I have 2 networks connected on my C836 configured with
ip address 10.140.0.1 255.255.255.0 secondary
ip address 10.139.0.1 255.255.255.0
They both want to share one DSL connection, but they aren't
allowed to see each other. So I set an access-list:
access-list 101 deny ip 10.139.0.0 0.0.0.255 10.140.0.0 0.0.0.255
access-list 101 deny ip 10.140.0.0 0.0.0.255 10.139.0.0 0.0.0.255
access-list 101 permit ip any any
ip access-group 101 in
ip access-group 101 out
All works fine, but now they both are using DHCP with source
of course 0.0.0.0 and dest 255.255.255.255. Now I've added:
access-list 101 deny udp any any eq bootpc
access-list 101 deny udp any any eq bootps
access-list 101 deny udp any eq bootpc any
access-list 101 deny udp any eq bootps any
That also doesn't work. Now I've added the access-lists to the FastEthernet
switch ports (available with 12.3.? release).
With "show ip access-lists" I don't see any matches for FastEthernet, only
Ethernet. I also see dropped packets for DHCP, but the clients vom network
139 gets IP's from 140 DHCP server.
I'm searching for a method, like with Catalysts to block broadcasts on
switchports but can't find anything.
IOS is 12.3.11T.
Any ideas ?