10-24-2007 11:46 AM - edited 03-05-2019 07:17 PM
Hello,
I have a few newbie questions regarding vlans and limiting access.
1. How can I assign the 2 onboard FastEthernet ports on a 2811 to separate VLANs?
2. In the absence of being able to assign these two ports to VLANs, I am trying to assign different subnets to these two onboard ports:
interface FastEthernet0/0
description LAN1
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip nat inside
!
interface FastEthernet0/1
description LAN2
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip nat inside
I need to limit access between the 2 networks. What is the easiest way to do this? I have tried:
ip access-list extended limitaccess
deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
But that does not seem to be working as I can still ping from one subnet to the other. What am I missing?
Thanks for your help.
Farah
10-24-2007 01:13 PM
Farah...
This is a router, so the 2 interfaces are inherently on separate broadcast domains. They are the equivalent of 2 VLANs as long as you plug them into separate devices or ports on a switch that belong to different VLANs. The thing you are missing in the above config is that you have not applied the access list. Try this:
interface f0/0
ip access-group limitaccess in
interface f0/1
ip access-group limitaccess in
Now based on that, you may want to tweak and maybe even make 2 separate ACLs so you can define different policies for both.
Saro
10-24-2007 02:19 PM
Thanks a lot Saro. I guess I was defining the access lists but not really using them. Adding that to the interface as you suggested did the trick.
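The mistake resolved in this thread, an ACL that is defined but never bound to an interface with ip access-group, can be checked for mechanically. The Python below is an added example, not part of the original posts; the function name audit_acls and both sample configurations are constructed here from the commands quoted in the thread.

```python
import re

# Constructed sample: the question's configuration, ACL defined but never applied.
BEFORE = """\
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.0
!
ip access-list extended limitaccess
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
"""
# Constructed sample: the same configuration after the answer's commands are entered.
AFTER = BEFORE + """\
interface f0/0
 ip access-group limitaccess in
interface f0/1
 ip access-group limitaccess in
"""

def audit_acls(config):
    """Return (unapplied, undefined, bindings) for ACLs and ip access-group lines."""
    defined, bindings, iface = set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface\s+(\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-list\s+(?:standard|extended)\s+(\S+)", line):
            defined.add(m.group(1))
            iface = None  # no longer in interface configuration mode
        elif m := re.match(r"access-list\s+(\d+)\s", line):
            defined.add(m.group(1))  # numbered ACL
            iface = None
        elif line == "!":
            iface = None
        elif (m := re.match(r"ip access-group\s+(\S+)\s+(in|out)$", line)) and iface:
            bindings.append((iface, m.group(1), m.group(2)))
    applied = {name for _, name, _ in bindings}
    unapplied = sorted(defined - applied)  # defined, but bound to no interface
    undefined = sorted(applied - defined)  # bound to an interface, never defined
    return unapplied, undefined, bindings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_acls(cfg))
```

An ACL reported as unapplied may still be referenced by other features such as NAT or a route-map, so treat the result as a prompt to review rather than proof that the list is unused.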