lv4 asked:
How to split Public IPs from ISP to multiple internal networks.

Hi,

I'm looking to set up a test network within the same building as my live network. My ISP has provided me with a range of 6 public IP addresses. Let's say:

- subnet is 15.16.17.16/29
- GW is 15.16.17.17/29
- Usable IPs 15.16.17.18 - .22/29
- BA is 15.16.17.23/29

I currently have a 2911 router with one of the WAN ports configured as 15.16.17.18/29 which is the default gateway for my LAN at 192.168.0.0/24. I have another 2911 router that I would like to be on its own subnet of, let's say, 172.16.0.0/24 to use as a test network but have its own internet connection.

My question is, can I use one of the allocated IP ranges from my ISP like, 15.16.17.19/29 and have that be the default gateway of the 172.16.0.0/24 LAN?

I currently have PAT configured on the first router translating to all the public IPs of 15.16.17.18 - .22 from the 192.168.0.0 network. I'm assuming I will have to change that to just translate to a single IP of 15.16.17.18/29.

I have done some research and read one way to do so is to place a L3 switch in front of the router and separate the networks with VLANs. I'm really confused on that. I know what VLANs are but I do not understand the concept of doing that and ending up with two networks with separate public IP addresses.
ASKER CERTIFIED SOLUTION
Predrag Jovic (the accepted answer's text is not shown on this page)
lv4 (ASKER):

Of course the default gateway must be in the subnet as the hosts! Glad you understood what I was trying to say.

So basically all I have to do is translate one private address to one public address is what you're saying.

I guess my only concern is, will the two subnets of 192.168.0.0 and 192.168.1.0 be able to communicate? Overall, I do not want them to. From your explanation, it seems the two subnets are on switches which are just connected to different ports at the router.

To prevent the subnets from talking to each other you need to configure an access list on the default gateway interface (SVI, or physical interface).
The simplest example of an access list that blocks all access to private address space (special addresses aside) in other networks:


access-list 100 deny ip any 172.16.0.0 0.15.255.255
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any

If you apply it to a VLAN interface or a physical interface then it should be set in the IN direction:
interface Vlan X
 ip access-group 100 in

That will drop any traffic entering the router (or exiting the VLAN, if applied to the SVI) that has a destination address in the private IP ranges (on that interface), and forward only traffic to public IP address space. :)
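To see exactly what the four-line ACL above lets through, here is an added Python example (my own illustration, not code from this thread or from Cisco) that parses those entries, converts the wildcard masks to prefixes, and applies first-match semantics with the implicit trailing deny. The hosts and the public address 203.0.113.10 are constructed; it also shows that a host's traffic to its own gateway address is caught by the same entry, since the SVI address is itself private.

```python
import ipaddress

# The ACL exactly as posted above (the subset of syntax this parser handles).
ACL_TEXT = """
access-list 100 deny ip any 172.16.0.0 0.15.255.255
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are the bitwise inverse of a netmask: 0.15.255.255 -> /12."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _take_addr(fields):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if fields[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), fields[1:]
    if fields[0] == "host":
        return ipaddress.IPv4Network(fields[1] + "/32"), fields[2:]
    return wildcard_to_network(fields[0], fields[1]), fields[2:]


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "!" or parts[2] == "remark":
            continue  # comments and remark entries do not filter anything
        action = parts[2]
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        rules.append((action, src, dst))
    return rules


def evaluate(rules, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for dst in ("172.16.0.10", "203.0.113.10", "192.168.0.1"):
        print(f"192.168.0.10 -> {dst}: {evaluate(rules, '192.168.0.10', dst)}")
```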
lv4 (ASKER):

Thank you Predrag. As soon as I am able to configure this I will let you know if all goes well! Thanks again!
lv4 (ASKER):

Just configured everything last night and it went very smooth. Thanks for all the help!
You're welcome.