10-26-2015 08:03 PM - edited 03-08-2019 02:27 AM
Hello,
I am getting handed a SINGLE 1Gbps Ethernet link from my ISP with a /24 block of public IPs. I have this coming by December. I am also looking into having backup provider within a year, so keep that in mind. I have several customers in my building I am going to provide internet access for. My question is how to provide all my customers a Highly Available default route for their firewalls?
I am going to be in control of my /24 of IPs, and I also have 2 Cisco 6509-Es with Dual Sup 720s I would like to use for this project.
My question is how do I split the single link from my ISP to feed into both 6509s? Do I need another switch? Obviously one with redundant power...
Do I then just bring the ISP links into the 6509s as access ports and create HSRP Vlan interfaces on each 6509? I would then point my customers firewalls to .2 IP address in my block.
My default route will be .1(ISPs Router) in my /24 block of IPs.
I am brainstorming this now to come up with the best config. Please any thoughts or ideas are welcome on how to accomplish this.
10-26-2015 10:30 PM
In a private VLAN, you have a primary VLAN and secondary VLANs. It is like you divide one VLAN into several VLANs. Secondary VLANs can not see each other (separate broadcast domains), but can see the primary VLAN. In your case you put your public IP on primary VLAN 10 or any VLAN, let's say 1.1.1.1/24 (you can config HSRP).
You give each customer some public addresses.
customer1 1.1.1.100-105/24 gateway 1.1.1.1 - secondary vlan 500, primary vlan 10
customer2 1.1.1.106-107/24 gateway 1.1.1.1 - secondary vlan 501, primary vlan 10
customer3 1.1.1.108-111/24 gateway 1.1.1.1 - secondary vlan 502, primary vlan 10
If you noticed, they share only one range of IP but they can not see each other.
There are several kinds of secondary VLAN (isolated, community, ...).
Customers with the same community vlan can see each other in layer 2, but can not see customer in isolated vlan or a customer in different community vlan.
Isolated VLANs only see the primary VLAN. My example above was an isolated VLAN.
It is only a basic explanation. Hope it is helpful.
Masoud
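As an added example (not from the original thread or any of its posters), here is what the private-VLAN design described above looks like in Cisco IOS syntax on the two 6509s, with HSRP on the single primary-VLAN SVI so customers get one highly available gateway. The addressing follows the original poster's plan rather than the 1.1.1.1 gateway in the reply: the ISP router is assumed to be 1.1.1.1 on a promiscuous port, the HSRP virtual IP is 1.1.1.2, and the SVIs are 1.1.1.3 and 1.1.1.4. The VLAN numbers, port numbers and key string are assumptions.

```ios
! ---- 6509-A (intended HSRP active) ----
! Private VLANs require VTP transparent mode (VTP v1/v2)
vtp mode transparent
!
vlan 500
 name customer1
 private-vlan isolated
!
vlan 501
 name customer2
 private-vlan community
!
vlan 502
 name customer3
 private-vlan community
!
vlan 10
 name public-primary
 private-vlan primary
 private-vlan association 500,501,502
!
! One SVI for the whole /24. The mapping lets hosts in the secondary
! VLANs use this interface (and the HSRP VIP) as their gateway.
interface Vlan10
 ip address 1.1.1.3 255.255.255.0
 private-vlan mapping 500,501,502
 no ip redirects
 no ip proxy-arp
 standby version 2
 standby 1 ip 1.1.1.2
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-HSRP-KEY
!
! Customer ports: host ports bound to their secondary VLAN
interface GigabitEthernet1/1
 description customer1 firewall (isolated VLAN 500)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 10 500
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description customer2 firewall (community VLAN 501)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 10 501
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ISP handoff: promiscuous port in the primary VLAN, reachable from all secondaries
interface GigabitEthernet1/3
 description ISP router 1.1.1.1
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 500,501,502
!
! Trunk to 6509-B must carry the primary and every secondary VLAN
interface TenGigabitEthernet5/4
 description to 6509-B
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,500-502
 switchport mode trunk
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! ---- 6509-B: identical VLAN, host-port and trunk configuration; only the SVI differs ----
interface Vlan10
 ip address 1.1.1.4 255.255.255.0
 private-vlan mapping 500,501,502
 no ip redirects
 no ip proxy-arp
 standby version 2
 standby 1 ip 1.1.1.2
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-HSRP-KEY
```

Verify with `show vlan private-vlan` and `show standby brief` on both chassis. Two caveats worth keeping in mind: the isolation is a layer-2 property only, so the gateway SVI (and the ISP router on the promiscuous port) will route between customers' public addresses unless an ACL on Vlan10 says otherwise, which is exactly the "see each other at layer 3 only" behaviour discussed later in the thread; and HSRP authentication only stops a customer port from injecting a rogue active router if every SVI actually carries the same key string.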
10-26-2015 10:02 PM
Hello,
If you do not want to waste IPs, and have high availability, give each customer two links. I suppose you can provide Ethernet since you are in the same building.
1- first way
A- Create a vlan for each customer.
B- Create interface vlan for each customer and configure HSRP or VRRP with private IP.
C- Give each customer a private address to put on their link and your private address for the default route, and a subnet of public addresses. 8 private addresses for each customer (3 for your side for HSRP and 1, 2 or 3 for the customer).
2- second way by private VLAN
A- Put the whole range on one SVI (HSRP or VRRP configured) which is primary vlan.
B- Put your customers in isolated VLANs.
In this way you are not wasting any IPs and you are able to keep your customers separated. You do not need any access-list to block your customers from one another.
Hope it helps,
Masoud
10-26-2015 10:12 PM
I think I like option 2. Can you elaborate more on private VLANS? I have never used them before. :)
What if the customers' networks legitimately need to talk? Like to send email to each other. Would that work with private VLANs?
10-26-2015 10:40 PM
So with this setup would Customer A be able to communicate with Customer B's servers? Remember that is OK, but I would like to keep broadcast domains and such under control if possible.
10-26-2015 10:49 PM
If they are in a community VLAN, they can see each other directly in layer 2.
edited : *********************************************
10-26-2015 10:49 PM
I am OK with them seeing each other at Layer 3 only. I take it the 6509 would do the routing?
How does that work? Won't all computers try to directly connect to the device in the same subnet without attempting to go through an L3 device?
10-26-2015 11:05 PM
I am sorry. I was wrong about isolated VLANs. If you put customers in an isolated VLAN, they can not see each other even in layer 3. If you need two customers to see each other, you need either to put them in a community VLAN or to configure two separate primary VLANs. In this way, a customer can see another in L3. As I said before, this method is less flexible. It is mostly preferred by data centers which host customers' servers.
11-02-2015 08:42 PM
So if all the customers are in the same community VLAN, that is essentially the same as a normal VLAN correct?
11-02-2015 08:50 PM
From one perspective, yes. Customers in a community VLAN can communicate directly in L2; however, the SVI is created for the primary VLAN associated with the community VLAN.
11-02-2015 09:34 PM
OK.
Next question. What is the best way to limit each customer to only 20 Mbps of bandwidth?
11-03-2015 05:58 AM
ISPs with more customers usually have separate devices to control bandwidth. You should be able to limit each customer on the corresponding SVI on your 6500 since you have only a few customers. There are two major ways to limit bandwidth: police and shape. Shape works more smoothly than police, but has some limitations in controlling egress traffic. I do not have enough information on traffic shaping. You should ask your question in a separate post. I am sure you will get better answers.
Some ratings for my previous answers would be much appreciated.
Masoud
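As an added example (not from the thread or its posters) of the policing option mentioned above, here is a per-customer 20 Mbps policer on a Catalyst 6500 for the private-VLAN design, where there is only one SVI and so per-SVI limits would not separate customers. Upload is policed at ingress on each customer's host port; download is policed at ingress on the ISP-facing port, classified by destination address. The port numbers and the customer address ranges from the accepted answer (customer1 1.1.1.100-105, customer2 1.1.1.106-107) are the assumptions; the burst value is a constructed starting point, not a tuned figure.

```ios
! PFC policing on the 6500 is inactive until QoS is enabled globally
mls qos
!
! 20 Mbps with a 625,000 byte burst (about 250 ms of traffic at 20 Mbps);
! everything over the rate is dropped rather than remarked
policy-map POLICE-20M
 class class-default
  police 20000000 625000 625000 conform-action transmit exceed-action drop
!
! Upload direction: attach to each customer's host port
interface GigabitEthernet1/1
 description customer1 firewall
 service-policy input POLICE-20M
!
interface GigabitEthernet1/2
 description customer2 firewall
 service-policy input POLICE-20M
!
! Download direction: classify by destination on the ISP-facing port.
! 1.1.1.100-105 is not one block, so it is two wildcard ranges.
ip access-list extended CUST1-DST
 permit ip any 1.1.1.100 0.0.0.3
 permit ip any 1.1.1.104 0.0.0.1
!
ip access-list extended CUST2-DST
 permit ip any 1.1.1.106 0.0.0.1
!
class-map match-all CUST1-DOWN
 match access-group name CUST1-DST
!
class-map match-all CUST2-DOWN
 match access-group name CUST2-DST
!
policy-map ISP-INGRESS
 class CUST1-DOWN
  police 20000000 625000 625000 conform-action transmit exceed-action drop
 class CUST2-DOWN
  police 20000000 625000 625000 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/3
 description ISP router 1.1.1.1
 service-policy input ISP-INGRESS
```

Check `show mls qos` and `show policy-map interface GigabitEthernet1/3` for conform and exceed counters. Policing download traffic at the ISP port has a side benefit for the building: a volumetric flood aimed at one customer's addresses is dropped at 20 Mbps before it reaches the shared core, although nothing on the 6500 can protect the 1 Gbps ISP link itself from being filled upstream.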
11-03-2015 09:01 AM
OK.
Next question. What is the best way to limit each customer to only 20 Mbps of bandwidth?
Hi William,
Check out the below link on Qos on Policing and shaping difference for bandwidth limitation.
Hope it Helps..
-GI
10-26-2015 10:50 PM
If you have enough IPs and your customers have their own firewalls, I would prefer my first solution, because your hands are more open, the network is scalable and changes are easier.
10-26-2015 10:41 PM
Your WAN configuration varies depending on the type of link and also the routing your service provider offers.