Creating Sub Int's or Secondaries, Hmmmmmm?????

Posted on 2004-09-01
Last Modified: 2011-04-14
Im using a 2621 Cisco router for my personal home router.  My DSL service has 5 static IP's that are deliverd to me via  a bridge (vaguely, a DSL modem router combo that I have passing ALL the trafic to the cisco) and currently I have one of the five ip's as the outside (FA0/0) address and I have the other four rotting in cyber space so to say.  
My object is this:
I would like to Have two of the other public (wan) ip's  be an out side in to an ftp server, and second to be an outside in to a HTTP server. (one IP address for each service) At t he same time I would like to apply ACL's to each IP address.
SO...  My question is this....
Would it be better to use seconday interface ip adress scheme, or create sub interfaces, and if I create sub interfaces or secondaries, can I aplly independant acl's to each of them?
thanks in advance for your wisdom!
Question by:CCNPwanabe
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 43

Expert Comment

ID: 11962415
I'm assuming you are running NAT on the router?

If so, you don't want to assign the public IP addresses to the router.  You want to create static NAT entries pointing to the inside server's IP address:

ip nat inside source static 68.x.x.10 (FTP Server)
ip nat inside source static 68.x.x.11 (WEB Server)

Where, 68.x.x.10 is one of the public IP addresses and is your FTP server...

If you want to apply ACL's to the IP addresses, you should create an inbound access-list on the interface connected to your ISP.  You can restrict what ports are allowed to be forwarded to the inside server.  For example, to restrict the web server to only HTTP traffic, define the following list:

access-list 101 permit tcp any 68.x.x.10 eq 80

This is not the complete list and will break your connection to your ISP if you apply it as is to your outside interface.  You need to specify other permits and let the "deny any" at the end of the list take care of the rest.
LVL 11

Expert Comment

ID: 11968236
It would be better to use static NAT to map these public IPs to private IPs inside your network.

Sub-interfaces are for services that encapsulate several separate subnets over a single physical link, such as frame relay DLCIs, ATM PVCs, or 802.1q VLANs.  None of these apply to your situation.

Secondary addresses are for multiple IP address ranges on the same segment.  This is never a very good idea, but is sometimes these easiest way to resolve some legacy issues that you don't have.


Author Comment

ID: 11973717
Alright, thats good.  An kinda waht I suspectde.  I was however looking for an easy way to secure (so to say) each ip address in its own special way.  Is it posible to apply multiple access-groups  in to one intercace.  I dont want to have to re-write one access list, i would rather just set up mulitle and apply each to the outside interface... can this be done or do I have to use just one?
thanks for your replies (both of you)
LVL 43

Accepted Solution

JFrederick29 earned 125 total points
ID: 11973987
You can only apply one access-list to an interface but you can have multiple access-list statements.  Using notepad to copy/modify and paste the access-list really speeds up ACL modifications.

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month5 days, 17 hours left to enroll

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question