Cisco router: Help with network configuration

I never did advanced networking with Cisco routers (very basic), so I am not sure how I would go ahead and do something like the following:

Our ISP has assigned 3 subnets to our company, one /22 and two /23s, and here is our network diagram. I will talk about the /22 in this example. We will be assigning a gateway IP address provided by the ISP to "our router eth1"; doing that, the /22 will be available behind our router on "our router eth2", but what I want to do is re-route the /22 to our firewall so the /22 will be available on "our firewall eth2". To do this, first I will have to assign /30 IP addresses to "our router eth2", "our firewall eth1" and "our firewall eth2", and I get those IP addresses by splitting one of the /23 IP ranges. Can you please clarify this for me? Am I on the right track, and how would I do this? My main concern is how I am going to split the /23 and re-route the traffic.

       | isp router eth1
---------------
ISP ROUTER
---------------
       |isp router eth2
       |
       |our router eth1
---------------
OUR ROUTER
---------------
       |our router eth2
       |
       |our firewall eth1
---------------
OUR FIREWALL
---------------
      |our firewall eth2
      |
---------------
/22 network goes here
---------------

Thanks,

Telman
harbor235 commented:
Yes, you are on the right track; remember to account for future growth. Are the blocks contiguous? It would make it a lot easier if they were. I would carve up your /22, pulling out the /30s from the upper portion of the /22. This would allow you to use
the remainder for assignment behind your firewall. This would allow for easy aggregation of routes. If you need additional address space behind your router, then assign one of the /23s.

for example: (10.1.0.0/22)
10.1.0.0/22
     10.1.0.0/23
          10.1.0.0/25        use for /30s
               10.1.4.0/30
               10.1.8.0/30
               10.1.16.0/30
               10.1.20.0/30
               10.1.24.0/30
                .
                .
               10.1.124.0/30
          10.1.0.64/25      reserved for infrastructure
          10.1.0.128/24    use for assignment behind firewall
     10.1.0.1/23             use for assignment behind your firewall


* An indent means the parent block has been subnetted; 1 /22 is the same as 2 /23s, and both /23s have the same indent.
   1 /23 is the same as 4 /25s; the first /25 is for /30s and the second is in reserve. The last two /25s, which is really a /24,
   can be used as you see fit. So behind the firewall you could use a /24 and a /23 all from the same block and still have the /23s left. This scenario leaves the remaining /23s for you to use and would allow for easy aggregation of routes. I do not know all your needs, but this works. Do you understand my notation?

harbor235


telman (Author) commented:
Thank you Sir,

Here is my ip range:

xx.xxx.100.0/22
xx.xxx.114.0/23
xx.xxx.116.0/23

I was hoping to keep the /22 as is so I will have more IP addresses behind the router, and use one of my /23 subnets to get my /30s. Would that still be possible, or do I have to use the upper portion of the /22?

Also, just to confirm that I understood you right, in case I split my /22:

1. Routing xx.xxx.100.0/22

a. I will need to split it two /23
b. Split one for /23 to two /24
c. Split one /24 to 4 /25
d. use one /25 to get my /30's

2. If I re-route xx.xxx.114.0/23 and xx.xxx.116.0/23, can I use the /30s which I got from my /22? Please note that xx.xxx.114.0/23 and xx.xxx.116.0/23 will be routed to different firewalls.

Thanks,

Telman


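The carve-up harbor235 sketches above (and the split sequence telman restates) can be reproduced mechanically. The following is an added example, not code from the thread: it uses Python's standard `ipaddress` module to split the constructed 10.1.0.0/22 into the /30 point-to-point links, the reserved /25, the /24 and the /23, and then checks the "easy aggregation" property, i.e. that every piece collapses back into the single parent /22 route the ISP and the router need. The function names are this example's own.

```python
"""Carving a /22 into point-to-point links, a reserve and firewall blocks.

Added example, not code from the thread. It walks the hierarchy harbor235
sketches with Python's standard ipaddress module, using the thread's
constructed 10.1.0.0/22 as the parent block. Helper names are this
example's own.
"""
import ipaddress
from typing import Dict, List, Tuple


def carve_block(block: str) -> Dict[str, object]:
    """Split a /22 into: 32 x /30 links, a reserved /25, a /24 and a /23."""
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 22:
        raise ValueError(f"expected a /22, got /{net.prefixlen}")

    # /22 -> two /23s; the second /23 stays whole for assignment behind the firewall
    half_a, half_b = net.subnets(new_prefix=23)
    # first /23 -> two /24s; the second /24 is also for assignment behind the firewall
    quarter_a, quarter_b = half_a.subnets(new_prefix=24)
    # first /24 -> two /25s; the first holds the /30s, the second is held in reserve
    eighth_a, eighth_b = quarter_a.subnets(new_prefix=25)
    p2p_links = list(eighth_a.subnets(new_prefix=30))  # 128 addresses / 4 = 32 links

    return {
        "p2p_links": p2p_links,
        "reserved": eighth_b,
        "firewall_24": quarter_b,
        "firewall_23": half_b,
    }


def link_hosts(link: ipaddress.IPv4Network) -> Tuple[str, str]:
    """The two usable addresses of a /30 (e.g. router side, firewall side)."""
    if link.prefixlen != 30:
        raise ValueError("point-to-point links here are /30")
    a, b = link.hosts()  # hosts() skips the network and broadcast addresses
    return str(a), str(b)


def aggregates_to(parent: str, plan: Dict[str, object]) -> bool:
    """True if every carved piece collapses back into the single parent route.

    This is the 'easy aggregation' property: upstream only needs one route
    for the whole /22, however finely it is subnetted internally.
    """
    pieces: List[ipaddress.IPv4Network] = list(plan["p2p_links"]) + [
        plan["reserved"], plan["firewall_24"], plan["firewall_23"],
    ]
    collapsed = list(ipaddress.collapse_addresses(pieces))
    return collapsed == [ipaddress.ip_network(parent)]


if __name__ == "__main__":
    plan = carve_block("10.1.0.0/22")
    print("/30 links:", plan["p2p_links"][0], "...", plan["p2p_links"][-1])
    print("reserved :", plan["reserved"])
    print("behind FW:", plan["firewall_24"], "and", plan["firewall_23"])
    print("first link hosts:", link_hosts(plan["p2p_links"][0]))
    print("aggregates to /22:", aggregates_to("10.1.0.0/22", plan))
```

Running the block prints the plan; the point to take from it is that a /25 yields 32 point-to-point /30s, far more than the three or four links in the diagram, and that the whole plan still announces as one /22.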
harbor235 commented:
You can do it the way you stated; you just need to make sure your ISP routes all the blocks to you and that you set up dynamic routing or static routing to route properly for all networks. However, given the fact that you are using the other /23s for different firewalls and potentially other locations, it makes better sense to break it up as I have detailed. Are you going to put 2048 hosts behind your firewall? My way allows you to use a /23 (1024 hosts) + a /24 (254 hosts). From my perspective
it makes more sense to have the /22 for one site, a /23 for another and another /23 for the last one. You could use the /30s
for any point-to-points you needed to connect the sites. Giving separate geographic regions a unique address range will make routing, and routing management, easier. It would just be easier the way I have discussed, but you certainly could do it the other way.   ;}

harbor235
Gen2003 commented:
Here are some tips before concrete tasks.

- Even having a lot of public addresses, it is good to use private IPs within your network and use NAT technology. That's because you never know how fast you will grow. Also it is another security advantage to hide your net from the outside net.
- It is good practice to use top of addresses for small nets (P2P links with mask /30) meaning to begin splitting with the biggest net.
- Our Router (OR) , Our Firewall (OF)

So: OR ETH1 - will be assigned by ISP later
      OR ETH2 - split x.x.116.0 /23 and take x.x.116.253 /30 address (x.x.116.252 /30 net address with only 2 hosts)

      OF ETH1 - should be on the same net as OR ETH2 - x.x.116.254 /30
      OF ETH2 - Now think twice about applying NAT on OF and apply private address here. But in case you don't want it you can use x.x.100.1 /22 for it.

What now you will have to make is routes:
End users connected to OF ETH2 - should have addresses from x.x.100.0 /22 net with DG pointing to OF ETH2 (x.x.100.1 /22)

OF should have routes to:
x.x.100.0 /22 - OF ETH2
x.x.114.0 /23 - OF ETH2
x.x.116.252 /30 - OF ETH1
x.x.116.0 /23 - OF ETH2
Default route (all unknown hosts) - OR ETH2

OR should have routes to:
x.x.100.0 /22 - OF ETH1
x.x.114.0 /23 - OF ETH1
x.x.116.252 /30 - OR ETH2
x.x.116.0 /23 - OF ETH1
Default route (all unknown hosts) - ISPR ETH2

And ensure ISP has all routes to x.x.100.0, x.x.114.0 and x.x.116.0 to your OR ETH1.

So from now on you have x.x.100.0, x.x.114.0 and x.x.116.0 usable within your LAN behind the FW. Hope your devices support VLSM (variable length subnet mask).

Regards.
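The two routing tables Gen2003 lists can be modelled and checked before they go onto real boxes. The following is an added example, not code from the thread: because the thread's first two octets are masked (xx.xxx), it uses 10.20.100.0/22, 10.20.114.0/23 and 10.20.116.0/23 as constructed stand-ins, carves the x.x.116.252/30 link from the top of the first /24 of the /23 as in Gen2003's numbering, builds the OF and OR tables with the same interface labels, and runs longest-prefix-match lookups over them. It also shows the check Gen2003 asks for at the end: that the ISP side has a route for every block. Helper names are this example's own.

```python
"""Routing tables for the OR / OF topology described in the thread.

Added example, not code from the thread. The xx.xxx prefixes are masked in
the thread, so the 10.20.* blocks below are constructed stand-ins. The
interface labels (OR ETH2, OF ETH1, ISPR ETH2, ...) follow the thread.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, next hop / outgoing interface label)

LAN_22 = "10.20.100.0/22"     # end users behind OF ETH2
SITE_23_A = "10.20.114.0/23"
SITE_23_B = "10.20.116.0/23"  # the /30 for the OR-OF link is taken from here


def p2p_link_from(block: str) -> ipaddress.IPv4Network:
    """Top /30 of the first /24 in the block: x.x.116.252/30 in the thread's numbering."""
    net = ipaddress.ip_network(block)
    first_24 = next(net.subnets(new_prefix=24))
    return list(first_24.subnets(new_prefix=30))[-1]


LINK = p2p_link_from(SITE_23_B)                     # 10.20.116.252/30
OR_ETH2, OF_ETH1 = (str(h) for h in LINK.hosts())   # .253 on the router, .254 on the firewall

# Firewall table, as listed in the thread.
OF_ROUTES: List[Route] = [
    (LAN_22, "OF ETH2"),
    (SITE_23_A, "OF ETH2"),
    (str(LINK), "OF ETH1"),
    (SITE_23_B, "OF ETH2"),
    ("0.0.0.0/0", "OR ETH2"),   # default: everything unknown goes to the router
]

# Router table, as listed in the thread.
OR_ROUTES: List[Route] = [
    (LAN_22, "OF ETH1"),
    (SITE_23_A, "OF ETH1"),
    (str(LINK), "OR ETH2"),     # the link itself is directly connected
    (SITE_23_B, "OF ETH1"),
    ("0.0.0.0/0", "ISPR ETH2"), # default: everything unknown goes to the ISP
]


def lookup(table: List[Route], destination: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def unrouted_blocks(table: List[Route], blocks: List[str]) -> List[str]:
    """Blocks not covered by any non-default route in the table.

    Use this against the upstream (ISP) table: a block missing here would
    not be delivered to OR ETH1 at all.
    """
    missing = []
    for block in blocks:
        net = ipaddress.ip_network(block)
        covered = any(
            ipaddress.ip_network(p).prefixlen > 0 and net.subnet_of(ipaddress.ip_network(p))
            for p, _ in table
        )
        if not covered:
            missing.append(block)
    return missing


# Constructed, deliberately incomplete ISP table: the second /23 was forgotten.
ISP_ROUTES_INCOMPLETE: List[Route] = [
    (LAN_22, "OR ETH1"),
    (SITE_23_A, "OR ETH1"),
]

if __name__ == "__main__":
    print("link:", LINK, "OR ETH2 =", OR_ETH2, "OF ETH1 =", OF_ETH1)
    print("OR -> user in /22      :", lookup(OR_ROUTES, "10.20.101.7"))
    print("OR -> firewall link IP :", lookup(OR_ROUTES, OF_ETH1))
    print("OR -> internet host    :", lookup(OR_ROUTES, "203.0.113.5"))
    print("OF -> host in /23 A    :", lookup(OF_ROUTES, "10.20.115.9"))
    print("ISP missing routes for :", unrouted_blocks(ISP_ROUTES_INCOMPLETE, [LAN_22, SITE_23_A, SITE_23_B]))
```

One detail the lookup makes visible: on OR, the firewall's own link address lies inside both the /23 (next hop OF ETH1) and the /30 (directly connected), and only longest-prefix match keeps that traffic on the link rather than bouncing it back towards the firewall's far side. The same overlap is why the /30 must be carved out of a block that is routed consistently on both devices.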
Gen2003 commented:
P.S. If you are still confused about splitting x.x.116.0 into x.x.116.252, you can even use (again) private addresses for that P2P link between OF and OR.
harbor235 commented:
> Even having lot of public addresses it is good to use private IPs within your network and use NAT technology. That's because you never know how fast you will grow. Also it is another security advantage to hide your net from outside net.

It depends; NAT does not work well in all applications. You may want all your devices to be accessible from unique public addresses. What are your sites doing? Do you require public IPs for all your devices? If you have the blocks and want to use them, then I would deploy them as discussed above. If there is a need to conserve addresses, then you should use NAT.

harbor235
telman (Author) commented:
NAT will add more issues and it will make it harder to troubleshoot issues. That is why we want to use just public IP addresses.

Thank you for your replies.

Telman