Solved

CISCO 1712 - Unwanted routing betwen VLANs

Posted on 2004-09-25
Last Modified: 2011-10-03
Hello

I have recently purchased a Cisco 1712 router. It has a 4-port switch for the LAN interface.
I want to establish an Internet connection to two VLANs through my test router.
I created two VLANs:
VLAN1 – 10.21.16.0 255.255.248.0 connected to FastEthernet1
VLAN2 – 10.21.24.0 255.255.248.0 connected to FastEthernet2
Both VLANs can access the Internet, but my problem is that both VLANs can see each other.
Would I have to create some additional ACLs?
Where did I go wrong...? I'm new to this kind of config, so please help me with this.

Thank you.
Marko

Here is my running config:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1712
!
boot-start-marker
boot-end-marker
!
!
username cisco privilege 15 secret 5 xxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
no ip source-route
!

ip tcp synwait-time 10
ip name-server xxx.xxx.xxx.xxx
!
!
no crypto isakmp enable
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no cdp enable
!
interface FastEthernet0
 description WAN
 ! (my internal LAN)
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
! (this interface is set to vlan 1)
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
!
interface Vlan1
 ip address 10.21.16.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan2
 ip address 10.21.24.1 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside

!
ip classless
! (192.168.0.1 is my internal test router)
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface FastEthernet0 overload
!
!
!
access-list 1 permit 10.21.16.0 0.0.7.255
access-list 2 permit 10.21.24.0 0.0.7.255
no cdp run
!
!
control-plane
!

line con ........




Question by:Miki18
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12152642
> but my problem is that both VLANs can see each other. Would I have to create some additional ACLs?

Of course they can, this is a router after all.
If you want to prevent the two VLANs from talking to each other you will have to use access-lists.


interface FastEthernet1  
 ip access-group 101 in
 !
interface FastEthernet2
 switchport access vlan 2
 ip access-group 102 in
!
access-list 101 deny ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
!
access-list 102 deny ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
!


0
 
LVL 2

Author Comment

by:Miki18
ID: 12156060
Hello again...

I tried applying ACLs to the FastEthernet ports, but there was no change.
I did exactly what you suggested.
Whatever I do I can always ping the other subnet... except if I turn off routing (no ip routing), but then everything else stops too.
Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs? Are there some special settings for the 4-port switch adapter in my router (WIC-4ESW)?
My reseller assured me that it is possible to establish up to four separate VLANs, or more if I have a Catalyst switch (which I also have, a 2950), but they didn't know how to help me... :-(
Is there anything else you can suggest?

Best regards.
0
 
LVL 11

Accepted Solution

by: PennGwyn (earned 125 total points)
ID: 12161667
> Do I have to apply another ACL to my NAT rule, or maybe apply some ACLs to the VLANs?

Yes, I think the ACLs (just as given above) need to be applied to the Vlan1 and Vlan2 interfaces of the router, rather than the switched physical interfaces.

0
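To see why the two ACLs block inter-VLAN traffic while still letting both subnets reach the Internet, here is a small model of how IOS evaluates a numbered access-list, added as a worked example (it is not from the thread, not Cisco code, and not a substitute for testing on the router). It parses the extended ACLs lrmoore suggested and the two standard NAT lists from the running config, converts wildcard masks to prefixes, and applies first-match-wins with the implicit deny at the end. The ACLs are attached inbound on the Vlan1/Vlan2 SVIs as PennGwyn's answer places them; choosing the ingress SVI from the packet's source subnet is a simplification of this model (a real router uses the port's VLAN), and `ACL_CONFIG`, `SVI_INBOUND` and the sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the ACL lines on this page (lrmoore's 101/102 plus the NAT
# lists 1/2 from the running config); not a capture from a live router.
ACL_CONFIG = """
access-list 1 permit 10.21.16.0 0.0.7.255
access-list 2 permit 10.21.24.0 0.0.7.255
!
access-list 101 deny ip 10.21.16.0 0.0.7.255 10.21.24.0 0.0.7.255
access-list 101 permit ip 10.21.16.0 0.0.7.255 any
!
access-list 102 deny ip 10.21.24.0 0.0.7.255 10.21.16.0 0.0.7.255
access-list 102 permit ip 10.21.24.0 0.0.7.255 any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-control entry: action, protocol keyword, source, destination."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address + wildcard mask (1 bits = don't care) -> network.
    Only contiguous wildcards (the only kind on this page) are supported."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ~wc & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (net, next i).
    A bare address (standard ACL shorthand) implies wildcard 0.0.0.0."""
    if i >= len(tokens) or tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return wildcard_network(tokens[i + 1], "0.0.0.0"), i + 2
    wildcard = tokens[i + 1] if i + 1 < len(tokens) else "0.0.0.0"
    return wildcard_network(tokens[i], wildcard), i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect numbered 'access-list' lines into ordered ACLs keyed by number."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        name, action = tokens[1], tokens[2]
        number = int(name) if name.isdigit() else -1
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            # Standard ACL: source only, no protocol keyword.
            proto, dst = "ip", ANY
            src, _ = _parse_addr(tokens, 3)
        else:
            # Extended ACL: protocol, then source, then destination.
            proto = tokens[3]
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "ip") -> Tuple[str, int]:
    """First match wins; returns (action, 1-based ACE number) or ('deny', 0)
    for the implicit deny that ends every IOS access-list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", 0


# Assumed placement: ACL applied inbound on each SVI, per the accepted answer.
SVI_INBOUND = {
    ipaddress.IPv4Network("10.21.16.0/21"): "101",  # interface Vlan1
    ipaddress.IPv4Network("10.21.24.0/21"): "102",  # interface Vlan2
}


def forward(acls: Dict[str, List[Ace]], src: str, dst: str) -> Tuple[str, int]:
    """Pick the ingress SVI from the source subnet (simplification) and apply
    that SVI's inbound ACL to the packet."""
    s = ipaddress.IPv4Address(src)
    for net, acl_name in SVI_INBOUND.items():
        if s in net:
            return evaluate(acls[acl_name], src, dst)
    return "no-svi", 0


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    # Constructed flows: VLAN1->VLAN2, VLAN1->Internet, VLAN2->router's Vlan1 address.
    for src, dst in [("10.21.16.10", "10.21.24.10"),
                     ("10.21.16.10", "198.51.100.7"),
                     ("10.21.24.10", "10.21.16.1")]:
        print(f"{src:>12} -> {dst:<14} {forward(acls, src, dst)}")
```

The second ACE in each list is what keeps Internet access working; an ACL that only contained the deny line would drop everything because of the implicit deny, which is the usual mistake when first adding inter-VLAN filters. Note that the deny line also blocks hosts in one VLAN from reaching the router's own SVI address in the other VLAN, which is harmless here but worth knowing when troubleshooting with ping.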
 
LVL 2

Author Comment

by:Miki18
ID: 12163009
Thank you PennGwyn

I've already applied the ACLs to my VLANs and it works perfectly now.
I also established a trunk line to my Catalyst 2950 and it works OK on the switch too.
P.S.
Which is more suitable for the VTP mode configuration? To have the router configured in VTP server mode and the switch in VTP client mode, or vice versa?
(I established one VTP domain and configured the router as a server and the switch as a client.)

Thank you
0
