How to create a HA L3 Default Gateway for Customers Firewalls

William Reed
Level 1

Hello,

I am getting handed a SINGLE 1Gbps Ethernet link from my ISP with a /24 block of public IPs. I have this coming by December. I am also looking into having backup provider within a year, so keep that in mind. I have several customers in my building I am going to provide internet access for. My question is how to provide all my customers a Highly Available default route for their firewalls?

I am going to be in control of my /24 of IPs, and I also have 2 Cisco 6509-Es with Dual Sup 720s I would like to use for this project.

My question is how do I split the single link from my ISP to feed into both 6509s? Do I need another switch? Obviously one with redundant power...

Do I then just bring the ISP links into the 6509s as access ports and create HSRP VLAN interfaces on each 6509? I would then point my customers' firewalls to the .2 IP address in my block.

My default route will be .1 (the ISP's router) in my /24 block of IPs.

I am brainstorming this now to come up with the best config. Any thoughts or ideas on how to accomplish this are welcome.


18 Replies

Hello,

If you do not want to waste IPs and want high availability, give each customer two links. I suppose you can provide Ethernet since you are in the same building.

1- first way

A- Create a vlan for each customer.

B- Create interface vlan for each customer and configure HSRP or VRRP with private IP.

C- Give each customer a private address to put on their link, your private address for their default route, and a subnet of public addresses. 8 private addresses for each customer (3 for your side for HSRP and 1, 2 or 3 for the customer).

 

2- second way, by private VLAN

A- Put the whole range on one SVI (HSRP or VRRP configured), which is the primary VLAN.

B- Put your customers in isolated VLANs.

In this way you are not wasting any IPs and you are able to keep your customers separated. You do not need any access-list to block your customers from one another.

 

 

Hope it helps,

Masoud
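Added example, not from the thread or from Masoud: what his "first way" looks like on the first 6509 (SW1), in IOS configuration. The 1.1.1.0/24 block and the ISP router at 1.1.1.1 come from the question; every VLAN number, private transit range (10.255.x.0/29), customer public subnet, port name and the HSRP key string are assumptions chosen for illustration. SW2 gets the same configuration with the addresses noted in the comments and the default HSRP priority.

```cisco
! Added example: per-customer VLAN with an HSRP gateway on a private /29
! transit, on SW1. All VLAN numbers, 10.255.x.x ranges, customer public
! subnets and port names are assumptions.
!
! Object 1 follows the ISP-facing SVI so a 6509 that lost its uplink side
! lowers its HSRP priority and lets the other take over
track 1 interface Vlan2 line-protocol
!
! ---- Inter-switch trunk: HSRP hellos for every customer VLAN cross here
interface Port-channel1
 description SW1<->SW2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,101,102
!
! ---- ISP-facing VLAN: the ISP hand-off and both 6509s sit here
vlan 2
 name ISP-UPLINK
interface Vlan2
 ip address 1.1.1.3 255.255.255.0       ! SW2: 1.1.1.4
 ip proxy-arp                           ! see the note below
 no ip redirects
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1        ! default toward the ISP router
!
! ---- Customer 1: dedicated VLAN, private /29 transit, HSRP gateway
vlan 101
 name CUST1-TRANSIT
interface Vlan101
 ip address 10.255.1.2 255.255.255.248  ! SW2: 10.255.1.3
 no ip redirects
 no ip proxy-arp
 standby version 2
 standby 101 ip 10.255.1.1              ! the customer's default gateway
 standby 101 priority 110               ! SW2 keeps the default 100
 standby 101 preempt delay minimum 60
 standby 101 authentication md5 key-string CHANGE-ME
 standby 101 track 1 decrement 20
!
! Public /29 carved out of the /24, routed to customer 1's firewall,
! whose outside address on the transit is assumed to be 10.255.1.4
ip route 1.1.1.128 255.255.255.248 10.255.1.4
!
! ---- Customer 2: same pattern with its own VLAN and transit
vlan 102
 name CUST2-TRANSIT
interface Vlan102
 ip address 10.255.2.2 255.255.255.248  ! SW2: 10.255.2.3
 no ip redirects
 no ip proxy-arp
 standby version 2
 standby 102 ip 10.255.2.1
 standby 102 priority 110
 standby 102 preempt delay minimum 60
 standby 102 authentication md5 key-string CHANGE-ME
 standby 102 track 1 decrement 20
ip route 1.1.1.136 255.255.255.248 10.255.2.4
```

Two points a practitioner would check before deploying this. First, the ISP router believes the whole /24 is on its link, so it will ARP for 1.1.1.128-135 on VLAN 2; `ip proxy-arp` on Vlan2 makes the 6509s answer for the subnets they route, and either switch answering is fine since both hold the routes. The cleaner alternative is to ask the ISP to route the carved-out subnets (or the whole /24) to an HSRP address on VLAN 2, at the cost of a third public address there. Second, HSRP authentication and `no ip proxy-arp` on the customer SVIs keep a customer's device from joining the gateway group or having the 6509 answer ARP on its behalf; the private transit also means a customer never sees another customer's VLAN at all, which is the separation Masoud's first option relies on.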


I think I like option 2. Can you elaborate more on private VLANs? I have never used them before. :)

What if the customers' networks legitimately need to talk? Like sending email to each other. Would that work with private VLANs?

In a private VLAN, you have a primary VLAN and secondary VLANs. It is like you divide one VLAN into several VLANs. Secondary VLANs cannot see each other (separate broadcast domains), but can see the primary VLAN. In your case you put your public IP on primary VLAN 10 or any VLAN, let's say 1.1.1.1/24. (You can configure HSRP.)

You give each customer some public addresses.

customer1    1.1.1.100-105/24 gateway 1.1.1.1 - secondary vlan 500, primary vlan 10

customer2    1.1.1.106-107/24 gateway 1.1.1.1 - secondary vlan 501, primary vlan 10

customer3    1.1.1.108-111/24 gateway 1.1.1.1 - secondary vlan 502, primary vlan 10

If you noticed, they share only one range of IPs but they cannot see each other.

There are several kinds of secondary VLAN (isolated, community, ...).

Customers in the same community VLAN can see each other in layer 2, but cannot see a customer in an isolated VLAN or a customer in a different community VLAN.

An isolated VLAN only sees the primary VLAN. My example above was with isolated VLANs.

It is only a basic explanation. Hope it is helpful.

Masoud
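Added example, not from the thread or from Masoud: his "second way" as IOS configuration on one 6509 (SW1). Primary VLAN 10 and the customer address ranges follow his reply; the HSRP address .2 follows William's question, with SW1 at .3 and SW2 at .4; port names, the HSRP key string and which customer lands in which secondary VLAN are assumptions. One thing the reply glosses over and the example reflects: a primary VLAN can carry only one isolated VLAN (plus any number of community VLANs), and one isolated VLAN is enough, because isolated ports never see each other even inside the same secondary VLAN. So customers 1 and 3 share isolated VLAN 500 here, and customer 2 sits in community VLAN 501, where any other port put in 501 would be a layer 2 neighbour.

```cisco
! Added example: private VLAN with an HSRP gateway on the primary SVI, on SW1.
! VLAN 10 / 500 / 501, the .2 VIP and the address ranges follow the thread;
! port names and the CHANGE-ME key are assumptions.
!
vtp mode transparent                    ! private VLANs need transparent (or VTP v3) mode
!
! ---- Primary VLAN carries 1.1.1.0/24; secondaries are carved out of it
vlan 10
 name PUBLIC-PRIMARY
 private-vlan primary
 private-vlan association 500,501
vlan 500
 name ISOLATED-CUSTOMERS               ! customers 1 and 3: see the gateway only
 private-vlan isolated
vlan 501
 name COMMUNITY-CUST2                  ! customer 2 and anyone who must share L2 with it
 private-vlan community
!
! ---- HA gateway: SVI on the primary VLAN, mapped to every secondary
interface Vlan10
 ip address 1.1.1.3 255.255.255.0       ! SW2: 1.1.1.4
 private-vlan mapping 500,501
 no ip redirects
 no ip proxy-arp                        ! and no "ip local-proxy-arp": it would let isolated hosts reach each other via the gateway
 ip access-group NO-HAIRPIN in
 standby version 2
 standby 10 ip 1.1.1.2                  ! the .2 the customers' firewalls point at
 standby 10 priority 110                ! SW2 keeps the default 100
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string CHANGE-ME
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1        ! ISP router, sitting on the promiscuous port
!
! A host that addresses a frame to the gateway MAC with another customer's IP
! as destination would be routed straight back onto the /24, bypassing the
! layer 2 isolation; the gateway refuses to route customer-to-customer.
ip access-list extended NO-HAIRPIN
 permit ip 1.1.1.0 0.0.0.255 host 1.1.1.2   ! customers may still reach the gateway addresses
 permit ip 1.1.1.0 0.0.0.255 host 1.1.1.3
 permit ip 1.1.1.0 0.0.0.255 host 1.1.1.4
 deny   ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip any any
!
! ---- ISP hand-off: promiscuous, talks to every secondary
interface GigabitEthernet1/1
 description ISP 1Gbps hand-off
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 500,501
!
! ---- Customer ports: host ports bound to their secondary VLAN
interface GigabitEthernet2/1
 description customer1 firewall (1.1.1.100-105), isolated
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 10 500
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet2/2
 description customer3 firewall (1.1.1.108-111), isolated: no L2 path to customer1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 10 500
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet2/3
 description customer2 firewall (1.1.1.106-107), community 501
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 10 501
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---- Trunk to SW2: carries the primary and both secondaries. SW2 needs the
! identical vlan / private-vlan definitions, or isolation ends at the trunk.
interface Port-channel1
 description SW1<->SW2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,500,501
```

Return traffic from the ISP router reaches a customer directly (promiscuous port to host port) without passing the SVI, so the ACL only ever sees what customers send toward the gateway. The ISP router itself is also a promiscuous device and could route between two customers in the same way; that side is outside William's control, which is one reason to keep an eye on whether inter-customer reachability through the gateway is acceptable, as the later replies in this thread discuss.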


So with this setup would Customer A be able to communicate with Customer B's servers? Remember that is OK, but I would like to keep broadcast domains and such under control if possible.

If they are in a community VLAN, they can see each other directly in layer 2.

 

edited : *********************************************

 

I am OK with them seeing each other at Layer 3 only. I take it the 6509 would do the routing?

 

How does that work? Won't all computers try to directly connect to a device in the same subnet without attempting to go through an L3 device?

I am sorry. I was wrong about isolated VLANs. If you put customers in an isolated VLAN, they cannot see each other even in layer 3. If you need two customers to see each other, you need either to put them in a community VLAN or to configure two separate primary VLANs. In this way, a customer can see the other in L3. As I said before, this method is less flexible. It is mostly preferred by data centers which host customers' servers.

So if all the customers are in the same community VLAN, that is essentially the same as a normal VLAN, correct?

From one perspective, yes. Customers in a community VLAN can communicate directly in L2; however, the SVI is created for the primary VLAN associated with the community VLAN.

OK.

Next question. What is the best way to limit each customer to only 20 Mbps of bandwidth?

ISPs with more customers usually have separate devices to control bandwidth. You should be able to limit each customer on the corresponding SVI on your 6500 since you have only a few customers. There are two major ways to limit bandwidth: police and shape. Shape works more smoothly than police, but has some limitations in controlling egress traffic. I do not have enough information on traffic shaping. You should ask your question in a separate post. I am sure you will get better answers.

Some ratings for my previous answers would be much appreciated.

Masoud
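Added example, not from the thread or from Masoud: one way to cap a customer at 20 Mbps with a single-rate policer on a Catalyst 6500 with Sup720/PFC3, in IOS configuration. The 20 Mbps figure is William's; the interface names, policy name and burst value are assumptions. Policing is what the PFC does in hardware (it drops what exceeds the rate rather than queueing it, which is the "less smooth" behaviour Masoud mentions), and the exact policer options accepted depend on the PFC and IOS version in use, so this should be checked on the actual chassis.

```cisco
! Added example: 20 Mbps single-rate policer per customer on a 6500.
! Interface names, CUST-20M and the 625000-byte burst are assumptions.
!
mls qos                                 ! PFC QoS is off by default; nothing below takes effect without it
!
! 20 Mbps = 20,000,000 bit/s; normal burst 625,000 bytes, i.e. 250 ms at 20 Mbps
policy-map CUST-20M
 class class-default
  police 20000000 625000 conform-action transmit exceed-action drop
!
! ---- Per-port variant: fits the private VLAN design, where every customer
! shares one SVI, so the customer's own access port is the natural place
interface GigabitEthernet2/1
 description customer1 firewall
 service-policy input CUST-20M
!
! ---- Per-SVI variant for the per-customer VLAN design: the policy sits on the
! customer's SVI, and the physical ports in that VLAN must be switched to
! VLAN-based QoS, otherwise the SVI policy is never applied to their traffic
interface GigabitEthernet2/5
 description customer2 firewall, VLAN 102
 switchport access vlan 102
 mls qos vlan-based
interface Vlan102
 service-policy input CUST-20M
```

Both variants limit what the customer sends into the 6509; the direction toward the customer needs a matching output policy, and whether the PFC in the chassis supports egress policing on the line card in question should be confirmed before relying on it.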


Hi William,

Check out the link below on the QoS difference between policing and shaping for bandwidth limitation.

QoS sample

Hope it helps.

-GI

If you have enough IPs and your customers have their own firewalls, I would prefer my first solution, because your hands are more open, the network is scalable and changes are easier.

Your WAN configuration varies depending on the type of link and also the routing your service provider offers.
