Solved: Cisco 881 - Two Subnets talking. Don't want them to...

todd.rhodes · ‎10-31-2012

Hi all,

As the title says I have two Subnets 72(LAN) and 73(Wireless) and currently they can talk to each other. I.E, 73 Subnet can ping 72 etc etc.

Have only one router straight to one switch. Using Two Physical ports on the Router for each Subnet...

Is this an easy fix or do I need to start over to get this right?

Below is the config (Ive taken out the crud that isn't important) Ignore VLAN3 (Just playing with some Video Equipment)

no ip source-route

!

ip dhcp excluded-address 192.168.72.1 192.168.72.49

ip dhcp excluded-address 192.168.72.236 192.168.72.254

ip dhcp excluded-address 192.168.73.1 192.168.73.49

!

ip dhcp pool LUNZ

network 192.168.72.0 255.255.255.0

default-router 192.168.72.1

dns-server 202.50.246.41 202.50.246.42

!

ip dhcp pool Wireless

network 192.168.73.0 255.255.255.0

default-router 192.168.73.1

dns-server 202.50.246.41 202.50.246.42

!

no ip bootp server

no ip domain lookup

ip domain name eth.green.bizoservices.com

ip cef

no ipv6 cef

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

switchport access vlan 3

no ip address

!

interface FastEthernet2

switchport access vlan 2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

duplex full

speed 100

!

interface FastEthernet4.4090

description MANAGEMENT

encapsulation dot1Q 4090

ip address 172.23.1.214 255.255.255.248

!

interface FastEthernet4.4093

encapsulation dot1Q 4093

ip address 116.199.222.62 255.255.255.252

ip nat outside

ip virtual-reassembly in

!

interface Vlan1

description LAN

ip address 192.168.72.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Vlan2

description WirelessLAN

ip address 192.168.73.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Vlan3

description Video Unit

ip address 192.168.74.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip http path flash:

!

ip nat inside source list 10 interface FastEthernet4.4093 overload

ip nat inside source list 20 interface FastEthernet4.4093 overload

ip route 0.0.0.0 0.0.0.0 116.199.222.61

ip route 192.168.248.0 255.255.255.0 172.23.1.209

ip route 202.50.246.248 255.255.255.255 172.23.1.209

!

ip access-list standard snmp

permit 202.50.246.10

permit 202.50.246.11

permit 202.50.246.141

permit 202.50.246.131

!

logging trap debugging

access-list 1 deny any

access-list 10 permit 192.168.72.0 0.0.0.255

access-list 20 permit 192.168.73.0 0.0.0.255

no cdp run

end

acampbell · ‎10-31-2012

Todd

Try adding this to the config

These acess lists should block Vlan1 <----> Vlan 2

!

access-list 172 deny ip 192.168.72.0 0.0.0.255 192.168.73.0 0.0.0.255

access-list 172 permit ip any any

!

access-list 173 deny ip 192.168.73.0 0.0.0.255 192.168.72.0 0.0.0.255

access-list 173 permit ip any any

!

int vlan 1

access-group 172 in

!

int vlan 2

access-group 173 in

!

To remove if no good

!

int vlan 1

no access-group 172 in

!

int vlan 2

no access-group 173 in

!

Regards,
Alex.
Please rate useful posts.

Regards, Alex. Please rate useful posts.

View solution in original post

acampbell · ‎10-31-2012

Todd

Try adding this to the config

These acess lists should block Vlan1 <----> Vlan 2

!

access-list 172 deny ip 192.168.72.0 0.0.0.255 192.168.73.0 0.0.0.255

access-list 172 permit ip any any

!

access-list 173 deny ip 192.168.73.0 0.0.0.255 192.168.72.0 0.0.0.255

access-list 173 permit ip any any

!

int vlan 1

access-group 172 in

!

int vlan 2

access-group 173 in

!

To remove if no good

!

int vlan 1

no access-group 172 in

!

int vlan 2

no access-group 173 in

!

Regards,
Alex.
Please rate useful posts.

Regards, Alex. Please rate useful posts.

todd.rhodes · ‎11-04-2012

That worked perfectly. Thanks so much for the prompt help