Multiple subnets on one interface, need to block communications between them but allow access to internet

On a 2600 Router. I have multiple subnets on a single interface and want to keep the 192.168.10.0 subnet from talking to the others. But I need it to be able to access the internet. This is what I have come up with. Can you guys shoot holes in it and tell me if it is correct or what I am doing wrong. Thanks!

interface Ethernet0/0
 ip access-group 101 in
 ip access-group 102 out

Inbound on Ethernet0/0 (inside):

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Outbound on Ethernet0/0 (inside):

access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255

Reply to
mcpaytas

First of all, the access-list should have a statement which PERMITS certain traffic. There is an explicit "DENY ALL" at the end of any access-list (even though it's not shown). So, your "Out" access-list blocks certain subnets, and then there is the remaining world (basically it does not allow anything).

Second, how do you configure multiple subnets on the interface? Do you have primary and secondary IP addresses configured? Do you have a broad subnet mask (i.e. a supernet)? If all your subnets are in one "flat" Layer 2 network, then what prevents a user from putting in a broad subnet mask and accessing the other subnets?

Practically, if you have switch(es), you should define VLANs for the different subnets, create a trunk to your 2600 router, and create subinterfaces for each VLAN. However, based on the fact that you show the interface name Ethernet rather than FastEthernet, you may have an old 2600 router with a 10 Mbit interface, and this scenario may not work for you.

Good luck,

Mike

Reply to
headsetadapter.com
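Mike's point about the implicit deny, as an added illustration that is not from the thread: a small Python evaluator for IOS-style extended ACL entries (assumed limited to the `permit|deny ip SRC WILD DST WILD` form plus `any`), run over constructed flows as they would be seen leaving Ethernet0/0 toward the inside hosts, comparing the posted access-list 102 with a copy that ends in `permit ip any any`.

```python
import ipaddress

# Wildcard masks are the inverse of subnet masks: 0 bits must match,
# 1 bits are "don't care". Only the "ip" protocol form is handled here.

def _parse_addr(tokens):
    """Consume one address spec ('any' or 'addr wildcard') from tokens."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wild

def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into entries."""
    entries = []
    for line in lines:
        tok = line.split()          # ['access-list', '102', 'deny', 'ip', ...]
        action, rest = tok[2], tok[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def _matches(addr, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF       # bits that must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(entries, src, dst):
    """First matching entry wins; IOS appends an implicit deny to every ACL."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

OP_ACL_102 = [
    "access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255",
]
FIXED_ACL_102 = OP_ACL_102 + ["access-list 102 permit ip any any"]

# Constructed flows leaving Ethernet0/0 toward the inside hosts.
FLOWS = [("192.168.10.5", "192.168.1.10"),   # 10-net host to another inside subnet
         ("192.168.10.5", "10.0.0.20"),
         ("203.0.113.9", "192.168.10.5")]     # internet reply coming back to the 10-net

def compare(flows=FLOWS):
    """Map each (src, dst) to (verdict under posted ACL, verdict under fixed ACL)."""
    op, fixed = parse_acl(OP_ACL_102), parse_acl(FIXED_ACL_102)
    return {f: (evaluate(op, *f), evaluate(fixed, *f)) for f in flows}
```

The inter-subnet flows are denied under both lists, but the returning internet traffic is dropped by the posted list and only passes once the trailing permit is present.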

Ok. I unfortunately don't have any switches capable of creating VLANs. That most certainly would be the way to go. Is there any way to block communications between subnets using just a 2600 router? Thanks!

Reply to
mcpaytas

Sure if they're on different interfaces of the router.

Reply to
Rod Dorman

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.