
Force an IP address on the other end

joel75941
Level 1

I may be overthinking this but here goes:

 

In a corporate environment or from an ISP, when you are issued a static IP address x.x.x.x, as in "Here, you must configure your router to use this IP address/mask/gateway", what is really happening on their end?

 

The only thing I can think of is that they are taking a L3 port, configuring the gateway there and setting up an ACL to only allow IP address x.x.x.x to communicate with it.  Is there any other way this scenario can be achieved?

 

Many thanks in advance.

7 Replies

Francesco Molino
VIP Alumni

Hi

 

Doing an L3 port facing each L3 static host won't be the ideal solution.

Let's take an example.

You're assigning IP 1.1.1.1 to a host that has MAC aaaa.bbbb.cccc and you don't want this IP to be used by another host with MAC dddd.eeee.ffff. With an ACL on L3 you'll use only the IP, and it doesn't secure this type of scenario.

 

For ISPs, just a parenthesis: depending on the type of link you have, you can have DHCP or static. When static, you have a small subnet that interconnects your router and theirs. 1 IP is used on the ISP side and the others are free to use on your side; they don't really care which one you want to use.

 

Lots of ISPs (not all) and a few companies use the DHCP snooping and ARP inspection features to secure this scenario. If all your network is DHCP then it's easy: if someone comes with a static IP, as there's no binding in the DHCP snooping database, the traffic will be dropped. And if you have some static hosts, you need to manually create an ACL to authorize that traffic. In that way, you can secure your network.

 

Here is a doc that shows you the config for DHCP and non-DHCP clients:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swdynarp.html#wp1039773

 

Hope this is what you were requesting.

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
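The combination Francesco describes (DHCP snooping for leased hosts, an ARP ACL for the static ones), written out as an added Catalyst IOS configuration that is not part of this thread or the linked Cisco guide. It reuses the host from the post (IP 1.1.1.1, MAC aaaa.bbbb.cccc); VLAN 10, the interface names and the location of the DHCP-server uplink are assumptions.

```cisco
! Added example (not from the thread or the linked Cisco guide): pin IP 1.1.1.1
! to MAC aaaa.bbbb.cccc on a Catalyst switch. VLAN 10, the interface names and
! the uplink towards the DHCP server are assumptions.

! 1. DHCP snooping builds the IP-to-MAC-to-port binding table for DHCP clients.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Dynamic ARP Inspection checks every ARP packet on VLAN 10 against that table
!    (and, with 'validate', against the Ethernet header as well).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. Static hosts have no lease in the snooping table, so list them in an ARP ACL
!    and attach it to the VLAN. Another MAC (dddd.eeee.ffff) claiming 1.1.1.1 in
!    ARP is dropped; a plain IP ACL on an L3 port cannot express this binding.
arp access-list STATIC-HOSTS
 permit ip host 1.1.1.1 mac host aaaa.bbbb.cccc
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 4. IP Source Guard extends the check from ARP to IP traffic: a static binding
!    for the host's port drops any IP packet whose source is not 1.1.1.1 from
!    aaaa.bbbb.cccc.
ip source binding aaaa.bbbb.cccc vlan 10 1.1.1.1 interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/1
 description static host 1.1.1.1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 5. The uplink towards the DHCP server and the rest of the network is trusted;
!    without this, DHCP offers and ARP replies arriving from there are dropped too.
interface GigabitEthernet1/0/24
 description uplink / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

After applying it, `show ip dhcp snooping binding` should list the leased hosts plus the static binding on Gi1/0/1, and `show ip arp inspection statistics vlan 10` counts the ARP packets DAI has dropped, which is the quickest way to notice a second machine trying to use 1.1.1.1.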

Hello,

 

What are you after? Do you want to imitate provider-level security at the edge? There really is a mass of measures ISPs (can) take, a lot of them geared towards BGP. Antispoofing ACLs/RFC 1918 ACLs/Infrastructure ACLs/Classification ACLs are also included.

 

Have a look at the document below, it gives a comprehensive overview of possible protection mechanisms:

 

Service Provider Security

 

https://www.cisco.com/c/en/us/about/security-center/service-provider-infrastructure-security.html

Genuine curiosity I guess.  From an admin perspective, if a provider/corporate tells me to use 63.241.14.5/24 for internet connectivity to my router for local networking, I'm thinking why do I have to use this IP?  Why won't it work if I statically assign 63.241.14.6/24 for example? 

 

I get that .6 might be in use for something else, but the idea of forcing me to use a particular IP address when the subnet realistically doesn't call for it; I've been reading through the ODOM/Lammle books for the CCNA exam and I haven't come across any forced situation like this.  Or maybe I have, and I'm just too dense to realize it.  That's why I've posed the question, hoping someone can shed some light on the topic.

 

Not so much the security aspect, just the concept of how it's possible to do this.  Right now I'm thinking there's no way to "force" an IP, only "filter" the traffic via ACL.

A common setup with an ISP is that they may well allocate a /30 for the actual link and then allocate a larger subnet to the customer for NAT purposes etc. 

 

If they do this they need to route that subnet to the customer so they need to know the next hop IP address which is why they tell the customer which one to use. 

 

Jon

Okay, but what if they are assigning just the single IP address?  What if I'm handling NAT on my side via PAT?  There shouldn't be any need for next hop entries in their routing table since the IP address they 'assign' me is directly connected, and all traffic appears to be coming from that directly connected IP.  It should still boil down to making sure I'm in the same subnet (which I would be if I use .6 instead of .5 on a /24).

 

I appreciate the response, but I'm still a bit confused...I mean I'm pretty sure I'm still misunderstanding something here.  I guess it's also possible that the configuration I was given isn't normal either.

If they are giving a single IP it would usually be from a /30 so they would want to make sure you used the right one. 

 

It is possible I suppose that a provider may use a shared public subnet for many customers so it would matter that you used the correct IP but I have not come across this setup. 

 

If they are giving you a subnet, as already said, they usually leave it up to you, providing you don't use their IP at the end of the link and they don't need to route another subnet to you.

 

Jon

In your example, using another IP won't work because on the ISP side, for routing purposes, the next hop is .5 and not .6.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
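Jon's /30-plus-routed-subnet setup and Francesco's closing point (the assigned address is the ISP's next hop) as an added IOS configuration for both ends of the link. This is not from the thread; the addresses are constructed from the RFC 5737 documentation ranges, and the interface names, the private LAN and the routed customer block 203.0.113.0/24 are assumptions.

```cisco
! Added example (not from the thread): why "use this address" matters. Addresses
! are constructed documentation ranges; interface names and the routed block are
! assumptions.

! ---- ISP edge router ----
interface GigabitEthernet0/1
 description Customer link, /30: .1 is the ISP end, .2 is the customer end
 ip address 198.51.100.1 255.255.255.252
!
! The customer's public block is reached via the customer's end of the /30.
! If the customer configures anything other than .2 here, ARP for this next hop
! never resolves and everything destined for 203.0.113.0/24 is black-holed.
ip route 203.0.113.0 255.255.255.0 198.51.100.2

! ---- Customer edge router ----
interface GigabitEthernet0/0
 description WAN to ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN (private addressing)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Default route towards the ISP end of the link.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
!
! Single-address case from the question: PAT everything behind the link address.
! The ISP needs no extra route for this; its connected /30 already covers .2,
! and in a /30 the customer has exactly one usable address anyway.
ip nat inside source list LAN-HOSTS interface GigabitEthernet0/0 overload
!
! Routed-block alternative: translate to the /24 the ISP routes towards .2
! instead of the link address (replace the 'overload' line above with these):
!   ip nat pool PUBLIC-BLOCK 203.0.113.1 203.0.113.254 netmask 255.255.255.0
!   ip nat inside source list LAN-HOSTS pool PUBLIC-BLOCK overload
```

On the ISP router `show ip route 203.0.113.0` shows the static route and its next hop 198.51.100.2; if the customer had used a different address, `show ip arp` there would carry an incomplete entry for .2 and the routed block would stop working even though the customer's own default route still resolved. On the customer side `show ip nat translations` confirms which public address (the link address or the pool) traffic leaves with.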