While working on a customer's router config, he requested the following:
- 3 LAN subnets
- IP addresses must be assigned by DHCP.
- All 3 subnets must have access to the internet.
- Devices on each LAN should not be able to communicate with devices on the other LANs.
As the customer had a Cisco 881, the easiest way to achieve this is with VLANs, one SVI per subnet, and an inbound ACL on each SVI that drops traffic destined for the other two subnets. Here's how I did it.
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
dns-server 220.233.0.3 58.96.1.28 8.8.8.8
default-router 192.168.1.1
!
ip dhcp pool LAN2
network 192.168.2.0 255.255.255.0
dns-server 220.233.0.3 58.96.1.28 8.8.8.8
default-router 192.168.2.1
!
ip dhcp pool LAN3
network 192.168.3.0 255.255.255.0
dns-server 220.233.0.3 58.96.1.28 8.8.8.8
default-router 192.168.3.1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
ip address 58.96.0.0 255.255.255.254
ip nat outside
ip virtual-reassembly in
rate-limit output 9800000 1250000 2500000 conform-action transmit exceed-action drop
duplex full
speed 100
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
description LAN2
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
description LAN3
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
!
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.0.0 0.0.3.255
access-list 1 permit any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
!
What if you want VLAN 1 and VLAN 2 to communicate with each other, but want to isolate VLAN 3 as a guest subnet?
In that case the easiest solution is to leave ACL 103 in place and remove the other two. This prevents devices on VLAN 3 from reaching the other two VLANs. The downside of this approach is that traffic from the other VLANs still enters VLAN 3; it is only the return traffic from VLAN 3 that is blocked.
If you want to fully isolate traffic to and from VLAN 3, leave all 3 ACLs in place and remove every line that does not reference VLAN 3's addresses.
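Before pushing any of these variants to a live router it is worth checking on paper what each one actually permits. The script below is an added example, not code from the original post: it parses the post's numbered ACLs with IOS first-match and implicit-deny semantics, binds them inbound to the SVIs exactly as the "ip access-group N in" lines do, and reports, for the three variants discussed above, whether a request from one VLAN to another gets through and whether the reply does. The host addresses (192.168.x.10) are constructed, and the evaluator only models the inbound ACL on the ingress SVI; it does not model NAT or stateful inspection.

```python
"""Offline check of which VLAN pairs the post's ACL variants let through.

Added example; the ACL lines are copied from the post, the host addresses
are constructed, and only the inbound SVI ACL is modelled (no NAT, no state).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    src: str        # base address
    src_wild: str   # IOS wildcard mask: a set bit means "don't care"
    dst: str
    dst_wild: str


ANY = ("0.0.0.0", "255.255.255.255")


def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD' or a bare 'A'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ip(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def parse_acls(config_text):
    """Collect numbered standard and extended ('ip') ACL entries keyed by list number."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, rest = tok[1], tok[2], tok[3:]
        if rest[0] == "ip":                      # extended: src [wild] dst [wild]
            src, rest = _take_addr(rest[1:])
            dst, _ = _take_addr(rest)
        else:                                    # standard: source only
            src, _ = _take_addr(rest)
            dst = ANY
        acls.setdefault(number, []).append(Ace(action, *src, *dst))
    return acls


def wildcard_match(addr, base, wild):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(aces, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False


# SVI subnets from the post. Which ACL is bound inbound depends on the variant.
SUBNETS = {"Vlan1": "192.168.1.0/24", "Vlan2": "192.168.2.0/24", "Vlan3": "192.168.3.0/24"}


def ingress_svi(src):
    for name, net in SUBNETS.items():
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(net):
            return name
    return None


def forwarded(acls, bindings, src, dst):
    """Does the inbound ACL on the SVI where src lives let the packet through?"""
    number = bindings.get(ingress_svi(src))
    if number is None:
        return True                              # nothing bound: everything passes
    return acl_permits(acls.get(number, []), src, dst)


POST_ACLS = """\
access-list 1 permit 192.168.0.0 0.0.3.255
access-list 1 permit any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
"""
# Second guest variant from the post: only the lines that mention VLAN 3 remain.
GUEST_ACLS = "\n".join(l for l in POST_ACLS.splitlines()
                       if "192.168.3.0" in l or "permit ip any any" in l)
ALL_BOUND = {"Vlan1": "101", "Vlan2": "102", "Vlan3": "103"}
ONLY_103 = {"Vlan3": "103"}                      # first guest variant: 101/102 removed
H1, H2, H3, INET = "192.168.1.10", "192.168.2.10", "192.168.3.10", "8.8.8.8"  # constructed


def scenario_report():
    """{variant: {"1->2": (request passes, reply passes), "1->3": ..., "1->internet": bool}}"""
    cases = {"post as written": (parse_acls(POST_ACLS), ALL_BOUND),
             "guest: only ACL 103": (parse_acls(POST_ACLS), ONLY_103),
             "guest: trimmed ACLs": (parse_acls(GUEST_ACLS), ALL_BOUND)}
    out = {}
    for name, (acls, b) in cases.items():
        out[name] = {"1->2": (forwarded(acls, b, H1, H2), forwarded(acls, b, H2, H1)),
                     "1->3": (forwarded(acls, b, H1, H3), forwarded(acls, b, H3, H1)),
                     "1->internet": forwarded(acls, b, H1, INET)}
    return out


if __name__ == "__main__":
    for name, pairs in scenario_report().items():
        print(name, pairs)
    # NAT source list 1: its trailing "permit any" matches every source address.
    print("NAT list 1 matches 10.0.0.1:", acl_permits(parse_acls(POST_ACLS)["1"], "10.0.0.1", INET))
```

The report makes the trade-off in the first guest variant visible: with only ACL 103 bound, a request from VLAN 1 to VLAN 3 passes and only the reply is dropped, whereas the trimmed-ACL variant blocks both directions while leaving VLAN 1 and VLAN 2 free to talk. It also shows that the NAT source list's second line, "permit any", makes its first line redundant and would translate any source address the router forwards, so the first line alone is the tighter choice.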
The ACL is wrong; the source should be the other 2 VLANs' IP addresses instead of its own address.
Or you need to change "ip access-group xxx in" to "ip access-group xxx out" if you don't want to change the ACL.