01-23-2010 07:09 AM - edited 03-04-2019 07:16 AM
Hi Folks
Here is my scenario (SEE DIAGRAM)
We are a small ISP. We are at present running fiber connections to our clients. ALL our clients connect using PRIVATE IP addresses on the same subnet as the CORE ISP ROUTER, e.g. CORE ISP ROUTER Fast Ethernet address - 10.10.10.1/16, client 1 - 10.10.10.2/16, client 2 - 10.10.10.2/16, client 3 - 10.10.10.3/16, client X..... We have about 50 clients connected in the same manner, etc.
CHALLENGE
I have acquired public addresses for our clients so they can take advantage of services such as MAIL and WWW servers on their premises. However, I have been allocated only a small block of IP addresses, but I would like to make the most of my allocation. I'm having a problem figuring out some design issues. Firstly, all the clients terminate on the SAME physical interface, FASTETHERNET 0, on the CORE ISP ROUTER. This is what I hope to achieve: I would like to allocate each client at least 2 public addresses, that is, 1 for internet access and 1 for the email server. I assume that I will have to use /30 or 255.255.255.252 for that. The question is how do I allocate a /30 block per client, as I know it is used for point to point links. I have seen the /30 block being used as I have described above (1 internet and 1 email). But the how is the question?
I know if I can't achieve this the alternative is to allocate the clients a /29 (255.255.255.248), which allows 6 hosts, but that is wasteful.
QUESTION - PUZZLE?
Can you assist with an alternative design?
On the CORE ISP ROUTER: I know I have to configure a static route to the clients. What else do I have to configure?
On the CLIENT ROUTER: how and what do I have to configure?
If I have to deploy point to point links using the /30 scenario, how do I do it on the CORE ISP ROUTER for all the clients.... Secondary IP addresses?
ANY DETAILED examples for the above or similar scenarios? Any web links with the same?
ANY idea can help.
01-23-2010 07:47 AM
You already asked a very similar question before and received replies but here goes.
If you only want to allocate a /30 to each client then you cannot allocate any of the public addresses to router interfaces. What you do per customer is this, we will use client 2 with an IP of 10.10.10.2/16 as an example
1) leave the private addressing as it is on the customer end and on your ISP router end
2) allocate client 2 two of the public IP addresses eg. 195.10.10.0 255.255.255.252. So client 2 gets 2 IPs
195.10.10.1 for general internet access
195.10.10.2 for their mail server
3) add a route for these 2 addresses on your ISP router pointing to the client 2 end -
ip route 195.10.10.0 255.255.255.252 10.10.10.2
4) On the customer router they can use 1 of the IPs for internet access and one for a web server. Let's say the customer router has 2 fast ethernet interfaces
fa0/0 connects to customer LAN
fa0/1 connects to your ISP router
int fa0/0
 ip nat inside
int fa0/1
 ip nat outside
then for internet access -
access-list 101 permit ip any any
ip nat pool PBS 195.10.10.1 195.10.10.1 netmask 255.255.255.0
ip nat inside source list 101 pool PBS overload
and for the web server - assuming web server has a private address of 192.168.10.1
ip nat inside source static 192.168.10.1 195.10.10.2
The above will allow you to allocate just 2 public IPs to each client. You must ensure
1) that the public addresses are routed to you as the ISP from the internet
2) once they have been routed to you, you must then ensure they are routed to the correct client
You may also want to look at securing connectivity between clients if you haven't already ie. all your clients share the same 10.10.10.x address space so you need to make sure they cannot talk directly to each other via these addresses. But you must also ensure that client 2 can indeed get to client 3 public addresses as they may want to exchange mail.
So restrict 10.10.10.x communication but allow the public addressing allocation.
Edit - note that because you are not applying any of the public IPs to the client router interface you will face issues with certain client requests. General internet access and mail server will work fine. But if the client then needs to allow its employees to VPN into their network you will have a problem because the client router then needs a public IP to terminate the VPNs and this needs to be allocated to an interface. However you didn't ask for this and you can always either
1) keep some of your public addressing spare for contingencies
2) apply for more public addressing at some later date
Jon
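The allocation in the answer above, generalised to any number of clients, as an added example that is not part of the original posts: it carves one /30 per client, rejects duplicate or off-segment next hops, and emits the ISP static routes and the customer NAT lines. The function names, the /28 sample block and the client map are constructed for illustration; the NAT pool here uses the /30 mask rather than the 255.255.255.0 shown in the post.

```python
import ipaddress

def plan_clients(public_block, next_hops, access_net="10.10.0.0/16"):
    """Give each client one /30 from public_block, routed via its private next hop.

    next_hops: {client name: private address on the shared ISP segment}.
    Raises ValueError for plans that would misroute traffic.
    """
    block = ipaddress.ip_network(public_block)   # strict: host bits set -> ValueError
    access = ipaddress.ip_network(access_net)
    free = block.subnets(new_prefix=30)          # aligned /30s, lowest first
    owner = {}                                   # next hop -> client, to catch reuse
    plan = []
    for name, hop in next_hops.items():
        hop_ip = ipaddress.ip_address(hop)
        if hop_ip not in access:
            raise ValueError(f"{name}: next hop {hop} is not on {access}")
        if hop_ip in owner:
            raise ValueError(f"{name}: next hop {hop} already belongs to {owner[hop_ip]}")
        owner[hop_ip] = name
        net = next(free, None)
        if net is None:
            raise ValueError(f"{block} has no /30 left for {name}")
        pat, static = net.hosts()                # the two usable addresses of a /30
        plan.append({"client": name, "net": net, "next_hop": hop_ip,
                     "pat": pat, "static": static})
    return plan

def isp_routes(plan):
    """Static routes for the ISP router, one per client /30 (step 3 of the answer)."""
    return [f"ip route {c['net'].network_address} {c['net'].netmask} {c['next_hop']}"
            for c in plan]

def client_nat(entry, server_private):
    """NAT lines for one customer router: PAT on the first address, static on the second."""
    return [
        f"ip nat pool PBS {entry['pat']} {entry['pat']} netmask {entry['net'].netmask}",
        "ip nat inside source list 101 pool PBS overload",
        f"ip nat inside source static {server_private} {entry['static']}",
    ]

if __name__ == "__main__":
    # Constructed sample: a /28 holds four /30s; the client addresses are illustrative.
    sample = {"client2": "10.10.10.2", "client3": "10.10.10.3"}
    plan = plan_clients("195.10.10.0/28", sample)
    print("\n".join(isp_routes(plan)))
    print("\n".join(client_nat(plan[0], "192.168.10.1")))
```

Run against the addressing in the original question, where client 1 and client 2 are both listed as 10.10.10.2, the duplicate next-hop check raises instead of emitting two routes to the same router.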
01-23-2010 08:19 AM
Thanks So Much Mr Jo....
Had to repeat and provide more details to get a more accurate answer...
This is very helpful. Since I think the clients may need VPN access in the near future, I think I will give them a PUBLIC point to point address .../30 (between the ISP and client). I will add it as a secondary IP address on the client side, so both will have PUB+PRIV addresses, or just leave it at the public address. In this case, what do you think about many secondary IP addresses on the CORE ISP ROUTER for every point to point /30 link? Will this be possible OR is this recommended in this case?
01-23-2010 08:35 AM
You can do this but then the customer will have to do port forwarding for their mail server ie. if you are only allocating 2 addresses per client then if you use secondary addressing you already have used one of the 2 on your ISP router so the customer has to use the same 1 public IP for both general internet access and the mail server. It can be done.
Bear in mind that within your ISP network you can if you want route individual IPs to a client because you are in charge of the routing. So it may be a /30 would be fine for most clients but a few clients need more addressing but not enough to justify a /29. You can simply have host routes on your ISP router that connects to the clients.
You still summarise the entire address range to the rest of the Internet and within your network, assuming you have more than just this router you can summarise to the other devices and only have host specific routes on the actual ISP router that connects to clients.
So you do have flexibility in the way you do this. Remember the key thing is you are in charge of routing to your clients so you can allocate as you wish. If you do go down to host routes this increases your routing tables within your network, it should not affect either the rest of the internet or your clients.
Jon
01-24-2010 01:35 AM
Thanks Jon
One last thing. I have just purchased a 515 firewall ver6.3. I wish to add a mail server, DNS, and web servers. Where do you think I should place it and what impact will it have on my addressing and the rest of my network?
01-24-2010 02:44 AM
The mail server, DNS and web servers, what are they going to be used for? By that I mean will these be used by your clients only, by your clients and internet users or by just internet users.
Also to help you further you need to provide details as to how your internal network is set up, i.e. which devices etc.
Jon
01-24-2010 08:25 AM
(1) The mail, DNS, servers are going to be used by internal and internet users, with 1 primary and 1 secondary server and accompanying mail server.
(2) I have attached the 2 diagrams below of the current setup and the planned setup.
(3) Also I have read somewhere, but not understood, the option for ip unnumbered for the core router end for point to point links.
The design is basic, based on limited and so anything you suggest will be very appreciated. Please comment and feel free to suggest the best practices.
Thanks again.
02-23-2010 09:26 AM
Thanks Mr Jon
The ISP is up and running. Your advice came in handy. Keep up the good work.
Cheers
02-23-2010 09:22 AM
Thanks Mate
The ISP is up and going. Your help is appreciated. Keep up the good work.