VLANs with Public IP addresses - 254 Public IPs are in hand

Nov 7th, 2009

Can we configure VLANs/VLAN interfaces with public IP addresses?

I have 30 offices/VLANs in the same building (so 30 VLANs) sharing the 10MB connection to the internet. All these offices/VLANs don't need to talk to each other; they just need internet access and should be visible from the internet (running their own email server etc.).


If I assign private IPs to the VLANs and configure their gateway as the IP of the internet router, they should all be able to browse the internet, as the Cisco 1841 is doing NATing.


Can I create VLAN interfaces (30 in total) with public IP addresses on the LAN, so that PCs within the LAN will use that IP for internet browsing? Shall I assign a public IP address to each PC/server in the LAN?


Switches are Cisco 3350 L3, and the router is an 1841 (connecting to the internet).


I have 254 public IP addresses available to make this work.


Many thanks for the help


Giuseppe Larosa Sat, 11/07/2009 - 02:26

Hello Salman,

I see some points of attention:


Giving a public IP address to an end-user PC means exposing it to the internet without protection.


If you try to subnet a /24 space you can get up to 32 /29 IP subnets; this means up to 6 hosts, including L3 switch(es), per subnet, and this can be too small to accommodate users if you have more than 5 users per office.


I understand that the C1841 can be a bottleneck, but it is the only way to provide internet access to offices with more than 5 users.


NAT is not supported on C3350 so the C1841 is the only NAT capable device.


I would keep the current configuration.


I would rather think of getting a second router to implement stateful NAT.


Hope to help

Giuseppe



s.nasheet Sat, 11/07/2009 - 03:07

Hi Giuseppe,


Thanks.


My main job is to replace Netgear switches with Cisco 3350 L3 switches.


I am visiting the client next week, and only then will I find out what their existing configuration looks like, as at the moment I am not very sure myself.


I will keep you updated and seek further advice once I have finished my site survey.


Thank you for your time.

Muhammad Anser Khan Sat, 11/07/2009 - 03:22

Dear Nasheet,


It is not a best practice to put VLANs on public IPs or to give servers public IPs directly. This is also a security flaw in the network, as everyone can hit the server directly via the public IP. They can also access switches/routers via the public IP (in default settings).


What you can do is static NATing on the Cisco 1841 for all your servers and dynamic NATing for internet users.


I would recommend that you create sub-interfaces on the router (router on a stick) instead of creating SVIs (interface vlan x) on the switches in such a scenario.


Regards,

Anser
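
The layout recommended in the reply above (router-on-a-stick sub-interfaces, static NAT for servers, dynamic NAT for users), sketched as Cisco IOS configuration. This is an added example and not part of any poster's message; the interface names, VLAN IDs, private subnets, the 203.0.113.0/24 block standing in for the 254 public addresses, the mail server address and the management subnet are all assumptions. Only two of the 30 office sub-interfaces are shown.

```cisco
! Constructed example. Assumed: the ISP routes 203.0.113.0/24 to this router.
interface FastEthernet0/0
 description Uplink to ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description 802.1Q trunk to the LAN switch
 no ip address
!
interface FastEthernet0/1.10
 description Office 1 (VLAN 10)
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group OFFICE-IN in
 ip nat inside
!
interface FastEthernet0/1.20
 description Office 2 (VLAN 20)
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group OFFICE-IN in
 ip nat inside
!
! Offices only need internet access: drop office-to-office traffic.
! This also blocks office hosts from the router's own 10.0.x.1 addresses.
ip access-list extended OFFICE-IN
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
!
! Static NAT: one public address per server that must be reachable.
ip nat inside source static 10.0.10.25 203.0.113.10
!
! Dynamic NAT with overload (PAT) for all other hosts.
ip access-list standard NAT-USERS
 permit 10.0.0.0 0.0.255.255
ip nat pool OFFICE-POOL 203.0.113.200 203.0.113.250 netmask 255.255.255.0
ip nat inside source list NAT-USERS pool OFFICE-POOL overload
!
! Keep router management off the public side (assumed management subnet).
ip access-list standard MGMT
 permit 10.0.99.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
```

A one-to-one static translation forwards every port to the server, so the server still needs its own filtering or an inbound access list on the outside interface.
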


Giuseppe Larosa Sat, 11/07/2009 - 03:39

Hello Anser,

I agree with you, just one note:


Inter-VLAN routing can still be done by the L3 switches.


All that is needed is a layer link between the core switches and the C1841 to reach the internet, so the C1841 doesn't need a lot of subinterfaces.


So with some hierarchy in the network, at least a pair of core switches that aggregate the L3 switches would be fine.


Hope to help

Giuseppe

