Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1340
Views
0
Helpful
4
Replies

Prevent Duplicate IP's

keithatwood
Level 1
Level 1

‎04-02-2012 12:57 PM - edited ‎03-07-2019 05:55 AM

I've got the following scenario

ISP  ---   1.1.1.1 /30  ---- (2821)  ---  2.2.2.1 /27  ----   2.2.2.2 /27  Tenant (1)

                                                                     ----  2.2.2.3 /27  Tenant (2)

I'd like to make sure that Tenant 2 cannot mistakenly misconfigure their router and cause a Duplicate IP conflict with another Tenant.

All of the Tenants connect to Cisco 2970's

Tenants use whatever router of their choosing.

Thanks for the suggestions.

Labels:
0 Helpful
4 Replies 4

Vasileios Bouloukos MSc, ITIL, CCIE
Level 3
Level 3

‎04-02-2012 03:14 PM

Hi Keith,

Your question is not clear.

do you want to modify the authentication/authorization attributes AAA to the router in order tenant do not have rights to miscofigure it? Eg. you can provide them with read only view, or you can remove the section to make changes to the interface config.

Otherwise you can configure your 2821 router as DHCP server and it can assign IP to the tenants interfaces.

Hope that helps

Vasilis

0 Helpful

manish arora
Level 6
Level 6
In response to Vasileios Bouloukos MSc, ITIL, CCIE

‎04-02-2012 03:37 PM

Hi Keith,

here are few options that I can think of :-

1> As Vasilis mentioned , you can use your 2821 work as a DHCP for all the devices that are connecting to your L2 Switch, this is a good and easy  way if your Tenants are not asking for a Static Public IP which they ask for when they need whitelisting at different locations etc.

2>  Since you are distributing Connectivity , it make you an ISP , and you should have Subneted your range 2.2.2.0/27 in smaller chunks like /30's or /31's and provided those to your Tenants using multiple vlans and router on Stick kinda secure environment.

3> If option 1 & 2 both are not something that you can use , then you can try making static ARP entries on the  2821 and then have Port security with one MAC address permitted per Port on the 2970. But this is really Lame workaround as your Tenant have to tell you their MACs and you will have to do a lot of non-smart Hardware which is always Lame. ;-)

Thanks

Manish

0 Helpful

keithatwood
Level 1
Level 1
In response to manish arora

‎04-03-2012 11:21 AM

Thanks for the feedback!

I did consider the DHCP option, however, we have told tenants they would get their own permanent static IP. To do this by DHCp I would have to create reservations, which puts me back at requesting their MAC addresses.

I did also consider the /30 subnetting, but with only a /27 I'm gonna reduce my useable IP's from 30 to 8.

0 Helpful

manish arora
Level 6
Level 6
In response to keithatwood

‎04-03-2012 04:06 PM

Hi Keith,

You can also try making use of Private / Secondary VLANs with VACLs, I have not personally used these myself but I am aware that some ISPs make use of these.

Here's the link that you can use to understand VACLs on Secondary VLANs :-

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml#vlan_access

Please test it in a Lab before making changes to the Production.

Manish

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card