Cisco Support Community

Hiding one IP from the next


I am wanting to splice out a T1 to be used by 10 different businesses in a complex. I want to keep each internet line to each business inaccessible from the next at the hardware (router) level. Which is the best Cisco Router to use and what specific function allows this to happen? Much obliged,



Re: Hiding one IP from the next

I imagine doing this with a 2600 series router running the IP Plus IOS software image, plus a Cisco Catalyst 10/100 switch that does VLANs.

On the router, set up the LAN interface to do 802.1Q trunking using subinterfaces; and assign ten VLANs, each with a private Class C IP network address. For example, VLAN 10 is IP network, VLAN 20 is IP network, etc. (mask on each). "Plus" version of the IOS lets you do LAN subinterfaces.

Do network address translation and/or port address translation, such that each Class C network maps to one of your real-world IP addresses. (This assumes you have at least 12 real-world IP addresses: one for PAT for each of the ten VLANs, one for the router's WAN interface, and one for the router's default gateway on the other end of that T1. Any extra real-world IP addresses can be reserved for static mapping through to web servers, e-mail servers etc. located behind the router on the VLANs.) "Plus" version of the IOS gets you NAT/PAT.

On the router, run extended access control lists that deny traffic among the private IP networks, but permit all other traffic to come in and go out the T1. Any router IOS version can do this. (Or, if you get a 3550 or 3750 switch with IP routing capability, you can do the EACLs on the switch at "wire speed" and let the router keep its CPU cycles for routing out the WAN interface.)

On the switch, configure at least one access switch port per business in the complex, and run a Cat5 or better cable to their network. (This assumes the businesses are within 100m of the router and switch, and there is UTP cable to them. If distances are further and you must use fiber, use media converters to go from copper to fiber, ride the fiber, and break it back out to copper at the other end.)

Only one port on the switch should be configured as a VLAN trunk port, the one connected to the router.

Hope this helps.
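The per-VLAN subinterface and access-list step from the reply above, as an added example that is not part of the original thread: it generates the router configuration for each tenant and models IOS first-match evaluation to confirm that no tenant can reach another. The VLAN IDs, the 192.168.x.0/24 networks, the `FastEthernet0/0` interface name and the `ISOLATE-VLAN` ACL names are assumptions made for illustration; the NAT/PAT statements are left out.

```python
import ipaddress

# Constructed for illustration: VLAN IDs 10..100, 192.168.<vlan>.0/24 per tenant,
# and the FastEthernet0/0 parent interface are assumptions, not values from the post.
TENANTS = {v: ipaddress.ip_network(f"192.168.{v}.0/24") for v in range(10, 101, 10)}
ANY = ipaddress.ip_network("0.0.0.0/0")

def acl_rules(vlan):
    """Ordered (action, destination) rules applied inbound on one tenant's subinterface."""
    rules = [("deny", net) for v, net in TENANTS.items() if v != vlan]
    return rules + [("permit", ANY)]  # everything else may leave via the T1

def verdict(vlan, dst):
    """First-match evaluation, the way IOS walks an access list."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl_rules(vlan):
        if addr in net:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def render(vlan):
    """IOS configuration text for one tenant: named extended ACL plus 802.1Q subinterface."""
    net = TENANTS[vlan]
    lines = [f"ip access-list extended ISOLATE-VLAN{vlan}"]
    for action, dst in acl_rules(vlan):
        target = "any" if dst == ANY else f"{dst.network_address} {dst.hostmask}"
        lines.append(f" {action} ip any {target}")
    gateway = net.network_address + 1  # first host address used as the router's address
    lines += [
        f"interface FastEthernet0/0.{vlan}",
        f" encapsulation dot1Q {vlan}",
        f" ip address {gateway} {net.netmask}",
        f" ip access-group ISOLATE-VLAN{vlan} in",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(10))
```

Each tenant's ACL lists the other nine networks explicitly rather than denying the whole private range, so hosts can still reach their own gateway address on the router.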
