01-07-2019 01:50 PM - edited 03-05-2019 11:09 AM
Maybe I am overthinking this but I'm trying to figure out the recommended way to configure our 4431s to act as the "provider edge" for a small multi-tenant environment. I want to take a public /24 network (assigned by our provider and advertised through our public BGP AS) and assign each tenant a small subnet (/27 - /30 sizes depending on need) so they can bring in their own firewall appliances or other colocated equipment and safely use our address space, with each tenant's address space isolated from the other tenants.
So far, the most logical approach seems to be VLAN subinterfaces and assigning each tenant a VLAN. The 4431 router would have one IP from each subnet and the tenant equipment would get the rest. It seems like it would be a very basic ISP type setup. This seems like it would make things like bandwidth management, NetFlow tracking, QoS, etc, easy because it is logically separated and isolated.
Now, to add a little more complexity to this, I would like to make the routers highly available. We have 2 x 4431s, each connecting to a separate ISP, and we present our assigned IP networks using BGP. We have used HSRP in the past with a single /24 that was not subnetted, but for these smaller blocks I have been looking at GLBP because it doesn't seem to consume the extra IP addresses that HSRP requires, since it appears to be a layer 2 technology. I assume this would work on subinterfaces?
Another option that came up was to just use a single interface with secondary IP addresses, but I like the layer 2 isolation that VLANs provide to prevent the tenants from even accidentally overlapping network settings with another tenant. I've also seen mention of PPPoE and ATM, QinQ, and probably others, which is why I'm here asking what the recommended way is for a small environment like this given the hardware I have.
I guess one of my biggest concerns is around the number of subinterfaces supported and the number of VLANs supported. I can't find any information about the maximums for these routers.
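To make the per-tenant VLAN subinterface design concrete, here is an added planning script (my example, not code from the thread or from Cisco). It carves a /24 into the /27 - /29 tenant blocks, reserves the addresses a redundant gateway needs, and emits the IOS-XE style subinterface stanza for each of the two edge routers. One point it enforces: HSRP and GLBP both use a virtual gateway address in addition to each router's own address on the subinterface, so every tenant subnet has to hold two router addresses plus the virtual address plus at least one tenant host, which a /30 cannot do. The 203.0.113.0/24 block (RFC 5737 documentation space), the VLAN numbers, the tenant names and the parent interface name are all constructed placeholders; the `ip verify unicast source reachable-via rx` line enables strict uRPF so a tenant cannot source packets from another tenant's addresses.

```python
# Added example: plan tenant VLAN subinterfaces out of a public /24 and render
# IOS-XE style config for two edge routers sharing a GLBP virtual gateway.
# All addresses, VLAN ids and interface names below are constructed placeholders.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    prefixlen: int   # requested block size, e.g. 27 for a /27
    vlan: int        # 802.1Q tag; also reused as the GLBP group id (0-1023)


ROUTERS = 2
# Two real router addresses + one virtual gateway + at least one tenant host.
MIN_USABLE = ROUTERS + 1 + 1


def allocate(block: str, tenants: list[Tenant]) -> dict[str, ipaddress.IPv4Network]:
    """Best-fit carve-up of `block`: largest requests first so the /24 does
    not fragment, each request placed in the smallest free block that fits."""
    free = [ipaddress.ip_network(block)]
    plan: dict[str, ipaddress.IPv4Network] = {}
    for t in sorted(tenants, key=lambda t: t.prefixlen):
        if 2 ** (32 - t.prefixlen) - 2 < MIN_USABLE:
            raise ValueError(
                f"{t.name}: a /{t.prefixlen} cannot hold two routers, "
                f"a virtual gateway and a tenant host")
        free.sort(key=lambda n: n.prefixlen, reverse=True)  # smallest blocks first
        for i, cand in enumerate(free):
            if cand.prefixlen <= t.prefixlen:
                free.pop(i)
                chosen = next(cand.subnets(new_prefix=t.prefixlen))
                free.extend(cand.address_exclude(chosen))  # return the remainder
                plan[t.name] = chosen
                break
        else:
            raise ValueError(f"no space left in {block} for {t.name}")
    return plan


def render(t: Tenant, net: ipaddress.IPv4Network, router_index: int,
           parent_if: str = "GigabitEthernet0/0/1") -> str:
    """Subinterface stanza for edge router `router_index` (0 or 1).
    Address layout inside each tenant block: .1 virtual gateway, .2 and .3 the
    two routers, everything after that belongs to the tenant."""
    if not 0 <= router_index < ROUTERS:
        raise ValueError("router_index out of range")
    if not 0 <= t.vlan <= 1023:
        raise ValueError("GLBP group ids run 0-1023; map VLAN to a group id separately")
    hosts = list(net.hosts())
    vip, real = hosts[0], hosts[1 + router_index]
    return "\n".join([
        f"interface {parent_if}.{t.vlan}",
        f" description {t.name} {net.with_prefixlen}",
        f" encapsulation dot1Q {t.vlan}",
        f" ip address {real} {net.netmask}",
        " ip verify unicast source reachable-via rx",   # strict uRPF per tenant
        f" glbp {t.vlan} ip {vip}",
        f" glbp {t.vlan} priority {110 - 10 * router_index}",
        f" glbp {t.vlan} preempt",
        "!",
    ])


def render_all(block: str, tenants: list[Tenant]) -> dict[int, str]:
    """Full per-router config text keyed by router index."""
    plan = allocate(block, tenants)
    return {r: "\n".join(render(t, plan[t.name], r) for t in tenants)
            for r in range(ROUTERS)}


if __name__ == "__main__":
    demo = [Tenant("tenant-a", 27, 101), Tenant("tenant-b", 28, 102),
            Tenant("tenant-c", 29, 103)]
    for r, text in render_all("203.0.113.0/24", demo).items():
        print(f"! ---- edge router {r} ----\n{text}")
```

Run it as-is to see both routers' stanzas; tenant-a lands on 203.0.113.0/27 with 203.0.113.1 as the shared gateway and .2/.3 as the routers' own addresses, so the tenant's firewall gets .4 through .30. Asking for a /30 raises immediately rather than producing a subnet with no room for the tenant.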
01-07-2019 02:29 PM - edited 01-07-2019 02:30 PM
Hi @johnyarborough,
The datasheet for that device indicates that it supports 802.1q encapsulation:
Encapsulations: Generic routing encapsulation (GRE), Ethernet, 802.1q VLAN, Point-to-Point Protocol (PPP), Multilink Point-to-Point Protocol (MLPPP), Frame Relay, Multilink Frame Relay (MLFR) (FR.15 and FR.16), High-Level Data Link Control (HDLC), Serial (RS-232, RS-449, X.21, V.35, and EIA-530), and PPP over Ethernet (PPPoE)
I suppose that this includes all the technology (4093):
https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/encapsulation-dot1q.html
To enable IEEE 802.1Q encapsulation of traffic on a specified subinterface, use the encapsulation dot1q command. To disable encapsulation, use the no form of this command.
encapsulation dot1Q vlan-id
no encapsulation dot1Q vlan-id
vlan-id: VLAN to set when the interface is in access mode; valid values are from 1 to 4093, except for the VLANs reserved for internal switch use.
Regards
01-07-2019 03:20 PM
@luis_cordova I know the range is technically up to 4094 (or thereabouts depending on platform), but most platforms have a maximum number of configured VLANs, and it is usually somewhere between 256 and 1024, although I've seen some lower-end switches limited to around 64.
01-07-2019 02:49 PM
Hello,
the 4331 supports a feature called Interchassis High Availability, you might want to have a look at that:
01-07-2019 03:26 PM
@Georg Pauwen Very interesting. I have never heard of this so I'll do some research and see if it fits my scenario for the HA portion. Thanks!