I am using a Cisco 1841 router and I have 2 sub-interfaces configured, F0/1.10 and F0/1.20.
I would like to stop the devices on VLAN 10 accessing VLAN 20 and vice versa.
VLAN 10 is on 10.10.10.1 and VLAN 20 on 10.10.20.1.
I have configured the following access control lists:
access-list 19 deny 10.10.10.0 0.0.0.255
access-list 19 permit any
access-list 29 deny 10.10.20.0 0.0.0.255
access-list 29 permit any
and applied them to the outbound side of the sub-interfaces:
interface f0/1.10
 ip access-group 29 out
interface f0/1.20
 ip access-group 19 out
The trouble is I can still ping across the networks.
Any help greatly appreciated; the full configuration is below if you need it.
Thanks,
Full config:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.201 10.10.10.255
ip dhcp excluded-address 10.10.20.201 10.10.20.255
!
ip dhcp pool 10.10.10.0/24
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 10.10.20.0/24
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8 8.8.4.4
!
!
vpdn enable
!
!
interface FastEthernet0/0
description Fibre WAN Interface
no ip address
ip broadcast-address 0.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
description LAN Interface
no ip address
ip broadcast-address 10.10.10.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip access-group 29 out
ip nat inside
no cdp enable
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip access-group 19 out
ip nat inside
no cdp enable
!
interface Serial0/0/0
no ip address
ip broadcast-address 0.0.0.0
shutdown
no fair-queue
clock rate 2000000
!
interface Dialer1
description ADSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname bne001-indigointegrated@surfdsluk
ppp chap password 0 T57Gfc09Hjd5SQw
ppp ipcp route default
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.20.0 0.0.0.255
access-list 19 deny 10.10.10.0 0.0.0.255
access-list 19 permit any
access-list 20 permit 10.10.10.0 0.0.0.255
access-list 29 deny 10.10.20.0 0.0.0.255
access-list 29 permit any
dialer-list 1 protocol ip permit
no cdp run
control-plane
line con 0
line aux 0
line vty 0 4
access-class 20 in
login
!
scheduler allocate 20000 1000
end
Best Answer
You're using a standard access list, so only source addresses are referenced. Going out of VLAN 10, for example, your source addresses are 10.10.10.0, but its access list has 10.10.20.0 which won't match and doesn't do what you think.
You need extended access lists to specify the destinations, which is one option that keeps with the access-list idea.
Another option if you need complete routing isolation between interfaces is to use VRF-lite if your software supports it.
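An added example of the extended-ACL approach the answer recommends (this is not the asker's config or the answerer's; the ACL names VLAN10-IN and VLAN20-IN are chosen here). Each list names both source and destination, is applied inbound on the sub-interface so cross-VLAN traffic is dropped as it enters the router, and keeps DHCP and Internet-bound traffic working:

```cisco
! Extended ACLs match on source AND destination, so the deny can name the other VLAN.
! Applied inbound, the source-restricted permit also drops spoofed sources from that VLAN.
ip access-list extended VLAN10-IN
 remark Clients send DHCP from 0.0.0.0, so permit bootpc->bootps before the source check
 permit udp any eq bootpc any eq bootps
 remark Block VLAN 10 -> VLAN 20 (covers ICMP, TCP and UDP alike)
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark Everything else from VLAN 10 (e.g. Internet via NAT on Dialer1) is allowed
 permit ip 10.10.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 any
!
interface FastEthernet0/1.10
 no ip access-group 29 out
 ip access-group VLAN10-IN in
!
interface FastEthernet0/1.20
 no ip access-group 19 out
 ip access-group VLAN20-IN in
!
! Verify: run a cross-VLAN ping, then confirm the deny counters are increasing.
! show ip access-lists VLAN10-IN
! show ip access-lists VLAN20-IN
```

Note that the deny entries also block traffic from one VLAN to the router's own address on the other VLAN (10.10.20.1 from VLAN 10 hosts, for example), which is usually what is wanted for isolation.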