Block traffic between vlans but allow return traffic

omsmet
Level 1

Recently I bought a Cisco ISR 1921 to experiment a little with and eventually use as a home router. I am completely new to configuring Cisco routers so I thought this would be a good opportunity to learn (as I come from a pfSense environment).

What I am trying to achieve is as follows:

I have 4 vlans, that are all configured as subinterfaces of my gigabitethernet0/1:

VLAN 10: 10.10.1.0/24

VLAN 20: 10.20.1.0/24

VLAN 30: 10.30.1.0/24

VLAN 40: 10.40.1.0/24

VLAN 10 should be able to access all other vlans + the internet

All other vlans should not be able to access any other vlan but itself and the internet

To allow for access to the internet, I have created a nat overload to the gigabitethernet0/0, which is working fine.

At present, all vlans can access each other, which is not desirable.

I have tried to limit the access between vlans using information that I found on forums, such as this post, but a problem that I run into every time is that from VLAN 10, I cannot access the other vlans (the other vlans cannot access each other or vlan 10, so that is working).

I get the impression that my router is blocking return traffic, so for instance the response to a request from a VLAN 10 client to a VLAN 20 server is blocked. I know that you can fix this for TCP by using a rule with the "established" keyword, but for instance ICMP requests are also not working.

I have read that you can use reflexive acls to circumvent this issue, but I am unsure how to configure these, so I would like to know if these are actually a solution to my problem, and if so, how I should configure them.

Maybe it is also good to note that in the future, I would like to allow very specific machines to be allowed to communicate with each other, so for instance, a spam filter on vlan 30 should be able to reach a mail server on vlan 20.

I hope that someone can help me with this issue.

Thank you very much in advance for your efforts!

Accepted Solution

Seb Rupik
VIP Alumni

Hi there,

The established keyword is only applicable for TCP ACLs, that is why your ICMP traffic is being blocked.

If you want VLAN10 to access the others, then the other VLANs must be able to access VLAN10.

If you want only VLAN10 to be able to initiate connections to the other VLANs, then you need to introduce a device which can monitor connection state, like a firewall.

Your ISR should support Zone Based Firewall configuration, which, while more complicated than ACLs (if you're familiar with Juniper SRXs you'll be OK), lets you monitor connection state through the use of inspect statements. This will allow connections from the VLAN10 'zone' to the 'other' VLANs zone but not vice versa.

cheers,

Seb.

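As an added illustration of the zone-based approach Seb describes, here is an example IOS configuration written for this page (it is not Seb's, the original poster's, or Cisco's own config). It assumes the sub-interfaces are numbered after their VLAN IDs (GigabitEthernet0/1.10 and so on), that `ip nat inside` / `ip nat outside` and the overload rule are already in place on the interfaces, and that the spam-filter and mail-server addresses in the last section are placeholders. It goes slightly beyond Seb's sketch of a single 'other' zone: because ZBF permits traffic between interfaces in the same zone by default, putting VLAN 20, 30 and 40 in one zone would still let them reach each other, so each VLAN gets its own zone and only the zone-pairs that should exist are created. On an ISR G2 such as the 1921 the zone-based firewall feature requires the securityk9 technology package to be licensed.

```cisco
! --- Zones: one per VLAN so the "other" VLANs cannot reach each other either ---
zone security VLAN10
zone security VLAN20
zone security VLAN30
zone security VLAN40
zone security OUTSIDE
!
! --- Interface membership (sub-interface numbers assumed to match the VLAN IDs) ---
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1.10
 zone-member security VLAN10
!
interface GigabitEthernet0/1.20
 zone-member security VLAN20
!
interface GigabitEthernet0/1.30
 zone-member security VLAN30
!
interface GigabitEthernet0/1.40
 zone-member security VLAN40
!
! --- Traffic that gets stateful inspection: TCP, UDP and ICMP, so echo replies
!     and UDP answers return through the session table instead of needing a rule ---
class-map type inspect match-any CM-INSPECT-ALL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSPECT
 class type inspect CM-INSPECT-ALL
  inspect
 class class-default
  drop log
!
! --- VLAN10 may initiate to every other VLAN. No reverse zone-pair is defined,
!     so VLAN20/30/40 cannot initiate toward VLAN10 (ZBF drops inter-zone traffic
!     that has no zone-pair); their replies match the inspection session ---
zone-pair security VLAN10-TO-VLAN20 source VLAN10 destination VLAN20
 service-policy type inspect PM-INSPECT
zone-pair security VLAN10-TO-VLAN30 source VLAN10 destination VLAN30
 service-policy type inspect PM-INSPECT
zone-pair security VLAN10-TO-VLAN40 source VLAN10 destination VLAN40
 service-policy type inspect PM-INSPECT
!
! --- Every VLAN may initiate to the Internet; the existing NAT overload on Gi0/0
!     is unchanged, inspection and NAT work together ---
zone-pair security VLAN10-TO-OUTSIDE source VLAN10 destination OUTSIDE
 service-policy type inspect PM-INSPECT
zone-pair security VLAN20-TO-OUTSIDE source VLAN20 destination OUTSIDE
 service-policy type inspect PM-INSPECT
zone-pair security VLAN30-TO-OUTSIDE source VLAN30 destination OUTSIDE
 service-policy type inspect PM-INSPECT
zone-pair security VLAN40-TO-OUTSIDE source VLAN40 destination OUTSIDE
 service-policy type inspect PM-INSPECT
!
! --- Host-specific exception for the later requirement: a spam filter on VLAN30
!     reaching a mail server on VLAN20, SMTP only. Both host addresses are
!     placeholders chosen for this example. ---
ip access-list extended ACL-SPAMFILTER-TO-MAIL
 permit tcp host 10.30.1.25 host 10.20.1.25 eq smtp
!
class-map type inspect match-all CM-SPAMFILTER-TO-MAIL
 match access-group name ACL-SPAMFILTER-TO-MAIL
 match protocol smtp
!
policy-map type inspect PM-VLAN30-TO-VLAN20
 class type inspect CM-SPAMFILTER-TO-MAIL
  inspect
 class class-default
  drop log
!
zone-pair security VLAN30-TO-VLAN20 source VLAN30 destination VLAN20
 service-policy type inspect PM-VLAN30-TO-VLAN20
```

To check that the policy behaves as intended, `show zone-pair security` lists which pairs exist (there should be none with a VLAN20/30/40 source and a VLAN10 destination), and `show policy-map type inspect zone-pair sessions` shows the live sessions, so a ping or TCP connection from a VLAN 10 host should appear there while the same attempt in the reverse direction produces a drop-log entry and no session. Traffic to and from the router itself (the implicit `self` zone) is not affected by these zone-pairs unless a policy is written for it, so DHCP or DNS served by the router keeps working.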

Dear Seb,

Thank you very much for your quick response.
I've been testing some Zone Based Firewall configurations and these are definitely the solution to my problem!

Thanks for your help!
Olivier
