Router VLAN isolation

locus2007 (Level 1)

Hi,

I am fighting with a problem isolating VLANs. It is an 876 router, and the idea is one connection to the Internet using the router's ADSL WAN with VLANs. I added Vlan2 on FE1 with dynamic NAT and DHCP for VLAN2 only, and it works, but I can't make an ACL to isolate VLAN1 from VLAN2 and vice versa.

interface Loopback0
 ip address 172.0.0.1 255.255.255.0
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/48
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication
 ppp chap
 ppp chap
 ppp pap
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark VLAN2
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.0.0.0 0.255.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any host xx.xx.xxx.xxx
dialer-list 1 protocol ip permit

I tried making ACL 190 with destination 192.168.0.0 as deny and applying it outbound on the Vlan2 interface, but it still closes communication to Dialer0 and Vlan1 too.

Thanks for any idea.

Janekx


5 Replies

Which IOS version are you running?

Both VLANs are members of the in-zone. With older IOS releases, all traffic inside a zone is allowed. If you upgrade to a newer 15.x version, you can build a zone-pair "in-zone" to "in-zone" and control there which traffic should be allowed.

But in your situation the better solution could be to use different zones for Vlan1 and Vlan2.

It is running 12.4.15T7

So add zone V2 for Vlan2, add the zone to the FW to get access to the Internet, and restrict zone V2 to V1 in the firewall?

Yes, that's the way to go. If you really don't want any communication between Vlan1 and Vlan2, then just build a new zone-pair V2-to-Internet with the needed inspection and you're done.
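A worked configuration for the approach recommended in this reply and the one before it, added here as an illustration; it is not part of the thread and not the poster's running config. Vlan2 is moved out of in-zone into its own zone, and a single zone-pair from that zone to the existing out-zone gets an inspect policy. The zone name v2-zone, the class-map and policy-map names, the zone-pair name, and the assumption that CCP/SDM already created an in-zone to out-zone zone-pair that carries Vlan1's Internet traffic are mine; in-zone and out-zone are the names from the posted config.

```cisco
! Added example (not from the thread). Assumes the existing in-zone ->
! out-zone zone-pair built by CCP/SDM stays in place for Vlan1.
!
! 1. A dedicated zone for Vlan2 (name assumed).
zone security v2-zone
!
! 2. What Vlan2 hosts may originate toward the Internet. Generic
!    tcp/udp/icmp inspection keeps the example short; narrow it to
!    the protocols actually needed (match protocol http, dns, ...).
class-map type inspect match-any V2-TO-INET-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. Inspect matching traffic (return packets are allowed statefully);
!    drop and log anything else so unexpected flows show up in syslog.
policy-map type inspect V2-TO-INET-POLICY
 class type inspect V2-TO-INET-CLASS
  inspect
 class class-default
  drop log
!
! 4. The only zone-pair that involves v2-zone: Vlan2 -> Internet.
!    No pair is defined between v2-zone and in-zone in either
!    direction, so Vlan1 <-> Vlan2 traffic is dropped by the
!    zone-based firewall by default. Nothing has to be denied by hand.
zone-pair security v2-to-out source v2-zone destination out-zone
 service-policy type inspect V2-TO-INET-POLICY
!
! 5. Re-home the interface. Leaving Vlan2 in in-zone would keep the
!    intra-zone "everything allowed" behaviour of 12.4T.
interface Vlan2
 no zone-member security in-zone
 zone-member security v2-zone
```

After applying it, `show zone-pair security` lists the pairs with their attached policies, and `show policy-map type inspect zone-pair v2-to-out` shows session and drop counters once a Vlan2 host opens a connection. A ping from a Vlan2 host to 192.168.0.2 or any Vlan1 host should fail while Internet access from both VLANs keeps working; if Vlan2 later needs a specific service on Vlan1, the right place for that exception is an explicit v2-zone to in-zone zone-pair with its own narrow policy, not a return to a shared zone.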

Ganesh Hariharan (VIP Alumni)


Hello,

What I understand from the above requirement is that you don't want VLAN 2 to communicate with the other interface; I hope you can create an ACL and apply it in the inbound direction of VLAN 2.

Hope it helps!!

Ganeshh Iyer
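If the ACL route suggested here is taken instead of zones, the detail that most often trips people up is that every IOS access list ends in an implicit "deny any": an ACL that contains only deny statements blocks all traffic the moment it is applied, and applying it outbound on Vlan2 filters what the router forwards toward Vlan2 hosts (Internet return traffic included) rather than what Vlan2 hosts send. That is the likeliest reason the deny-only ACL 190 in the original post cut off Dialer0 as well. The example below is added here and is not from the thread: ACL 190 reuses the number the poster mentioned, the subnets are the ones in the posted config, and ACL 191, the `log` keywords and the DHCP permit are my additions.

```cisco
! Added example (not from the thread): stateless isolation of the two
! VLANs with inbound interface ACLs. ACL 190 keeps the number from the
! post; ACL 191 is an assumed number for the mirror-image list.
!
! Inbound on Vlan2: packets from Vlan2 hosts toward Vlan1 are dropped
! and logged; DHCP and everything else are permitted explicitly so
! the implicit "deny any" at the end does not also cut off Internet
! traffic through Dialer0.
access-list 190 remark Vlan2 -> Vlan1 blocked, everything else permitted
access-list 190 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 190 permit udp any eq bootpc any eq bootps
access-list 190 permit ip 192.168.10.0 0.0.0.255 any
!
! Mirror image inbound on Vlan1 so Vlan1 hosts cannot open sessions
! toward Vlan2 either (the "vice versa" in the question).
access-list 191 remark Vlan1 -> Vlan2 blocked, everything else permitted
access-list 191 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 191 permit udp any eq bootpc any eq bootps
access-list 191 permit ip 192.168.0.0 0.0.0.255 any
!
! Apply in the inbound direction (traffic arriving from the hosts),
! not outbound as the original post tried.
interface Vlan2
 ip access-group 190 in
!
interface Vlan1
 ip access-group 191 in
```

`show access-lists 190` and `show access-lists 191` show per-line match counters, and each logged deny produces a syslog entry naming the source and destination, which is a convenient way to confirm the isolation is really in effect (and to spot hosts that try to cross it). The DHCP line matters because a DHCP DISCOVER is sent from source 0.0.0.0, which the subnet-based permit would not match. The ACL approach is stateless, so the two lists must be kept in step by hand; the zone-pair approach in the accepted reply gets the same result from the firewall's default behaviour.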

The ACLs did not work for me, but zones work well and I can manage the firewall differently for Vlan1 and Vlan2 in zone-pairs.

Thanks for help

Jan
