
2 Networks with Cisco 836: DHCP problem

Hi,

I have 2 networks connected on my C836 configured with

interface Ethernet0
 ip address 10.140.0.1 255.255.255.0 secondary
 ip address 10.139.0.1 255.255.255.0

They both want to share one DSL connection, but they aren't
allowed to see each other. So I set an access-list:

access-list 101 deny   ip 10.139.0.0 0.0.0.255 10.140.0.0 0.0.0.255
access-list 101 deny   ip 10.140.0.0 0.0.0.255 10.139.0.0 0.0.0.255
access-list 101 permit ip any any

and:
interface Ethernet0
 ip access-group 101 in
 ip access-group 101 out

All works fine, but now they both are using DHCP with, of course, a source
of 0.0.0.0 and a destination of 255.255.255.255. Now I've added:

access-list 101 deny   udp any any eq bootpc
access-list 101 deny   udp any any eq bootps
access-list 101 deny   udp any eq bootpc any
access-list 101 deny   udp any eq bootps any

That also doesn't work. Now I've added the access-lists to the FastEthernet
switch ports (available with 12.3.? release).
With "show ip access-lists" I don't see any matches for FastEthernet, only
Ethernet. I also see dropped packets for DHCP, but the clients from network
139 get IPs from the 140 DHCP server.
I'm searching for a method, like the one on Catalysts, to block broadcasts on
switch ports, but can't find anything.
IOS is 12.3.11T.

Any ideas?

Thx
Asked by: ok-disaster

1 Solution
lrmoore commented:
You can't prevent broadcasts when using secondary IP addressing on the same interface.

You might try using the DMZ feature of the 836 and put the 2nd network on the DMZ instead.
--------------------------------------------------------------
Cisco 831, Cisco 836, and Cisco 837-All feature sets.

DMZ provides an additional Ethernet interface, Ethernet 2, that, when enabled, has the Fast Ethernet 4 port on the LAN side switch as its physical representation. This interface acts as an additional LAN or WAN side interface on Layers 2 and 3 and allows for an additional DMZ leg that can be used for several different purposes. For example, this may include a separate LAN network where traffic to and from the other interfaces can be controlled by access control lists. The behavior of the Cisco IOS firewall is the same as other Ethernet Interfaces. Any state of the switch port is reflected on the Ethernet 2 port once it is put in a "no shut" state.
------------------------------------------------------------------
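The split that the answer recommends, written out as an added configuration example (it is not from the original post and not Cisco's own documentation). The interface name Ethernet2 and its mapping to switch port FastEthernet 4 are taken from the quoted release note; the ACL numbers 102 and 103 are arbitrary choices, and the exact DMZ enabling steps may differ between IOS releases:

```cisco
! Added example: the two LANs on separate interfaces instead of secondary
! addressing.  Interface names follow the quoted note (Ethernet2 is the
! DMZ leg backed by FastEthernet 4); ACL numbers 102/103 are arbitrary.
!
! Network 139 stays on Ethernet0 (the remaining switch ports).  The
! secondary address is removed so 10.140.0.0/24 no longer shares this
! broadcast domain.
interface Ethernet0
 ip address 10.139.0.1 255.255.255.0
 no ip address 10.140.0.1 255.255.255.0 secondary
 ip access-group 102 in
!
! Network 140 moves to the DMZ leg; its hosts and its DHCP server plug
! into FastEthernet 4.
interface Ethernet2
 ip address 10.140.0.1 255.255.255.0
 ip access-group 103 in
 no shutdown
!
! Inbound filters only: a packet from 139 to 140 enters on Ethernet0, so
! ACL 102 is enough to stop it there; ACL 103 does the same for the
! reverse direction.  Traffic towards the DSL side ("any") stays permitted.
access-list 102 deny   ip 10.139.0.0 0.0.0.255 10.140.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny   ip 10.140.0.0 0.0.0.255 10.139.0.0 0.0.0.255
access-list 103 permit ip any any
!
! No bootpc/bootps entries are needed any more: a DHCP DISCOVER sent to
! 255.255.255.255 is a link-local broadcast.  The router does not forward
! it from Ethernet0 to Ethernet2 (or back) unless an "ip helper-address"
! is configured on the receiving interface, so each segment only ever
! sees its own DHCP server.
```

After the change, "show ip access-lists" should show the counters on 102 and 103 incrementing for routed cross-subnet attempts, and "show ip interface brief" should list Ethernet2 as up with 10.140.0.1. The broadcast isolation comes from the separate interface, not from the ACL; the ACL only controls the unicast traffic the router actually routes between the two legs.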
ok-disaster (Author) commented:
I already found that feature on cisco.com, but I'm using 12.3.11T. I'll change the IOS to XR and try it.
Thx
