An IP Address question

Safar Safarov

Hello,

I was wondering whether it is possible to make sure that only the approved IP addresses for each division of a company can be used.

Case scenario:

I have Public IP addresses range: pu.bl.ic.0/24

My gateway is: pu.bl.ic.254/24

Now on the other side of the router (no NAT) I have a switch which connects the divisions' routers to the internet.

The question is:

How can I assign one or more public addresses to a port and be sure that only this port is using them? The thing is, I have only one 24-bit public network ID provided to me by the ISP. One IP address of the range is used for the ISP's gateway, so I have 253 addresses to distribute among the divisions. However, to avoid IP address conflicts I have to be sure that only the IP address(es) dedicated to a division are used by that division.

The router is a 2821.

The switch is a 2950.

I hope I have explained the issue correctly.

Thanks.


11 Replies

Hi,

if I correctly understand your question, you just need a correctly configured DHCP server. You can also split the whole range into multiple subnets, one for each division; it may simplify the administration.

Konstantin, I guess you understood me correctly; however, DHCP is not an option in our case. What about splitting into multiple subnets? I'm a little bit confused. What mask should then be on the link to the ISP? Right now I set it to 24 bits. Any examples of it?

OK, then you should explain to us a little bit more about your network.

1. Is it a normal "enterprise" network, or is it like a small service provider?

2. Why do you want all end devices to get a public IP address? Can you assign it manually, or should it be done somehow automatically?

3. Should the departments be able to communicate with each other?

4. Is it possible to use NAT?

Ok. Look:

1. It's like a small ISP.

2. Not devices, but the routers of each division. Every router at the divisions has NAT enabled. The devices will be the WAN interfaces of the divisions' routers; IP addresses will be set up manually on each interface of each router.

3. Divisions should not have access to each other.

4. No.

More info: the main router will work like a transition point from the internet to the routers of the divisions.

Who will set up the IP address on each router? The division itself, or will it be done centrally?

I'm afraid that without any additional tricks, like PPPoE, it's not really possible to be sure that IP addresses are not "duplicated".

But you can configure a dynamic IP address on every division interface, set up a DHCP server on the Cisco 2821, and statically assign the IP to a certain MAC address.

Each division will set up its IP address(es) by itself on its routers.

The issue is that while some divisions will have one public IP address each, others will have five or more due to the external services they need to provide (like a mail server, SharePoint and stuff like that).

The other thing I was thinking about is PACL. Thus I can restrict some IP addresses to go via a specified port. The thing is that I have no idea how I can split one /24 subnet into multiple ones and then specify access lists per port. If I have pu.bl.ic.253/24 set on the WAN interface of my 2821 and the default route set to pu.bl.ic.254/24, then if I add any of pu.bl.ic.1-252 to VLANs, with any mask, I will get an overlapping error. On the other hand, will the route work if I specify a /30 mask instead of /24?

In this case:

I have the pu.bl.ic.0/24 subnet given by the ISP.

I have a static route to the ISP's router, whose IP address is pu.bl.ic.254/24 (as provided by the ISP).

Config example:

interface GigabitEthernet0/0
 description iNET-WAN
 ip address pu.bl.ic.253 255.255.255.252
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan10
 ip address pu.bl.ic.250 255.255.255.252
!
interface Vlan11
 ip address pu.bl.ic.246 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 pu.bl.ic.254

What do you think?

To explain subnetting, I need to know what you know about subnetting and routing.

In short: yes, you can split your /24 pool into many /29 (or any other size) networks; you should of course follow the mask borders.

Then, in the first scenario, you may need a linknet subnet for every /29, which connects the /29 to your border router, if your /29 lies "behind" the division's router like this:

ISP(.254) <--->(.253) CISCO2821 (subif.X) <--linknetX/30-->ROUTER--subnetX/29

Or you can use your /29 subnet without a linknet and "directly connect" it to the border router:

ISP(.254) <--->(.253) CISCO2821 (subif.X) <--subnetX/29-->ROUTER

In this case you don't need any ACL, because a wrongly configured router will not be routed.

The problem is you'll lose too many IPs from your /24 pool because of subnetting rules. How many divisions do you have?

I think if you took a Catalyst 3550 (L3 switch) and replaced your 2950 with it, you could do some IP filtering directly on the physical interface; in this case you would not need the subnetting, you would save the IP space and not have problems with routing.
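As an added illustration (not code from this thread or from Cisco), the Python below works through the two things being juggled here: carving pu.bl.ic.0/24 into per-division prefixes on mask boundaries while counting what the subnetting rules cost, and checking a draft interface plan like the one posted above for the overlap error. 203.0.113.0/24 (RFC 5737 documentation space) stands in for the real block, the per-division address needs are invented, and the "directly connected" layout is assumed, so each subnet also gives one address to the 2821 subinterface.

```python
import ipaddress
from itertools import combinations

# Constructed stand-in for the thread's "pu.bl.ic.0/24"; .254 is the ISP gateway.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/24")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.254")

# The poster's draft interface addressing, with the constructed block substituted.
DRAFT = {
    "GigabitEthernet0/0": ipaddress.ip_interface("203.0.113.253/30"),
    "Vlan10": ipaddress.ip_interface("203.0.113.250/30"),
    "Vlan11": ipaddress.ip_interface("203.0.113.246/29"),
}

def prefix_for(addresses: int) -> int:
    """Smallest prefix length whose usable hosts (size minus net/broadcast) cover `addresses`."""
    p = 30
    while (1 << (32 - p)) - 2 < addresses:
        p -= 1
    return p

def overlapping(nets):
    """Network pairs that collide, i.e. what IOS rejects with an overlap error."""
    return [(a, b) for a, b in combinations(nets, 2) if a.overlaps(b)]

def check_draft(draft, gateway):
    """No overlaps between interface networks, and the default-route next hop sits inside the WAN /30."""
    return not overlapping([i.network for i in draft.values()]) and gateway in draft["GigabitEthernet0/0"].network

def carve(block, needs, reserved):
    """Best-fit carving of `block` on mask boundaries. `needs` maps division -> public
    addresses its router must hold; one more per subnet goes to the 2821 subinterface.
    Returns (allocations, free prefixes, addresses lost to subnetting rules)."""
    free = [block]
    for r in reserved:  # e.g. the ISP link /30: keep it out of the pool
        free = [f for n in free for f in (n.address_exclude(r) if r.subnet_of(n) else [n])]
    alloc = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: (-kv[1], kv[0])):  # largest first
        p = prefix_for(hosts + 1)
        cands = [n for n in free if n.prefixlen <= p]  # free prefixes big enough to hold a /p
        cand = max(cands, key=lambda n: (n.prefixlen, -int(n.network_address)))  # tightest fit
        sub = cand if cand.prefixlen == p else next(cand.subnets(new_prefix=p))
        free.remove(cand)
        free.extend([] if sub == cand else cand.address_exclude(sub))
        alloc[name] = sub
    lost = sum(alloc[n].num_addresses - needs[n] for n in alloc)
    return alloc, free, lost
```

The overlap the poster hit comes from keeping the whole /24 on the WAN interface; once the WAN side is a /30 holding .253 and .254, the per-VLAN prefixes no longer collide.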

Konstantin,

will I need a router in case of L3 switch?

Hi,

you can think about an L3 switch as a router with very limited "funny" features, because it has a very, very weak processor, and if a certain feature is not supported in hardware then you can't really use it in production. E.g. an L3 switch has a limited number of ACL entries, has a limited routing table size, can't do any tunneling and so on. If you plan only simple internet access for your network without any additional services, then a c3550 would be enough, but I suggest keeping the c2821 router as the edge router and placing the c3550 as the distribution/access device, so you will separate the functions of the devices and it will be easier to manage your network.

Krasnoperov

Hi, if you want to be sure, you can make a PPPoE server on your router, give each of your divisions a name and password, and assign an IP to every PPPoE session.

Krasnoperov,

good suggestion. However, in our case PPPoE is not acceptable. But, just to know for the future, could you please post an example config?
