Setting up an 1841 as a core router (This is not a production network)
I have set up 3 VLANs
VLAN 1 - Data (Can see VLAN 2)
VLAN 2 - Also Data (can see VLAN 1)
VLAN 3 - DMZ (VLAN 1 and 2 can access it but it can not access VLAN 1 or 2)
I have then used ACLs to allow traffic from VLAN 1 and 2, and this works fine: the servers in the DMZ cannot access or ping anything in VLAN 1 and 2, but they can ping the interfaces of these networks on the router. I would like to stop them being able to do this.
Code:
Current configuration : 1422 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname VLAN_Router
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description VLAN 3 - DMZ
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description VLAN1
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip access-group DMZ out
!
interface FastEthernet0/1.2
description VLAN2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group DMZ out
!
interface FastEthernet0/0/0
switchport mode access
!
interface FastEthernet0/0/1
switchport mode access
!
interface FastEthernet0/0/2
switchport mode access
!
interface FastEthernet0/0/3
switchport mode access
!
interface Serial0/1/0
ip address 10.10.10.10 255.0.0.0
ipv6 ospf cost 781
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.0.0
network 192.168.2.0
network 192.168.3.0
network 195.188.50.0
!
ip classless
!
!
ip access-list extended DMZ
permit tcp any any established
permit icmp any any echo-reply
deny ip any any
!
!
!
!
!
line con 0
logging synchronous
line vty 0 4
login
!
!
!
end
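The reason the existing DMZ access-list never catches those pings is that it is applied outbound on Fa0/1.1 and Fa0/1.2: an outbound interface ACL only sees transit traffic leaving through that interface, and a packet addressed to the router's own 192.168.0.1 or 192.168.2.1 terminates on the router without ever egressing. The place to filter is inbound on the DMZ subinterface, where every packet a DMZ host sends is seen, including those aimed at the router itself. Below is an added example of such an inbound list, not the poster's configuration; it assumes the same addressing as the posted config (DMZ 192.168.3.0/24 on Fa0/0.1 with gateway 192.168.3.1, VLAN 1 on 192.168.0.0/24, VLAN 2 on 192.168.2.0/24) and that the DMZ is still allowed to talk to anything else, such as routes learned via Serial0/1/0.

```cisco
! Added example, not part of the original post. Addresses taken from the
! posted config; the name DMZ-IN is arbitrary.
ip access-list extended DMZ-IN
 remark Return traffic for sessions that VLAN 1 and 2 opened into the DMZ
 permit tcp 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255 established
 permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
 permit icmp 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255 echo-reply
 permit icmp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 echo-reply
 remark The router's own interface addresses are unreachable from the DMZ
 deny   ip any host 192.168.3.1
 deny   ip any host 192.168.0.1
 deny   ip any host 192.168.2.1
 remark The DMZ may not initiate anything else toward VLAN 1 and 2
 deny   ip any 192.168.0.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 remark Everything else (e.g. out over Serial0/1/0) is still allowed
 permit ip 192.168.3.0 0.0.0.255 any
!
interface FastEthernet0/0.1
 description VLAN 3 - DMZ
 ip access-group DMZ-IN in
```

Denying the DMZ gateway address 192.168.3.1 does not break forwarding, because ARP is not subject to IP ACLs; it does block telnet/SSH and ICMP to that address from DMZ hosts, which is the intended effect. Check hit counts with `show ip access-lists DMZ-IN` after pinging 192.168.0.1 from a DMZ server to confirm the deny line is matching.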