Routing between networks

Jarzabek_Waclaw
Level 1

Hello.

Which configuration fragment is responsible for routing between the networks 192.168.200.0/24 and 172.16.0.0/24? Is it about the ACLs?


!

no ip source-route
ip cef
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address (public address and mask 1)
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description network 2
 encapsulation dot1Q 150
 ip address (public address and mask 2)
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet0/1.2
 description network 3
 encapsulation dot1Q 151
 ip address (public address and mask 3)
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet0/1.3
 description lan1
 encapsulation dot1Q 152
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.4
 description lan2
 encapsulation dot1Q 153
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.5
 description public4
 encapsulation dot1Q 154
 ip address (public address and mask 4)
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 (public gateway)
ip route (public network and mask) (public gateway)
ip route (public network and mask) (public gateway)
ip route (public network and mask) (public gateway)
!
logging trap notifications
logging source-interface GigabitEthernet0/0
no cdp run
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 172.16.0.0 0.0.0.255
!
!
!
control-plane
!
end
7 Replies

Hello,


both networks show up as directly connected when you issue the command 'show ip route', so routing between both networks is automatic. It is the same for all layer 3 interfaces on the router. There is no specific configuration necessary to enable routing between these directly connected interfaces...

Ok, but what should I do when I want to separate these two networks?

By "separate", do you mean you do not want them to communicate with each other? If yes, you can create an ACL and apply it to the interface.


BB


Thanks for help.

I'll just make deny ACL for both networks.

If you would give us more explanation about your environment and about what you are trying to accomplish then we might be able to provide more helpful suggestions. Based on the little bit presented so far I would suggest that there could be a couple of alternatives for you to consider. The frequent solution for keeping two subnets separated would be to configure access lists and to apply these access lists to the appropriate interfaces/subinterfaces to prevent communication between the subnets. An alternative to consider might be to use vrf (or vrf lite) to provide separation between the subnets.


HTH


Rick

Well, it's a simple network with 1 router and 2 networks, but it looks like I screwed something up.
This is what I did:

I removed the access lists and created them again


access-list 1 deny 192.168.200.0 0.0.0.255
access-list 3 deny 172.16.0.0 0.0.0.255

Then I assigned

to port 0/1.3 - ACL 1 as in
to port 0/1.4 - ACL 3 as out


And I blocked internet access :(
Any ideas? Seriously, I'm a newbie...

So an access-list has an implicit "deny all" at the end. Once you define the deny entries, you need to allow all else. So in your case:

!
access-list 1 deny 192.168.200.0 0.0.0.255
access-list 1 permit any
!
!
interface GigabitEthernet0/1.3
 ip access-group 1 out
!
!
access-list 3 deny 172.16.0.0 0.0.0.255
access-list 3 permit any
!
!
interface GigabitEthernet0/1.4
 ip access-group 3 out
!
!


This is probably the simplest way to accomplish what you are trying to do. It denies any packets with the source IPs of one network from being allowed onto the other and allows all else.


Hope this helps
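Added example, not code from this thread or from Cisco: a small Python model of IOS standard-ACL matching (first match wins, implicit deny at the end) that evaluates the poster's deny-only lists and the reply's deny-then-permit-any lists, and also the `ip nat inside source list 1` / `list 3` statements from the original config, which share those ACL numbers and so stopped matching any source once the lists became deny-only. The sample source addresses and the remark text are constructed for the example.

```python
import ipaddress


def parse_acl(lines):
    """Parse 'access-list N permit|deny SOURCE [WILDCARD]' lines (SOURCE may be 'any').
    Remarks and unrelated lines are skipped; entries keep their order."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        number, permit = parts[1], parts[2] == "permit"
        if parts[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((permit, net, wild))
    return acls


def acl_permits(rules, src_ip):
    """Standard ACL semantics: first matching entry wins; no match means implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for permit, net, wild in rules:
        if (src | wild) == (net | wild):  # wildcard bits set to 1 are "don't care"
            return permit
    return False


def nat_eligible(acls, src_ip):
    """Models the two 'ip nat inside source list ... overload' statements from the
    original config: a source is translated if list 1 or list 3 permits it."""
    return any(acl_permits(acls.get(n, []), src_ip) for n in ("1", "3"))


# The poster's deny-only rewrite: each list ends in the implicit deny, so it
# matches nothing, and the NAT statements bound to lists 1 and 3 stop translating.
BROKEN = parse_acl([
    "access-list 1 deny 192.168.200.0 0.0.0.255",
    "access-list 3 deny 172.16.0.0 0.0.0.255",
])

# The reply's version: explicit 'permit any' after each deny (remarks are constructed).
FIXED = parse_acl([
    "access-list 1 remark lan2 may not reach lan1 (applied out on Gi0/1.3)",
    "access-list 1 deny 192.168.200.0 0.0.0.255",
    "access-list 1 permit any",
    "access-list 3 remark lan1 may not reach lan2 (applied out on Gi0/1.4)",
    "access-list 3 deny 172.16.0.0 0.0.0.255",
    "access-list 3 permit any",
])
```

Because the NAT statements and the interface filters share ACLs 1 and 3, any change to the filters silently changes who is NAT-eligible; giving the interface filters their own ACL numbers removes that coupling.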
