11-03-2011 04:23 AM - edited 03-04-2019 02:08 PM
Hello,
I was just wondering whether it is possible to make sure that only the approved IP addresses for each of a company's divisions can be used.
Case scenario:
I have Public IP addresses range: pu.bl.ic.0/24
My gateway is: pu.bl.ic.254/24
Now on other side of router (no NAT) I have switch which connects divisions' routers to the internet.
The question is:
How can I assign one or more public addresses to a port and be sure that only this port is using it/them? The thing is I have only one 24-bit public Network ID provided to me by the ISP. One IP address of the range is used for the ISP's gateway. So I have 253 addresses to be distributed among the divisions. However, to avoid IP address conflicts I have to be sure that only the IP address(es) dedicated to a division is/are used by that division.
Router is 2821.
Switch is 2950.
I hope I have explained the issue correctly
Thanks.
Solved! Go to Solution.
11-03-2011 02:37 PM
To explain subnetting, I need to know what you know about subnetting and routing.
In short: yes, you can split your /24 pool into many /29 (or any other size) networks; you should of course follow the mask borders.
Then in the first scenario you may need for every /29 a linknet subnet, which connects the /29 to your border router, if your /29 lies "behind" the division's router like this:
ISP(.254) <--->(.253) CISCO2821 (subif.X) <--linknetX/30-->ROUTER--subnetX/29
or you can use your /29 subnet without a linknet and "directly connect" to the border router:
ISP(.254) <--->(.253) CISCO2821 (subif.X) <--subnetX/29-->ROUTER
In this case you don't need any ACL, because the wrongly configured router will not be routed.
The problem is you'll lose too many IPs from your /24 pool because of subnetting rules. How many divisions do you have?
I think if you would take a CATALYST 3550 (L3 switch) and replace your 2950 with it, you could do some IP filtering directly on the physical interface; in this case you would not need the subnetting, you would save the IP space and wouldn't have problems with routing.
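As an added worked example (not code from this thread), the following Python script carves a /24 into aligned per-division subnets as the answer above describes, in both the linknet and the directly connected variant, keeps the ISP link /30 out of the pool (the "overlapping" error the original poster worries about), and counts the addresses lost to subnetting. It assumes the documentation prefix 203.0.113.0/24 in place of pu.bl.ic.0/24 and a constructed list of divisions with their host requirements.

```python
# Added example: carve a /24 into per-division subnets and count the addresses
# lost to subnetting. 203.0.113.0/24 (a documentation prefix) stands in for
# pu.bl.ic.0/24; the division demand list below is constructed.
import ipaddress
from itertools import combinations

def hosts_to_prefix(n_hosts):
    """Smallest prefix length whose block gives n_hosts usable addresses."""
    size = 4                        # /30 is the smallest block used here
    while size - 2 < n_hosts:       # minus network and broadcast addresses
        size *= 2
    return 32 - (size.bit_length() - 1)

def allocate(pool, wan_link, divisions, linknet):
    """One aligned subnet per division (plus a /30 link net if linknet=True),
    never overlapping the ISP link already carved out of the pool."""
    net = ipaddress.ip_network(pool)
    used = [ipaddress.ip_network(wan_link)]   # the .252/30 ISP link (.253/.254)
    plan = {}
    for name, n_hosts in divisions.items():
        wanted = [hosts_to_prefix(n_hosts)] + ([30] if linknet else [])
        chosen = []
        for plen in wanted:
            free = (c for c in net.subnets(new_prefix=plen)
                    if not any(c.overlaps(u) for u in used + chosen))
            block = next(free, None)
            if block is None:
                raise ValueError(f"pool exhausted while allocating /{plen} for {name}")
            chosen.append(block)
        used += chosen
        plan[name] = chosen
    return plan

def no_overlaps(plan, wan_link):
    """The check IOS makes before rejecting an address: no two subnets overlap."""
    nets = [ipaddress.ip_network(wan_link)] + [s for subs in plan.values() for s in subs]
    return not any(a.overlaps(b) for a, b in combinations(nets, 2))

def addresses_lost(plan, divisions):
    """Addresses consumed by the plan beyond what the divisions actually need."""
    consumed = sum(s.num_addresses for subs in plan.values() for s in subs)
    return consumed - sum(divisions.values())

DIVISIONS = {"div1": 1, "div2": 5, "div3": 5, "div4": 1}   # constructed demand

if __name__ == "__main__":
    for linknet in (True, False):
        plan = allocate("203.0.113.0/24", "203.0.113.252/30", DIVISIONS, linknet)
        print("linknet" if linknet else "direct", plan,
              "lost:", addresses_lost(plan, DIVISIONS))
```

With the constructed demand of 12 addresses, the linknet variant burns 40 addresses and the directly connected variant 24, which is the "lose too many IPs" effect the answer warns about.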
11-04-2011 01:43 AM
Hi,
You can think of an L3 switch as a router with very limited "funny" features, because it has a very, very weak processor, and if a certain feature is not supported in HW then you can't really use it in production. E.g. an L3 switch has a limited number of ACL entries, has a limited routing table size, can't do any tunneling and so on. If you plan for your network only simple Internet access without any additional services then a c3550 would be enough, but I suggest keeping the c2821 router as the edge router and placing the c3550 as the distribution/access device, so you will separate the functions of the devices and it will be easier to manage your network.
11-03-2011 04:30 AM
Hi,
If I understand your question correctly, you just need a correctly configured DHCP server. You can also split the whole range into multiple subnets, one for each division; it may simplify the administration.
11-03-2011 05:39 AM
Konstantin, I guess you understood me correctly; however DHCP is not an option in our case. What about splitting into multiple subnets? I'm a little bit confused. What mask should then be on the link to the ISP? Now I set it to 24 bits. Any examples of it?
11-03-2011 05:49 AM
OK, then you should explain to us a little bit more about your network.
1. Is it a normal "enterprise" network, or is it like a small service provider?
2. Why do you want all end devices to get a public IP address? Can you assign it manually or should it be done somehow automatically?
3. Should the departments be able to communicate with each other?
4. Is it possible to use NAT?
11-03-2011 06:56 AM
Ok. Look:
1. It's like small ISP
2. Not devices, but the routers of each division. Every router at the divisions has NAT enabled. The devices will be the WAN interfaces of the divisions' routers; IP addresses will be set up manually on each interface of each router.
3. Divisions should not have access to each other.
4. No.
More info: The main router will work like transition point of internet to the routers of divisions.
11-03-2011 09:06 AM
Who will set up the IP address on each router? The division itself, or will it be done centrally?
I'm afraid without any additional tricks, like PPPoE, it's not really possible to be sure that IP addresses are not "duplicated".
But you can configure a dynamic IP address on every division interface, set up a DHCP server on the cisco2821 and assign the IP statically to a certain MAC address.
11-03-2011 02:02 PM
Each division will set up the IP address(es) by itself on their routers.
The issue is that while some divisions will have one public IP address each, others will have 5 or more each due to the external services they need to provide (like a Mail Server, SharePoint and stuff like that).
The other thing I was thinking about is PACL. Thus, I can restrict some IP addresses to go via a specified port. The thing is that I have no idea how I can split one /24 subnet into multiple ones, and then specify Access Lists per port. If I have the pu.bl.ic.253/24 IP address set on the WAN interface of my 2821 and the default route set to pu.bl.ic.254/24, then if I add to VLANs any of pu.bl.ic.1-252 with restrictions of any masks I will get an overlapping error. On the other side, will the route work if I specify a /30 mask instead of /24?
In this case:
I have pu.bl.ic.0/24 subnet given by ISP
I have static route to ISP's router which IP address is pu.bl.ic.254/24 (as provided by ISP)
Config example:
interface GigabitEthernet0/0
 description iNET-WAN
 ip address pu.bl.ic.253 255.255.255.252
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan10
 ip address pu.bl.ic.250 255.255.255.252
!
interface Vlan11
 ip address pu.bl.ic.246 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 pu.bl.ic.254
What do you think?
11-04-2011 01:34 AM
Konstantin,
will I need a router in case of L3 switch?
11-03-2011 05:01 AM
Hi, if you want to be sure, you can make a PPPoE server on your router, give every one of your divisions a name and password, and assign an IP to every PPPoE session.
11-03-2011 05:42 AM
Krasnaperov,
Good suggestion. However, in our case PPPoE is not acceptable. But, just to know for the future, could you please post an example config?