Need to use an IP from an ISP-provided /29 on another device for egress

squarenupe33
Community Member

I have a Cisco 4431 connected to my ISP. The ISP provided a single /29. I need to use an IP of the /29 on the WAN port of another device for Internet egress out of that device. How can I share (VLAN) the /29, since the 4431 is receiving the /29 on a routed port? The rough diagram illustrates:

[diagram: squarenupe33_0-1747065535558.png]

6 Replies

Jens Albrecht
Level 1

Hello @squarenupe33,

Create a static NAT entry on your 4431 to translate the internal address of this device to one of your /29 WAN addresses (.3 in your diagram).

Of course, limit the reachability from the internet to only those ports that really need to be exposed.

HTH!
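One way to implement the static NAT suggestion above, as an added example that is not part of the original reply. The addresses use the RFC 5737 documentation prefix 203.0.113.0/29 in place of the real /29 (.1 as the ISP gateway, .2 on the 4431, .3 mapped to the SASE edge); the transit link 192.168.100.0/30, the interface names and the permitted ports (IKE/IPsec, plus return traffic for TLS sessions the edge opens itself) are assumptions to adjust to what the device actually terminates.

```ios
! Added example: static NAT for the SASE edge plus an inbound filter on the ISP uplink.
! 203.0.113.0/29 stands in for the ISP-provided /29; 192.168.100.0/30 and the
! interface names are assumptions, not taken from the thread.
!
interface GigabitEthernet0/0/0
 description ISP uplink; .2 is the router's own address in the /29
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group WAN-IN in
!
interface GigabitEthernet0/0/2
 description Link to the SASE edge WAN port (private transit /30, assumed)
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
!
! One-to-one mapping: the edge's private WAN address appears on the Internet as .3.
ip nat inside source static 192.168.100.2 203.0.113.3
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! A static NAT forwards every inbound packet for .3 to the edge, so exposure is
! controlled only by this ACL. An inbound ACL on the outside interface is evaluated
! before the outside-to-inside translation, so it matches the public address .3,
! not 192.168.100.2.
ip access-list extended WAN-IN
 remark -- Services the edge must accept from the Internet (assumed: IKE/IPsec)
 permit udp any host 203.0.113.3 eq isakmp
 permit udp any host 203.0.113.3 eq non500-isakmp
 permit esp any host 203.0.113.3
 remark -- Return traffic for TLS sessions the edge itself initiates
 permit tcp any eq 443 host 203.0.113.3 established
 remark -- Everything else aimed at the edge's public address is dropped and logged
 deny   ip any host 203.0.113.3 log
 remark -- Traffic for the router's other addresses is left unchanged by this example
 permit ip any any
```

Check the mapping with `show ip nat translations` and the filter with `show access-lists WAN-IN`; the hit counter on the `deny ... log` line shows what the Internet is probing at .3. If the edge only originates outbound tunnels and accepts nothing inbound, remove the isakmp/esp permits, keep the `established` line and the deny, and add equivalent return-traffic permits for any other protocol the edge uses (a stateless ACL will not do that for you; a zone-based firewall would).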

M02@rt37
VIP

Hello @squarenupe33 

You can share the /29 subnet by configuring a software bridge on the 4431. This bridges the ISP-facing interface and the SASE-facing interface at L2, allowing both the router and the SASE edge to use IPs from the same /29. The 4431 uses a BVI for its IP, and the SASE edge can use another IP from the subnet.

See here: https://travelingpacket.com/2018/03/06/cisco-isr-4000-bridge-group-with-vlans/

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I was able to implement the following config on the router:

interface GigabitEthernet0/0/1
 no ip address
 media-type sfp
 negotiation auto
 ! EFP 33: untagged frames from the ISP are placed into bridge-domain 33
 service instance 33 ethernet
  encapsulation untagged
  bridge-domain 33
!
! The router's own address in the ISP /29 lives on the bridge-domain interface
interface BDI33
 ip address 146.x.x.2 255.255.255.248

This config did bridge the routed port. I can ping, using BDI33 as the source, the gateway of .1 and the external IP 8.8.8.8. However, the 4431 has an 8-port switch module, and that is where I wanted to connect the SASE edge device using VLAN tagging. I was hoping to tag the ISP packets on ingress with a VLAN tag so I can use that VLAN on a switch port to share the ISP's /29. Do you know if that is possible? Otherwise, I would have to use 2 routed ports on the 4431 and put them in the bridge group like g0/0/1, which would be a waste of routed ports.

The 4431 router has the following interfaces:

RTR01-STF#sh ip int brie
Interface              IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0/0   66.x.x.21       YES NVRAM  up       up
GigabitEthernet0/0/1   unassigned      YES manual up       up
GigabitEthernet0/0/2   unassigned      YES NVRAM  down     down
GigabitEthernet0/0/3   unassigned      YES NVRAM  down     down
GigabitEthernet0/2/0   unassigned      YES unset  up       up
GigabitEthernet0/2/1   unassigned      YES unset  down     down
GigabitEthernet0/2/2   unassigned      YES unset  up       up
GigabitEthernet0/2/3   unassigned      YES unset  up       up
GigabitEthernet0/2/4   unassigned      YES unset  down     down
GigabitEthernet0/2/5   unassigned      YES unset  up       up
GigabitEthernet0/2/6   unassigned      YES unset  down     down
GigabitEthernet0/2/7   unassigned      YES unset  down     down
GigabitEthernet0       10.x.x.4        YES NVRAM  up       up
BDI33                  16.x.x.2        YES manual up       up
Vlan1                  71.x.x.8        YES NVRAM  up       up
Vlan33                 unassigned      YES unset  up       up

I have a laptop connected to switch port g0/2/5 on the router with an IP address of .3 in the ISP's /29. I cannot ping the ISP's .1 or the .2 on the router interface BDI33 from the laptop.

Updated image information:

[diagram: squarenupe33_1-1747184604719.png]

Hello @squarenupe33 

You want to extend that bridged domain over to the switch module ? 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
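The routed-port alternative the original poster mentions (a second routed port placed in the same bridge domain as g0/0/1), as an added example that is not from the thread. It hands the bridge domain to the downstream port as 802.1Q VLAN 33 rather than untagged, which is the tagging the poster asked about, but on a routed port; whether the NIM switch module's VLAN 33 can be joined to the bridge domain is left open by the thread and is not claimed here. 203.0.113.0/29 stands in for the real /29, and the choice of Gi0/0/2 and of VLAN ID 33 for the handoff is an assumption.

```ios
! Added example: extend bridge-domain 33 (the ISP /29 at L2) to a second routed port.
! 203.0.113.0/29 replaces the real /29; Gi0/0/2 and the dot1q tag 33 are assumptions.
!
interface GigabitEthernet0/0/1
 description ISP handoff; untagged frames carrying the /29
 no ip address
 negotiation auto
 service instance 33 ethernet
  encapsulation untagged
  bridge-domain 33
!
interface GigabitEthernet0/0/2
 description Downstream handoff of the /29 to the SASE edge as VLAN 33
 no ip address
 negotiation auto
 service instance 33 ethernet
  encapsulation dot1q 33
  ! Pop the tag on ingress and push it back on egress, so frames are untagged
  ! inside the bridge domain (matching the ISP side) and tagged 33 on this wire.
  rewrite ingress tag pop 1 symmetric
  bridge-domain 33
!
! The router's own address in the /29 stays on the BDI, not on either physical port.
interface BDI33
 description 4431's address in the ISP /29
 ip address 203.0.113.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

For an untagged handoff, replace `encapsulation dot1q 33` with `encapsulation untagged` and drop the `rewrite` line. Two things to verify and one to keep in mind: `show bridge-domain 33` lists the member EFPs and the learned MAC addresses, so the ISP gateway's MAC should show up behind Gi0/0/1 and the edge's behind Gi0/0/2, and `show ethernet service instance interface GigabitEthernet0/0/2 detail` shows whether the EFP is up and counting frames. Frames between the edge and the ISP are switched inside the bridge domain and never touch BDI33, so no ACL on the BDI and no NAT on the 4431 filters them: the edge sits directly on the public /29 as .3 and has to protect itself.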