2 Networks with Cisco 836: DHCP problem

Hi,

I have 2 networks connected on my C836 configured with

interface Ethernet0
 ip address 10.140.0.1 255.255.255.0 secondary
 ip address 10.139.0.1 255.255.255.0

They both want to share one DSL connection, but they aren't
allowed to see each other. So I set an access-list:

access-list 101 deny   ip 10.139.0.0 0.0.0.255 10.140.0.0 0.0.0.255
access-list 101 deny   ip 10.140.0.0 0.0.0.255 10.139.0.0 0.0.0.255
access-list 101 permit ip any any

and:
interface Ethernet0
 ip access-group 101 in
 ip access-group 101 out

All works fine, but now they both are using DHCP with source
of course 0.0.0.0 and dest 255.255.255.255. Now I've added:

access-list 101 deny   udp any any eq bootpc
access-list 101 deny   udp any any eq bootps
access-list 101 deny   udp any eq bootpc any
access-list 101 deny   udp any eq bootps any

That also doesn't work. Now I've added the access-lists to the FastEthernet
switch ports (available with 12.3.? release).
With "show ip access-lists" I don't see any matches for FastEthernet, only
Ethernet. I also see dropped packets for DHCP, but the clients from network
139 get IPs from the 140 DHCP server.
I'm searching for a method, like with Catalysts to block broadcasts on
switchports but can't find anything.
IOS is 12.3.11T.

Any ideas ?

Thx
ok-disaster asked:

lrmoore commented:
You can't prevent broadcasts when using secondary IP addressing on the same interface.

You might try using the DMZ feature of the 836 and put the 2nd network on the DMZ instead.
--------------------------------------------------------------
Cisco 831, Cisco 836, and Cisco 837-All feature sets.

DMZ provides an additional Ethernet interface, Ethernet 2, that, when enabled, has the Fast Ethernet 4 port on the LAN side switch as its physical representation. This interface acts as an additional LAN or WAN side interface on Layers 2 and 3 and allows for an additional DMZ leg that can be used for several different purposes. For example, this may include a separate LAN network where traffic to and from the other interfaces can be controlled by access control lists. The behavior of the Cisco IOS firewall is the same as other Ethernet Interfaces. Any state of the switch port is reflected on the Ethernet 2 port once it is put in a "no shut" state.
------------------------------------------------------------------
 
0
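The separation suggested in the answer above, written out as an added example (not part of the original thread and not Cisco's own configuration). It assumes an IOS release on the 836 that exposes the DMZ interface Ethernet2; the ACL numbers 110 and 111 are chosen here for illustration.

```cisco
! Added example. Assumes the DMZ feature is available so that Ethernet2
! exists. ACL numbers 110 and 111 are arbitrary choices for this sketch.
!
! Before (from the question): both subnets share one broadcast domain.
! A DHCP broadcast from either network reaches both DHCP servers at
! Layer 2 on the built-in switch and is never routed, so an ACL on
! Ethernet0 cannot stop it.
!   interface Ethernet0
!    ip address 10.140.0.1 255.255.255.0 secondary
!    ip address 10.139.0.1 255.255.255.0
!    ip access-group 101 in
!    ip access-group 101 out
!
! After: one subnet per routed interface. Broadcasts stay on their own
! interface because a router does not forward them unless an
! "ip helper-address" is configured (none is configured here).
!
! Network 139 may not reach network 140.
access-list 110 deny   ip 10.139.0.0 0.0.0.255 10.140.0.0 0.0.0.255
access-list 110 permit ip any any
!
! Network 140 may not reach network 139.
access-list 111 deny   ip 10.140.0.0 0.0.0.255 10.139.0.0 0.0.0.255
access-list 111 permit ip any any
!
interface Ethernet0
 no ip address 10.140.0.1 255.255.255.0 secondary
 ip address 10.139.0.1 255.255.255.0
 no ip access-group 101 in
 no ip access-group 101 out
 ip access-group 110 in
!
! Ethernet2 is the DMZ interface; its physical port is Fast Ethernet 4,
! so the hosts and DHCP server of network 140 must be cabled to that port.
interface Ethernet2
 ip address 10.140.0.1 255.255.255.0
 ip access-group 111 in
 no shutdown
!
! Assumption: if Ethernet0 carries "ip nat inside" for the shared DSL
! connection, Ethernet2 needs the same statement for network 140.
```

After the change, `show ip access-lists` should show matches on 110 and 111 only for routed traffic between the two subnets, and each network's clients should receive leases only from their own DHCP server.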
ok-disaster (author) commented:
Already found that feature at cisco.com but I'm using 12.3.11T. I'll change the IOS to XR and try it.
Thx
Question has a verified solution.