I am contemplating converting some of our internal networks from routable to private IPv4 address space. I have a question about RIP as implemented under Cisco IOS 12.x.
Presently the setting for rip is:
router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 no auto-summary
What I would like to know is how one routes the entire 192.168/16 address space using RIP. My perusal of the various Cisco manuals, technical documents and various O'Reilly books is not giving me any clear answer and I am rather reluctant to experiment on our live Internet connection.
Will this do what I imagine it might, treat any address 192.168.x.y or 10.x.y.z as an internal network?
router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 network 192.168.0.0
 network 10.0.0.0
 no auto-summary
Regards,
Hi,
[snip]
Presently the setting for rip is:
router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 no auto-summary
is that aaa.bbb.ccc.0 a *public* IP class?
if it is with the conf below:
router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 network 192.168.0.0
 network 10.0.0.0
 no auto-summary
you inject private addresses to the other (public?) router...
if aaa.bbb.ccc.0 is another *private* class the configuration should be ok...
Maybe I misunderstood your question ...
cheers
On : Sat, 4 Oct 2008 14:50:37 +0200, "Mr Shunz" mrshunz@gmail.com wrote:
Hi,
[snip]
Presently the setting for rip is:
router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 no auto-summary
is that aaa.bbb.ccc.0 a *public* IP class?
Yes. It is a routable 'c' class address.
if it is with the conf below:
router rip
 version 2
 passive-interface FastEthernet0/0
 network aaa.bbb.ccc.0
 network 192.168.0.0
 network 10.0.0.0
 no auto-summary
you inject private addresses to the other (public?) router...
if aaa.bbb.ccc.0 is another *private* class the configuration should be ok...
Maybe I misunderstood your question ...
This is possibly because I am so unfamiliar with routing that I lack the terminology to ask it more clearly.
Our internal networks date back to the spring of 1995 and at the time we used portions of our assigned C class netblock for all hosts. This arrangement has survived to the present day.
I wish to move to a private netblock for internal use but I am operationally constrained to do so gradually. What I want to do in the interim is allow host 1, with the public IPv4 addr of aaa.bbb.ccc.171, to co-exist on the same LAN segment as a host with an address of 192.168.2.151, say. On said segment there is but one gateway to the Internet, located at IPv4 aaa.bbb.ccc.1. The rest of the settings are as in the first example above. If I add 192.168.0.0 to the list of networks handled by RIPv2 at the router (and configure the router Eth0 with a suitable virtual IP from the same network, say 192.168.71.1), will internal traffic originating at a host with an address of 192.168.2.71 reach an internal host at 192.168.61.151, and can 192.168.2.71 also reach aaa.bbb.ccc.171?
I will deal with NAT issues for these hosts at a later time. For now I am concerned only with hosts that should not reach or be reached from the public Internet in any case and therefore do not need a public IP or NAT.
I do not know if that is any clearer or not. Basically, I do not wish to start physically segregating the internal LAN into private and public segments using an internal router. I want both address spaces to co-exist on the same switch until the transformation is finalized, and then we will look at whether it makes sense to segregate.
We are talking about dozens of hosts, not thousands. But we do have legacy systems that require devoted multiple virtual IPs on a single interface, so the number of IPs in use is several times the number of hosts.
I hope this question makes my desires clearer and provides sufficient background detail for sensible commentary.
James B. Byrne wrote:
I will deal with NAT issues for these hosts at a later time. For now I am concerned only with hosts that should not reach or be reached from the public Internet in any case and therefore do not need a public IP or NAT.
You can accomplish this much easier by simply using a firewall. I like OpenBSD firewalls in layer 2 bridging mode. Put the firewall in-line between the router and the rest of the network, no other network changes needed.
If you're not well versed in routing I wouldn't recommend going around making a bunch of changes to a system that I assume has been more or less working for more than a decade.
nate
On Mon, Oct 6, 2008 at 1:03 PM, James B. Byrne byrnejb@harte-lyne.ca wrote:
You can do this, no prob, make sure the private IPs terminate at the firewall/proxy with NAT'ing and don't get RIP'd to the edge router beyond.
I would probably only route 1 set of private IP addresses though, pick 192.168.0.0/16 or 10.0.0.0/8, but not both. You can subnet 10.0.0.0 into as many subnets as you want with variable subnetting. Use VLANs on the routers/switches, one VLAN for the public IPs, one for the private IPs, and as hosts are migrated from public to private IPs you will remove them from VLAN A and add them to VLAN B; if you use DHCP it makes things sooo much easier, as all you need to do is change the VLAN assignment.
Here I have a class B allocated from 10.X.X.X for each office site, and separate class Cs for each network within those sites.
Turn subnet auto-summation off too.
If you want more detailed config info email me off-list.
-Ross
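Both replies warn about the same thing: once 192.168.0.0 and 10.0.0.0 are listed under router rip, those prefixes may be advertised to whatever router sits beyond the edge. The script below is an added example, not code from anyone in this thread; it decodes a RIPv2 response (RFC 2453 layout, UDP port 520) and lists any advertised prefix that falls inside RFC 1918 space, which is the check a defender would run over a capture taken on the link toward the edge router. The sample packet is constructed inline, and 203.0.113.0/24 stands in for the poster's aaa.bbb.ccc.0 netblock.

```python
import ipaddress
import struct

# RFC 1918 space: these routes must stop at the firewall/NAT and never be
# advertised by RIP toward the public edge router.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ripv2(packet):
    """Return (command, [(prefix, next_hop, metric), ...]) from a RIPv2 message.

    Layout per RFC 2453: 4-byte header (command, version, 2 unused bytes),
    then 20-byte route entries (AFI, route tag, IP, mask, next hop, metric).
    """
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("malformed RIP message")
    command, version = packet[0], packet[1]
    if version != 2:
        raise ValueError("only RIPv2 is handled")
    routes = []
    for off in range(4, len(packet), 20):
        afi, _tag, ip, mask, nh, metric = struct.unpack(
            "!HH4s4s4sI", packet[off:off + 20])
        if afi == 0xFFFF:          # authentication entry, not a route
            continue
        prefix = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}",
            strict=False)
        routes.append((prefix, ipaddress.IPv4Address(nh), metric))
    return command, routes


def leaked_private_routes(packet):
    """Prefixes in a RIP message that fall inside RFC 1918 space (metric 16 = withdrawn, ignored)."""
    _cmd, routes = parse_ripv2(packet)
    return [str(p) for p, _nh, metric in routes
            if metric < 16 and any(p.subnet_of(priv) for priv in PRIVATE)]


def rip_entry(prefix, metric, next_hop="0.0.0.0"):
    """Build one 20-byte RIPv2 route entry (AFI 2 = IPv4, route tag 0)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed,
                       ipaddress.IPv4Address(next_hop).packed, metric)


# Constructed sample: a RIPv2 response (command 2) carrying the public /24
# plus two private prefixes that should have stayed behind the firewall.
SAMPLE_RESPONSE = (bytes([2, 2, 0, 0])
                   + rip_entry("203.0.113.0/24", 1)
                   + rip_entry("192.168.2.0/24", 1)
                   + rip_entry("10.0.0.0/8", 2))

if __name__ == "__main__":
    print("private prefixes leaking:", leaked_private_routes(SAMPLE_RESPONSE))
```

Feed it the payload of each UDP/520 datagram seen on the edge-facing interface; a non-empty result means the distribute-list or passive-interface setup is not holding the private routes back.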