10-07-2002 02:45 PM - edited 03-02-2019 01:53 AM
In our building we provide bandwidth for some of the tenants. Currently they are assigned IP addresses randomly, in the /24 that our network uses, and connect to us via ethernet through an unmanaged switch. I need to renumber our network and therefore our in building customers as well. I obviously want to put them in their own network. The issue is some of the customers need only 1 IP address for one workstation. If I assign each customer a /30, would I not also have to add a secondary address on my router for each subnet? And would not each customer then need their own default gateway? Seems like a waste of space. If I assign let's say a /27 or /26 for all customers how can I keep their traffic separate? VLAN's? NAT through my PIX? Any advice would be appreciated.
10-07-2002 07:43 PM
Yes you can assign secondaries for each /30 and would need to if you were going to segment your customers as you mentioned. They would need their own default GW as well but some in small installs like to use Proxy Arp to avoid this. ... as you can imagine this gets ugly. Possibly a bigger subnet if security is not a concern. If the clients are coming into the same unmanaged (assuming this is not capable of VLANs) switch then creating a bunch of different networks might be a moot point since all the clients are already on the same L2 and need not pass through a router to get to devices off that switch if they can manipulate their IP/Mask.
DHCP makes addressing very nice, especially when you need to change something.
Best way to do this, in my opinion, is to get a router/switch that is capable of VLAN segmentation. Put customers in one or multiple VLANs and your devices in another. This would not allow these customers to access your "protected" equipment without going through your router (either trunk sub-interface or separate interface) where you can implement whatever security/QOS/redirection/etc you want.
There are a zillion different ways to do this depending on specifics of architecture, budget, PIX location/interfaces, etc. I hope this helps you out some.
Regards,
Don
10-08-2002 07:27 AM
Thanks Don. I do have a managed switch which I can deploy for this. So you are saying put building customers in one VLAN, our network in another? I can't use DHCP as some of these customers host their own email and web sites. I can assign a /26 for all, add an address in this range to the fast ethernet interface for their default gateway. I also have some colo customers that I think should be put in their own VLAN. I do have an additional fast ethernet interface on my 7206 that I could use but we send all traffic through a Packeteer bandwidth manager so not sure what I can run through this additional interface. Anyway when you say trunk sub interface I am not sure exactly what you mean. I think I need to do some studying on VLAN's and trunking before I proceed. If you have any suggestions on where I can find good info on VLAN's that would be great. Thanks again,
Mitchel
10-08-2002 07:37 AM
Mitchel,
Even with customers that host their own static services you can still deploy DHCP if you want. These static addresses can either be left out of what will be issued or you can bind HW (MAC) addresses to specific IP's so they always get the same one.
All trunking basically is, is a link that multiple VLANs traverse. The traffic is able to be separated with trunking/tagging headers (802.1q or ISL). If you have a switch that is capable of VLAN segmentation, use them. This will not only increase overall performance (limiting BCAST domain size) but increase the effectiveness of your security model. Here is a URL that might help explain a bit more in detail/better what trunking is and how VLAN segmentation can help you. It also shows you how to configure the router side as well.
http://www.cisco.com/warp/customer/473/50.shtml
Hope this helps,
Don
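An added example (not posted in this thread) of the trunk sub-interface layout Don describes: one 802.1q trunk from the 7206 to the managed switch, with our network, the building customers' /26 and the colo customers each on their own VLAN, and an ACL that stops customers reaching our VLAN or sourcing spoofed addresses. The VLAN IDs (10/20/30), the interface names and the documentation-range addresses are assumptions; substitute the real values.

```ios
! --- 7206: one trunk, one sub-interface per VLAN (router-on-a-stick) ---
interface FastEthernet0/1
 description 802.1q trunk to managed switch
 no ip address
!
interface FastEthernet0/1.10
 description Our own network (VLAN 10, placeholder address)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1.20
 description Building customers, shared /26, gateway is .1 (VLAN 20)
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.192
 no ip proxy-arp
 no ip redirects
 ip access-group CUSTOMER-IN in
!
interface FastEthernet0/1.30
 description Colo customers (VLAN 30)
 encapsulation dot1Q 30
 ip address 198.51.100.65 255.255.255.192
 no ip proxy-arp
!
! Customers may reach the Internet but not our VLAN; anything not sourced
! from their own /26 is a spoofed or misconfigured host and gets logged.
ip access-list extended CUSTOMER-IN
 deny   ip 198.51.100.0 0.0.0.63 192.0.2.0 0.0.0.255
 permit ip 198.51.100.0 0.0.0.63 any
 deny   ip any any log
!
! --- Managed switch (Catalyst IOS syntax) ---
vlan 10
 name OURNET
vlan 20
 name CUSTOMERS
vlan 30
 name COLO
!
interface FastEthernet0/24
 description Trunk to 7206
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/1
 description Customer A workstation, access port only
 switchport mode access
 switchport access vlan 20
```

Customers sharing VLAN 20 still share one broadcast domain with each other, so if tenants must also be isolated from one another, give each its own VLAN and sub-interface rather than one /26.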
10-08-2002 09:45 AM
int f0/1
ip address 10.0.0.1 255.255.255.252
ip address 10.0.0.5 255.255.255.252 secondary
ip address 10.0.0.9 255.255.255.252 secondary
you can create secondary ip's for a single interface in this manner
broadcast traffic is still visible by all