Hi. I was hoping someone out there might be able to help me out. I work for a school and we have recently bought a Cisco 837 router in order to connect 2 separate subnets to the internet. With my very limited knowledge and hours of reading I have managed to accomplish this. However, the 2 subnets must not be allowed to see each other as part of school regulations. I gather this might be possible using Access Control Lists but I'm having trouble finding any useful documentation on the subject as I'm a complete novice to routers and this isn't even my primary role at the school.
So any help in as simple a language as possible or direction to useful documentation would be most appreciated.
The 2 subnets are as follows:
Admin Network 192.168.6.x 255.255.255.0
Curriculum Network 192.168.0.x 255.255.255.0
Thanks for your time.
Since your 837 has only one configurable Ethernet interface, access lists won't work. The following is a creative solution to your problem and lets you keep your 837 and achieve your goal, rather than having to buy a more expensive router with two Ethernet interfaces. It requires a little bit of configuration of your clients as well.
Configure your Ethernet interfaces with a primary and a secondary address:
ip address 192.168.6.1 255.255.255.0
ip address 192.168.0.1 255.255.255.0 secondary
Add a second default gateway to your clients, which must be an unused IP address from their respective subnet range (e.g. a client with the IP address 192.168.6.2 would have the 'valid' gateway of 192.168.6.1 and the 'invalid' gateway 192.168.6.254).
On all clients, add the following permanent static route from the DOS prompt (in this example the client is from the 192.168.0.0 subnet):
route -p add 192.168.6.0 mask 255.255.255.0 192.168.0.254
Note: The -p parameter is only supported on the route command for Windows NT 4.0, Windows 2000, Windows Millennium Edition, and Windows XP. This parameter is not supported by the route command for Windows 95 or Windows 98. If you have W95 or W98 clients you need to write a little batch file that runs every time the machine starts up, let me know if that is the case and I can help you with that.
So basically what you do is you tell your clients that in order to get to the other subnet they have to use a default gateway that does not exist, effectively prohibiting the clients to talk to the subnet.
Let me know if that is clear and if it works.
Thanks for the very quick response and the useful info.
Strangely enough it does make sense, which is a first for anything to do with Cisco! :)
Hopefully we may have time to give it a try today and I'll let you know how we get on.
Unfortunately we do have a few machines that run windows 98, so any further assistance with writing the batch file would be hugely appreciated. Especially since I have absolutely no experience with them.
Thanks again for the help.
P.S. I don't suppose you could point me in the direction of some useful sites with tutorials or similar documentation on configuring the router. The documentation that came with the router on CD is not a great deal of help and it keeps referring to "Cisco IOS Release 12.0 documentation set" for more detailed info, which I can't find. Cheers.
One thing I have noticed so far.
After setting up the invalid secondary gateway and running the route command at the dos prompt, the workstation was unable to connect to the internet via the default gateway. After a bit of guess-work I set the metric on the invalid gateway to 2 and left the default gateway metric at 1 (They were both on metric 1). This has solved the connection problem but now I'm wondering if I need to add a metric command to the route command at the dos prompt?
i.e. route -p add 192.168.6.0 mask 255.255.255.0 192.168.0.254 metric 2
Also, do you know if I need to define the interface number? (I'm guessing not.)
First, the batch file for your Windows 98 would work like this:
1. Open a Text Editor (e.g. Notepad or Wordpad) and type the route -p add line into the editor (since you got it to work with metric 2, you can change the metric to 2, metric 3 in my example was just that, an example). So type:
route add 192.168.6.0 mask 255.255.255.0 192.168.0.254 metric 2
and save the file with the name route.bat (the extension .bat is important, because that causes the machine to execute whatever is written in there). The @echo off command in the first line lets you hide the DOS window that is normally started by the batch file.
2. Add the file to the Startup folder of your Windows 98 client. This will ensure that the route gets added every time the client starts up. You can check if the route has been added by executing the command 'route print' from the DOS prompt of your clients.
Let me know if it's working and if you need more help.
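The two answers above describe a per-client procedure (a static route to the other subnet via a non-existent .254 gateway, plus a second default gateway with a higher metric) and then suggest checking each workstation with `route print`. The script below is an added example, not code from the thread or from Cisco: it generates the correct `route add` line (and a `route.bat`) for a client in either of the two subnets, and it parses `route print` output to flag workstations where the black-hole route is missing or where the invalid default gateway does not have a higher metric than the real one, which is the symptom reported earlier in the thread. The subnet table and the .1/.254 convention are taken from the thread; the `route print` samples and the column layout they assume are constructed for this example.

```python
import ipaddress
import re

# Subnets, real gateway (.1) and unused black-hole gateway (.254) as used in the thread.
SUBNETS = {
    "Admin": ipaddress.ip_network("192.168.6.0/24"),
    "Curriculum": ipaddress.ip_network("192.168.0.0/24"),
}
REAL_GATEWAY_HOST = 1
BLACKHOLE_GATEWAY_HOST = 254
BLACKHOLE_METRIC = 2  # must be higher than the real default gateway's metric (1)


def _own_subnet(client_ip):
    """Return the subnet a client address belongs to, or raise if it is in neither."""
    ip = ipaddress.ip_address(client_ip)
    for net in SUBNETS.values():
        if ip in net:
            return net
    raise ValueError(f"{client_ip} is not in any configured subnet")


def blackhole_routes_for(client_ip):
    """One `route add` line per *other* subnet, via the client's own .254 address."""
    own = _own_subnet(client_ip)
    gw = own.network_address + BLACKHOLE_GATEWAY_HOST
    return [
        f"route add {net.network_address} mask {net.netmask} {gw} metric {BLACKHOLE_METRIC}"
        for net in SUBNETS.values()
        if net != own
    ]


def route_bat_for(client_ip):
    """Contents of a route.bat for the Startup folder (Windows 98 has no -p)."""
    return "@echo off\r\n" + "\r\n".join(blackhole_routes_for(client_ip)) + "\r\n"


# Row of the 'Active Routes' table: destination, netmask, gateway, interface, metric.
_ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Parse `route print` output into (network, gateway, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_ROW.match(line)
        if not m:
            continue  # headers, 'Default Gateway:' line, persistent-routes section
        dest, mask, gw, _iface, metric = m.groups()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                       ipaddress.ip_address(gw), int(metric)))
    return routes


def check_client(client_ip, route_print_text):
    """Return a list of problems with a client's routing table (empty if it is correct)."""
    own = _own_subnet(client_ip)
    real_gw = own.network_address + REAL_GATEWAY_HOST
    bh_gw = own.network_address + BLACKHOLE_GATEWAY_HOST
    routes = parse_route_print(route_print_text)
    problems = []

    real_default = [m for net, gw, m in routes if net.prefixlen == 0 and gw == real_gw]
    if not real_default:
        problems.append(f"no default route via {real_gw}")
    else:
        for net, gw, m in routes:
            if net.prefixlen == 0 and gw == bh_gw and m <= min(real_default):
                problems.append(f"second default gateway {bh_gw} has metric {m}, "
                                f"not higher than {min(real_default)}")

    for net in SUBNETS.values():
        if net == own:
            continue
        if not any(r_net == net and gw == bh_gw for r_net, gw, _ in routes):
            problems.append(f"missing black-hole route for {net}")
    return problems


# Constructed `route print` samples for a 192.168.0.2 workstation.
GOOD_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.2       1
          0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.2       2
      192.168.0.0    255.255.255.0      192.168.0.2    192.168.0.2       1
      192.168.6.0    255.255.255.0    192.168.0.254    192.168.0.2       2
Default Gateway:       192.168.0.1
"""
MISSING_ROUTE_PRINT = "\n".join(l for l in GOOD_ROUTE_PRINT.splitlines() if "192.168.6.0" not in l)
BAD_METRIC_ROUTE_PRINT = GOOD_ROUTE_PRINT.replace("192.168.0.254    192.168.0.2       2\n      192.168.0.0",
                                                  "192.168.0.254    192.168.0.2       1\n      192.168.0.0")

if __name__ == "__main__":
    print(route_bat_for("192.168.0.2"))
    for name, sample in [("good", GOOD_ROUTE_PRINT), ("missing", MISSING_ROUTE_PRINT),
                         ("bad metric", BAD_METRIC_ROUTE_PRINT)]:
        print(name, check_client("192.168.0.2", sample))
```

Run it on each workstation's saved `route print` output (or paste the text in) to find the machines where the batch file has not run or where the two default gateways were left on the same metric.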
You're a star! Thank you.
Unfortunately, I've run out of time today and hope to continue the task on Monday.
One other thing. I've read elsewhere on these forums about how to set up a secondary ip address on the router ethernet0 interface. So I've managed that just fine. Except they suggested that the "ip fast switching same interface" should be enabled.
Is this true for the 837 and if so could you tell me how to enable it please? (Using the "show ip int" command tells me that it's currently disabled.)
I've looked and looked to no avail. :(
Thank you, thank you, thank you.
You can enable fast switching by typing the following command in interface configuration mode:
ip route-cache same-interface
I would not recommend it, unless your uplink has the same speed as your Ethernet (10 MB), since otherwise you might experience packet drops. With fast switching, destination IP addresses are stored in the high-speed cache to expedite packet forwarding. You can try and test it and turn it on to see if it improves response times.
Thanks for the info on the fast switching, I'll take your advice and leave it disabled.
Well, so far so good. I've configured the router and a collection of workstations running 2000 and 98 and I've configured a laptop for the other subnet and hooked it into the router. All those machines that I've run the route.bat/dos command on can't ping or see the laptop or the other router IP. Those that I haven't run the route.bat/dos command on can only see the router at the moment. I'm leaving the laptop connected over night because when we thought we'd cracked it the first time (before gaining your help) we discovered that the next day the router was merrily forwarding IPs across the 2 subnets.
Cross your fingers, I think we've cracked it.
I'll confirm whether it's worked for sure in the next day or two.
Thank you so much for your help, you may have saved our school a considerable amount of money (which we don't have!).
Thanks very much for all your help. So far it seems to be working a treat, although it took a long time to go around all the workstations and run the dos prompt program. Still hopefully it's saved a packet.