806 router in hotel environment

Status
Not open for further replies.

jsallmann

MIS
Sep 14, 2002
7
US
Hello group,
We are currently setting up an 806 router with the firewall feature set for one of our clients. The hotel where this will reside currently has a DSL connection. Internally they will have two office PCs and 5 guest rooms connected to the DSL line. The office PCs are on a 192.168.1.0 network and the guest rooms will have a 192.168.2.0 IP address. My question is: what is the best way to configure the 806 router so that the guest rooms (192.168.2.0) are denied access to the office PCs (192.168.1.0)? The DSL line is connected to the 806, which in turn connects to a switch, which in turn connects to all office and guest rooms. All PCs need access to the Internet through the DSL line, but the guest rooms must be prohibited from accessing the office PCs.

Thank you very much.
 
You can't block it at the 806. It will only control access to the Internet; the switch controls access between the guest rooms, the office and the 806. You would have to block it at the switch (if possible) or with a firewall between the switch and the office PCs.
 
Thank you for your response. I believe we'll use VLANs for this solution.
 
You can do it with the router. You're going to have to route traffic anyway with the separate nets.

The switch is a layer 2 device (unless it's VLAN-capable, in which case VLANs are a cute and efficient way of handling the issue; remember that in the future you will have to provision your network with compatible network-aware switches, though).

Sample situation:
Host A -> office 192.168.2.4 looks for 192.168.1.5. Host 192.168.2.4 will not be able to get a response from ARP in its broadcast domain (unless the router is doing proxy ARP, which is what is usually configured in similar scenarios and will have to be disabled).

Unable to get a response locally, IP hosts send to their default gateway, which is the router's internal secondary 192.168.2.0 interface. The router looks at the routing table for this (even though it knows the 192.168.1.0 interface is directly connected), which you have configured with a null route for hosts from the 192.168.2.0 destined for the 192.168.1.0 network.

You don't even need an ACL.

MMD
CCNA/CCDA
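
An added example, not posted by anyone in this thread: one way to enforce the guest/office separation on the router itself, using an extended ACL together with the proxy ARP change mentioned above. The interface name Ethernet0, the .1 gateway addresses and the ACL number 110 are assumptions.

```cisco
! Added example. Ethernet0 as the LAN interface, the .1 gateway
! addresses and ACL number 110 are assumptions, not from the thread.
interface Ethernet0
 description LAN side, connects to the switch
 ! Office subnet gateway
 ip address 192.168.1.1 255.255.255.0
 ! Guest subnet gateway on the same physical interface
 ip address 192.168.2.1 255.255.255.0 secondary
 ! Do not answer ARP requests on behalf of hosts in the other subnet
 no ip proxy-arp
 ! Filter packets as they arrive from the LAN, before routing
 ip access-group 110 in
!
access-list 110 remark Guest rooms may not reach the office subnet
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 110 remark Everything else (Internet-bound traffic) is allowed
access-list 110 permit ip any any
```

The router can only filter packets that are routed through it. Hosts that share one Layer 2 segment are not separated by this, which is what the VLAN approach mentioned earlier in the thread addresses.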
 