Solved

CISCO 1712 - Unwanted routing between VLANs

Posted on 2004-09-25
Last Modified: 2011-10-03
Hello

I have recently purchased a Cisco 1712 router. It has a 4-port switch for the LAN interface.
I want to establish an internet connection to two VLANs through my test router.
I created two VLANs:
VLAN1 – 10.21.16.0 255.255.248.0 connected to FastEthernet1
VLAN2 – 10.21.24.0 255.255.248.0 connected to FastEthernet2
Both VLANs can access the internet, but my problem is that both VLANs can see each other.
Would I have to create some additional ACLs?
Where did I go wrong...? I'm new to this kind of config, so please help me with this.

Thank you.
Marko

Here is my running config:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1712
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 secret 5 xxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
no ip source-route
!

ip tcp synwait-time 10
ip name-server xxx.xxx.xxx.xxx
!
!
no crypto isakmp enable
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no cdp enable
!
interface FastEthernet0
 description WAN
 ! my internal LAN
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 ! this interface is set to vlan 1
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
!
interface Vlan1
 ip address 10.21.16.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan2
 ip address 10.21.24.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

!
ip classless
! next hop is my internal test router
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
!
!
!
access-list 1 permit 10.21.16.0 0.0.7.255
access-list 2 permit 10.21.24.0 0.0.7.255
no cdp run
!
!
control-plane
!

line con ........




Question by:Miki18
LVL 79

Expert Comment

by:lrmoore
ID: 12152642
> but my problem is that both VLANs can see each other. Would I have to create some additional ACLs?

Of course they can; this is a router, after all.
If you want to prevent the two VLANs from talking to each other, you will have to use access-lists:


interface FastEthernet1
 ip access-group 101 in
!
interface FastEthernet2
 switchport access vlan 2
 ip access-group 102 in
!
access-list 101 deny ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
!
access-list 102 deny ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
!


LVL 2

Author Comment

by:Miki18
ID: 12156060
Hello again..

I tried applying the ACLs to the FastEthernet ports, but there was no change.
I did exactly what you suggested.
Whatever I do, I can always ping the other subnet... except if I turn off routing (no ip routing), but then everything else stops as well.
Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs? Are there any special settings for the 4-port switch adapter in my router (WIC-4ESW)?
My reseller assured me that it is possible to establish up to four separate VLANs, or more if I have a Catalyst switch (which I also have, a 2950), but they didn't know how to help me... :-(
Is there anything else you can suggest?

Best regards.
LVL 11

Accepted Solution

by:PennGwyn (earned 125 total points)
ID: 12161667
> Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs?

Yes, I think the ACLs (just as given above) need to be applied to the Vlan1 and Vlan2 interfaces of the router, rather than to the switched physical interfaces.

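The accepted answer applied to the question's config, as an added example that is not from the thread: the ACLs from lrmoore's comment are bound to the routed Vlan1/Vlan2 interfaces instead of the WIC-4ESW switch ports, which are Layer 2 ports and never filter the routed traffic. The "log" keyword on the deny entries and the verification commands are additions for visibility; addresses and list numbers are those already on the page.

```cisco
! Added example (not from the thread): lrmoore's ACLs moved to the SVIs,
! as PennGwyn's answer suggests. Addresses/ACL numbers are from the question.
!
! Remove the attempted bindings on the Layer 2 switch ports (they have no
! effect on routed traffic, which is why the author saw no change)
interface FastEthernet1
 no ip access-group 101 in
!
interface FastEthernet2
 no ip access-group 102 in
!
! Bind the ACLs inbound on the SVIs: the router evaluates them on every
! IP packet arriving from that VLAN, before the routing decision
interface Vlan1
 ip access-group 101 in
!
interface Vlan2
 ip access-group 102 in
!
! "log" is an addition: each blocked cross-VLAN packet is reported via
! syslog (IOS rate-limits these messages). The trailing permit only allows
! the VLAN's own source range, so a host using a spoofed source address
! from another subnet is dropped by the implicit deny at the end of the list.
access-list 101 deny   ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255 log
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
access-list 102 deny   ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255 log
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
!
! Verification from enable mode (commands only; output not reproduced here):
!   show ip interface Vlan1    - shows which access list is bound inbound
!   show ip interface Vlan2
!   show access-lists 101      - per-entry match counters; the deny entry
!                                increments when a VLAN1 host pings 10.21.24.x
```

Internet access is unaffected because the NAT lists 1 and 2 are untouched and the "permit ... any" entries still match traffic toward 192.168.0.0/24 and beyond.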
LVL 2

Author Comment

by:Miki18
ID: 12163009
Thank you PennGwyn

I've already applied the ACLs to my VLANs and it works perfectly now.
I also established a trunk line to my Catalyst 2950 and it works OK on the switch too.
P.S.
Which is more suitable for the VTP mode configuration: having the router configured in VTP server mode and the switch in VTP client mode, or vice versa?
(I established one VTP domain and configured the router as the server and the switch as the client.)

Thank you