2

I have an ADSL connection which has a /29 subnet allocated to it, giving me 6 usable IP addresses. Currently this has a cheap Netgear ADSL router attached, which has a built in switch. There are 3 servers attached, each with a public IP address. Each of these servers is in our DMZ, and has a second network connection to the internal firewall, but I don't think that's important for this question.

Because the Netgear router's switch is so simple, each of these 3 servers can access the other servers, via the router's switch. What I require is for each of these servers to be isolated from the others, and have no access to them.

I intend to replace the router with something more suitable, such as a Cisco 1801, which also has a built-in switch, but supports VLANs on this switch. However, I'm not sure what the best method of achieving the goal is. I'm not sure if the firewall on that router applies to connections to its switch, or only routed connections. And I get the feeling that VLANs should be involved here, but I'm not sure how!

What is the best way for me to achieve the requirement of an ADSL connection with a /29 subnet, where the attached devices have no connectivity to each other?

hmallett
  • 2,455
  • 14
  • 26

1 Answer

2

I don't know about the 1801, but I use a Cisco 1811 to do exactly this. You can assign a VLAN to every port on the switch:

interface FastEthernet1
 switchport access vlan 1

interface FastEthernet2
 switchport access vlan 2

etc.

interface Vlan1
 ip address <IP-ADDRESS-INTERNAL-1> <NETMASK>
 ...

interface Vlan2
 ip address <IP-ADDRESS-INTERNAL-2> <NETMASK>
 ...

etc.

These VLANs are separated by default. You can also assign a switchport to access all the VLANs (for monitoring or whatever).

To link each VLAN to one public IP address you can use a few NAT rules like:

ip nat inside source static <IP-INTERNAL-IP-1> <IP-EXTERNAL-IP-1>
ip nat inside source static <IP-INTERNAL-IP-2> <IP-EXTERNAL-IP-2>
etc.

and turn on NAT on Fe0 (the WAN connection):

interface FastEthernet0
 ip nat outside
 ...

Make sure that you buy a Cisco 18xx with built-in ADSL on Fe0, otherwise you'll spend a lot of money on an extra ADSL module.

Jasper
  • 1,084
  • 10
  • 10
  • So where you have IP-ADDRESS-INTERNAL-x you'd put each of the 6 public IP addresses? Also the 1801 has 1xADSL and 1xFE, whereas your 1811 has 2xFE, so should be OK. – hmallett Jul 06 '10 at 23:06
  • No, those are the internal IP addresses, with some nat rules you would link them to the public addresses. I updated my answer to reflect this. – Jasper Jul 07 '10 at 11:59
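The answer above shows the shape of the solution but leaves the two pieces that actually enforce the isolation as "...". The following is an added, complete IOS configuration written for this page; it is not Jasper's running config and not tested on an 1801. Everything concrete in it is assumed: VLAN IDs 10/20/30 (VLAN 1 is deliberately avoided because every unconfigured switch port lands in VLAN 1 by default), the private subnets 10.0.10.0/24, 10.0.20.0/24 and 10.0.30.0/24, the documentation prefix 203.0.113.0/29 standing in for the real /29 with the ISP gateway at .1 and the router at .2, switch ports FastEthernet2-4, and FastEthernet0 as the WAN port as on the 1811 (on an 1801 the ADSL side is an ATM interface with a Dialer, so `ip nat outside` would go there instead). Two points the answer does not spell out: each SVI needs `ip nat inside` or the static translations never apply to that VLAN, and three SVIs on one router will route between each other unless an access list stops them, so each VLAN gets an inbound ACL that denies the other servers' private subnets and the whole public /29 (the latter also blocks reaching a neighbour through its public address) before permitting everything else.

```cisco
! --- VLAN database: one VLAN per server (IDs assumed for this example) ---
vlan 10
 name dmz-server1
vlan 20
 name dmz-server2
vlan 30
 name dmz-server3
!
! --- Switch ports: each locked to exactly one VLAN, no trunking ---
interface FastEthernet2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet4
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! --- Per-VLAN gateway (SVI). ip nat inside is required here, otherwise the
! --- static translations below never fire for that VLAN. The ACL stops the
! --- router from routing one server's VLAN into another's.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group DMZ-ISOLATE-10 in
 ip nat inside
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group DMZ-ISOLATE-20 in
 ip nat inside
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group DMZ-ISOLATE-30 in
 ip nat inside
!
! --- WAN side (FastEthernet0 as on the 1811; ATM/Dialer on an 1801).
! --- 203.0.113.0/29 is a placeholder for the real /29: .1 ISP gateway,
! --- .2 router, .3-.5 the three servers' public addresses.
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- One-to-one NAT: private server address <-> its public address ---
ip nat inside source static 10.0.10.10 203.0.113.3
ip nat inside source static 10.0.20.10 203.0.113.4
ip nat inside source static 10.0.30.10 203.0.113.5
!
! --- Isolation ACLs, applied inbound on each SVI. Traffic inside a VLAN
! --- never reaches the router, so only cross-VLAN and Internet-bound
! --- packets are evaluated here. Denying the public /29 also closes the
! --- path of reaching a neighbour via its NAT'd public address.
ip access-list extended DMZ-ISOLATE-10
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny   ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny   ip 10.0.10.0 0.0.0.255 203.0.113.0 0.0.0.7
 permit ip 10.0.10.0 0.0.0.255 any
!
ip access-list extended DMZ-ISOLATE-20
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 203.0.113.0 0.0.0.7
 permit ip 10.0.20.0 0.0.0.255 any
!
ip access-list extended DMZ-ISOLATE-30
 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 203.0.113.0 0.0.0.7
 permit ip 10.0.30.0 0.0.0.255 any
```

To check it, `show vlan-switch` should list each of FastEthernet2-4 under a different VLAN, `show ip nat translations` should show the three static entries, and from any server a ping to either neighbour's private or public address should fail while Internet traffic still works. A packet that a server sends with a spoofed source from another VLAN's subnet would match none of the ACL lines and be dropped by the implicit deny, which is the intended behaviour; if later a port is added for monitoring, it needs its own VLAN and its own ACL rather than a trunk of all three.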