02-11-2012 03:15 AM - edited 03-11-2019 03:28 PM
Hi,
I'm new to configuring Cisco routers and switches, but I've been able to get a Cisco 861 router working with 2 VLANs.
My only problem is separating the 2 VLANs so they cannot reach each other. I banged my head on getting these access lists to work, but the only thing I've been able to achieve is not receiving a DHCP address at all; in everything else I've tried, both VLANs were always able to ping each other.
I'm very confused about how to configure these access-lists (with the in and out, and after all I've tried it's also beginning to confuse me regarding the source and destination IP).
Some info:
Router = Cisco 861
FastEthernet 0 / 1 / 2 / 3 are configured in trunk mode (to switch)
I have 4 switches where VLANs work (ports 1 & 2 are VLAN1, all other ports are VLAN10)
Switch info is :
1 x Cisco SF-200 48 port
3 x Cisco SF-300 24 port
What I want to achieve is:
- Both VLANs receive their IP by DHCP from the router (so they still need to be able to receive DHCP)
- VLAN1 needs to be able to connect only to 2 IPs on VLAN10 (192.168.1.200 and 192.168.1.201)
- VLAN10 may not reach anything on VLAN1
Can someone help me with this? It's not much, but I can't find how to do this.
The access-lists in the router config atm are totally wrong, but they were there to test what they did.
Thx in advance :-)
My router config :
Router#show run
Building configuration...
Current configuration : 2815 bytes
!
! Last configuration change at 15:11:46 UTC Wed Jan 4 2006
! NVRAM config last updated at 14:01:07 UTC Wed Jan 4 2006
! NVRAM config last updated at 14:01:07 UTC Wed Jan 4 2006
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$B2a.$abguCFXGb79.CGszFLQZf0
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1719798455
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1719798455
revocation-check none
rsakeypair TP-self-signed-1719798455
!
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.200 192.168.1.254
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool vlan10
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 195.130.130.1 195.130.130.129
!
ip dhcp pool vlan 1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 195.130.130.1 195.130.130.129
!
!
!
ip name-server 195.130.130.129
ip name-server 195.130.130.1
ip name-server 195.130.131.4
no ip cef
!
!
license udi pid CISCO861-K9 sn FCZ160390WV
!
!
username ben privilege 15 secret 5 $1$DLkn$/cLYXwLSOiLSl5O/hH0Jw0
username ben2 privilege 15 password 0 xxxxxxx
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport mode trunk
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip access-group 110 out
ip nat inside
ip nat enable
ip virtual-reassembly in
no ip route-cache
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip nat enable
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.40.1 254
!
ip access-list standard vlan1
deny 192.168.1.0 0.0.0.255
ip access-list standard vlan10
deny 192.168.2.0 0.0.0.255
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip host 192.168.2.2 host 192.168.1.1
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password xxxxxxx
login
transport input all
!
end
02-12-2012 05:42 PM
Hello Ben,
Great to know that you could solve it, please mark the question as answered so future users can learn from your post.
Regards,
Julio
02-11-2012 09:03 AM
Hello Ben,
To accomplish this you will need a stateful firewall (like ZBFW) or reflexive ACLs.
I would help you with the reflexive ACL:
ip access-list extended test
! VLAN1 may start sessions to the two hosts; 'reflect' is only accepted on permit entries
permit ip 192.168.2.0 0.0.0.255 host 192.168.1.200 reflect TEST
permit ip 192.168.2.0 0.0.0.255 host 192.168.1.201 reflect TEST
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! DHCP and Internet traffic from VLAN1 stays allowed and is tracked as well
permit ip any any reflect TEST
!
ip access-list extended Vlan10
! the evaluate has to sit in the ACL that sees the return traffic, i.e. inbound on
! Vlan10, and above the deny, otherwise replies from .200/.201 are dropped
evaluate TEST
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
!
interface vlan 1
ip access-group test in
!
interface vlan10
ip access-group Vlan10 in
Please give it a try with that and let me know
02-12-2012 01:42 PM
Hi, I was able to fix this without the reflexive ACLs.
I did it like this:
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip access-group inbound in
ip nat inside
ip nat enable
ip virtual-reassembly in
no ip route-cache
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip access-group inbound10 in
ip nat inside
ip nat enable
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.40.1 254
!
ip access-list extended inbound
! VLAN1 may reach only host 192.168.1.5 on VLAN10; DHCP and Internet traffic fall through to the permit
permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended inbound10
! replies from 192.168.1.5 back to VLAN1 are allowed; every other VLAN10 host is blocked from VLAN1
permit ip host 192.168.1.5 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
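As an added illustration that is not part of the thread, a small first-match ACL evaluator in Python that runs the original post's ACL 101 and the working inbound/inbound10 lists from the post above against constructed sample flows; the client, server and Internet addresses in those flows are assumed sample values, not taken from the page.

```python
import ipaddress

def ace(action, src, dst):
    """One access-list entry in CIDR form: 'host X' is X/32, the wildcard
    0.0.0.255 is /24 and 'any' is 0.0.0.0/0 (wildcard bits are inverted)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def evaluate(acl, src, dst):
    """First-match evaluation, ending in Cisco's implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"  # implicit deny: why ACL 101 also blocked DHCP on VLAN10

# ACL 101 from the first post, applied 'in' on Vlan10: every entry names a
# 192.168.2.0/24 source, so nothing a VLAN10 host sends can ever match it.
ACL_101 = [ace("permit", "192.168.2.0/24", "192.168.1.0/24"),
           ace("deny", "192.168.2.2/32", "192.168.1.1/32")]

# The working ACLs from the follow-up post: 'inbound' in on Vlan1 and
# 'inbound10' in on Vlan10, each ending in an explicit permit ip any any.
INBOUND = [ace("permit", "192.168.2.0/24", "192.168.1.5/32"),
           ace("deny", "192.168.2.0/24", "192.168.1.0/24"),
           ace("permit", "0.0.0.0/0", "0.0.0.0/0")]
INBOUND10 = [ace("permit", "192.168.1.5/32", "192.168.2.0/24"),
             ace("deny", "192.168.1.0/24", "192.168.2.0/24"),
             ace("permit", "0.0.0.0/0", "0.0.0.0/0")]

# Constructed sample flows (src, dst) as they arrive inbound on each SVI;
# 203.0.113.10 is an assumed stand-in for an Internet host.
VLAN10_FLOWS = {"dhcp_discover": ("0.0.0.0", "255.255.255.255"),
                "host_to_vlan1": ("192.168.1.50", "192.168.2.20"),
                "server_to_vlan1": ("192.168.1.5", "192.168.2.20"),
                "to_internet": ("192.168.1.50", "203.0.113.10")}
VLAN1_FLOWS = {"to_server": ("192.168.2.20", "192.168.1.5"),
               "to_other_vlan10_host": ("192.168.2.20", "192.168.1.50"),
               "to_internet": ("192.168.2.20", "203.0.113.10")}

def decisions(acl, flows):
    """Map each sample flow name to the ACL's 'permit' or 'deny' verdict."""
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for label, acl, flows in (("ACL 101 in on Vlan10", ACL_101, VLAN10_FLOWS),
                              ("inbound10 in on Vlan10", INBOUND10, VLAN10_FLOWS),
                              ("inbound in on Vlan1", INBOUND, VLAN1_FLOWS)):
        print(f"{label}: {decisions(acl, flows)}")
```

Because these ACLs are stateless, the permit entry for 192.168.1.5 in inbound10 accepts both its replies to VLAN1 and any connection it starts toward VLAN1; the reflexive ACL suggested earlier in the thread is what tells those two apart.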