
Multiple subnets from ISP, how to route?

stmurrman
Level 1

Currently we have a fairly simple setup connecting to our ISP. Our ISP has given us the following L3 info:

Default gateway: 53.141.130.241

Router/Firewall Outside interface: 53.141.130.244

Subnet: 255.255.255.248

Available IPs: 53.141.130.245-246

Internal IPs: 53.141.120.128/28

The ISP connects to our external switch that our external firewall also connects to, both ports are part of the same L2 vlan.

Our firewall has the IP 53.141.130.244/29 with a default gw of 53.141.130.241. On the firewall the external IPs used (for mips, vips, etc.) are in the 53.141.120.128/28 block.

This setup works, but it forces me to use the firewall for everything since it is essentially our edge router, as all traffic from the ISP goes to 53.141.130.244. I'd like to move that IP (53.141.130.244) to a VLAN interface and let that VLAN handle the routing, but not sure how to do that. The goal is to have other devices parallel to our firewall (vpn, dmz, etc.) that would have to use an IP from the "available IPs" from our ISP I guess, 53.141.130.245-246.

I know I could assign 53.141.130.244 to a vlan and define a default route pointing to 53.141.130.241. But how do I handle the 53.141.120.128/28 subnet? The ISP doesn't do any vlan tagging.

Potential config on switch:

interface vlan2
  description connection to isp
  ip address 53.141.130.244 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 53.141.130.241
ip route 53.141.120.128 255.255.255.240 53.141.130.245
! (53.141.130.245 is the external firewall interface)

Other external devices:

All other external devices will be sitting in the same VLAN and should be able to ARP out and figure out where to go. With the internal gateway address now defined on the vlan (.244) and the firewall using one of the "available IPs" (.245), that only leaves one more IP in that range to use (.246). So I should be able to assign that to my vpn/dmz device, right?

This seems feasible, but I'm not sure about the internal IP block (53.141.120.128/28), is there any way for a device with one of these IPs to be dropped in to the external vlan? Since the vlan is a different subnet I have no idea how that would work.

Clear as mud? I'm just trying to move more of our devices to the edge, it's just something that would work better for us currently. I *know* most DMZs and other gear hang off of the firewall, this is a different case that would take a much larger post to describe :/ It involves politics and too many managers!

So, any ideas?


1 Reply

Jeff Van Houten
Level 5

What happened to .242 and .243? A /29 is 8 ip addresses with 6 hosts.

And, surely your internal network isn't the address range they gave you, correct? Those are just additional addresses they will route to you at .244. They have a static route that says 53.whatever/28 is at whatever.244/29. If you are setting up a new device with 2 interfaces, why wouldn't you put the external interface in the same vlan as the firewall, with an address of .245 /29, and the internal interface would be on your true internal network. Why would your new device need to even know about 53.whatever/28?

Sent from Cisco Technical Support iPad App
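An added example (not from either post) that checks the addressing plan from the question and the reply's ".242 and .243?" point with Python's ipaddress module: which hosts of the ISP /29 are still free, whether an address from the routed /28 can sit on the ISP VLAN at all, and that the static route for the /28 points at a next hop on the connected /29. The addresses are those quoted in the thread; the hypothetical PROPOSED_USE table is the poster's proposed assignment.

```python
import ipaddress

# Addressing quoted in the thread; PROPOSED_USE is the poster's planned assignment (constructed here).
ISP_LINK = ipaddress.ip_network("53.141.130.240/29")      # the /29 shared with the ISP
ISP_GATEWAY = "53.141.130.241"                             # ISP default gateway
ROUTED_BLOCK = ipaddress.ip_network("53.141.120.128/28")   # block the ISP routes to .244
PROPOSED_USE = {
    "53.141.130.241": "ISP gateway",
    "53.141.130.244": "switch interface vlan2",
    "53.141.130.245": "firewall outside",
}


def free_hosts(link, used):
    """Assignable addresses in the connected /29 that nobody has claimed yet."""
    taken = {ipaddress.ip_address(a) for a in used}
    return [str(h) for h in link.hosts() if h not in taken]


def is_on_link(addr, link):
    """A device can only ARP for neighbours on the VLAN if its address lies in that subnet."""
    return ipaddress.ip_address(addr) in link


def valid_next_hop(next_hop, link):
    """A static route is only resolvable if its next hop is a host on a connected subnet."""
    nh = ipaddress.ip_address(next_hop)
    return nh in link and nh not in (link.network_address, link.broadcast_address)


def static_route(prefix, next_hop, link):
    """Render an IOS-style static route, refusing a next hop that is not on the connected /29."""
    if not valid_next_hop(next_hop, link):
        raise ValueError(f"next hop {next_hop} is not a host on connected subnet {link}")
    return f"ip route {prefix.network_address} {prefix.netmask} {next_hop}"


def edge_plan(used=PROPOSED_USE, firewall="53.141.130.245"):
    """Routing statements for the switch VLAN and the /29 addresses left for other edge devices."""
    return {
        "routes": [
            static_route(ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY, ISP_LINK),
            static_route(ROUTED_BLOCK, firewall, ISP_LINK),
        ],
        "free": free_hosts(ISP_LINK, used),
        # A /28 address is never on-link in the /29 VLAN, so it must sit behind a /29 next hop.
        "routed_block_on_link": is_on_link(str(ROUTED_BLOCK[1]), ISP_LINK),
    }


if __name__ == "__main__":
    result = edge_plan()
    print("\n".join(result["routes"]))
    print("free /29 hosts:", result["free"], "| /28 on-link:", result["routed_block_on_link"])
```

The free list shows .242, .243 and .246 rather than the single .246 the question assumes, and the on-link check confirms that a device numbered from the /28 cannot simply be dropped into the ISP VLAN.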
