IP Routing & Allocation Question

I have a dedicated T1 to the Internet. We are routed a /25 (dot 128) from our provider. I have a potential customer that is under a T1 contract until March of 2007. The customer would like a quote for service with (5) dedicated IP Addresses.

My question becomes how I can technically allocate these IP Addresses given what they are going to be using them for.

Assume that they will have some type of Cisco Router with (2) FE Ports. A few of the (5) static IPs will be assigned directly to PCs on their LAN so they can be accessed via PC Anywhere. The same PCs that will have public addresses will also have private addresses so other PCs on their LAN with private addresses can access them, and so the computers can print to IP printers on their private LAN, etc.

Assume I give him (5) static IPs. One of those would get assigned to one of the FE ports on the computer that goes to the SM in bridge mode. The other FE port would be assigned one of the other static IPs, and a cable from that port would go to, let’s say, a switch. This IP address on the second FE interface would then become the default gateway for the (3) remaining static IPs that he assigns to PCs.

Now, for the PCs that have public static addresses, when they bind secondary private addresses to those NICs, could I also assign a secondary IP address to the second FE interface, for example 10.10.10.1, and overload NAT from FE(2) to FE(1)? Or is it not possible to set up a Cisco port for NAT operations AND have a static IP assigned to it? I would use the ip default-gateway command on the Cisco and set that parameter to the IP of my edge router.

Does any of this make sense or is it just a bad design? Would the routing get screwed up since there would be an IP address on the same logical subnet on two interfaces?

Their T1 provider right now is routing them 13 public IP addresses but he said they really only need 5.

What am I doing wrong? Should I just create a new subnet for them with a custom subnet mask other than .128? How would I have to set this up on my edge router?

Any help is appreciated.

msmith,

You will need to give them a 29 bit mask ( .248 ).
You will also need to assign the router a public IP address (that will be their gateway). In all, Router IP + 5 Static IPs = 6 hosts.

On Cisco routers you can have secondary IPs. You can also use ISL if you want.

I see no problem, it’s a standard request they are looking for.
Your client has 12 IPs plus the router = 13, that’s 28 bits ( .240 ), or 13 hosts.

You will need 6 sequential IPs to do what you want.

I don’t know of another router but Cisco and Linux/Unix router. Any good router can do what you want. You can also use Windows 2000 to do the routing.

So, was I correct when I said I would need a Cisco with (2) Ethernet interfaces? One for the SM and one for their LAN?

Would the interface connected to the SM get an IP address on my standard /25? And the second interface that goes to their LAN would get an IP and its mask would be the /29? And I could assign a secondary, private IP to this interface, and set it up for NAT overload? That way this interface would be the gateway for the public and private IPs?

What about the broadcast address for the /29? If I gave them a /29 that would be (2^3) - 2 = 6. So it would really be 8 IPs, 6 usable, or no?

If I allocated him a /29, I would have to add a static route in my edge router, wouldn’t I?

Thanks for your help.

Yes, you will need a router with 2 Ethernet interfaces.
Could be Cisco; that’s the brand I use, and many others use it. It’s very stable.

Would the interface connected to the SM get an IP address on my standard /25?
Yes, remember, you must have 6 sequential IPs.

And the second interface that goes to their LAN would get an IP and its mask would be the /29? Yes, following the sequence of eth0, assuming the 2nd interface is eth1.

And I could assign a secondary, private IP to this interface, and set it up for NAT overload? Yes. It’s tricky; remember that’s another public IP you will lose. Are you familiar with Cisco Inter-VLAN Routing, ISL?


What about the broadcast address for the /29? If I gave them a /29 that would be (2^3) - 2 = 6. So it would really be 8 IPs, 6 usable, or no?
No, you will have 6 in total. 1 must be used for eth0. Another could be for eth1, but you could use, i.e., 172.16.0.x and route it (on your T1 router), or give the router another public IP (best practice). You now have 4 available IPs for the user to use.
You have several ways of doing this.
Is the router property of the client or yours?
If it’s property of the client, chances are he is the one that must config his router. You must only provide him the IPs.

If I allocated him a /29, I would have to add a static route in my edge router, wouldn’t I?
Don’t know

Thanks for your help.

Ok. I still am not really following the 6 IP addresses…

I look at it like this, correct me if I am wrong. I have a /25 from my T1 provider. All of my addresses have a subnet mask of 255.255.255.128. That equals out to (2^7) - 2 = 126 usable addresses, but 128 total. The first and last address are the network address and the broadcast address, respectively. So the base formula outputs the total number of addresses possible on the subnet (128), subtracting out network and broadcast gives me the physical number of addresses I can assign to hosts (126).

I would think that same theory would apply here? A /29 leaves (3) zero-bits in the mask. (2^3) - 2 tells me I have 6 usable addresses, but 8 total. One for the network, one for the broadcast, and 6 in between to physically assign to interfaces, hosts, etc.

So I would think eth0 would get an available address on my /25. So let’s say I assign x.x.x.15/25 to eth0. The /29 would then start at x.x.x.16/29, which would actually be the network address. Usable IPs would start at x.x.x.17/29 (eth1 interface, default gateway) and go to x.x.x.22/29 (hosts), and finally x.x.x.23/29 would be the broadcast address for the /29. I would issue the “ip default-gateway” command in global config of the router and point that command to the IP address of my edge Cisco router.

So my network notation for the allocated /29 would be x.x.x.16/29, just like my network notation for my /25 is x.x.x.0/25. Clients .18 - .22 on the /29 would have their default gateway programmed as x.x.x.17. If one of the static IPs would go to browse, their packets would be forwarded to .17, which would then forward the packet to my edge .1. Then .17 has a route to .1/25 because it has an interface that is directly connected, ergo it’s in the routing table.

Now, from the other side of the network (Internet-coming-in), if a packet was destined for one of the IPs on the customer’s /29, the Internet would see and treat that packet as if it was on my /25. I would think it would be the duty of my edge router to inspect that packet and determine what to do with it. Example:

Source IP: (google)
Destination IP: dot 18 on the customer’s /29.

I would think my core router would have to inspect that packet, determine if its destination is on the /29. If it is, it would need to forward that packet to the IP address of either eth0 or eth1 on their router.

ip route x.x.x.16 255.255.255.248 x.x.x.15 (Eth0)
ip route x.x.x.16 255.255.255.248 x.x.x.17 (Eth1)

Excuse my stupidity if I am way off here. Your help is highly appreciated.
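To check the address arithmetic in the post above (and the "6 sequential IPs" answer earlier in the thread), here is an added Python example that is not from the thread. It assumes 203.0.113.0/25 (documentation space) stands in for the provider /25, uses the post's own layout (eth0 = .15/25, customer block .16/29, eth1 = .17), and shows why the edge router's static route wins over its connected /25 by longest-prefix match.

```python
import ipaddress

# Constructed stand-ins for the thread's x.x.x.0/25 (documentation range).
PROVIDER_BLOCK = ipaddress.ip_network("203.0.113.0/25")
CUSTOMER_ETH0 = "203.0.113.15"   # customer router eth0, lives on the /25

def carve_subnet(parent, any_host, prefixlen):
    """Aligned /prefixlen block inside `parent` that contains `any_host`.

    CIDR blocks start on a multiple of their size, so the /29 that holds
    .18 is .16/29, not .18/29. Raises ValueError if it leaves the parent.
    """
    net = ipaddress.ip_network(f"{any_host}/{prefixlen}", strict=False)
    if not net.subnet_of(parent):
        raise ValueError(f"{net} is not inside {parent}")
    return net

def describe(net):
    """Network, broadcast and usable addresses; first usable is eth1/gateway."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": len(hosts),
        "gateway": str(hosts[0]),
        "customer": [str(h) for h in hosts[1:]],
    }

def route_lookup(dst, table):
    """Longest-prefix match over (network, next_hop) pairs, as a router does.

    The /29 overlaps the connected /25, so without the static route the edge
    router would try to ARP for .18 on its own LAN; the more specific /29
    entry sends it to the customer router's eth0 instead.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(n, nh) for n, nh in table if addr in n]
    if not matches:
        return "default"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

CUSTOMER_BLOCK = carve_subnet(PROVIDER_BLOCK, "203.0.113.18", 29)  # .16/29
# Edge router table: connected /25 plus "ip route x.x.x.16 255.255.255.248 x.x.x.15"
EDGE_TABLE = [(PROVIDER_BLOCK, "connected"), (CUSTOMER_BLOCK, CUSTOMER_ETH0)]

if __name__ == "__main__":
    print(describe(CUSTOMER_BLOCK))
    print(route_lookup("203.0.113.18", EDGE_TABLE))  # customer eth0
    print(route_lookup("203.0.113.40", EDGE_TABLE))  # connected /25
```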

I think you are making this way too complicated…

Set up the router to use NAT and assign each PC Anywhere Host a unique port, here’s how:

http://service1.symantec.com/SUPPORT/pc … ho&src=hot

This requires ONE public IP address, and will be more secure as the PC Anywhere hosts will not be open to the Internet. Each PC only needs one FE.

Also, you will provide them with VPN support so remote users can access the LAN through the VPN and have access to printers, file servers, etc.

People THINK they need multiple IPs, but that is rare. Most of what people need to do they can do with NAT and port forwarding. It’s important to use a good router though. We use Linksys RV042/82/16 as it has proven to be an excellent little router for the price.

I apologize if making things complicated is me simply trying to understand the theory behind subnetting.

The fact of the matter is that the customer demands public IP addresses, so I am not going to argue.

I am trying to provide the customer with what they want, provide them with a higher level of service than their current provider, and learn something along the way.

The object is to provide the requested service to the client, not to make one application run over the network.

The client wants to purchase a service called “Internet”; he wants 5 static IPs to use for whatever he wants (PC Anywhere, hosting, streaming, etc.). He also wants a selected speed: 128, 256, 384, 512, 768 Kbps, etc.

I will assume msmith has done some routing using Cisco.

When you give a client a 30 bit mask you are actually allowing 2 hosts, but he can only use one, because the router needs one of the 2 IPs.

The service you are providing is more professional than regular WISP service. In most cases (Frame Relay, ADSL, ISDN, etc.) the router has one Ethernet and another serial. The serial is the one connected to the DSU (Digital Subscriber Unit). This interface needs an IP, and if you are not using any routing protocol, the main router at the main office needs to know what IPs are coming from what router.
Basic stuff.

The trick in question is how to allow NAT services, plus allow 4 more public IPs to 4 other hosts.

The simplest way is to have 2 routers or one router with 3 interfaces (1 = WAN, 2 = public IP, 3 = private IP or NAT).
The other approach is to have a router and configure it using ISL (to subdivide the Ethernet interface .1 .2 .3).
This is a Cisco link that will help you:
http://www.cisco.com/en/US/tech/tk389/t … 49fd.shtml

I apologize, I realize my post came off the wrong way.

Your customer may not know that they can change the ports on PC Anywhere. By presenting this option, you are saving them a lot of undue management, and improving the security. Putting the PCs on the Internet with public IPs is a security risk, and frankly I don’t want their infected machine spewing onto my network…

With that said, if I were providing the customer exactly what they asked for (5 IPs with public interfaces on the PC Anywhere machines), here is how I would set it up:

Edge Router --> Edge Switch (VLAN #xxx) --> AP --> SM (VLAN #xxx) --> Switch --> SOHO Router, Public PC Anywhere NIC’s

–> SOHO router --> PC Anywhere Private NIC, Other PC’s, Printers, Etc.

I would assign
3 IPs to the PC Anywhere machines
1 to a SOHO router
1 as spare

This would give them a secure connection through my network, the public IPs they asked for, and simple setup and management.

I would love to do it via VLANs, problem is I still don’t understand how I would have to configure my NOC switch and router to handle them.

If I put every customer on their own VLAN, I understand how that traffic would be segregated from each other on a radio level. The problem becomes once it gets back to the NOC, hits the switch, and goes out the router.

My edge switch has (4) terminations:

1. BHS to our site
2. Uplink to Cisco3662
3. Linux Server 1
4. Linux Server 2

Suppose I had (2) customers and I set up their radios so that they are VLAN100 and VLAN200. All is great, they can’t see each other. What if a packet is generated from VLAN100 that needs to query my DNS Server? The port on the switch would have to be a member of VLAN100 as well in order to communicate. It would have to be a member of VLAN200, as well as VLANxxx for each customer on the LAN that needs DNS communication that is on its own VLAN. Same goes for the uplink to the Cisco.

What about when the packet comes back into the network? Does the Cisco or the switch need to tag it with the appropriate VLAN ID in order for the radio to process it, inbound?

Does the trunk from the Switch to the Cisco need to be configured as a dot1q link?

VLANs make perfect sense when isolating radios…once it gets back to the NOC, I’m just confused.

Same questions apply when it comes to broadcast packets. One of the benefits of VLANs is broadcast control. If a CPE router on VLAN100 needs to broadcast to find the IP address of the edge router, that broadcast has to reach the port on the edge switch, so both the radio and the switch port would have to be on the same VLAN. Same goes for every customer?

Is it just me that doesn’t understand this stuff?
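The VLAN questions above (must the DNS server port join every customer VLAN, must the uplink be a dot1q trunk, who tags the return traffic) can be worked through with a small model of the NOC switch. This is an added Python example, not from the thread; it assumes a layout the thread does not spell out: the BHS port and the uplink to the 3662 are 802.1Q trunks, the Linux servers sit in their own server VLAN 10, and the 3662 routes between VLANs on dot1q subinterfaces with an ACL that blocks customer-to-customer routing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access" or "trunk" (802.1Q tagged)
    vlan: int = 0                      # VLAN of an access port
    allowed: frozenset = frozenset()   # VLANs carried on a trunk

    def carries(self, vid):
        return vid == self.vlan if self.mode == "access" else vid in self.allowed

# Assumed (constructed) edge switch layout from the four terminations listed
# in the thread. The server ports are NOT members of any customer VLAN.
SERVER_VLAN = 10
CUSTOMERS = {100, 200}
PORTS = {p.name: p for p in [
    Port("bhs", "trunk", allowed=frozenset(CUSTOMERS)),
    Port("uplink-3662", "trunk", allowed=frozenset(CUSTOMERS | {SERVER_VLAN})),
    Port("linux1-dns", "access", vlan=SERVER_VLAN),
    Port("linux2", "access", vlan=SERVER_VLAN),
]}

def l2_reachable(src, vid, dst):
    """A frame in VLAN vid entering src may leave on dst only if both ports
    carry that VLAN; a switch never sends a frame back out its ingress port."""
    return src != dst and PORTS[src].carries(vid) and PORTS[dst].carries(vid)

ROUTED_VLANS = CUSTOMERS | {SERVER_VLAN}   # one dot1q subinterface each on the 3662

def l3_permitted(src_vid, dst_vid):
    """Router-on-a-stick policy: route any VLAN to the servers, but an ACL
    (assumed) denies traffic straight between two customer VLANs."""
    if src_vid not in ROUTED_VLANS or dst_vid not in ROUTED_VLANS:
        return False
    return not (src_vid in CUSTOMERS and dst_vid in CUSTOMERS)

def path(src_port, src_vid, dst_port, dst_vid):
    """Hop list for a packet, or [] if the design blocks it. Cross-VLAN traffic
    must reach the trunk, be routed, and come back tagged with dst_vid, which
    is what lets the switch and the BHS deliver replies to the right radio."""
    if src_vid == dst_vid:
        return [src_port, dst_port] if l2_reachable(src_port, src_vid, dst_port) else []
    if not (l2_reachable(src_port, src_vid, "uplink-3662")
            and l3_permitted(src_vid, dst_vid)
            and l2_reachable("uplink-3662", dst_vid, dst_port)):
        return []
    return [src_port, "uplink-3662", f"3662 subif .{src_vid} -> .{dst_vid}",
            "uplink-3662", dst_port]

if __name__ == "__main__":
    print(path("bhs", 100, "linux1-dns", SERVER_VLAN))  # DNS reached via the router
    print(path("bhs", 100, "linux1-dns", 100))          # [] server port not in VLAN 100
    print(path("bhs", 100, "bhs", 200))                 # [] customers stay isolated
```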

http://www.cisco.com/univercd/cc/td/doc ... kivlan.pdf

It is fairly simple (once you have done it a few times… like all things, I guess)…

The best way to do it is by means of VLANs as Jerry suggested; configuring your switch would be straightforward…

it may be very lengthy to explain on paper and too many assumptions of your network will need to be made, but if you need help drop me a contact number and I can run through it with you…

Thanks vj. I might take you up on the offer. If it helps at all, the edge switch is a D-Link DES-3226.

Jerry,

Do you purchase that router through a distributor? Do you stock these? Let me know, I am including a routed & switched option in this proposal with a less expensive router (the Linksys) and need some pricing.

Thanks,

Matt

Typically we have the customer purchase it however you get it here:
http://www.newegg.com/Product/Product.a … 6833124160

Sometimes I will provide all of the equipment, and no installation but it needs to be a 249/mo connection or better and they need to be wavering a little (and it needs to be a slow month).

I only buy Cisco, although D-Link will/should work; I am not familiar with the interface on it (command set).

If you are looking for cheap CISCO kit, I would check out

Mark G. Metz
Network Hardware Resale LLC
79 Hudson Street, Suite 302
Hoboken, New Jersey 07030

Toll Free: 1-866-984-1484
Direct: 201-984-1489
Fax: 201-984-1485
Email: mmetz@networkhardware.com

We buy all our kit from them, excellent service and no problems so far.