isolate vlans from each other

Cisco 2651XM router, IOS: c2600-adventerprisek9-mz.124-15.T8.bin

I have a vlan1 on 172.16.0.x and a vlan192 on 192.168.0.x. Both vlans are routed through Dialer0 so they can surf the internet. At the moment both these vlans can ping each other. I want to isolate vlan1 and vlan192 from each other so neither network can ping the other, but I still want them both to access the internet. How can I do this? Here is a small section of my current config. Thanks for any advice.

interface Vlan1
 ip address 172.16.1.30 255.255.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan192
 ip address 192.168.0.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip nat outside

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit

tg

Just a nit-pick, your 172 VLAN is 172.16.x.x. "I have a vlan1 on 172.16.0.x and a vlan192 on 192.168.0.x."

conf t

ip access-list e ACL.172.in
 deny 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any

ip access-l e ACL.192.in
 deny 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip any iny

interface Vlan1
 ip access-group ACL.172.in in

int vl 192
 ip access-group ACL.192.in in

end

! Once you are happy with the changes, save them
copy run start

Your problem description and question was by the way exemplary. Perfectly expressed - in my view.

sh ip access-l ! To see what you actually have.

Good luck.

bod43

Sorry a few typos. Did not try it on a router.

conf t

ip access-list e ACL.172.in
 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any

ip access-l e ACL.192.in
 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip any any

interface Vlan1
 ip access-group ACL.172.in in

int vl 192
 ip access-group ACL.192.in in

end

! Once you are happy with the changes, save them
copy run start

sh ip access-l ! To see what you actually have.

bod43
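
The corrected access lists above, checked offline as an added example (not part of the original posts): a small Python model of IOS first-match evaluation with wildcard masks, run over constructed sample packets. Only `ip` entries with `any`, `host` or address/wildcard operands are modelled, and the function names are hypothetical.

```python
import ipaddress

# ACL entries copied from the corrected reply; the packets tested below are constructed.
ACLS = {
    "ACL.172.in": [
        "deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255",
        "permit ip any any",
    ],
    "ACL.192.in": [
        "deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255",
        "permit ip any any",
    ],
}

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _matches(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl_name, src, dst):
    """Return 'permit' or 'deny' for an IP packet using first-match semantics."""
    for entry in ACLS[acl_name]:
        tokens = entry.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled here")
        s_base, s_wild = _take_addr(tokens)
        d_base, d_wild = _take_addr(tokens)
        if _matches(src, s_base, s_wild) and _matches(dst, d_base, d_wild):
            return action
    return "deny"  # implicit deny that ends every IOS access list

if __name__ == "__main__":
    for acl, src, dst in [
        ("ACL.172.in", "172.16.1.50", "192.168.0.20"),   # Vlan1 host -> Vlan192 host
        ("ACL.172.in", "172.16.1.50", "192.168.0.10"),   # Vlan1 host -> router's Vlan192 address
        ("ACL.172.in", "172.16.1.50", "203.0.113.10"),   # Vlan1 host -> outside (documentation range)
        ("ACL.192.in", "192.168.0.20", "172.16.200.1"),  # Vlan192 host -> anywhere in 172.16.0.0/16
    ]:
        print(acl, src, "->", dst, evaluate(acl, src, dst))
```
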

ok bod thanks very much for your feedback.

tg

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.