Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Advice on bridge with NAT, plus locking down bridge to single IP address

I have a 2911 router that has been in service for about 3 years now, and not really been touched in that time.  There are 5 VLANs on the private side all on sub-interfaces of Gi0/0, these are configured with private IP addresses and "ip nat inside".  Gi0/1 has a public IP address in a /29 range and "ip nat outside" connected to a leased line a.


There is going to be a tenant in the building who are to use our internet connection, but nothing else, so now we have to provide them with a single IP address which they will assign to their own firewall.


My Intention is to add another VLAN as Gi0/0.100, assign the IP address that is currently on Gi0/1 to this, then set Gi0/1 as ip unnumbered to Gi0/0.100.  


I have 2 questions with this:

Firstly, will it work and does this look like the correct way to achieve what is needed?

Secondly, i want to limit the tenant to only be able to use the public IP address from the /29 range we allocate to them, and if they try to use any other then it doesn't allow them AND has no negative impact on the rest of the network/setup including any NAT rules that include other IP addresses in the /29 range.  Could you offer some guidance on this point please?







This sounds like an interesting setup, but your provided solution does not sound good at all. There are ways you can work that in, but it is not a good idea. Your router is a router and not a firewall. This setup could best be done on a firewall for the restrictions.


I think the best solution would be to put a new switch in front of your router, and then you would connect your WAN link into that switch – your router to the switch and their firewall to the switch. This would allow your router and their firewall to both be on the same /29 WAN IP block.


Since their link is not directly attached to your router that dramatically improves your security. You could go a step farther and put an outbound ACL on your inside interface to block the IP you provided them. This prevents them from coming to your inside network via your WAN interface. I would assume you have some ACL on your WAN interface to block generic traffic attacks (if not look into it), but if so, just add that new IP to the deny list and lock it out there too.


You can use a high end or dummy switch. It depends on your network and level of control. Obviously at managed switch will give you greater controls including SNMP, NetFlow, and other things if desired, but an unmanaged switch would work for this situation as well.


If you wanted to use your existing LAN switch you could do that too. You would isolate your WAN traffic on a pure L2 VLAN. This is a safe method but does put a heavy burden on your switch. This, however, is an option if you don’t have a budget for another switch. It would be my last option though if I could avoid it.


Please don't forget to rate any helpful post.

There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan
Content for Community-Ad