Cisco Support Community

disable intervlan on router switched port

Hi,

I cannot find a way to separate the VLANs from each other.

See my attachment first.

The router has 1 NIC and 4 switch ports. The VLANs are attached to the switched ports on the router.

I want VLAN 1 and 40 to get access to the Internet (my WAN PC).

I don't want VLAN 1 to access VLAN 40.

I added this rule: see attachment 2,

thinking that VLAN 1 would no longer access VLAN 40... It works, but I am not able to ping 192.168.0.1 or to ping my computer on the WAN.

What should I do to separate the VLANs but allow them to reach the Internet? In my real life I have a Cisco 881 (1 WAN port + 4 switched ports).

thanks for help

6 REPLIES

disable intervlan on router switched port

Your configuration looks correct. It is probably some problem with Packet Tracer, or you forgot to assign default gateways on the computers.

This requirement can also be fulfilled via VRF (virtual routing and forwarding).

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

-Vishesh

disable intervlan on router switched port

Ioic,

Your access list needs a little work.

As you have proved, 192.168.0.0/24 is blocked to 192.168.10.0/24, but it is also blocking to the WAN.

Rewrite your access list:

!

no access-list 105

access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 105 permit ip any any

!

This will now block to VLAN 40 but will allow to the WAN.

Regards,
Alex.
Please rate useful posts.


Re: disable intervlan on router switched port

I tried your suggestions, but VLAN 40 is not blocked, and they both get access to the WAN PC.

My Packet Tracer file is attached.

disable intervlan on router switched port

Hi,

Router(config)#access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

Router(config)#access-list 100 permit ip 192.168.0.0 0.0.0.255 any

Router(config)#int Vlan1

Router(config-if)#ip access-group 100 in

Regards

Alain

Don't forget to rate helpful posts.


disable intervlan on router switched port

Hi,

I probably missed an ACL chapter: does deny always override permit? ...for security's sake!!?

So any is not any.

I will try. Thanks for the help.

disable intervlan on router switched port

Hi,

There is no overriding concept here: the ACL is processed top down, and once there is a match it ain't processed any further, so we always start with the most specific statements. So here, when a PC in VLAN 1 wants to ping a PC in VLAN 40, it will match the deny statement.

When a PC in VLAN 1 wants to access any other destination, it won't match the first deny statement but will match the permit statement.

Regards

Alain

Don't forget to rate helpful posts.
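
Added example (not part of the thread and not any poster's code): a small Python model of the top-down, first-match evaluation described in the last reply, run against the ACL 100 lines posted above. The host addresses, the deny-only list and the reversed list are constructed for illustration, and the parser only handles the `addr wildcard` and `any` forms used in this thread.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST'; SRC/DST is 'any' or 'addr wildcard'."""
    tok = line.split()
    action, rest, specs = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":                      # any == 0.0.0.0 255.255.255.255
            specs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        else:
            specs.append(tuple(int(ipaddress.IPv4Address(x)) for x in rest[:2]))
            rest = rest[2:]
    return action, specs[0], specs[1]

def matches(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF                 # wildcard bit 1 means "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, src, dst):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action, line
    return "deny", "(implicit deny ip any any)"

# ACL 100 as posted in the thread
ACL_100 = ["access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
           "access-list 100 permit ip 192.168.0.0 0.0.0.255 any"]
DENY_ONLY = ACL_100[:1]          # constructed: no permit line at all
REVERSED = ACL_100[::-1]         # constructed: broad permit placed first

# Constructed sample hosts (not from the thread)
VLAN1_PC, VLAN40_PC, WAN_PC = "192.168.0.10", "192.168.10.10", "203.0.113.10"

if __name__ == "__main__":
    for name, acl in [("ACL_100", ACL_100), ("DENY_ONLY", DENY_ONLY), ("REVERSED", REVERSED)]:
        for dst in (VLAN40_PC, WAN_PC):
            action, line = evaluate(acl, VLAN1_PC, dst)
            print(f"{name:9} {VLAN1_PC} -> {dst:13} {action:6} by {line}")
```

The deny-only list drops WAN traffic through the implicit deny, and the reversed list never reaches its deny line because the broader permit matches first.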
