address space using rip. My perusal of the various Cisco manuals, technical documents and various O'Reilly books is not giving me any clear answer and I am rather reluctant to experiment on our live Internet connection.

Will this do what I imagine it might, treat any address 192.168.x.y or 10.x.y.z as an internal network?

router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 network 192.168.0.0
 network 10.0.0.0
 no auto-summary

Regards,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Hi,

[snip]
> Presently the setting for rip is:
>
> router rip
>  version 2
>  passive-interface FastEthernet0/0
>  network aaa.bbb.ccc.0
>  no auto-summary

is that aaa.bbb.ccc.0 a *public* IP class?

if it is with the conf below:

> router rip
>  version 2
>  passive-interface FastEthernet0/0
>  network aaa.bbb.ccc.0
>  network 192.168.0.0
>  network 10.0.0.0
>  no auto-summary

you inject private addresses to the other (public?) router...

if aaa.bbb.ccc.0 is another *private* class the configuration should be ok...

maybe i misunderstood your question ...

cheers

-- 
------------------------------------------------
Daniele Santi                 .o.
daniele at santi.vr.it        ..o   () ascii ribbon campaign
Linux User #415108            ooo   /\ www.asciiribbon.org
------------------------------------------------
On : Sat, 4 Oct 2008 14:50:37 +0200, "Mr Shunz" <mrshunz at gmail.com> wrote:

> Hi,
>
[snip]
>> Presently the setting for rip is:
>>
>> router rip
>>  version 2
>>  passive-interface FastEthernet0/0
>>  network aaa.bbb.ccc.0
>>  no auto-summary
>
> is that aaa.bbb.ccc.0 a *public* IP class?

Yes. It is a routable 'c' class address.

> if it is with the conf below:
>
>> router rip
>>  version 2
>>  passive-interface FastEthernet0/0
>>  network aaa.bbb.ccc.0
>>  network 192.168.0.0
>>  network 10.0.0.0
>>  no auto-summary
>
> you inject private addresses to the other (public?) router...
>
> if aaa.bbb.ccc.0 is another *private* class the configuration
> should be ok...
>
> maybe i misunderstood your question ...
>

This is possibly because I am so unfamiliar with routing that I lack the terminology to ask it more clearly.

Our internal networks date back to the spring of 1995 and at the time we used portions of our assigned C class netblock for all hosts. This arrangement has survived to the present day. I wish to move to a private netblock for internal use but I am operationally constrained to do so gradually.

What I want to do is in the interim allow host 1 with the public IPv4 addr of aaa.bbb.ccc.171 to co-exist on the same lan segment as a host with an address of 192.168.2.151 say. On said segment there is but one gateway to the Internet, located at IPv4 aaa.bbb.ccc.1. The rest of the settings are as in the first example above.

If I add 192.168.0.0 to the list of networks handled by RIPv2 at the router (and configure the router Eth0 with a suitable virtual IP from the same network, say: 192.168.71.1), will internal traffic originating at a host with an address of 192.168.2.71 reach an internal host at 192.168.61.151 and can 192.168.2.71 also reach aaa.bbb.ccc.171?

I will deal with NAT issues for these hosts at a later time. For now I am concerned only with hosts that should not reach or be reached from the public Internet in any case and therefore do not need a public IP or NAT.

I do not know if that is any clearer or not. Basically, I do not wish to start physically segregating the internal lan into private and public segments using an internal router. I want both address spaces to co-exist on the same switch until the transformation is finalized and then we will look at whether it makes sense to segregate. We are talking about dozens of hosts, not thousands. But we do have legacy systems that require devoted multiple virtual IPs on a single interface so the number of IPs in use is several times the number of hosts.

I hope this question makes my desires clearer and provides sufficient background detail for sensible commentary.
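Before touching the live router it is worth working out on paper what the second stanza would do. The following is an added example, not code from the thread: it models the classful handling IOS applies to RIP `network` statements (a /8, /16 or /24 chosen by the first octet, so a statement like `network 192.168.0.0` is assumed to cover only 192.168.0.0/24) and reports which RFC 1918 prefixes would be sent out a non-passive interface, which is the injection Daniele points to. Interface names and addresses are constructed; 203.0.113.0 stands in for the redacted aaa.bbb.ccc.0.

```python
from ipaddress import IPv4Address, IPv4Network, ip_interface, ip_network

# Constructed sample modelled on the thread; the documentation prefix
# 203.0.113.0 stands in for the redacted aaa.bbb.ccc.0 public block.
RIP_CONFIG = """router rip
 version 2
 passive-interface FastEthernet0/0
 network 203.0.113.0
 network 192.168.0.0
 network 10.0.0.0
 no auto-summary"""
# Assumed addressing (constructed): LAN with two private secondaries, serial uplink to ISP.
INTERFACES = {
    "FastEthernet0/0": ["203.0.113.1/25", "192.168.71.1/24", "10.0.71.1/24"],
    "Serial0/0": ["203.0.113.254/30"],
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classful(net: str) -> IPv4Network:
    """IOS stores a RIP 'network' statement classfully: /8, /16 or /24 by first octet."""
    first = int(IPv4Address(net)) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ip_network(f"{net}/{plen}", strict=False)

def parse_rip(config: str):
    nets, passive = [], set()  # classful networks, passive interface names
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["network"]:
            nets.append(classful(words[1]))
        elif words[:1] == ["passive-interface"]:
            passive.add(words[1])
    return nets, passive

def analyze(config: str, interfaces: dict) -> dict:
    nets, passive = parse_rip(config)
    covered, uncovered = {}, []  # covered: interface -> connected prefixes RIP carries
    for name, addrs in interfaces.items():
        for addr in addrs:
            intf = ip_interface(addr)
            if any(intf.ip in n for n in nets):
                covered.setdefault(name, []).append(str(intf.network))
            else:
                uncovered.append(f"{name} {addr}")  # no statement matches: RIP ignores it

    def private_out(name):  # RFC 1918 prefixes sent out `name` (split horizon applied)
        return [p for other, ps in covered.items() if other != name
                for p in ps if any(ip_network(p).subnet_of(r) for r in RFC1918)]
    leaks = {n: private_out(n) for n in covered.keys() - passive if private_out(n)}
    return {"covered": covered, "uncovered": uncovered, "leaks": leaks}
```

With the sample addressing the 10.0.71.0/24 secondary is carried out the non-passive uplink, while the 192.168.71.1/24 secondary matches no statement at all.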
James B. Byrne wrote:

> You can accomplish this much easier by simply using
> a firewall. I like OpenBSD firewalls in layer 2
> bridging mode. Put the firewall in-line between the
> router and the rest of the network, no other network
> changes needed.

The difficulty with this is that it requires yet another host, a reconfiguration of the existing wiring plan, and dealing with a number of other issues which directly arise from the first two requirements. We already use IPtables, and we already have some of our older hosts secured behind sshd linux boxes so that network traffic to them is only carried en clair across direct x-wired patch cables.

> If you're not well versed in routing I wouldn't recommend
> going around making a bunch of changes to a system that
> I assume has been more or less working for more than
> a decade.

Which is why I asked the question if by making a single change to the network parameter of the Cisco Router could I avoid:

1. Physically segmenting my LAN
2. Having to commission an additional host or reconfigure an existing host to be multi-homed.

Routing is something I do not go at very often and I do not trust my memory for such things in consequence. The manuals and books that I have give sketchy coverage of this aspect and use examples much more narrow in scope than I contemplate. It would be a gross over-statement to say that I am unfamiliar with the concepts of routing. But I am asking for specific guidance on specific software (CISCO IOS 12.x) and hardware (CISCO 26xx series) from someone with experience in these matters. I recognize that this is not the precise forum to ask, thus the OT. On the other hand, I trust that my situation cannot be very dissimilar to those faced previously by many system administrators who also happen to run CentOS.

Regards,