Representing a VLAN with a unique Public IP (shared office)?

Answered Question
Jun 1st, 2010

Hi,

Can a Cisco 3350 L3 switch be configured with different VLANs, with each VLAN using its own public IP address to get to the internet?

My goal is to give each VLAN a public IP address. Basically this is a shared accommodation and each VLAN/office is an independent office. Hosts in one VLAN are not required to talk to the hosts in another VLAN, but all hosts need internet.

Hosts will communicate within an office/VLAN by using LAN IP addressing but will use a public IP address (NATing) to go on the internet.

I have 128 public IP addresses in hand which can be assigned to offices/VLANs. Each office/VLAN needs to be identified with a unique public IP address.

I guess I need to do subnetting on my public IP address block and assign each VLAN a /32 mask. (I don't know how......)

The Cisco PIX will be configured to do NATing. But the switches need to be configured to represent each VLAN with a public IP.

I was thinking of creating a loopback address for each VLAN with a /32 mask and using that interface for NATing/PATing.

Any recommendations, please? Can any other design be used to achieve the same result?

Regards

Salman

Ganesh Hariharan Tue, 06/01/2010 - 22:24

Hi Salman,

Just for your information, the Cisco 3350 does not support NATing. As you said, you have a PIX to do the NATing for internet access. My question is why you want an office to be recognised by a unique public IP address, how many offices you have, and whether all of them have the same PIX firewall with L3 switches.

Is this a requirement to manage these switches over the internet, or is it for some other need?

Hope to help !!

Ganesh.H

s.nasheet Tue, 06/01/2010 - 22:58

Ganesh,

Thanks for the response.

For some reason, sales people have agreed this design with the customer and ordered a block of 128 IP addresses for this. Another reason is that, as this is a shared building, each office in the building will have its own mail/FTP/web servers, which require public IPs anyway to run their web-based services.

I have 30 offices in a building and all offices will use the same internet connection (10MB). All offices will use PIX and 4x 3550 L3 switches.

Switch management is not an issue at the moment, as once I am telneted/SSH'ed into the PIX, I will hop over to the switches via the PIX.

Can a VLAN interface be used with a secondary IP address? The primary IP will be the VLAN subnet IP and the secondary IP will be one of the public IPs. All PCs within the VLAN will use the public IP as a gateway to the internet? Not sure if this is possible; maybe NATing will not be required in this case.

For example:

VLAN 10 - IP range 172.16.10.0/24

    interface Vlan10
     ip address 172.16.10.1 255.255.255.0
     ip address 81.54.66.x 255.255.255.255 secondary

Hosts in the VLAN will have a gateway of 81.54.66.x

Can you think of any other design options to make it work?

Thanks

Salman

Correct Answer
Ganesh Hariharan Wed, 06/02/2010 - 10:27

Salman,

Let's concentrate on a single office design, as you have common infrastructure in 30 offices. As you said, all offices will use a PIX with 4*3550 switches, so what I would suggest for internet access for office users is that you have two options: either create a proxy server and NAT that server on the PIX for internet connectivity and browsing purposes, or make the NAT configuration on the PIX interface to do the same, as the 3550 switches do not have NAT functionality.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml#mixing_nat

For an easy design, just try to achieve the task with the PIX and L3 switch; that is why I am not preferring the secondary IP address concept.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

s.nasheet Wed, 06/02/2010 - 11:31

Hi Ganesh,

Thanks for the reply.

I have decided to go with a different design. Now the PIX will do the NATing and I will create static NAT entries to map local server IPs to public IPs.

The rest will remain the same: each office will be in its own VLAN and will create the default-gateway towards the PIX inside interface.

Thanks for all the help. I will test the config and will let you know the result.

Thanks

Salman
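
Added example (not part of the original thread): a small address planner for the design settled on above, giving each office VLAN its own PAT address on the PIX and each server a static one-to-one mapping, and refusing plans that exceed the public block. The 203.0.113.0/25 block, the VLAN numbering 10-39, the 172.16.<vlan>.0/24 scheme beyond VLAN 10, the two reserved addresses, and the use of the VLAN id as the NAT id are assumptions.

```python
import ipaddress

RESERVED = 2  # assumption: first two usable IPs are the ISP gateway and the PIX outside interface

def build_plan(public_block, vlans, servers):
    """Allocate one PAT address per office VLAN, then one static IP per server.

    vlans: VLAN ids, each mapped to 172.16.<vlan>.0/24 as in the thread's VLAN 10.
    servers: {vlan: [private server IPs]}.
    Returns (pat, statics)."""
    pool = list(ipaddress.ip_network(public_block).hosts())[RESERVED:]
    needed = len(vlans) + sum(len(s) for s in servers.values())
    if needed > len(pool):
        raise ValueError(f"need {needed} public IPs, block has {len(pool)} free")
    pat, statics = {}, {}
    for vlan in vlans:
        pat[vlan] = (ipaddress.ip_network(f"172.16.{vlan}.0/24"), pool.pop(0))
    for vlan, hosts in servers.items():
        subnet = pat[vlan][0]
        for host in hosts:
            addr = ipaddress.ip_address(host)
            if addr not in subnet:  # a server mapped under the wrong office
                raise ValueError(f"{host} is outside VLAN {vlan} ({subnet})")
            statics[addr] = pool.pop(0)
    return pat, statics

def render_pix(pat, statics):
    """Emit PIX nat/global pairs (NAT id = VLAN id) and static server mappings."""
    lines = []
    for vlan, (subnet, public) in sorted(pat.items()):
        lines.append(f"nat (inside) {vlan} {subnet.network_address} {subnet.netmask}")
        lines.append(f"global (outside) {vlan} {public}")
    for private, public in statics.items():
        lines.append(f"static (inside,outside) {public} {private} netmask 255.255.255.255")
    return lines

# Constructed sample: 30 offices on VLANs 10-39, a documentation /25 (128 addresses),
# and one mail server in the first office.
SAMPLE_BLOCK = "203.0.113.0/25"
SAMPLE_VLANS = list(range(10, 40))
SAMPLE_SERVERS = {10: ["172.16.10.20"]}

if __name__ == "__main__":
    pat, statics = build_plan(SAMPLE_BLOCK, SAMPLE_VLANS, SAMPLE_SERVERS)
    print("\n".join(render_pix(pat, statics)))
```

NAT on the PIX does not by itself isolate the offices from each other: if the 3550 routes between the VLAN interfaces, inter-office traffic never reaches the PIX and has to be blocked with ACLs on the switch.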
