Cisco 3750 - Public VLAN routing

Nicholas Beard
Level 1

Hi everyone,

I have a quick query which I need ratified before proceeding.  I have the following scenario -

  • Two Cisco 3750v2 switches with stackwise
  • ISP allocated block of /26 (64 addresses)
  • 8 customers each with a VLAN and SVI
  • Internet facing VLAN and SVI
  • Default route to ISP router

Let's say the ISP has given me the network range 10.10.10.0/26 (we'll assume this is routable on the internet for the purposes of this example) and a default gateway to the internet of 10.10.10.1 within this range.  I have configured a public facing VLAN as follows -

vlan 300
 name PUBLIC
!
interface Vlan300
 ip address 10.10.10.2 255.255.255.252

I have then created a default route as follows -

ip route 0.0.0.0 0.0.0.0  10.10.10.1

With this configured, the switch can successfully route upstream to the internet with no problems. 

I have then moved onto the customers and depending on what service they have purchased, I have subnetted the 10.10.10.0/26 range into smaller subnets.  See as follows -

Customer A - 10.10.10.4/30
 Gateway IP - 10.10.10.5
 Usable IPs - 10.10.10.6

Customer B - 10.10.10.8/29
 Gateway IP - 10.10.10.9
 Usable IPs - 10.10.10.10 - 10.10.10.14

This continues for each customer depending on how many IPs they have purchased.  I have then assigned these IP ranges to a customer VLAN and SVI as follows -

Customer A

vlan 10
 name CUST-A-VLAN
!
interface Vlan10
 ip address 10.10.10.5 255.255.255.252

Customer B

vlan 20
 name CUST-B-VLAN
!
interface Vlan20
 ip address 10.10.10.9 255.255.255.248

It is then up to the customer as to what equipment they use and how they NAT or firewall their internal networks.  My question to the community would be, is this the most efficient and appropriate method for performing this solution based on the two 3750 switches provided?

Thanks

Nick

5 Replies

Latchum Naidu
VIP Alumni

Hi Nick,

The above looks fine to me.
Make sure the inter-VLAN routing is working perfectly.

And even if each customer uses a different device (firewall/router) to perform NAT, all requests come to your STACK only, as the default route for the whole subnet is defined here and points to the ISP. So you may need to think about the CPU burden on the STACK.


Please rate the helpful posts.
Regards,
Naidu.

Hi Nick ,

This will work, but if I understand correctly these are two different customers and they merge at your switch.

Can this be a security concern with inter-VLAN routing?

If this is not a concern then no issues, this will work. However, think of future customer growth on these switches.

Also, in case in future you have an additional ISP added, say ISP-2 as a backup ISP, this will not scale much.

Mohammed,

Thanks for the response. Yes, all 8 customers are different and therefore have to be secured.  In order to ensure security I have performed the following -

  • Set all customer uplink ports to access ports

interface FastEthernet1/0/2
 description CUST-B-VL20-ACCESS-ACT
 switchport access vlan 20
 switchport mode access
 mls qos vlan-based
 lacp port-priority 1
 channel-protocol lacp
 channel-group 2 mode active

  • Apply access lists to customer VLAN SVI to prevent access between VLANs (I have used private IPs only as an example)

ip access-list extended CUST-B-VL20-ACL
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip any any

In order to address the scalability concern, this is a datacenter with an active and primary feed provided by the ISP as a breakout to the internet.  There will be no requirement to add additional ISPs.

You mentioned "future customer growth on these switches".  What would be your concerns based on the above configuration if the customers were to grow to fill the switch?  If this was the case I would simply add to the switch stack.  As the gentleman (Latchum) above mentioned, my major concern is with the stack CPU burden, but the acid test and benchmark for this will be when the first few customers go live.

Thanks

Nick
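The two posts above describe a scheme by hand: carve the ISP /26 into an uplink /30 plus one aligned subnet per customer, put the lowest host on each SVI, and hang an inbound ACL on every SVI that blocks that customer's subnet from reaching the other customers' subnets. The following Python is an added example, not code from the thread or from Cisco: it generalises that scheme to any number of customers, checks the carve for overlaps before any config is pasted, and emits the per-customer IOS fragments using the real public subnets rather than the 192.168.x.0 placeholders in the post. The customer names, VLAN numbers and the third /28 customer are assumptions for the example; the `ip access-group ... in` line is the standard way such an ACL is applied to an SVI and is not shown in the original.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan mirroring the thread: the ISP hands over a /26, the
# bottom /30 is the uplink VLAN (.1 = ISP router, .2 = the 3750 stack) and the
# rest is carved into one subnet per customer. Names, VLAN numbers and the
# /28 customer are assumptions for this example, not a real deployment.
ISP_BLOCK = ipaddress.ip_network("10.10.10.0/26")
UPLINK = ipaddress.ip_network("10.10.10.0/30")
CUSTOMERS: List[Tuple[str, int, int]] = [
    ("CUST-A", 10, 30),   # 1 usable customer address
    ("CUST-B", 20, 29),   # 5 usable customer addresses
    ("CUST-C", 30, 28),   # 13 usable customer addresses (assumed)
]


def carve(block, reserved, customers):
    """First-fit allocation: each customer gets the lowest aligned subnet of the
    requested size that overlaps neither the reserved uplink nor an earlier
    customer. Returns {name: (vlan, network)}; raises when the block is full."""
    taken = [reserved]
    plan: Dict[str, Tuple[int, ipaddress.IPv4Network]] = {}
    for name, vlan, plen in customers:
        if plen <= block.prefixlen:
            raise ValueError(f"{name}: /{plen} does not fit inside {block}")
        for cand in block.subnets(new_prefix=plen):
            if not any(cand.overlaps(t) for t in taken):
                taken.append(cand)
                plan[name] = (vlan, cand)
                break
        else:
            raise ValueError(f"{name}: no free /{plen} left in {block}")
    return plan


def check_plan(block, reserved, plan):
    """Checks to run before pasting config: every customer subnet lies inside
    the ISP block, none touches the uplink /30, and no two overlap."""
    nets = [n for _, n in plan.values()]
    for n in nets:
        if not n.subnet_of(block):
            raise ValueError(f"{n} is outside {block}")
        if n.overlaps(reserved):
            raise ValueError(f"{n} collides with uplink {reserved}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def gateway(net):
    """Lowest host is the SVI address, as in the thread (.5 for .4/30, .9 for .8/29)."""
    return next(net.hosts())


def usable_count(net):
    """Addresses left for the customer: total minus network, broadcast and gateway."""
    return net.num_addresses - 3


def svi_config(name, vlan, net, plan):
    """IOS fragment for one customer: an ACL denying this subnet to every other
    customer subnet (wildcard masks, as IOS ACLs expect), the VLAN, and the SVI
    with the ACL applied inbound so it sees traffic arriving from the customer."""
    acl = f"{name}-VL{vlan}-ACL"
    lines = [f"ip access-list extended {acl}"]
    for other, (_, o) in plan.items():
        if other != name:
            lines.append(f" deny   ip {net.network_address} {net.hostmask} "
                         f"{o.network_address} {o.hostmask}")
    lines += [
        " permit ip any any",
        "!",
        f"vlan {vlan}",
        f" name {name}-VLAN",
        "!",
        f"interface Vlan{vlan}",
        f" ip address {gateway(net)} {net.netmask}",
        f" ip access-group {acl} in",
        "!",
    ]
    return "\n".join(lines)


def build_all(block=ISP_BLOCK, uplink=UPLINK, customers=CUSTOMERS):
    """Carve, validate, and return (plan, full config text for all customers)."""
    plan = carve(block, uplink, customers)
    check_plan(block, uplink, plan)
    cfg = "\n".join(svi_config(n, v, net, plan) for n, (v, net) in plan.items())
    return plan, cfg


if __name__ == "__main__":
    plan, cfg = build_all()
    for name, (vlan, net) in plan.items():
        print(f"{name}: VLAN {vlan} {net} gateway {gateway(net)} usable {usable_count(net)}")
    print(cfg)
```

With the thread's sizes the first-fit carve reproduces the post exactly (CUST-A gets 10.10.10.4/30 with gateway .5, CUST-B gets 10.10.10.8/29 with gateway .9) because 10.10.10.0/30 is already taken by the uplink. Because every SVI carries its own inbound deny list, customer-to-customer traffic is dropped at whichever SVI it enters, so each ACL only needs to name the other subnets as destinations; regenerating all fragments when a customer is added or removed is what keeps the per-SVI lists in sync, which is the maintenance problem Mohammed's later reply raises.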

Hi Nick,

As long as you have a separate SVI for each customer and restrict access between them, it is fine.


And for now you may not need to think more about your STACK CPU, because the NATing part will be done on the customer device (router/firewall), which consumes more CPU load. So your STACK will handle only routing (static default route), so this may not put more burden on your STACK.

I have the same kind of setup at one of my data center where I have /23 subnet and all customers (nearly 15) go to internet via this subnet only. But I have 2951r at edge (facing internet) and in LAN I have 4507r.


Please let me know if you need any suggestions or have any concerns.


Please rate the helpful posts.
Regards,
Naidu.

Hi Nick ,

No issues with CPU at this point, you have very, very few customers connected as of now.

Just focus on customer security related things.

Your above config will work.

A route-map will be very easy for this kind of setup instead of adding / deleting subnets from the access-list on each SVI. This will be easy if you use route-maps.

Using route-maps will also help in future in case you add another ISP etc.

You can play much better with route-maps; an access-list alone doesn't allow much flexibility.
