10-09-2018 12:18 PM - edited 03-05-2019 10:58 AM
Hello.
Which configuration fragment is responsible for routing between the networks 192.168.200.0/24 and 172.16.0.0/24? Is it about ACLs?
!
no ip source-route
ip cef
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address (public address and mask 1)
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description network 2
 encapsulation dot1Q 150
 ip address (public address and mask 2)
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet0/1.2
 description network 3
 encapsulation dot1Q 151
 ip address (public address and mask 3)
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet0/1.3
 description lan1
 encapsulation dot1Q 152
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.4
 description lan2
 encapsulation dot1Q 153
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.5
 description public4
 encapsulation dot1Q 154
 ip address (public address and mask 4)
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 (public gateway)
ip route (public network and mask) (public gateway)
ip route (public network and mask) (public gateway)
ip route (public network and mask) (public gateway)
!
logging trap notifications
logging source-interface GigabitEthernet0/0
no cdp run
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 172.16.0.0 0.0.0.255
!
!
!
control-plane
!
end
10-09-2018 12:25 PM
Hello,
both networks show up as directly connected when you issue the command 'show ip route', so routing between both networks is automatic. It is the same for all layer 3 interfaces on the router. There is no specific configuration necessary to enable routing between these directly connected interfaces...
10-09-2018 12:37 PM
Ok, but what should I do when I want to separate these two networks?
10-09-2018 12:52 PM
Separate means you do not want them to communicate with each other? If yes, you can create an ACL and apply it to the interface.
10-09-2018 01:20 PM
Thanks for help.
I'll just make a deny ACL for both networks.
10-09-2018 12:55 PM
If you would give us more explanation about your environment and about what you are trying to accomplish then we might be able to provide more helpful suggestions. Based on the little bit presented so far I would suggest that there could be a couple of alternatives for you to consider. The frequent solution for keeping two subnets separated would be to configure access lists and to apply these access lists to the appropriate interfaces/subinterfaces to prevent communication between the subnets. An alternative to consider might be to use vrf (or vrf lite) to provide separation between the subnets.
HTH
Rick
10-10-2018 10:09 AM
Well, that's a simple network with 1 router and 2 networks, but it looks like I screwed something up.
I did this:
I removed the access lists and created them again:
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 3 deny 172.16.0.0 0.0.0.255
Then I assigned
to port 0/1.3 - ACL 1 as in
to port 0/1.4 - ACL 3 as out
And I blocked internet access :(
Any ideas? Seriously, I'm a newbie...
10-10-2018 12:09 PM
So an access-list has an implicit "deny all" at the end. Once you define the deny entries, you need to allow all else. So in your case:
!
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 1 permit any
!
!
interface GigabitEthernet0/1.3
ip access-group 1 out
!
!
access-list 3 deny 172.16.0.0 0.0.0.255
access-list 3 permit any
!
!
interface GigabitEthernet0/1.4
ip access-group 3 out
!
!
This is probably the simplest way to accomplish what you are trying to do. It denies any packets with the source IPs of one network from being allowed onto the other and allows all else.
Hope this helps
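The following is an added example, not code from the thread or from Cisco: a small Python model of IOS numbered standard ACLs (wildcard masks, first match wins, implicit "deny all" at the end) run against the three configurations discussed above, the original one, the deny-only lists from the 10-10-2018 post, and the fix in the last answer. It also models the two "ip nat inside source list" statements from the original configuration, because ACLs 1 and 3 are shared between the interface filters and the NAT statements, and that sharing is what turned the deny-only lists into a loss of Internet access. The host addresses, the TEST-NET-3 "Internet" address and the per-packet forwarding model are constructed for the example.

```python
# Added example (not from the thread): model of IOS standard ACL matching and
# of how the same lists are consumed by 'ip access-group' and 'ip nat inside source list'.
import ipaddress
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]  # (action, network, wildcard) as 32-bit ints
MASK32 = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_config(config: str):
    """Return (acls, groups, nat_lists) from IOS-style text.
    acls: {N: [Entry, ...]} in configuration order
    groups: {(interface, 'in'|'out'): N} from 'ip access-group N in|out'
    nat_lists: [N, ...] from 'ip nat inside source list N ...'"""
    acls: Dict[int, List[Entry]] = {}
    groups: Dict[Tuple[str, str], int] = {}
    nat_lists: List[int] = []
    current_iface = None
    acl_re = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
    for raw in config.splitlines():
        line = raw.strip()
        m = acl_re.match(line)  # 'remark' lines do not match and are skipped
        if m:
            num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
            if rest[0] == "any":
                net, wc = 0, MASK32
            elif rest[0] == "host":
                net, wc = _ip(rest[1]), 0
            else:  # '<address> [<wildcard>]'; a bare address is a host match
                net = _ip(rest[0])
                wc = _ip(rest[1]) if len(rest) > 1 else 0
            acls.setdefault(num, []).append((action, net, wc))
        elif line.startswith("interface "):
            current_iface = line.split()[1]
        elif line.startswith("ip access-group ") and current_iface:
            _, _, num, direction = line.split()
            groups[(current_iface, direction)] = int(num)
        elif line.startswith("ip nat inside source list "):
            nat_lists.append(int(line.split()[5]))
    return acls, groups, nat_lists


def acl_permits(entries: List[Entry], src: str) -> bool:
    """First matching entry wins; falling off the end is the implicit 'deny all'."""
    s = _ip(src)
    for action, net, wc in entries:
        if (s | wc) == (net | wc):  # wildcard bits set to 1 are don't-care
            return action == "permit"
    return False


LANS = {  # the two LAN subinterfaces from the configuration in the thread
    "GigabitEthernet0/1.3": ipaddress.ip_network("172.16.0.0/24"),
    "GigabitEthernet0/1.4": ipaddress.ip_network("192.168.200.0/24"),
}


def interface_for(addr: str) -> str:
    """Connected-route lookup; everything else follows the default route out Gi0/0."""
    a = ipaddress.ip_address(addr)
    for name, net in LANS.items():
        if a in net:
            return name
    return "GigabitEthernet0/0"


def forwarded(config: str, src: str, dst: str) -> bool:
    """One packet: inbound ACL on the ingress interface, then outbound ACL on the egress one."""
    acls, groups, _ = parse_config(config)
    for iface, direction in ((interface_for(src), "in"), (interface_for(dst), "out")):
        num = groups.get((iface, direction))
        if num is not None and not acl_permits(acls.get(num, []), src):
            return False
    return True


def natted(config: str, src: str) -> bool:
    """NAT translates a source only if one of its 'source list' ACLs permits it."""
    acls, _, nat_lists = parse_config(config)
    return any(acl_permits(acls.get(n, []), src) for n in nat_lists)


def reachability(config: str) -> Dict[str, bool]:
    """Constructed hosts: one per LAN plus a TEST-NET-3 address standing in for the Internet."""
    lan1, lan2, inet = "172.16.0.10", "192.168.200.10", "203.0.113.10"
    return {
        "lan1_to_lan2": forwarded(config, lan1, lan2),
        "lan2_to_lan1": forwarded(config, lan2, lan1),
        "lan1_internet": forwarded(config, lan1, inet) and natted(config, lan1),
        "lan2_internet": forwarded(config, lan2, inet) and natted(config, lan2),
    }


NAT = """
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload
"""
ORIGINAL = NAT + """
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 3 permit 172.16.0.0 0.0.0.255
"""
DENY_ONLY = NAT + """
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 3 deny 172.16.0.0 0.0.0.255
interface GigabitEthernet0/1.3
 ip access-group 1 in
interface GigabitEthernet0/1.4
 ip access-group 3 out
"""
FIXED = NAT + """
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 1 permit any
access-list 3 deny 172.16.0.0 0.0.0.255
access-list 3 permit any
interface GigabitEthernet0/1.3
 ip access-group 1 out
interface GigabitEthernet0/1.4
 ip access-group 3 out
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("deny-only", DENY_ONLY), ("fixed", FIXED)):
        print(name, reachability(cfg))
```

Running it shows the deny-only lists cutting off Internet access for both LANs: with no permit entry, lists 1 and 3 match nothing, so NAT translates nothing, and the inbound list on Gi0/1.3 drops every packet from lan1 as well. The fixed lists block the two LANs from each other and still translate both, but only because each LAN now falls through to the "permit any" of the other list; the filter ACLs and the NAT lists have become the same objects, so a later change to one silently changes the other. Using separate list numbers for the interface filters keeps the two functions independent.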