
vlan / access

Hello,

I have a few newbie questions regarding vlans and limiting access.

1. How can I assign the 2 onboard FastEthernet ports on a 2811 to separate VLANs?

2. In the absence of being able to assign these two ports to VLANs, I am trying to assign different subnets to these two onboard ports:

interface FastEthernet0/0
 description LAN1
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip nat inside
!
interface FastEthernet0/1
 description LAN2
 ip address 10.10.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip nat inside

I need to limit access between the 2 networks. What is the easiest way to do this? I have tried:

ip access-list extended limitaccess
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any

But that does not seem to be working as I can still ping from one subnet to the other. What am I missing?

Thanks for your help.

Farah

1 ACCEPTED SOLUTION


Re: vlan / access

Farah...

This is a router, so the 2 interfaces are inherently on separate broadcast domains. They are the equivalent of 2 VLANs as long as you plug them into separate devices or ports on a switch that belong to different VLANs. The thing you are missing in the above config is that you have not applied the access list. Try this:

interface f0/0
 ip access-group limitaccess in
interface f0/1
 ip access-group limitaccess in

Now based on that, you may want to tweak and maybe even make 2 separate ACLs so you can define different policies for both.

Saro
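
Added example (not part of the original thread): a small Python check for the mistake discussed above, an ACL that is defined but never bound to an interface with ip access-group. The function name and sample text are constructed for illustration; the input is assumed to be show running-config output with its normal indentation, and ACLs referenced only by NAT, route-maps or access-class are not considered.

```python
import re

# Constructed sample: the configuration from the question, before the fix.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description LAN1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description LAN2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
ip access-list extended limitaccess
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
"""

ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) ")
INTERFACE = re.compile(r"^interface (\S+)")
BINDING = re.compile(r"^\s+ip access-group (\S+) (in|out)")


def audit_acl_bindings(config):
    """Return (ACLs with no interface binding, {interface: [(acl, direction)]})."""
    defined, bindings, current = set(), {}, None
    for line in config.splitlines():
        if m := INTERFACE.match(line):
            current = m.group(1)
            bindings[current] = []
        elif m := BINDING.match(line):
            if current is not None:
                bindings[current].append((m.group(1), m.group(2)))
        elif m := (ACL_DEF.match(line) or NUMBERED_ACL.match(line)):
            defined.add(m.group(1))
            current = None
        elif line and not line[0].isspace():
            current = None  # any other top-level line (including "!") ends the block
    applied = {acl for pairs in bindings.values() for acl, _ in pairs}
    return sorted(defined - applied), bindings


if __name__ == "__main__":
    unapplied, per_interface = audit_acl_bindings(SAMPLE_CONFIG)
    print("ACLs defined but not applied to any interface:", unapplied)
    for name, pairs in per_interface.items():
        print(name, "->", pairs or "no ip access-group")
```
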


Re: vlan / access

Thanks a lot Saro. I guess I was defining the access lists but not really using them. Adding that to the interface as you suggested did the trick.
