1027 Views | 0 Helpful | 5 Replies

Block of Public IP sharing between VLANs

C K
Level 1

Hi All,

I have a scenario where our office has been assigned 6 public IPs (below are hypothetical IPs), the 95.175.10.20/21 block from the ISP.

1st IP: 95.175.10.17
Last IP: 95.175.10.22

Hardware:
Cisco router: 4300
Cisco switch: 2960 PoE

My router WAN port takes the first IP, 95.175.10.17; the LAN port of the router is connected to a Cisco switch. DHCP on the switch dishes out private IPs from 192.168.1.1/24 to the default VLAN 1. Everything is open inbound and outbound on the router and traffic is flowing all fine. Users connected to any LAN port on the switch can access the internet.

Now a different department of our office wants to use one of the available public IPs for their server: 95.175.10.18.

I have to put this server on a separate VLAN so that no one from the first VLAN can access it. But it should be accessible via its public IP from outside.

Question:

1) How do I route the traffic to the internet from the 2nd VLAN with the 2nd available public IP, 95.175.10.17?

Thanks

Kind Regards,
CK

1 Accepted Solution

Accepted Solutions

luis_cordova
VIP Alumni

Hi @C K ,

On the switch:
You must ensure that the VLANs are created and the ports are associated with the corresponding VLAN.
In addition, the port of the switch that connects to the router must remain in trunk mode.

On the router:
You must create subinterfaces on the interface that connects to the switch, encapsulating the packets with the tag of the corresponding VLAN.
For example:

R(config)#int fa0/0
R(config-if)#no ip address
R(config-if)#int fa0/0.1
R(config-subif)#encapsulation dot1q 1
R(config-subif)#ip address <gateway vlan 1> <mask>
R(config-subif)#ip nat inside
R(config-subif)#int fa0/0.2
R(config-subif)#encapsulation dot1q 2
R(config-subif)#ip address <gateway vlan 2> <mask>
R(config-subif)#ip nat inside

Assuming that you already have NAT configured for VLAN 1, you only need to configure static NAT for the server in VLAN 2:

R(config)#ip nat inside source static <ip server vlan 2> 95.175.10.18

To deny access from devices in VLAN 1 to the server in VLAN 2:

R(config)#access-list 2 deny <network vlan1> <wildcard>
R(config)#access-list 2 permit any

R(config)#int fa0/0.2
R(config-subif)#ip access-group 2 out

Regards
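The accepted answer leaves the addresses, masks and interface names as placeholders. The configuration below is an added example, not code from the thread or from luis_cordova, that fills the template in with assumed values so the four pieces (subinterfaces, PAT for VLAN 1, static NAT for the server, the isolation ACL) can be checked against each other. Everything specific in it is an assumption: ISR 4300 interface names (GigabitEthernet0/0/0 for the WAN, GigabitEthernet0/0/1 for the trunk), a /29 as the block holding 95.175.10.17-22, 192.168.1.0/24 for VLAN 1, 192.168.2.0/24 for VLAN 2, a server at 192.168.2.10 publishing TCP/443, and the extra WAN-IN list, which is not in the answer and is there because a static NAT exposes every port of the public address.

```cisco
! Added example (not from the thread): luis_cordova's template with assumed values.
! Assumed: ISR 4300 interface names; WAN = GigabitEthernet0/0/0 with 95.175.10.17/29
!          (the block that contains .17-.22); LAN trunk = GigabitEthernet0/0/1;
!          VLAN 1 = 192.168.1.0/24; VLAN 2 = 192.168.2.0/24;
!          server = 192.168.2.10 publishing TCP/443 behind 95.175.10.18.
!
! WAN side: NAT outside, plus an inbound filter (WAN-IN, defined below)
interface GigabitEthernet0/0/0
 ip address 95.175.10.17 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
!
! LAN trunk to the 2960: no address on the physical interface, one subinterface per VLAN
interface GigabitEthernet0/0/1
 no ip address
!
! VLAN 1 is the switch's default native VLAN (carried untagged on the trunk), hence "native"
interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group 2 out
!
! VLAN 1 users share the router's WAN address (PAT; this is the "NAT for VLAN 1" the answer
! assumes is already there). The server gets its own public address via static NAT.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source static 192.168.2.10 95.175.10.18
!
! Standard ACL 2 matches on source address only. Applied outbound on the VLAN 2
! subinterface it drops anything sourced from VLAN 1 before it reaches the server.
! The <wildcard> of the template is the inverse mask: 0.0.0.255 for a /24.
access-list 2 deny   192.168.1.0 0.0.0.255
access-list 2 permit any
!
! The static NAT maps every port of 95.175.10.18 to the server. An inbound ACL on the
! WAN interface is evaluated before outside-to-inside NAT, so it sees the public address:
! allow only the published service to the server and keep the thread's existing
! "everything open" policy for the rest (which also covers PAT return traffic for VLAN 1).
ip access-list extended WAN-IN
 permit tcp any host 95.175.10.18 eq 443
 deny   ip  any host 95.175.10.18
 permit ip  any any
```

Two things to keep in mind when verifying this on a live box (show ip nat translations and show access-lists are the commands to watch): because ACL 2 drops every packet sourced from VLAN 1 as it leaves towards VLAN 2, replies from VLAN 1 hosts to sessions the server opens are dropped too, so the isolation is effectively both ways for TCP, which answers Paul's first question below if some VLAN 1 access is actually needed. And the final permit ip any any in WAN-IN only reproduces the current open policy from the question; tightening it to the return traffic VLAN 1 actually needs is the next step, not something the example decides for you.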

 

 

 


5 Replies

Sam Smiley
Level 3

You can solve this with NAT pools; I posted a detailed configuration in another thread:

https://community.cisco.com/t5/routing/multiple-wan-ip-addresses-and-multiple-inside-hosts/td-p/2181351

Cheers,
Sam

balaji.bandi
Hall of Fame

1. You need to create another VLAN (for example VLAN 2) and put the server in that VLAN with an IP configured.

2. Create a static NAT entry for incoming traffic, public IP to private IP address.

3. If you do not want VLAN 1 to access that new server, then add a VLAN ACL to not allow it.

Make sense?

BB


Hi Balaji,

The server needs to have a fully routable public IP.

Will I still be able to route it via my router?

Basically, the spare IPs I have on the WAN, can they be re-used on VLANs for servers etc.?

Thanks

Hello

1) Do you just want outside users to access this server, or do you require certain access from your current LAN users' VLAN?

2) Will there be any LAN users in this new server VLAN?

3) Is your WAN rtr performing the NAT? Do you have control of this rtr?

4) As you have created a second VLAN, what device is providing the inter-VLAN routing: rtr or switch?



Kind Regards
Paul