C K (Beginner)

Block of Public IP sharing between VLANs

Hi All,

 

I have a scenario where our office has been assigned 6 public IPs (below are hypothetical IPs), the 95.175.10.20/21 block from the ISP.

 

1st IP:    95.175.10.17

Last IP:  95.175.10.22

 

Hardware:

Cisco router: 4300

Cisco Switch: 2960 PoE

           

My router's WAN port takes the first IP, 95.175.10.17; the LAN port of the router is connected to a Cisco switch. DHCP on the switch dishes out private IPs from 192.168.1.1/24 to the default VLAN 1. Everything is open inbound and outbound on the router and traffic is flowing fine. Users connected to any LAN port on the switch can access the internet.

 

Now a different department of our office wants to use one of the available public IPs, 95.175.10.18, for their server.

I have to put this server on a separate VLAN so that no one from the first VLAN can access it. But it should be accessible via its public IP from outside.

 

Question:

1) How do I route the traffic to the internet from the 2nd VLAN with the 2nd available public IP 95.175.10.17?

 

Thanks

 

Kind Regards,

CK

Accepted Solution
Advocate

Re: Block of Public IP sharing between VLANs

Hi @C K ,

 

On the switch:
You must ensure that the VLANs are created and the ports are assigned to the corresponding VLAN.
In addition, the switch port that connects to the router must remain in trunk mode.

On the router:
You must create subinterfaces on the interface that connects to the switch, encapsulating the packets with the tag of the corresponding VLAN.
For example

R(config)# interface fa0/0
R(config-if)# no ip address
R(config-if)# interface fa0/0.1
! VLAN 1 is the untagged native VLAN on a default Catalyst trunk, so mark it native here
R(config-subif)# encapsulation dot1q 1 native
R(config-subif)# ip address <gateway vlan 1> <mask>
R(config-subif)# ip nat inside
R(config-subif)# interface fa0/0.2
R(config-subif)# encapsulation dot1q 2
R(config-subif)# ip address <gateway vlan 2> <mask>
R(config-subif)# ip nat inside

Assuming that you already have NAT configured for VLAN 1, you only need to configure static NAT for the server in VLAN 2:

! one-to-one mapping, used for inbound connections to 95.175.10.18 and for the server's outbound traffic
R(config)# ip nat inside source static <ip server vlan 2> 95.175.10.18

To deny devices in VLAN 1 access to the server in VLAN 2:

! standard ACL (1-99) matches on source address; it is applied outbound on the VLAN 2 subinterface
R(config)# access-list 2 deny <network vlan 1> <wildcard>
R(config)# access-list 2 permit any
R(config)# interface fa0/0.2
R(config-subif)# ip access-group 2 out

 

Regards
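
Pulling the accepted solution together as one end-to-end configuration for the hardware in the question. This is an added example, not code from any of the posts: the interface names (Gi1/0/1 and Gi1/0/10 on the 2960; Gi0/0/0 as WAN and Gi0/0/1 as the trunk on the ISR 4300), the server address 192.168.2.10 in a new 192.168.2.0/24 VLAN, the service ports 80 and 443, and the ISP next hop 95.175.10.22 are all assumptions. It takes the six usable addresses .17 to .22 to mean the block is 95.175.10.16/29 (mask 255.255.255.248). It goes one step beyond the thread's own ACL by adding an inbound ACL on the WAN, so that the new static NAT exposes only the ports the server actually serves rather than the whole host, since the router in the question otherwise has everything open inbound.

```cisco
! ===== Cisco 2960 PoE (switch) =====
! Port numbers are hypothetical: Gi1/0/1 is the uplink to the router,
! Gi1/0/10 is where the department server plugs in.
vlan 2
 name SERVERS
!
interface GigabitEthernet1/0/1
 description Trunk to ISR 4300
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
interface GigabitEthernet1/0/10
 description Department server (public 95.175.10.18 via static NAT)
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! ===== Cisco ISR 4300 (router) =====
! Gi0/0/0 faces the ISP, Gi0/0/1 is the 802.1Q trunk to the 2960 (hypothetical names).
interface GigabitEthernet0/0/0
 description WAN - 95.175.10.16/29 from the ISP (assumed mask)
 ip address 95.175.10.17 255.255.255.248
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface GigabitEthernet0/0/1
 description Trunk to 2960
 no ip address
!
interface GigabitEthernet0/0/1.1
 description VLAN 1 - existing users (untagged native VLAN on the 2960 trunk)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.2
 description VLAN 2 - department server
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group BLOCK-VLAN1 out
 ip nat inside
!
! Hypothetical ISP next hop; use the gateway address the ISP supplied.
ip route 0.0.0.0 0.0.0.0 95.175.10.22
!
! Existing PAT for VLAN 1: every user shares the WAN address 95.175.10.17.
ip access-list standard VLAN1-NAT
 permit 192.168.1.0 0.0.0.255
ip nat inside source list VLAN1-NAT interface GigabitEthernet0/0/0 overload
!
! One-to-one static NAT: 95.175.10.18 <-> 192.168.2.10 in both directions.
! IOS answers ARP for .18 on the WAN because it lies in the outside interface's subnet.
ip nat inside source static 192.168.2.10 95.175.10.18
!
! Isolation: VLAN 1 must not reach the server VLAN. Applied outbound on the VLAN 2
! subinterface, so it also drops VLAN 1's replies to anything the server itself starts.
ip access-list extended BLOCK-VLAN1
 deny   ip 192.168.1.0 0.0.0.255 any
 permit ip any any
!
! Exposure: inbound on the WAN the ACL is evaluated before NAT, so it matches on the
! public address; only the listed services reach the server. VLAN 1's existing
! open inbound policy is deliberately left unchanged by the final permit.
ip access-list extended FROM-INTERNET
 permit tcp any host 95.175.10.18 eq 443
 permit tcp any host 95.175.10.18 eq 80
 deny   ip any host 95.175.10.18 log
 permit ip any any
```

To check it, from a VLAN 1 host confirm that 192.168.2.10 is unreachable; this configuration does no NAT hairpinning, so the same host should not reach the server via 95.175.10.18 either, but test that path rather than assume it. From outside the office confirm that only ports 80 and 443 on 95.175.10.18 answer. On the router, `show ip nat translations` shows the static entry and `show access-lists` shows the hit counters, including the logged denies on FROM-INTERNET.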

 

 

 

5 Replies
Participant

Re: Block of Public IP sharing between VLANs

You can solve this with NAT pools, I posted a detailed configuration in another thread:

 

https://community.cisco.com/t5/routing/multiple-wan-ip-addresses-and-multiple-inside-hosts/td-p/2181351

 

Cheers,

Sam

VIP Advisor

Re: Block of Public IP sharing between VLANs

1. You need to create another VLAN (VLAN 2, for example) and put the server in that VLAN with an IP configured.

2. Create a static NAT entry mapping the public IP to the private IP address for incoming traffic.

3. If you do not want VLAN 1 to access that new server, then add a VLAN ACL to disallow it.

 

Make sense?

 

BB
*** Rate All Helpful Responses ***
C K (Beginner)

Re: Block of Public IP sharing between VLANs

Hi Balaji,

 

The server needs to have a fully routable public IP.

Will I still be able to route it via my router?

 

Basically, can the spare IPs I have on the WAN be re-used on VLANs for servers etc.?

 

Thanks


VIP Advisor

Re: Block of Public IP sharing between VLANs

Hello

1) Do you just want outside users to access this server, or do you require certain access from your current LAN users' VLAN?

2) Will there be any LAN users in this new server VLAN?

3) Is your WAN router performing the NAT, and do you have control of this router?

4) As you have created a second VLAN, what device is providing the inter-VLAN routing, the router or the switch?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future