Creating Sub Int's or Secondaries, Hmmmmmm?????

Posted on 2004-09-01
Last Modified: 2011-04-14
I'm using a 2621 Cisco router for my personal home router.  My DSL service has 5 static IPs that are delivered to me via a bridge (vaguely, a DSL modem/router combo that I have passing ALL the traffic to the Cisco), and currently I have one of the five IPs as the outside (FA0/0) address and I have the other four rotting in cyber space, so to say.
My objective is this:
I would like to have two of the other public (WAN) IPs be an outside-in to an FTP server, and a second to be an outside-in to an HTTP server (one IP address for each service). At the same time I would like to apply ACLs to each IP address.
SO...  My question is this....
Would it be better to use a secondary interface IP address scheme, or create sub-interfaces, and if I create sub-interfaces or secondaries, can I apply independent ACLs to each of them?
Thanks in advance for your wisdom!
Question by: CCNPwanabe

Expert Comment

ID: 11962415
I'm assuming you are running NAT on the router?

If so, you don't want to assign the public IP addresses to the router.  You want to create static NAT entries pointing to the inside server's IP address:

! inside-local (private server) address first, then inside-global (public) address;
! the inside addresses are placeholders, the expert did not give them
ip nat inside source static <FTP-server-inside-IP> 68.x.x.10
ip nat inside source static <web-server-inside-IP> 68.x.x.11

Where 68.x.x.10 is one of the public IP addresses and is your FTP server...

If you want to apply ACLs to the IP addresses, you should create an inbound access-list on the interface connected to your ISP.  You can restrict what ports are allowed to be forwarded to the inside server.  For example, to restrict the web server to only HTTP traffic, define the following list:

! a single destination address needs the "host" keyword (or a 0.0.0.0 wildcard)
access-list 101 permit tcp any host 68.x.x.10 eq 80

This is not the complete list and will break your connection to your ISP if you apply it as is to your outside interface.  You need to specify other permits and let the "deny any" at the end of the list take care of the rest.

Expert Comment

ID: 11968236
It would be better to use static NAT to map these public IPs to private IPs inside your network.

Sub-interfaces are for services that encapsulate several separate subnets over a single physical link, such as frame relay DLCIs, ATM PVCs, or 802.1q VLANs.  None of these apply to your situation.

Secondary addresses are for multiple IP address ranges on the same segment.  This is never a very good idea, but is sometimes the easiest way to resolve some legacy issues that you don't have.


Author Comment

ID: 11973717
Alright, that's good.  And kinda what I suspected.  I was however looking for an easy way to secure (so to say) each IP address in its own special way.  Is it possible to apply multiple access-groups in to one interface?  I don't want to have to re-write one access list, I would rather just set up multiple and apply each to the outside interface... can this be done or do I have to use just one?
Thanks for your replies (both of you)

Accepted Solution

JFrederick29 earned 125 total points
ID: 11973987
You can only apply one access-list to an interface but you can have multiple access-list statements.  Using notepad to copy/modify and paste the access-list really speeds up ACL modifications.
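Putting the two answers together, as an added example that is not configuration posted by either expert: one static NAT entry per public address and a single inbound access-list on FA0/0 that carries a block of statements for each service. The inside network 192.168.1.0/24, the inside interface FA0/1, the server addresses 192.168.1.10 and 192.168.1.11, the /29 mask and the outside interface address 68.x.x.1 are all assumed; the public addresses keep the 68.x.x.10/.11 convention used above.

```cisco
! Outside interface: the public address the question says is already on FA0/0 (placeholder value)
interface FastEthernet0/0
 ip address 68.x.x.1 255.255.255.248
 ip nat outside
 ip access-group 101 in
!
! Inside interface and LAN (assumed)
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! One static translation per public address: inside-local first, then inside-global
ip nat inside source static 192.168.1.10 68.x.x.10
ip nat inside source static 192.168.1.11 68.x.x.11
! Everything else on the LAN leaves through the interface address
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 192.168.1.0 0.0.0.255
!
! The one inbound list. Inbound traffic is checked here before NAT, so it matches
! on the public addresses. Return traffic for sessions the LAN opened is permitted
! first so the ISP link keeps working; UDP replies (DNS etc.) still need their own permits.
access-list 101 permit tcp any any established
! FTP server: control channel only. Passive-mode data connections would need
! a defined port range on the server and matching permits here.
access-list 101 permit tcp any host 68.x.x.10 eq 21
! Web server: HTTP only
access-list 101 permit tcp any host 68.x.x.11 eq 80
! Implicit "deny ip any any" drops everything else, including port 80 to .10 and port 21 to .11
```

Check the result with "show ip nat translations" and "show access-lists 101", whose per-line hit counters show which statement is matching each service.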
