Help please.
We have a Cisco 2621 router acting as an interface between a VLAN switch and a firewall.
The requirement is that ALL traffic from the devices connected to VLANS on the switch is routed to the firewall.
This happens when the router to firewall Fast ethernet port is up (Fas0/0) but when its down, devices can talk from one VLAN to another.
I'm sure the problem is with the access-list somewhere but I don't know where??
Can you spot what I've done wrong?
Config:
interface FastEthernet0/0
description Connection to Firewall
ip address 192.168.100.18 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to VLAN switch
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1
description vlan 13 port 3
encapsulation dot1Q 13
ip address 192.168.101.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.2
description vlan 14 port 4
encapsulation dot1Q 14
ip address 192.168.102.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.3
description vlan 15 port 5
encapsulation dot1Q 15
ip address 192.168.103.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.4
description vlan 16 port 6
encapsulation dot1Q 16
ip address 192.168.104.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.5
description vlan 17 port 7
encapsulation dot1Q 17
ip address 192.168.105.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.6
description vlan 18 port 8
encapsulation dot1Q 18
ip address 192.168.106.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.7
description vlan 19 port 9
encapsulation dot1Q 19
ip address 192.168.107.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.8
description vlan 20 port 10
encapsulation dot1Q 20
ip address 192.168.108.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.9
description vlan 21 port 11
encapsulation dot1Q 21
ip address 192.168.109.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.10
description vlan 22 port 12
encapsulation dot1Q 22
ip address 192.168.110.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0
no ip http server
!
access-list 50 permit 0.0.0.2 255.255.255.252
access-list 101 deny ip any host 192.168.100.17
access-list 101 deny ip any host 192.168.100.18
access-list 101 deny ip any host 192.168.101.17
access-list 101 deny ip any host 192.168.102.17
access-list 101 deny ip any host 192.168.103.17
access-list 101 deny ip any host 192.168.104.17
access-list 101 deny ip any host 192.168.105.17
access-list 101 deny ip any host 192.168.106.17
access-list 101 deny ip any host 192.168.107.17
access-list 101 deny ip any host 192.168.108.17
access-list 101 deny ip any host 192.168.109.17
access-list 101 deny ip any host 192.168.110.17
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
no cdp run
route-map filter permit 10
match ip address 50
set ip next-hop 192.168.100.17
!
!
dial-peer cor custom
!
!
!
We have a Cisco 2621 router acting as an interface between a VLAN switch and a firewall.
The requirement is that ALL traffic from the devices connected to VLANS on the switch is routed to the firewall.
This happens when the router to firewall Fast ethernet port is up (Fas0/0) but when its down, devices can talk from one VLAN to another.
I'm sure the problem is with the access-list somewhere but I don't know where??
Can you spot what I've done wrong?
Config:
interface FastEthernet0/0
description Connection to Firewall
ip address 192.168.100.18 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to VLAN switch
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1
description vlan 13 port 3
encapsulation dot1Q 13
ip address 192.168.101.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.2
description vlan 14 port 4
encapsulation dot1Q 14
ip address 192.168.102.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.3
description vlan 15 port 5
encapsulation dot1Q 15
ip address 192.168.103.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.4
description vlan 16 port 6
encapsulation dot1Q 16
ip address 192.168.104.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.5
description vlan 17 port 7
encapsulation dot1Q 17
ip address 192.168.105.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.6
description vlan 18 port 8
encapsulation dot1Q 18
ip address 192.168.106.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.7
description vlan 19 port 9
encapsulation dot1Q 19
ip address 192.168.107.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.8
description vlan 20 port 10
encapsulation dot1Q 20
ip address 192.168.108.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.9
description vlan 21 port 11
encapsulation dot1Q 21
ip address 192.168.109.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
interface FastEthernet0/1.10
description vlan 22 port 12
encapsulation dot1Q 22
ip address 192.168.110.17 255.255.255.252
ip access-group 101 in
no ip proxy-arp
ip policy route-map filter
!
ip classless
ip route 0.0.0.0 0.0.0.0 Null0
no ip http server
!
access-list 50 permit 0.0.0.2 255.255.255.252
access-list 101 deny ip any host 192.168.100.17
access-list 101 deny ip any host 192.168.100.18
access-list 101 deny ip any host 192.168.101.17
access-list 101 deny ip any host 192.168.102.17
access-list 101 deny ip any host 192.168.103.17
access-list 101 deny ip any host 192.168.104.17
access-list 101 deny ip any host 192.168.105.17
access-list 101 deny ip any host 192.168.106.17
access-list 101 deny ip any host 192.168.107.17
access-list 101 deny ip any host 192.168.108.17
access-list 101 deny ip any host 192.168.109.17
access-list 101 deny ip any host 192.168.110.17
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
no cdp run
route-map filter permit 10
match ip address 50
set ip next-hop 192.168.100.17
!
!
dial-peer cor custom
!
!
!