Cisco Support Community

New Member

Need Some Advice

In our building we provide bandwidth for some of the tenants. Currently they are assigned IP addresses randomly, in the /24 that our network uses, and connect to us via Ethernet through an unmanaged switch. I need to renumber our network and therefore our in-building customers as well. I obviously want to put them in their own network. The issue is some of the customers need only 1 IP address for one workstation. If I assign each customer a /30, would I not also have to add a secondary address on my router for each subnet? And would not each customer then need their own default gateway? Seems like a waste of space. If I assign let's say a /27 or /26 for all customers how can I keep their traffic separate? VLANs? NAT through my PIX? Any advice would be appreciated.


Re: Need Some Advice

Assign the IP address space based on their needs; for example, as you said, for only 2 hosts, give them a /30. If a client needs more, give them a larger subnet. Separate the companies by VLAN and access-lists. Set a switch port as a trunk port (for all customer VLANs), and connect the trunk port to your router. The router port will use subinterfaces that correspond to the VLAN. ISL/dot1q encapsulation is configurable on Fast Ethernet interfaces. You can place an ACL on each subinterface to limit access as you require. Each client would indeed need a default gateway pointing to the correct subinterface.

Router(config)# interface fastethernet 2.10

Router(config-subif)# encap isl 10

! or, for 802.1Q: encap dot1q 10

Router(config-subif)#ip address

Router(config-subif)# exit

Router(config)# interface fastethernet 2.20

Router(config-subif)# encap isl 20

Router(config-subif)#ip address

See link:

You can use EIGRP or whatever protocol you are using to advertise these routes back into the rest of your internal network (use the "passive-interface default" command to make the config easier, and "no passive-interface f0/0" to allow EIGRP back into your network).

Hope it helps.
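
The sizing and subinterface layout described in this reply, as an added example that is not part of the original post: it carves a block into per-tenant subnets by need and renders a dot1q subinterface plus an inbound ACL for each. The 192.0.2.0/24 block, tenant names and host counts, the parent interface `FastEthernet0/1` and the ACL names are constructed assumptions.

```python
import ipaddress

def plan_tenants(block, tenants, first_vlan=10, vlan_step=10):
    """Carve `block` into one subnet per tenant, sized to the hosts each needs.

    Largest tenants go first so every subnet starts on its own boundary.
    Each subnet holds the tenant's hosts plus network, broadcast and one
    router (default gateway) address.
    """
    block = ipaddress.ip_network(block)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plans = []
    ordered = sorted(tenants.items(), key=lambda kv: kv[1], reverse=True)
    for i, (name, hosts) in enumerate(ordered):
        size = 1 << (hosts + 2).bit_length()   # smallest power of two >= hosts + 3
        if cursor + size > end:
            raise ValueError(f"{block} is too small for tenant {name!r}")
        net = ipaddress.ip_network((cursor, 33 - size.bit_length()))
        plans.append({"tenant": name, "vlan": first_vlan + i * vlan_step,
                      "network": net, "gateway": net.network_address + 1})
        cursor += size
    return plans

def render_ios(plans, block, parent="FastEthernet0/1"):
    """Render IOS-style config; `parent` and the ACL names are assumptions."""
    block = ipaddress.ip_network(block)
    lines = []
    for p in plans:
        net, acl = p["network"], f"TENANT-{p['vlan']}-IN"
        lines += [
            f"ip access-list extended {acl}",
            # Blocks tenant-to-tenant traffic (and pings to the gateway itself)
            f" deny ip any {block.network_address} {block.hostmask}",
            # Only the tenant's own source addresses may leave; the rest is dropped
            f" permit ip {net.network_address} {net.hostmask} any",
            f"interface {parent}.{p['vlan']}",
            f" description {p['tenant']}",
            f" encapsulation dot1Q {p['vlan']}",
            f" ip address {p['gateway']} {net.netmask}",
            f" ip access-group {acl} in",
        ]
    return "\n".join(lines)

# Constructed sample input: tenant name -> workstations needed
TENANTS = {"tenant-a": 1, "tenant-b": 12, "tenant-c": 5}
BLOCK = "192.0.2.0/24"

if __name__ == "__main__":
    print(render_ios(plan_tenants(BLOCK, TENANTS), BLOCK))
```

With this sample input the three tenants consume 28 of the 256 addresses, and the single-workstation tenant costs four addresses in its /30.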


New Member

Re: Need Some Advice

Steve was quite right with his reply. There are a couple of 'gotchas' on this though. First, you will need to upgrade to a switch or hub that can support either Cisco ISL or IEEE 802.1q (dot1q in Cisco speak). Second, the router you are using MUST have a Fast Ethernet port to support subinterfaces and dot1Q. Cisco 2600s are the lowest end routers that support this I believe.

Dot1q is a VLAN technology so all their traffic would stay on their own VLAN. I think the best option is to give them each their own subnetted network and then NAT them out through your PIX. If you are just providing them with Internet access then you should just be able to use a single NAT statement in the PIX to include the entire subnetted /24 network that you are using. Hope that makes sense!

New Member

Re: Need Some Advice

I think that the combination of the previous two suggestions is a great way to achieve this situation.

Just connect a trunk between the switch and the router, and make as many subifs as you need (be sure to use the same encapsulation for everyone).

In the switch, configure as port trunk (ISL is the default encapsulation, I'm not really sure, check this) the port that connects the switch. Set the switch as VTP server, and create the VLANs with the same number that you've used in the subifs. Assign ports to the VLANs (as a next step you could make this dynamically using VMPS).

Then in the PIX, with 2 lines you can NAT all the /24 or use x nat statements to NAT with different pools.

A few samples:

nat (inside) 1 x.x.x.x

global (outside) 1 b.b.b.b-b.b.b.c netmask 255.255.255.x

global (outside) 1 b.b.b.d <<<< used for PAT

or you can use

nat (inside) 1 x.x.x.x

nat (inside) 2 x.x.x.y

global (outside) 1 b.b.b.b-b.b.b.c netmask 255.255.255.x

global (outside) 2 c.c.c.c-c.c.c.d netmask 255.255.255.x


I hope it helps