Solved

CISCO 1712 - Unwanted routing between VLANs

Posted on 2004-09-25
573 Views
Last Modified: 2011-10-03
Hello

I have recently purchased a Cisco 1712 router. It has a 4-port switch for the LAN interface.
I want to establish an internet connection to two VLANs through my test router.
I created two VLANs:
VLAN1 – 10.21.16.0 255.255.248.0 connected to fastethernet1
VLAN2 – 10.21.24.0 255.255.248.0 connected to fastethernet2
Both VLANs can access the internet, but my problem is that both VLANs can see each other.
Would I have to create some additional ACLs?
Where did I go wrong...? I'm new to this kind of config, so please help me with this.

Thank you.
Marko

Here is my running config:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1712
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 secret 5 xxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
no ip source-route
!

ip tcp synwait-time 10
ip name-server xxx.xxx.xxx.xxx
!
!
no crypto isakmp enable
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no cdp enable
!
interface FastEthernet0
 description WAN
 ip address 192.168.0.2 255.255.255.0 (my Internal lan)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1  (this interface is set to vlan 1)
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
!
interface Vlan1
 ip address 10.21.16.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan2
 ip address 10.21.24.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1 (my internal test router)
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
!
!
!
access-list 1 permit 10.21.16.0 0.0.7.255
access-list 2 permit 10.21.24.0 0.0.7.255
no cdp run
!
!
control-plane
!

line con ........




Question by:Miki18
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12152642
> but my problem is that both VLANs can see each other. Would I have to create some additional ACLs?

Of course they can, this is a router after all.
If you want to prevent the two VLANs from talking to each other you will have to use access-lists:


interface FastEthernet1
 ip access-group 101 in
!
interface FastEthernet2
 switchport access vlan 2
 ip access-group 102 in
!
access-list 101 deny ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
!
access-list 102 deny ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
!


0
 
LVL 2

Author Comment

by:Miki18
ID: 12156060
Hello again..

I tried applying ACLs to the fastethernet ports, but there was no change.
I did exactly what you suggested.
Whatever I do I can always ping the other subnet... Except if I turn off routing (no ip routing), but then everything else stops as well.
Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs? Are there some special settings for the 4-port switch adapter in my router (WIC-4ESW)?
My reseller assured me that it is possible to establish up to four separate VLANs, or more if I have a Catalyst switch (which I also have - a 2950), but they didn't know how to help me... :-(
Is there anything else you can suggest?

Best regards.
0
 
LVL 11

Accepted Solution

by: PennGwyn earned 375 total points
ID: 12161667
> Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs?

Yes, I think the ACLs (just as given above) need to be applied to the Vlan1 and Vlan2 interfaces of the router, rather than to the switched physical interfaces.

0
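The placement point made in this answer, and the access-lists lrmoore gave above, can be checked mechanically. The script below is an added example and not code from this thread or from Cisco: it parses an IOS-style config into interface blocks and numbered access-lists, then reports any `ip access-group` that sits on a Layer-2 switchport (where it does not filter routed traffic) and any routed `interface VlanN` whose inbound ACL does not deny the other VLAN's subnet. The sample configs it builds are constructed from the thread's addressing and ACLs; `build_config`, `audit` and the other function names are the example's own.

```python
"""Audit a Cisco IOS config for where inter-VLAN ACLs are applied.

Added example, not from the thread. Traffic between two VLANs is routed
between their SVIs (interface Vlan1 / Vlan2), so an ACL that keeps them
apart belongs there ('ip access-group N in'); on the Layer-2 switchports
(FastEthernet1/2) it does not filter routed traffic, which is why the
first attempt in the thread changed nothing.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

def build_config(acl_on_svi: bool) -> str:
    """Constructed sample modelled on the thread's addressing and ACLs; the
    flag decides whether the ACLs sit on the SVIs or on the switchports."""
    def grp(n, here):
        return f" ip access-group {n} in\n" if here else ""
    return (
        "interface FastEthernet1\n" + grp(101, not acl_on_svi) + " no ip address\n!\n"
        + "interface FastEthernet2\n switchport access vlan 2\n"
        + grp(102, not acl_on_svi) + " no ip address\n!\n"
        + "interface Vlan1\n ip address 10.21.16.1 255.255.248.0\n"
        + grp(101, acl_on_svi) + " ip nat inside\n!\n"
        + "interface Vlan2\n ip address 10.21.24.1 255.255.248.0\n"
        + grp(102, acl_on_svi) + " ip nat inside\n!\n"
        + "access-list 101 deny ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255\n"
        + "access-list 101 permit ip 10.21.16.0 0.0.7.255 any\n"
        + "access-list 102 deny ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255\n"
        + "access-list 102 permit ip 10.21.24.0 0.0.7.255 any\n"
    )

@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network | None = None  # None on a pure Layer-2 port
    acl_in: str | None = None                      # N from 'ip access-group N in'

def parse_config(text: str):
    """Split an IOS config into interface blocks and numbered access-lists."""
    interfaces, acls, current = {}, {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line == "!":                                   # '!' closes a block
            current = None
        elif m := re.match(r"^interface (\S+)", line):
            current = interfaces.setdefault(m[1], Interface(m[1]))
        elif m := re.match(r"^access-list (\S+) (.+)$", line):
            acls.setdefault(m[1], []).append(m[2])
        elif current is not None and line.startswith(" "):
            if m := re.match(r"^ip address (\S+) (\S+)$", line.strip()):
                current.network = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"^ip access-group (\S+) in$", line.strip()):
                current.acl_in = m[1]
    return interfaces, acls

def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard pair -> network (wildcard 0.0.0.0 is one host)."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_acl_rule(rule: str):
    """'permit|deny ip SRC DST', SRC/DST being 'any' or 'addr wildcard', ->
    (action, src_net, dst_net); other rule forms return None."""
    toks = rule.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "ip":
        return None
    nets, i = [], 2
    try:
        while len(nets) < 2:
            step = 1 if toks[i] == "any" else 2
            nets.append(ANY if step == 1 else wildcard_net(toks[i], toks[i + 1]))
            i += step
    except (IndexError, ValueError):
        return None
    return toks[0], nets[0], nets[1]

def acl_action(rules, src, dst) -> str:
    """First-match verdict for all of subnet src talking to all of subnet dst;
    nothing matching falls through to IOS's implicit deny."""
    for rule in rules:
        parsed = parse_acl_rule(rule)
        if parsed and src.subnet_of(parsed[1]) and dst.subnet_of(parsed[2]):
            return parsed[0]
    return "deny"

def audit(config: str) -> list[str]:
    """Return findings; an empty list means every SVI blocks the other VLANs."""
    interfaces, acls = parse_config(config)
    findings = []
    for itf in interfaces.values():
        if itf.acl_in and itf.network is None:
            findings.append(f"{itf.name}: 'ip access-group {itf.acl_in} in' is on a "
                            "Layer-2 switchport and does not filter routed traffic")
        if itf.acl_in and itf.acl_in not in acls:
            findings.append(f"{itf.name}: access-list {itf.acl_in} is not defined")
    svis = [i for i in interfaces.values()
            if i.network is not None and i.name.lower().startswith("vlan")]
    for svi in svis:
        for other in (o for o in svis if o is not svi):
            if svi.acl_in is None:
                findings.append(f"{svi.name}: no inbound ACL, {svi.network} reaches {other.network}")
            elif acl_action(acls.get(svi.acl_in, []), svi.network, other.network) != "deny":
                findings.append(f"{svi.name}: ACL {svi.acl_in} lets {svi.network} reach {other.network}")
    return findings

if __name__ == "__main__":
    for label, flag in (("ACLs on switchports", False), ("ACLs on SVIs", True)):
        print(f"{label}: {audit(build_config(flag)) or 'no findings'}")
```

Run stand-alone it prints four findings for the switchport placement (two misplaced access-groups, two unprotected SVIs) and none once the same ACLs are moved to Vlan1 and Vlan2. The rule matcher only understands the `permit|deny ip SRC DST` forms used in the thread and treats a whole subnet as matched only when the rule covers all of it, which is the conservative reading for an audit.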
 
LVL 2

Author Comment

by:Miki18
ID: 12163009
Thank you PennGwyn

I've already applied the ACLs to my VLANs and it works perfectly now.
I also established a trunk line to my Catalyst 2950 and it works OK on the switch too.
P.S.
Which is more suitable for VTP mode configuration? To have the router configured for VTP server mode and the switch for VTP client mode, or vice versa?
(I established one VTP domain and configured the router as a server and the switch as a client.)

Thank you
0
