02-09-2014 01:16 AM - edited 03-07-2019 06:05 PM
Hi,
I cannot find a way to separate VLANs from each other.
See my attachment first.
The router has 1 NIC and 4 switch ports. The VLANs are attached to the switched ports on the router.
I want VLAN 1 and 40 to get access to the Internet (my WAN PC).
I don't want VLAN 1 to access VLAN 40.
I added this rule: see attachment 2
thinking that VLAN 1 would no longer have access to VLAN 40. It works, but I am not able to ping 192.168.0.1 or to ping my computer on the WAN.
What should I do to separate the VLANs but allow them to reach the Internet? In real life I have a Cisco 881 (1 WAN port + 4 switched ports).
Thanks for the help.
02-09-2014 02:04 AM
Your configuration looks correct. It is probably a problem with Packet Tracer, or you forgot to assign default gateways on the computers.
This requirement can also be fulfilled via VRF (virtual routing and forwarding).
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/
-Vishesh
02-09-2014 05:21 PM
Ioic,
Your access list needs a little work.
As you have proved, 192.168.0.0/24 is blocked to 192.168.10.0/24, but it is also blocked to the WAN.
Rewrite your access list:
!
no access-list 105
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip any any
!
This will now block to VLAN 40 but will allow to the WAN.
Regards,
Alex.
Please rate useful posts.
02-10-2014 10:27 AM
02-10-2014 11:18 AM
Hi,
Router(config)#access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
Router(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 any
Router(config)#int Vlan1
Router(config-if)#ip access-group 100 in
Regards
Alain
Don't forget to rate helpful posts.
02-10-2014 11:47 AM
Hi,
I probably missed an ACL chapter. Does deny always override permit? ... for security's sake!?
So any is not any.
I will try. Thanks for the help.
02-10-2014 12:18 PM
Hi,
There is no overriding concept here. The ACL is processed top down, and once there is a match it isn't processed any further, so we always start with the most specific statements. Here, when a PC in VLAN 1 wants to ping a PC in VLAN 40, it will match the deny statement.
When a PC in VLAN 1 wants to access any other destination, it won't match the first deny statement but will match the permit statement.
Regards
Alain
Don't forget to rate helpful posts.