Can I configure a /30 transport network and a /29 usable on the same router?

ktylman asked:
Can I configure a /30 transport network and a /29 usable on the same router? It would be a Cisco 891. Comcast used to just give us a /29 usable which we configured on our 891 and everything was great. Now they give us a /30 for transport and a /29 usable. The only way I know how to do it is to have one router with one interface facing the internet with the /30 and one IP address from the /29 on the other interface. Then use a second router with one interface with an IP address from the /29 and point the default route to the first router. My client is not crazy about buying 2 routers for every location. I was able to get Comcast to provision only the /29 but it was a big hassle and their internal ACLs were causing all kinds of problems.
Jody Lemoine, Network Architect
Commented:
Absolutely. There are multiple ways to do it, depending on your needs.

If you want to just use the /29 as a NAT pool, you can configure the /30 on the WAN interface and start adding NAT entries using the /29 addresses, keeping the LAN interface private.

If you need a different configuration, post an outline of what you'd like and I'll advise as best I can. You won't likely need two routers regardless.

Jody

Author
Commented:
I would like to have an IP address from the /29 on an interface, maybe a VLAN interface, and be able to control access to it with an ACL and be able to telnet into it. However, your idea is interesting. Would the default route to the Comcast side of the /30 apply to both subnets? Could I do static NATs with this configuration? I assume I would control access to both subnets with the ACL on the WAN interface. Trying to get my head around this...
Jody Lemoine, Network Architect
Commented:
The default route would only be on the WAN interface with the /30 and inbound ACLs would also be applied on this interface.

If you want to actually put the /29 on a VLAN so that machines can be physically assigned IP addresses from this range, that's certainly possible. On the other hand, if you're just using the /29 as a NAT pool, that gives you two more addresses to work with – NAT pools not being subject to the normal restrictions on actual IP subnets.

You could do something like this:

interface GigabitEthernet0
 description WAN
 ip address 206.0.113.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 172.24.0.1 255.255.252.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 206.0.113.1
!
ip access-list extended ACL_NAT
 permit ip 172.24.0.0 0.0.3.255 any
!
ip nat pool NAT_Pool_WAN 192.0.2.0 192.0.2.0 prefix-length 29
ip nat inside source list ACL_NAT pool NAT_Pool_WAN overload
ip nat inside source static 172.24.0.2 192.0.2.1
ip nat inside source static 172.24.0.3 192.0.2.2
ip nat inside source static 172.24.0.4 192.0.2.3
ip nat inside source static 172.24.0.5 192.0.2.4
ip nat inside source static 172.24.0.6 192.0.2.5
ip nat inside source static 172.24.0.7 192.0.2.6
ip nat inside source static 172.24.0.8 192.0.2.7

This applies the /30 to the WAN, sets your NAT overload to use the first address in your /29 pool and statically assigns 1:1 NAT entries to the remaining seven addresses.
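To make the design above concrete, here is an added example (not code from the thread, nor anything Cisco ships) in Python: a small audit script that parses the posted IOS fragment, embedded below as a constructed sample, and checks the points raised in the answer. It verifies that the WAN address sits inside the /30 transport network, that every NAT pool and static global address sits inside the /29, how many of the eight /29 addresses are consumed (all eight when the /29 is only a NAT pool, versus six if it were put on an interface), and whether an inbound access-group is applied on the WAN interface, since each 1:1 static entry otherwise exposes its inside host to any source. The transport and usable prefixes are passed in as assumptions, and the ACL name ACL_WAN_IN used in the usage note is a placeholder.

```python
import ipaddress
import re

# Constructed sample: the IOS fragment posted in the answer above, embedded
# so the audit runs offline. 206.0.113.0/30 and 192.0.2.0/29 are example prefixes.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 description WAN
 ip address 206.0.113.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 172.24.0.1 255.255.252.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 206.0.113.1
!
ip access-list extended ACL_NAT
 permit ip 172.24.0.0 0.0.3.255 any
!
ip nat pool NAT_Pool_WAN 192.0.2.0 192.0.2.0 prefix-length 29
ip nat inside source list ACL_NAT pool NAT_Pool_WAN overload
ip nat inside source static 172.24.0.2 192.0.2.1
ip nat inside source static 172.24.0.3 192.0.2.2
ip nat inside source static 172.24.0.4 192.0.2.3
ip nat inside source static 172.24.0.5 192.0.2.4
ip nat inside source static 172.24.0.6 192.0.2.5
ip nat inside source static 172.24.0.7 192.0.2.6
ip nat inside source static 172.24.0.8 192.0.2.7
"""


def parse_interfaces(config):
    """Collect each interface's address, NAT role and inbound access-group (if any)."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"ip": None, "nat": None, "acl_in": None}
        elif current and line.startswith(" "):
            tok = line.split()
            if tok[:2] == ["ip", "address"] and len(tok) >= 4:
                interfaces[current]["ip"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
            elif tok[:2] == ["ip", "nat"] and len(tok) >= 3:
                interfaces[current]["nat"] = tok[2]
            elif tok[:2] == ["ip", "access-group"] and len(tok) >= 4 and tok[3] == "in":
                interfaces[current]["acl_in"] = tok[2]
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def parse_pools(config):
    """Map NAT pool name -> list of global addresses from start to end inclusive."""
    pools = {}
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+)", config, re.M):
        start, end = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))
        pools[m.group(1)] = [ipaddress.IPv4Address(int(start) + i)
                             for i in range(int(end) - int(start) + 1)]
    return pools


def parse_statics(config):
    """Map inside local -> inside global for each 1:1 static NAT entry."""
    return {ipaddress.IPv4Address(m.group(1)): ipaddress.IPv4Address(m.group(2))
            for m in re.finditer(r"^ip nat inside source static (\S+) (\S+)", config, re.M)}


def audit(config, transport, usable):
    """Check the /30-on-WAN, /29-as-NAT-pool design and report exposed inside hosts."""
    transport, usable = ipaddress.IPv4Network(transport), ipaddress.IPv4Network(usable)
    ifaces = parse_interfaces(config)
    findings = []
    for name, i in ifaces.items():
        if i["nat"] == "outside":
            if i["ip"] is None or i["ip"].ip not in transport:
                findings.append(f"{name}: WAN address not inside transport net {transport}")
            if i["acl_in"] is None:
                findings.append(f"{name}: no inbound access-group; static NAT hosts reachable from any source")
        if i["ip"] and i["ip"].network.overlaps(usable):
            # Putting the /29 on an interface burns network and broadcast addresses.
            findings.append(f"{name}: /29 configured on an interface, only {usable.num_addresses - 2} hosts usable")
    globals_used, exposed = set(), {}
    for pname, addrs in parse_pools(config).items():
        for a in addrs:
            globals_used.add(a)
            if a not in usable:
                findings.append(f"pool {pname}: {a} outside {usable}")
    for local, glob in parse_statics(config).items():
        globals_used.add(glob)
        if glob not in usable:
            findings.append(f"static {local}->{glob}: global address outside {usable}")
        exposed[str(glob)] = str(local)  # every static entry is a fully reachable inside host
    return {"findings": findings, "exposed_hosts": exposed,
            "globals_used": len(globals_used), "globals_available": usable.num_addresses}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, "206.0.113.0/30", "192.0.2.0/29")
    for line in report["findings"]:
        print("FINDING:", line)
    print(f"{report['globals_used']}/{report['globals_available']} /29 addresses in use;"
          f" {len(report['exposed_hosts'])} hosts exposed via static NAT")
```

Run as-is, the script reports one finding: the sample has no inbound access-group on GigabitEthernet0, so all seven statically mapped hosts answer to any Internet source. Adding a line such as `ip access-group ACL_WAN_IN in` under the WAN interface (ACL_WAN_IN being a placeholder name you would define) clears it, and the summary shows all eight /29 addresses in use, which is the two-extra-addresses point from the answer.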

Author
Commented:
I am liking this. Wouldn't the "ip nat inside" command go on the LAN interface? Also, if I need a VPN tunnel, I assume the crypto map command would go on GigabitEthernet0. And if I don't need to assign machines IP addresses on the 172.24.0.0, I don't need a VLAN interface in this network.
Jody Lemoine, Network Architect
Commented:
The "ip nat inside" would go on the LAN interface, per the above configuration.

If you're using a crypto map for VPN, you'll definitely put that on the WAN interface and source from the /30. (I advise using Tunnel interfaces rather than crypto maps for modern configurations, but that's another topic.)

I only used 172.24.0.0 as an example of a private IPv4 address range. You would substitute that and the Vlan1 interface with whatever private IPv4 range and interface you're using for your LAN.

Author
Commented:
I was confusing the /29 with the private network.  My bad.  Thanks for your quick and very helpful response!
