06-01-2010 12:16 PM - edited 03-06-2019 11:22 AM
Hi,
Can a Cisco 3350 L3 switch be configured with different VLANs, with each VLAN using its own public IP address to get to the internet?
My goal is to give each VLAN a public IP address. Basically this is a shared accommodation and each VLAN/office is an independent office. Hosts in one VLAN are not required to talk to the hosts in another VLAN, but all hosts need internet.
Hosts will communicate within an office/VLAN by using LAN IP addressing but will use a public IP address (NATing) to go on the internet.
I have 128 public IP addresses in hand which can be assigned to offices/VLANs. Each office/VLAN needs to be identified with a unique public IP address.
I guess I need to do subnetting on my public IP address block and assign each VLAN a /32 mask. (I don't know how......)
Cisco PIX will be configured to do NATing. But the switches need to be configured to represent a VLAN with a public IP.
I was thinking of creating a loopback address for each VLAN with a /32 mask and using that interface for NATing/PATing.
Any recommendations, please? Can any other design be used to achieve the same result?
Regards
Salman
06-01-2010 10:24 PM
Hi Salman,
Just for your information, the Cisco 3350 does not support NATing; as you said, you have a PIX to do the NATing for internet access. My question is why you want an office to be recognised by a unique public IP address, how many offices you have, and whether all have the same PIX firewall with L3 switches.
Is this a requirement to manage these switches over the internet, or is it for some other need?
Hope to help !!
Ganesh.H
06-01-2010 10:58 PM
Ganesh,
Thanks for the response.
For some reason, sales people have agreed this design with the customer and ordered a block of 128 IP addresses for this. Another reason is that as this is a shared building, each office in the building will have its own mail/FTP/web servers, which require public IPs anyway to run their web-based services.
I have 30 offices in a building and all offices will use the same internet connection (10MB). All offices will use PIX and 4x 3550 L3 switches.
Switch management is not an issue at the moment, as once I have telnetted/SSH'ed into the PIX, I will hop over to the switches via the PIX.
Can a VLAN interface be used with a secondary IP address? The primary IP will be the VLAN subnet IP and the secondary IP will be one of the public IPs. All PCs within the VLAN will use the public IP as a gateway to the internet? Not sure if this is possible; maybe NATing will not be required in this case.
For example:
Vlan 10 - IP range 172.16.10.0/24
    interface Vlan10
     ip address 172.16.10.1 255.255.255.0
     ip address 81.54.66.x 255.255.255.255 secondary
Hosts in the VLAN will have a gateway of 81.54.66.x
Can you think of any other design options to make it work?
Thanks
Salman
06-02-2010 10:27 AM
Salman,
Let's concentrate on a single office design, as you have common infrastructure in 30 offices. As you said, all offices will use a PIX with 4*3550 switches, so what I would suggest for internet access for office users is that you have two options: either create a proxy server and NAT that server on the PIX for internet connectivity and browsing purposes, or make the NAT configuration on the PIX interface to do the same, as the 3550 switches do not have NAT functionality.
For an easy design, just try to achieve the task with the PIX and L3 switch; that is why I am not preferring the secondary IP address concept.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
06-02-2010 11:31 AM
Hi Ganesh,
Thanks for the reply.
I have decided to go with a different design. Now the PIX will do the NATing and I will create static NAT entries to map local server IPs to public IPs.
The rest will remain the same: each office will be in its own VLAN and I will create the default gateway towards the PIX inside interface.
Thanks for all the help. I will test the config and will let you know the result.
Thanks
Salman
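Added example, not part of the original thread and not the posters' configuration: a short generator for the address plan the final design implies, with one PAT address per office VLAN on the PIX and a static one-to-one mapping per server. Assumptions: the documentation block 203.0.113.0/25 stands in for the 128-address public block, VLAN n uses 172.16.n.0/24 (following the Vlan 10 example above), the first two usable public addresses are reserved for the upstream router and the PIX outside interface, and the output uses the pre-8.3 PIX nat/global/static syntax.

```python
import ipaddress


def office_nat_plan(public_block, offices, servers=(), first_vlan=10, reserved=2):
    """Return PIX config lines: one PAT address per office VLAN, then one
    static one-to-one NAT entry per server. All addressing is assumed."""
    # Usable public addresses, minus those reserved for router/PIX outside.
    pool = list(ipaddress.ip_network(public_block).hosts())[reserved:]
    if offices + len(servers) > len(pool):
        raise ValueError("public block too small for this plan")
    public = iter(pool)

    lines, subnets = [], []
    for vlan in range(first_vlan, first_vlan + offices):
        inside = ipaddress.ip_network(f"172.16.{vlan}.0/24")
        subnets.append(inside)
        # The NAT id ties an inside subnet to exactly one outside address,
        # so every office is identifiable by its own public IP.
        lines.append(f"nat (inside) {vlan} {inside.network_address} {inside.netmask}")
        lines.append(f"global (outside) {vlan} {next(public)}")

    for host in servers:
        local = ipaddress.ip_address(host)
        # Refuse a server address that does not belong to any office VLAN.
        if not any(local in subnet for subnet in subnets):
            raise ValueError(f"{local} is not in any office subnet")
        lines.append(
            f"static (inside,outside) {next(public)} {local} netmask 255.255.255.255"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample: 30 offices and one mail server in the VLAN 10 office.
    for line in office_nat_plan("203.0.113.0/25", 30, servers=["172.16.10.25"]):
        print(line)
```

A static entry only defines the translation; inbound connections to a server still need an explicit permit in the access list applied to the outside interface.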