05-13-2019 08:18 AM
Hi All,
I have a scenario where our office has been assigned 6 public IPs (below are hypothetical IPs), a 95.175.10.20/21 block from the ISP.
1st IP: 95.175.10.17
Last IP: 95.175.10.22
Hardware:
Cisco router: 4300
Cisco Switch: 2960 PoE
My router WAN port takes the first IP 95.175.10.17, LAN port of the router is connected to a Cisco switch. DHCP on the switch dishes out Private IPs 192.168.1.1/24 to the default VLAN 1. Everything is open inbound and outbound on the router and traffic is flowing all fine. Users connected to any LAN port on the switch can access the internet.
Now a different department of our office wants to use one of the available public IPs for their server: 95.175.10.18
I have to put this server on a separate VLAN so that no one from the first VLAN can access it. But it should be accessible via its public IP from outside.
Question:
1) How do I route the traffic to the internet from the 2nd VLAN with the 2nd available public IP 95.175.10.17?
Thanks
Kind Regards,
CK
05-13-2019 09:55 AM
Hi @C K ,
On the switch:
You must ensure that the VLANs are created and the ports are associated with the corresponding VLAN.
In addition, the port of the switch that connects to the router must remain in trunk mode.
On the router:
You must create subinterfaces on the interface that connects to the switch, encapsulating the packets with the tag of the corresponding VLAN.
For example:
R(config)#int fa0/0
R(config-if)#no ip address
R(config)#int fa0/0.1
R(config-subif)#encapsulation dot1q 1
R(config-subif)#ip address <gateway vlan 1> <mask>
R(config-subif)#ip nat inside
R(config)#int fa0/0.2
R(config-subif)#encapsulation dot1q 2
R(config-subif)#ip address <gateway vlan 2> <mask>
R(config-subif)#ip nat inside
Assuming that you already have NAT configured for VLAN 1, you only need to configure static NAT for the server in VLAN 2:
R(config)#ip nat inside source static <ip server vlan 2> 95.175.10.18
To deny access from devices in VLAN 1 to the server in VLAN 2:
R(config)#access-list 2 deny <network vlan1> <wildcard>
R(config)#access-list 2 permit any
R(config)#int fa0/0.2
R(config-subif)#ip access-group 2 out
Regards
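A complete version of the configuration the accepted answer sketches, with the thread's hypothetical addresses filled in. This is added here as an illustration and is not code from any post. Assumptions: VLAN 2 is 192.168.2.0/24 with the server at 192.168.2.10, the public block is 95.175.10.16/29 (so .17 to .22 are usable), VLAN 1 users share the WAN address via PAT, interface names are typical for an ISR 4331 and a 2960-X, and <ISP next-hop> is a placeholder.

```ios
! ===== Switch (2960) =====
vlan 2
 name SERVERS
interface GigabitEthernet1/0/24
 description uplink to router (carries VLAN 1 and 2)
 switchport mode trunk
 switchport trunk allowed vlan 1,2
interface GigabitEthernet1/0/10
 description server port, VLAN 2 only
 switchport mode access
 switchport access vlan 2
! ===== Router (ISR 4300) =====
interface GigabitEthernet0/0/0
 description WAN, first public IP of the /29
 ip address 95.175.10.17 255.255.255.248
 ip nat outside
interface GigabitEthernet0/0/1
 description trunk to switch, no IP on the physical port
 no ip address
interface GigabitEthernet0/0/1.1
 description VLAN 1 users (native / untagged on the trunk)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0/1.2
 description VLAN 2 server segment
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ! standard ACL 2 filters on source: VLAN 1 sources are dropped
 ! before they reach VLAN 2, anything else (internet) is allowed
 ip access-group 2 out
! VLAN 1 keeps using the WAN address for outbound traffic (PAT)
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
! Server gets the second public IP one-to-one; the router answers
! ARP for 95.175.10.18 on the WAN side on its behalf
ip nat inside source static 192.168.2.10 95.175.10.18
! Isolation of VLAN 2 from VLAN 1
access-list 2 deny 192.168.1.0 0.0.0.255
access-list 2 permit any
ip route 0.0.0.0 0.0.0.0 <ISP next-hop>
```

Because the static NAT exposes every port of 192.168.2.10, an inbound extended ACL on the WAN interface that permits only the services the server actually offers (and a matching host firewall) is the natural next step once this works.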
05-13-2019 09:31 AM
You can solve this with NAT pools, I posted a detailed configuration in another thread:
Cheers,
Sam
05-13-2019 09:32 AM
1. You need to create another VLAN (VLAN 2, for example) and put the server in that VLAN with an IP configured.
2. Create a static NAT entry for incoming traffic, public IP to private IP address.
3. If you do not want VLAN 1 to access that new server, then add a VLAN ACL to disallow it.
Make sense?
05-13-2019 09:57 AM
Hi Balaji,
The server needs to have a fully routable public IP.
Will I still be able to route it via my router?
Basically, the spare IPs I have on the WAN, can they be re-used on VLANs for servers etc.?
Thanks
05-13-2019 11:23 AM - edited 05-13-2019 11:25 AM
Hello
1) Do you just want outside users to access this server, or do you require certain access from your current LAN users' VLAN?
2) Will there be any LAN users in this new server VLAN?
3) Is your WAN router performing the NAT, and do you have control of this router?
4) As you have created a second VLAN, what device is providing the inter-VLAN routing, router or switch?