Disable inter-VLAN on router switched port

t80243280
Level 1

Hi,

I cannot find a way to separate the VLANs from each other.

See my attachment first.

The router has 1 NIC and 4 switch ports. The VLANs are attached to the switched ports on the router.

I want VLAN 1 and 40 to get access to the Internet (my WAN PC).

I don't want VLAN 1 to have access to VLAN 40.

I added this rule (see attachment 2),

thinking that VLAN 1 would no longer have access to VLAN 40. It works, but I am not able to ping 192.168.0.1 or to ping my computer on the WAN.

What should I do to separate the VLANs but allow them to reach the Internet? In my real life I have a Cisco 881 (1 WAN port + 4 switched ports).

Thanks for the help.

6 Replies

Vishesh Verma
Level 1

Your configuration looks correct. It is probably some problem with packet tracer or if you forgot to assign default gateways on computers.

This requirement can also be fulfilled via VRF (virtual routing and forwarding).

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

-Vishesh

acampbell
VIP Alumni

Ioic,

Your access list needs a little work.

As you have proved, 192.168.0.0/24 is blocked to 192.168.10.0/24, but it is also blocked to the WAN.

Rewrite your access list:

!

no access-list 105

access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 105 permit ip any any

!

This will now block access to VLAN 40 but will allow access to the WAN.

Regards,
Alex.
Please rate useful posts.


I tried your suggestions, but VLAN 40 is not blocked, and they both get access to the WAN PC.

In the attachment is my Packet Tracer file.

Hi,

Router(config)#access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

Router(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Router(config)#int Vlan1

Router(config-if)#ip access-group 100 in

Regards

Alain

Don't forget to rate helpful posts.


Hi,

I probably missed an ACL chapter. Does deny always override permit? For security's sake!?

So "any" is not any?

I will try. Thanks for the help.

Hi,

There is no overriding concept here. The ACL is processed top down, and once there is a match it isn't processed any further, so we always start with the most specific statements. So here, when a PC in VLAN 1 wants to ping a PC in VLAN 40, it will match the deny statement.

When a PC in VLAN 1 wants to access any other destination, it won't match the first deny statement but will match the permit statement.

Regards

Alain

Don't forget to rate helpful posts.

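As an added illustration (not code posted in this thread), here is a small Python model of IOS first-match ACL evaluation, run over the access lists quoted in the replies. The single-line ACL standing in for the poster's original attachment is an assumption based on Alex's reply, and the WAN and host addresses are constructed.

```python
import ipaddress

# Constructed for this example. ACL_ORIGINAL is what the replies imply the
# poster started with: one deny line and nothing else, so every other packet
# falls through to the implicit "deny any" at the end of every IOS ACL.
ACL_ORIGINAL = [
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
]
ACL_ALEX = [
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 105 permit ip any any",
]
ACL_ALAIN = [
    "access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 any",
]

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the inverse of a subnet mask: 0.0.0.255 -> /24
    netmask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)
    return net, tokens[2:]

def parse_acl(lines):
    """Turn 'access-list N <permit|deny> ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        t = line.split()
        action = t[2]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(acl, src_ip, dst_ip):
    """Top-down, first-match: the first entry matching both addresses decides."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in parse_acl(acl):
        if s in src and d in dst:
            return action
    return "deny"  # implicit deny: nothing matched, so the packet is dropped

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("alex", ACL_ALEX), ("alain", ACL_ALAIN)):
        print(name, "VLAN1->VLAN40:", evaluate(acl, "192.168.0.10", "192.168.10.10"),
              "VLAN1->WAN:", evaluate(acl, "192.168.0.10", "203.0.113.5"))
```

The original list denies the WAN and the 192.168.0.1 gateway as well as VLAN 40, which is exactly the symptom in the first post; both rewritten lists keep the VLAN 40 deny and let everything else through.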