Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
209
Views
0
Helpful
1
Replies

Hiding one IP from the next

miguel__sanchez
Level 1
Level 1

‎02-17-2004 09:39 PM - edited ‎03-02-2019 01:40 PM

Hello,

I am wanting to splice out a T1 to be used by 10 different businesses in a complex. I want to keep each internet line to each business inaccessible from the next at the hardware (router) level. Which is the best Cisco Router to use and what specific function allows this to happen? Much obliged,

Miguel

Labels:
0 Helpful
1 Reply 1

konigl
Level 7
Level 7

‎02-18-2004 07:54 PM

I imagine doing this with a 2600 series router, running IP Plus IOS software image; plus a Cisco Catalyst 10/100 switch that does VLANs.

On the router, set up the LAN interface to do 802.1Q trunking using subinterfaces; and assign ten VLANs, each with a private Class C IP network address. For example, VLAN 10 is IP network 192.168.10.0, VLAN 20 is IP network 192.168.20.0, etc. (mask 255.255.255.0 on each). "Plus" version of the IOS lets you do LAN subinterfaces.

Do network address translation and/or port address translation, such that each Class C network maps to one of your real-world IP addresses. (This assumes you have at least 12 real-world IP addresses: one for PAT for each of the ten VLANs, one for the router's WAN interface, and one for the router's default gateway on the other end of that T1. Any extra real-world IP addresses can be reserved for static mapping through to web servers, e-mail servers etc. located behind the router on the VLANs.) "Plus" version of the IOS gets you NAT/PAT.

On the router, run extended access control lists that deny traffic among the private IP networks, but permit all other traffic to come in and go out the T1. Any router IOS version can do this. (Or, if you get a 3550 or 3750 switch with IP routing capability, you can do the EACLs on the switch at "wire speed" and let the router keep its CPU cycles for routing out the WAN interface.)

On the switch, configure at least one access switch port per business in the complex, and run a Cat5 or better cable to their network. (This assumes the businesses are within 100m of the router and switch, and there is UTP cable to them. If distances are further and you must use fiber, use media converters to go from copper to fiber, ride the fiber, and break it back out to copper at the other end.)

Only one port on the switch should be configured as a VLAN trunk port, the one connected to the router.

Hope this helps.

0 Helpful
Customers Also Viewed These Support Documents