Albert,

I had a case where one of the VLANs on the internal network should only
access the internet, not the internal portion of the network. The purpose
was to allow guests at the company to hook in and access the internet
without giving them access to the internal network or using a modem, and to
give realistic training on the company's product (which uses a web gateway).

I put a reflexive ACL on the VLAN's subinterface on the router to ensure
that only traffic to and from the internet was allowed. Basically, the list
let outgoing traffic out to the internet and opened a hole through for
return traffic. That's it. Nothing else.

HTH,
        Karen
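The reflexive-ACL arrangement Karen describes, written out as an added IOS configuration example; this is not Karen's configuration or anything from the list, and every name and address in it is assumed: the guest VLAN is 10 on subinterface FastEthernet0/0.10 with subnet 192.168.250.0/24, and the internal networks that guests must never reach are taken to be 10.0.0.0/8 and 172.16.0.0/12. The ACL applied inbound on the guest subinterface drops anything addressed to the internal ranges, then permits internet-bound traffic and records each session in the reflexive list; the ACL applied outbound toward the guests admits only the return traffic for those recorded sessions and denies everything else, so no internal host (or other VLAN) can initiate a connection into the guest VLAN either.

```cisco
! Assumed addressing (example values, not from the original message):
!   guest VLAN 10  -> 192.168.250.0/24 on FastEthernet0/0.10
!   internal nets  -> 10.0.0.0/8 and 172.16.0.0/12

! Idle timeout for the temporary entries created by "reflect"
ip reflexive-list timeout 300

! Applied INBOUND on the guest subinterface (packets coming from guests)
ip access-list extended GUEST-FROM
 remark let guests obtain an address from DHCP (broadcast, not routed)
 permit udp any eq bootpc any eq bootps
 remark block every internal destination before anything is reflected
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 remark internet-bound traffic is allowed and its session is recorded
 permit tcp 192.168.250.0 0.0.0.255 any reflect GUEST-SESSIONS
 permit udp 192.168.250.0 0.0.0.255 any reflect GUEST-SESSIONS
 permit icmp 192.168.250.0 0.0.0.255 any reflect GUEST-SESSIONS
 deny   ip any any log

! Applied OUTBOUND on the guest subinterface (packets going to guests)
ip access-list extended GUEST-TO
 remark only return traffic for sessions the guests opened gets through
 evaluate GUEST-SESSIONS
 remark nothing from the internal side may initiate toward the guest VLAN
 deny   ip any any log

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.250.1 255.255.255.0
 ip access-group GUEST-FROM in
 ip access-group GUEST-TO out
```

Two checks worth making after applying it: `show access-lists GUEST-SESSIONS` should list temporary entries while a guest has a browser session open and go empty after the timeout, and a ping from an internal host to 192.168.250.x should be logged by the `deny ip any any log` line of GUEST-TO. Note that the `deny` lines for the internal ranges must sit before the `reflect` entries, since a permitted packet is reflected regardless of what follows it in the list.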

*********** REPLY SEPARATOR  ***********

On 6/11/2001 at 9:39 AM Albert Lu wrote:

>Hello group,
>
>I'm trying to get ideas for a network design.
>
>Essentially, there would be two networks, let's say 172.0.0.0 network and the
>192.0.0.0 network. What I'm looking to accomplish is to have about 8 routers
>interconnected together, and both networks would run through them. However,
>each network is not allowed to learn about the other. That is, if I'm in the
>172 network, I cannot ping hosts in the 192 network.
>
>Each router would have a switch that would separate the two networks into
>two vlans, so hosts in one vlan cannot reach the other. It gets complicated
>when the traffic needs to be routed to another router.
>
>I hope I made sense; if I didn't, then please feel free to email me.
>
>Regards,
>
>Albert

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=8051&t=7967
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]