New Office - 5 Public IPs assigned to individual Vlans

[imkidcable]

I'm trying to setup up a new office with different departments on a 5 vlan setup, however i was given 5 public IPs by my new ISP and i'd like to set all these departments up with a different public IP for better control and segregation of the networks. Here's what i had in mind, Any input on how I could accomplish this efficiently would be greatly appreciated.

ISP given addresses
xxx.xx.xxx.72 / 29
Router / default gateway = xxx.xx.xxx.73

Switch

Vlan1 Public
xxx.xx.xxx.74
Vlan1 private
192.168.1.1

Vlan2 Public
xxx.xx.xxx.75
Vlan2 private
192.168.2.1

Vlan3 Public
xxx.xx.xxx.76
Vlan3 private
192.168.3.1

Vlan4 Public
xxx.xx.xxx.77
Vlan4 private
192.168.4.1

Vlan5 Public
xxx.xx.xxx.78
Vlan5 private
192.168.5.1

------------
Some addition to the org. post.

I'm trying to setup up a new office with different departments on a 5 vlan setup, i'd like to set all these departments up with a different private IP for better control and segregation of the networks. Here's what i had in mind, Any input on how I could accomplish this efficiently would be greatly appreciated.


http://i.imgur.com/Gt3f2vS.png


I was able to make this configuration work in Cisco Packet Tracer using A generic router and 2960 switches. All end devices were able to DHCP.
However my ISP is informing me that i won't have access to the configuration of the router... how can i accomplish this purely in my HP 2620 switch?


here's my packet tracker show run from my router and management switch using only CISCO switches. http://pastebin.com/TUj6Wq29

 

[brshoemak]

Basically you're going to need to setup 1:1 NAT (one-to-one Network Address Translation) statements for each public IP and the associated VLAN.

Each statement would say, for example, all traffic originating from the 192.168.3.0 (/24 or whatever) network would translate to the xx.xx.xxx.76 public IP address.

Some idea about what equipment you are using/plan to use would be helpful as far as setup goes.

 

[imagoon]

Example of how it is done on Cisco ASA:

global (int_out) 3 8.8.8.3
global (int_out) 4 8.8.8.4
global (int_out) 5 8.8.8.10
global (int_out) 6 8.8.8.20
global (int_out) 7 8.8.8.21

nat (int_in) 0 access-list int_in_nat0_outbound
nat (int_in) 17231 access-list VoiceNetworkToNet
nat (int_in) 3 192.168.3.0 255.255.255.0
nat (int_in) 4 192.168.4.0 255.255.255.0
nat (int_in) 5 192.168.10.0 255.255.255.0
nat (int_in) 6 192.168.20.0 255.255.255.0
nat (int_in) 7 192.168.21.0 255.255.255.0

 

[yinan]

Giving them each a different public IP doesn't really segregate them. You are getting the segregation by using a VLAN. All you are doing by using a different public IP for each segment is limiting how many services you can provide to the outside world.

 

[imagoon]

Giving them each a different public IP doesn't really segregate them. You are getting the segregation by using a VLAN. All you are doing by using a different public IP for each segment is limiting how many services you can provide to the outside world.

Well it could. With what he described he could easily prevent the departments from ever communicating with each other.

 

[kevnich2]

Well it could. With what he described he could easily prevent the departments from ever communicating with each other.

I think what he's referring to is that the vlan's create the separation or possible separation between the departments - using different public IP's for each dept in no way actually creates the separation itself and I'm not actually sure what the OP wants to achieve by using different public IP's for each department.

 

[imkidcable]

My brain was dead tired when i wrote this and there have since been some revisions, please see below.

New Office - 5 private IPs assigned to individual Vlans - Internet Access

I'm trying to setup up a new office with different departments on a 5 vlan setup, i'd like to set all these departments up with a different private IP for better control and segregation of the networks. Here's what i had in mind, Any input on how I could accomplish this efficiently would be greatly appreciated.


http://i.imgur.com/Gt3f2vS.png


I was able to make this configuration work in Cisco Packet Tracer using A generic router and 2960 switches. All end devices were able to DHCP.
However my ISP is informing me that i won't have access to the configuration of the router... how can i accomplish this purely in my HP 2620 switch?


here's my packet tracker show run from my router and management switch using only CISCO switches. http://pastebin.com/TUj6Wq29

 

[yinan]

I will say it again, using 5 different public IPs does not give you better control and segregation.

You have your VLANs that all point to your central internal router, and as long as you do not set up routes between them, even with 1 external IP, they are still isolated. Even if they all go out the same interface.

 

[imkidcable]

If you look at the revision...the public IPs were removed.

 

[brshoemak]

I don't know who your ISP is or what kind of router they are using, but even if you can't touch the configuration on the router you should be able to call the ISP and have them put the router into bridge mode. Most ISPs will do this, but some will not or require an escalation to their their level 2 teams.

When the router is in bridge mode you would just take your own router and assign the xxx.xx.xxx.72 /29 address to the outside/WAN interface. You would probably have to reset both pieces of equipment afterwards, but it should come up without issue as long as they have done their part.

I have done this with Comcast/Verizon/TimeWarner/Charter/et al. usually with a Cisco ASA or router as the endpoint. At that point, you can setup your router however you want. I actually have a client I am going to see this morning who has their Cisco ASA 5505 behind a Comcast cable modem and has the static IPs assigned to the outside interface of the Cisco ASA.

 

[kevnich2]

Ok, your design NOW looks good. The exception is, you have to have a router, in your control, to route traffic between vlan's. If the only router on your network is your carrier's upstream router, you will need to purchase and install a router or a switch capable of layer 3 routing of your own to accomplish this.

 

[kevnich2]

Actually your switch HP 2620 looks like it has layer 3 routing capabilities. So you should be good. Just program those vlan's and then assign them the appropriate interface IP's and you should be good.

 

[drebo]

An HP 2620 cannot perform NAT, which is required for this.

You need an enterprise firewall or router to go between the 2620 and the ISP's router to NAT based on internal source IP address.

 

[kevnich2]

The op revised message simply wanted to route between vlans. - his switch will do that. In his revised message, nowhere does he mention wanting to have different public IP's. I'm pretty sure he's aware he will need a firewall for the Internet/wan portion of the network.

 

[drebo]

The op revised message simply wanted to route between vlans. - his switch will do that. In his revised message, nowhere does he mention wanting to have different public IP's. I'm pretty sure he's aware he will need a firewall for the Internet/wan portion of the network.

His diagram shows public IPs directly connected to the 2620 switch, which will not work.

Bottom line: OP needs to hire a consultant.