  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 575

CISCO 1712 - Unwanted routing between VLANs

Hello

I have recently purchased a Cisco 1712 router. It has a 4-port switch for the LAN interface.
I want to establish an internet connection to two VLANs through my test router.
I created two VLANs:
VLAN1 – 10.21.16.0 255.255.248.0 connected to fastethernet1
VLAN2 – 10.21.24.0 255.255.248.0 connected to fastethernet2
Both VLANs can access the internet, but my problem is that both VLANs can see each other.
Would I have to create some additional ACLs?
Where did I go wrong...? I'm new to this kind of config, so please help me with this.

Thank you.
Marko

Here is my running config:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1712
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 secret 5 xxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
no ip source-route
!

ip tcp synwait-time 10
ip name-server xxx.xxx.xxx.xxx
!
!
no crypto isakmp enable
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no cdp enable
!
interface FastEthernet0
 description WAN
 ! 192.168.0.0/24 is my internal LAN (towards the test router)
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 ! this port is in VLAN 1 (the default, so no "switchport access vlan" line is shown)
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
!
interface Vlan1
 ip address 10.21.16.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan2
 ip address 10.21.24.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

!
ip classless
! default route via my internal test router
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
!
!
!
access-list 1 permit 10.21.16.0 0.0.7.255
access-list 2 permit 10.21.24.0 0.0.7.255
no cdp run
!
!
control-plane
!

line con ........




Asked by Miki18

1 Solution
lrmoore commented:
> but my problem is that both VLANs can see each other. Would I have to create some additional ACLs?

Of course they can, this is a router after all.
If you want to prevent the two VLANs from talking to each other you will have to use access-lists:


interface FastEthernet1  
 ip access-group 101 in
 !
interface FastEthernet2
 switchport access vlan 2
 ip access-group 102 in
!
access-list 101 deny ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
!
access-list 102 deny ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
!


Miki18 (author) commented:
Hello again..

I tried applying the ACLs to the FastEthernet ports, but there was no change.
I did exactly what you suggested.
Whatever I do I can always ping the other subnet... except if I turn off routing (no ip routing), but then everything else stops as well.
Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs? Are there some special settings for the 4-port switch adapter in my router (WIC-4ESW)?
My reseller assured me that it is possible to establish up to four separate VLANs, or more if I have a Catalyst switch (which I also have - a 2950), but they didn't know how to help me... :-(
Is there anything else you can suggest?

Best regards.
PennGwyn commented:
> Do I have to apply another ACL to my NAT rule, or maby apply some ACLs to VLANs?

Yes, I think the ACLs (just as given above) need to be applied to the Vlan1 and Vlan2 interfaces of the router, rather than the switched physical interfaces.

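Putting the two answers together, here is the configuration that ends up working in this thread, written out as an added example (this is not config posted by lrmoore, PennGwyn or the asker): lrmoore's access-lists 101 and 102, bound inbound on the Vlan1 and Vlan2 SVIs as PennGwyn suggests rather than on the WIC-4ESW ports. The four ports on that module switch at layer 2; the routing decision between the two subnets is made on the SVIs, so that is the only place a filter can catch the traffic, which matches what the asker observed. Subnets, interface names and ACL numbers follow the posted running config; the `remark`/`log` keywords and the `show` commands used to verify the result are standard IOS and are my additions.

```ios
! Added example: block routing between VLAN1 and VLAN2 while leaving
! both subnets' path to the internet (NAT on FastEthernet0) untouched.
! Subnets, interface and ACL numbers are those of the posted config.
!
! Each ACL is evaluated inbound on the SVI, i.e. on packets arriving
! from hosts in that VLAN, before the router decides where to send them.
! Order matters: the deny for the other VLAN must come before the permit.
! The permit matches only the VLAN's own prefix as source, so a packet
! with a spoofed source address falls through to the implicit "deny any"
! that ends every IOS access-list.
access-list 101 remark VLAN1 hosts: no access to VLAN2, anything else allowed
access-list 101 deny   ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255 log
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
!
access-list 102 remark VLAN2 hosts: no access to VLAN1, anything else allowed
access-list 102 deny   ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255 log
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
!
! Bind the filters on the routed (SVI) interfaces, not on FastEthernet1/2.
! (Remove any "ip access-group" left on FastEthernet1/2 from the first
! attempt; it does nothing there.)
interface Vlan1
 ip access-group 101 in
!
interface Vlan2
 ip access-group 102 in
!
! The NAT lists are separate standard ACLs and are not affected:
!   ip nat inside source list 1 interface FastEthernet0 overload
!   ip nat inside source list 2 interface FastEthernet0 overload
!
! Verification, from enable mode:
!   show ip interface Vlan1 | include access list
!     -> must report access list 101 as the inbound list
!   show ip interface Vlan2 | include access list
!     -> must report access list 102 as the inbound list
!   ping 10.21.24.1 from a VLAN1 host -> now fails, while a ping to an
!   internet address still succeeds through NAT
!   show ip access-lists 101
!     -> the match counter on the deny line increases with each attempt
!        (and, because of "log", each match is reported to the console/syslog)
end
```

Once the counters confirm the filter is doing its job, drop the `log` keyword again: logged ACL matches are punted for logging and cost CPU on a router this small. Note that the deny also covers the router's own Vlan2 address (10.21.24.1) for VLAN1 hosts, and vice versa, which is what you want if the two segments are meant to be fully separated.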
Miki18 (author) commented:
Thank you PennGwyn

I've already applied the ACLs to my VLANs and it works perfectly now.
I also established a trunk line to my Catalyst 2950 and it works OK on the switch too.
P.S.
Which is more suitable for the VTP mode configuration? To have the router configured for VTP server mode and the switch for VTP client mode, or vice versa?
(I established one VTP domain and configured the router as a server and the switch as a client)

Thank you
