cheesyking
Minister of Gerbil Affairs
Topic Author
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

server and router setup

Mon Feb 07, 2011 10:52 am

Hi,

I've got to setup a server and router in a data centre's rack for a friend of mine. Here's the basic setup:

[server] ==> [cisco 5505] ==> [data centre]

The Cisco 5505 is there to provide a VPN connection to a company my friend does a lot of work with and is something we were told to get as it's the only thing they support. Personally I'd have thought that it could have been done much more easily and cheaply with a software client but it's out of our control :cry:
The server behind the 5505 is on a 172... private subnet specified by the company who control the VPN.

Anyway, the data centre has given us a /30 subnet and my question is this:
A /30 has 4 IP addresses in it with 2 being usable; does that mean one address will go on the outside interface of my 5505 while the other is used by the data centre's router (so the data centre's router's address will also be my router's default gateway)?

The information I've been given is that our ip range is:
x.y.z.228/30
and that our gateway address is:
x.y.z.229

which says to me that I should set the 5505 with an IP of:
x.y.z.230 and default route x.y.z.229

What has me slightly confused is that my friend told me that he'd requested 2 addresses from the data centre and this setup means he can only use one... so either I've not understood something or he didn't get what he asked for, or perhaps both! I thought this kind of setup was used for point-to-point connections like leased lines rather than inside a data centre.

The 2nd address isn't actually that important as he thought he'd be able to use one for the 5505 and one for the server behind it so that he could bypass the 5505 if he messed it up. As the server has 2 NICs he thought he'd be able to connect one to the inside of the 5505 and one directly to the data centre. After I got him to check how much the data centre would charge for a second network port he quickly dropped the idea :wink:

Any suggestions are appreciated.


BTW, are Cisco routers the best things ever or just over-expensive employment opportunities for Cisco engineers? This is my first real run-in with them and while I can see they are obviously well made and highly configurable they do seem to be complete gits to set up. Probably what has annoyed me the most are the endless variations on IOS that make finding information for any single device a bit tricky.
Fernando!
Your mother ate my dog!
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: server and router setup

Mon Feb 07, 2011 3:42 pm

Yup, the 5505 should get x.y.z.230 and default route x.y.z.229. I suspect the data centre does this to keep track of who is using what IP where to stop spoofing and such.

I've previously admitted to being a Cisco developer so thanks for helping pay for my salary! :-) One cultural thing I have found is that at Cisco if something is tunable then we put a knob in the CLI to tune it. We have enough customers with bizarre setups that we quickly determine a sensible default and just let the customers go ahead and tweak from there. On the multiple IOS versions, I'd say to not worry too much about finding the exact match, learn to use the "?" help system in the CLI and just Google here and there for possible things to start using the "?" help on.
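As an added worked example of the /30 arithmetic in the question and notfred's answer (my code, not from the thread or from any Cisco tool), the script below takes the provider's block and the gateway they run, lists the usable addresses, and returns what is left for the router's outside interface. The addresses 203.0.113.228/30 and 203.0.113.229 are constructed stand-ins for the thread's x.y.z.228/30 and x.y.z.229, taken from the documentation range so no real network is named. It also rejects a gateway that is not a usable host in the block (the network or broadcast address, or an address outside the block), which is the usual cause of an uplink that never comes up.

```python
import ipaddress

# Constructed stand-ins for the thread's x.y.z.228/30 and x.y.z.229; the
# 203.0.113.0/24 documentation range is used so no real network is named.
ASSIGNED_BLOCK = "203.0.113.228/30"
PROVIDER_GATEWAY = "203.0.113.229"


def block_summary(block):
    """Network, broadcast, total size and usable (host) addresses of a block.
    strict=True rejects a block whose host bits are set, e.g. .229/30, which
    would mean the prefix was copied down wrongly."""
    net = ipaddress.ip_network(block, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": [str(a) for a in net.hosts()],
    }


def is_valid_gateway(block, gateway):
    """The provider's gateway must be one of the usable addresses: not the
    network or broadcast address and not something outside the block."""
    return gateway in block_summary(block)["usable"]


def customer_addresses(block, gateway):
    """Addresses left for the customer once the provider has taken the gateway.
    For a /30 this is exactly one, which goes on the outside interface."""
    if not is_valid_gateway(block, gateway):
        raise ValueError(f"gateway {gateway} is not a usable host in {block}")
    return [a for a in block_summary(block)["usable"] if a != gateway]


if __name__ == "__main__":
    summary = block_summary(ASSIGNED_BLOCK)
    print(f"{ASSIGNED_BLOCK}: {summary['total']} addresses, usable {summary['usable']}")
    ours = customer_addresses(ASSIGNED_BLOCK, PROVIDER_GATEWAY)
    print(f"outside interface: {ours[0]}  default route: {PROVIDER_GATEWAY}")
```

Run as-is it reports four addresses, two usable, and 203.0.113.230 as the only one left for the 5505; change the gateway to .228 or .231 and it raises instead of silently handing you an address that will not route.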
 
cheesyking
Minister of Gerbil Affairs
Topic Author
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

Re: server and router setup

Mon Feb 07, 2011 8:09 pm

Thanks!

One more little question if you don't mind: when I was adding some port forwarding I was using this command:
access-list outside_access_in_1 line 1 extended permit tcp any object NAME eq http

which I thought would give me an ACL for web; however, it didn't work.

When I used the SDM with preview turned on I noticed it actually used two commands:
access-list outside_access_in_1 line 1 extended permit tcp any object NAME eq http
access-group outside_access_in_1 in interface outside

A bit of reading tells me the access-group bit applies the access-list to the interface I specify.

Presumably once applied I can modify the ACL without having to re-apply it, is that right?

Finally, what's the best way to open a range of ports in one go?
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: server and router setup

Tue Feb 08, 2011 10:37 am

I'm on the IOS-XR side of things, been many years since I've been in IOS and I've never done the ACL side of things, so I may not be 100% here.

First of all, yes, the idea is that you build an ACL and then you apply it to an interface. The same ACL can be applied to multiple interfaces and also ACLs can be used to define other ranges (e.g. SSM range in IPv4 Multicast). I believe you can modify ACLs on the fly even when in use although I know in IOS-XR there are some things you cannot modify when they are in use (e.g. Netflow monitor-maps). If it turns out you cannot modify it in use then you can always just do a "no access-group ..." before updating the ACL and then reapply the access-group afterwards. Just remember to "wr mem" at the end!

For the port range, check the options with "access-list outside_access_in_1 line 1 extended permit tcp any ?" and see if that has a "range" parameter, IOS-XR does.
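The failure cheesyking hit (an access-list that exists but is bound to no interface, so it filters nothing) is easy to spot mechanically. As an added example (mine, not from the thread, from Cisco, or from any real device), the script below parses ASA-style `access-list ... extended` and `access-group ... in interface ...` lines from a constructed config and reports ACLs defined but never applied, and access-group lines that name an ACL that was never defined. It also decodes the port clause of each entry, so a `range low high` entry, which is the form to confirm with the `?` help as notfred suggests, comes out as a (low, high) pair. The object name NAME, interface `outside` and the first ACL come from the thread; the `range 8000 8010` entry, the `mgmt_in` ACL, the `ghost_acl` binding and the small named-port table are assumptions added to show what the audit catches.

```python
import re

# Port names the ASA CLI accepts in place of numbers; an assumed subset,
# just enough for the constructed sample below.
PORT_NAMES = {"http": 80, "https": 443, "ssh": 22}

# Constructed sample config, not taken from the thread or any real device.
# The first ACL, object name NAME and interface "outside" follow the thread;
# the second entry (a port range), mgmt_in and ghost_acl are assumptions
# added so the audit has something to report.
SAMPLE_CONFIG = """\
access-list outside_access_in_1 line 1 extended permit tcp any object NAME eq http
access-list outside_access_in_1 line 2 extended permit tcp any object NAME range 8000 8010
access-list mgmt_in line 1 extended permit tcp any object NAME eq ssh
access-group outside_access_in_1 in interface outside
access-group ghost_acl in interface inside
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)
GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)$"
)
PORT_RE = re.compile(r"\b(?P<op>eq|range)\s+(?P<a>\S+)(?:\s+(?P<b>\S+))?")


def _port(token):
    """Resolve a named or numeric port token to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def port_span(rest):
    """(low, high) for the port clause of one ACE, or None if the entry has
    no port clause: 'eq http' -> (80, 80), 'range 8000 8010' -> (8000, 8010)."""
    m = PORT_RE.search(rest)
    if not m:
        return None
    low = _port(m["a"])
    if m["op"] == "range":
        if m["b"] is None:
            raise ValueError(f"range without upper bound in: {rest}")
        return (low, _port(m["b"]))
    return (low, low)


def parse_config(text):
    """Collect the ACEs per ACL name and the interface bindings per ACL name."""
    entries, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            entries.setdefault(m["acl"], []).append(
                {"action": m["action"], "proto": m["proto"], "ports": port_span(m["rest"])}
            )
        elif m := GROUP_RE.match(line):
            bindings.setdefault(m["acl"], []).append((m["dir"], m["iface"]))
    return entries, bindings


def audit(text):
    """Two mistakes that are easy to make when editing by hand:
    unbound - ACLs that exist but are applied to no interface, so they filter
              nothing (the symptom in the thread);
    missing - access-group lines naming an ACL that was never defined."""
    entries, bindings = parse_config(text)
    return {
        "unbound": sorted(set(entries) - set(bindings)),
        "missing": sorted(set(bindings) - set(entries)),
    }


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_CONFIG).items():
        print(f"{kind}: {names}")
```

On the sample it reports `mgmt_in` as unbound and `ghost_acl` as missing. Point it at a `show running-config` capture instead of the constructed text to check a real box; it only understands the interface-bound `access-group` form shown in the thread, so other binding forms would need to be added.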
