How to split Public IPs from ISP to multiple internal networks.
Hi,
I'm looking to set up a test network within the same building as my live network. My ISP has provided me with a range of 6 public IP addresses. Let's say:
- subnet is 15.16.17.16/29
- GW is 15.16.17.17/29
- Usable IPs 15.16.17.18 - .22/29
- BA is 15.16.17.23/29
I currently have a 2911 router with one of the WAN ports configured as 15.16.17.18/29, which is the default gateway for my LAN at 192.168.0.0/24. I have another 2911 router that I would like to be on its own subnet, let's say 172.16.0.0/24, to use as a test network, but with its own internet connection.
My question is, can I use one of the IPs allocated by my ISP, like 15.16.17.19/29, and have that be the default gateway of the 172.16.0.0/24 LAN?
I currently have PAT configured on the first router translating the 192.168.0.0 network to all of the public IPs 15.16.17.18 - .22. I'm assuming I will have to change that to translate to just a single IP, 15.16.17.18/29.
I have done some research and read that one way to do this is to place an L3 switch in front of the router and separate the networks with VLANs. I'm really confused by that. I know what VLANs are, but I do not understand the concept of doing that and ending up with two networks with separate public IP addresses.
To prevent the subnets from talking to each other, you need to configure an access list on the default gateway interface (SVI or physical interface).
The simplest access list to prevent all access to private address space (excluding special addresses) from that network, for example:
access-list 100 deny ip any 172.16.0.0 0.15.255.255
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
If you apply it to a VLAN interface or a physical interface, it should be set in the IN direction:
interface Vlan X
ip access-group 100 in
That will drop any traffic entering the router (or leaving the VLAN, if applied to the SVI) that has a destination address in the private IP ranges (on that interface), and forward only traffic to public IP address space. :)
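The wildcard masks in that access list are easy to get backwards (a Cisco wildcard is the bitwise inverse of a subnet mask, so 0.15.255.255 covers 172.16.0.0/12, not 172.16.0.0/16). Below is an added example, not part of the original thread or anyone's posted config, that parses the four lines above and evaluates sample packets against them the way IOS does: first matching entry wins, and an unmatched packet hits the implicit deny at the end. It only understands `any`, `host A`, and `A WILDCARD` operands and the `ip` protocol keyword, which is all the posted list uses; the packet addresses are constructed test values. One thing it makes visible: because an inbound ACL is also applied to packets addressed to the router itself, a host in 192.168.0.0/24 sending to the SVI's own address (192.168.0.1 in the example) matches the 192.168.0.0/16 deny, so if hosts need to reach their gateway directly (ping, or DNS/DHCP relay answered by the router), a `permit ip any host <gateway>` line ahead of the denies is needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the access list from the answer above, verbatim.
ACL_TEXT = """
access-list 100 deny ip any 172.16.0.0 0.15.255.255
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
"""


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class Matcher:
    base: int  # address bits that must match
    mask: int  # subnet mask, i.e. the bitwise inverse of the Cisco wildcard

    def matches(self, addr: int) -> bool:
        return (addr & self.mask) == (self.base & self.mask)


def parse_operand(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    """Parse one address operand (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return Matcher(0, 0), i + 1              # mask 0 matches everything
    if tok == "host":
        return Matcher(_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    wildcard = _ip(tokens[i + 1])
    return Matcher(_ip(tok), (~wildcard) & 0xFFFFFFFF), i + 2


@dataclass
class Ace:
    action: str
    proto: str
    src: Matcher
    dst: Matcher
    text: str


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered 'access-list N permit|deny PROTO SRC DST' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # ignore blank lines and anything that is not an ACE
        action, proto = t[2], t[3]
        src, i = parse_operand(t, 4)
        dst, i = parse_operand(t, i)
        aces.append(Ace(action, proto, src, dst, line.strip()))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action
    return "deny"


# Constructed packets from a host on the live LAN, applied inbound on its SVI.
CASES = [
    ("192.168.0.10", "172.16.0.5"),      # test LAN: denied by the /12 line
    ("192.168.0.10", "172.31.255.254"),  # still inside 172.16.0.0/12: denied
    ("192.168.0.10", "172.32.0.1"),      # outside the /12: permitted
    ("192.168.0.10", "10.1.2.3"),        # RFC 1918 10/8: denied
    ("192.168.0.10", "8.8.8.8"),         # public address: permitted
    ("192.168.0.10", "192.168.0.1"),     # the SVI itself: also denied
]


def report(aces: List[Ace], cases=CASES) -> List[Tuple[str, str, str]]:
    return [(s, d, evaluate(aces, s, d)) for s, d in cases]


if __name__ == "__main__":
    for src, dst, verdict in report(parse_acl(ACL_TEXT)):
        print(f"{src:>14} -> {dst:<16} {verdict}")
```

Feed it your own ACL text and a list of (source, destination) pairs to check an isolation rule before pushing it to the switch; it evaluates the entries in the order written, so a line added later in the list never overrides an earlier deny.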
ASKER
Thank you Predrag. As soon as I am able to configure this I will let you know if all goes well! Thanks again!
ASKER
Just configured everything last night and it went very smooth. Thanks for all the help!
You're welcome.
ASKER
So basically all I have to do is translate one private address to one public address, is what you're saying.
I guess my only concern is, will the two subnets of 192.168.0.0 and 192.168.1.0 be able to communicate? Overall, I do not want them to. From your explanation, it seems the two subnets are on switches which are just connected to different ports on the router.