Hi
I want to disable the communication between the CPEs connected to the CMTS. To do this I have applied the below access rule to the config file, but it doesn't seem to work. Please advise me.
access-list 102 permit ip any host 10.1.0.1
access-list 102 permit ip any host 10.1.0.2
access-list 102 deny ip any 10.1.0.0 0.0.7.255
access-list 102 permit ip any any
interface BVI1
ip address 10.1.0.1 255.255.248.0
ip access-group 102 in
## running config file ##
Router#show running-config
Building configuration...
Current configuration : 3887 bytes
!
! Last configuration change at 16:03:07 UTC+5 Fri Oct 28 2011
!
version 12.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service udp-small-servers max-servers no-limit
!
hostname SatLink
!
boot-start-marker
boot system flash slot1:ubr7100-ik8su2-mz.123-23.BC5.bin
boot-end-marker
!
!
clock timezone UTC+5 5
clock calendar-valid
cable admission-control preempt priority-voice
no cable qos permission create
no cable qos permission update
cable qos permission modems
cable time-server
!
cable config-file 3MD_2MU.cm
service-class 1 max-upstream 2048
service-class 1 guaranteed-upstream 10
service-class 1 max-downstream 5120
service-class 1 max-burst 1600
cpe max 3
timestamp
!
cable config-file 5MD_2MU.cm
service-class 1 max-upstream 2048
service-class 1 guaranteed-upstream 10
service-class 1 max-downstream 5120
service-class 1 max-burst 1600
cpe max 3
!
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip cef
ip name-server 4.4.4.4
ip name-server 4.4.8.8
ip dhcp excluded-address 10.1.3.0 10.1.7.254
ip dhcp excluded-address 10.1.0.1
ip dhcp relay information option
no ip dhcp relay information check
!
ip dhcp pool CableModems
network 10.1.0.0 255.255.248.0
bootfile 3MD_2MU.cm
next-server 10.1.0.2
default-router 10.1.0.1
option 7 ip 10.1.0.2
option 4 ip 10.1.0.2
option 2 hex 0000.4650
dns-server 4.4.4.4 4.4.8.8
lease 7 0 10
!
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0/0
no ip address
ip access-group 101 in
ip access-group 101 out
no ip route-cache
no ip mroute-cache
duplex half
speed auto
no keepalive
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
no cdp enable
!
interface Cable1/0
no ip address
no ip route-cache
no ip mroute-cache
load-interval 30
no cable packet-cache
cable downstream channel-id 0
cable downstream annex B
cable downstream modulation 64qam
cable downstream interleave-depth 32
cable downstream frequency 399000000
no cable downstream rf-shutdown
cable downstream rf-power 56
cable upstream 0 frequency 30000000
cable upstream 0 docsis-mode tdma
cable upstream 0 channel-width 3200000
cable upstream 0 minislot-size 2
cable upstream 0 power-level 0
cable upstream 0 modulation-profile 1
no cable upstream 0 shutdown
cable arp filter request-send 3 2
cable arp filter reply-accept 3 2
cable dhcp-giaddr policy
no keepalive
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.100.2 255.255.255.0 secondary
ip address 10.1.0.2 255.255.248.0
no ip route-cache
!
ip default-gateway 192.168.100.1
ip classless
no ip http server
no ip http secure-server
!
!
access-list 101 deny udp any any eq bootps
access-list 101 deny udp any any eq bootpc
access-list 101 permit ip any any
access-list 102 permit ip any host 10.1.0.1
access-list 102 permit ip any host 10.1.0.2
access-list 102 deny ip any 10.1.0.0 0.0.7.255
access-list 102 permit ip any any
no cdp run
!
nls resp-timeout 1
cpd cr-id 1
!
bridge 1 protocol ieee
bridge 1 route ip
alias exec scm show cable modem
alias exec scmr show cable modem remote
alias exec snr show controllers cable 1/0 | i SNR
alias exec summ show cable modem summary total
!
line con 0
line aux 0
line vty 0 4
login
line vty 5 15
login
!
end
Looks like you're denying communication to the CM, not to the CPEs.
Your DHCP pool says the CMs are on 10.1.0.0/21. Judging by the show run, your CPEs *may* be on 192.168.100.0/24?
Your ACL allows to 10.1.0.1, 10.1.0.2, denies to the rest of the network, and allows everything else. Wouldn't you want to deny your CPE traffic (192.168.100.0/24)?
Not really sure how the bridge-group virtual interfaces work on the Ciscos, but maybe give that a shot.