04-02-2012 12:57 PM - edited 03-07-2019 05:55 AM
I've got the following scenario
ISP --- 1.1.1.1 /30 ---- (2821) --- 2.2.2.1 /27 ---- 2.2.2.2 /27 Tenant (1)
                                                ---- 2.2.2.3 /27 Tenant (2)
I'd like to make sure that Tenant 2 cannot mistakenly misconfigure their router and cause a Duplicate IP conflict with another Tenant.
All of the Tenants connect to Cisco 2970's
Tenants use whatever router of their choosing.
Thanks for the suggestions.
04-02-2012 03:14 PM
Hi Keith,
Your question is not clear.
Do you want to modify the authentication/authorization (AAA) attributes on the router so that tenants do not have rights to misconfigure it? E.g. you can provide them with a read-only view, or you can remove the section for making changes to the interface config.
Otherwise you can configure your 2821 router as a DHCP server and it can assign IPs to the tenants' interfaces.
Hope that helps
Vasilis
04-02-2012 03:37 PM
Hi Keith,
here are a few options that I can think of :-
1> As Vasilis mentioned, you can have your 2821 work as a DHCP server for all the devices that are connecting to your L2 switch. This is a good and easy way if your tenants are not asking for a static public IP, which they ask for when they need whitelisting at different locations etc.
2> Since you are distributing connectivity, it makes you an ISP, and you should have subnetted your range 2.2.2.0/27 into smaller chunks like /30s or /31s and provided those to your tenants using multiple VLANs and a router-on-a-stick kind of secure environment.
3> If options 1 & 2 are both not something that you can use, then you can try making static ARP entries on the 2821 and then have port security with one MAC address permitted per port on the 2970. But this is really a lame workaround, as your tenants have to tell you their MACs and you will have to do a lot of non-smart hardware work, which is always lame. ;-)
Thanks
Manish
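To make option 3 concrete, here is an added example config (not posted by anyone in this thread) for both devices, with constructed tenant MACs and port numbers as labelled assumptions; it also adds protected (PVLAN edge) ports on the 2970, assuming the switch software supports them, so tenants cannot even see each other's ARP traffic.

```cisco
! Added example (not from the thread). Constructed assumptions:
! Tenant 1 = 2.2.2.2, MAC 0011.2233.4455, switch port Gi0/1
! Tenant 2 = 2.2.2.3, MAC 0011.2233.4466, switch port Gi0/2
! 2970 uplink to the 2821 on Gi0/24
!
! --- 2821 router: pin each tenant IP to its MAC, so an ARP reply for
! --- 2.2.2.2 coming from a misconfigured tenant cannot replace the entry.
interface GigabitEthernet0/1
 description Tenant LAN 2.2.2.0/27
 ip address 2.2.2.1 255.255.255.224
!
arp 2.2.2.2 0011.2233.4455 arpa
arp 2.2.2.3 0011.2233.4466 arpa
!
! --- 2970 switch: exactly one permitted MAC per tenant port; frames from
! --- any other MAC are dropped and counted (restrict) rather than learned.
! --- "switchport protected" blocks tenant-to-tenant L2 traffic; the uplink
! --- port stays unprotected so every tenant can still reach the router.
interface GigabitEthernet0/1
 description Tenant 1
 switchport mode access
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
interface GigabitEthernet0/2
 description Tenant 2
 switchport mode access
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4466
 switchport port-security violation restrict
!
interface GigabitEthernet0/24
 description Uplink to 2821 (not protected)
 switchport mode access
!
! Checks after applying:
!   show port-security interface GigabitEthernet0/1   (violation counter)
!   show arp | include 2.2.2.                          (entries shown as static)
```

With this in place a tenant who sets 2.2.2.2 on the wrong port still cannot answer ARP for it on the router, and the switch's violation counter on that port tells you which tenant did it.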
04-03-2012 11:21 AM
Thanks for the feedback!
I did consider the DHCP option; however, we have told tenants they would get their own permanent static IP. To do this by DHCP I would have to create reservations, which puts me back at requesting their MAC addresses.
I did also consider the /30 subnetting, but with only a /27 I'm gonna reduce my usable IPs from 30 to 8.
04-03-2012 04:06 PM
Hi Keith,
You can also try making use of private/secondary VLANs with VACLs. I have not personally used these myself, but I am aware that some ISPs make use of them.
Here's the link that you can use to understand VACLs on secondary VLANs :-
Please test it in a lab before making changes to production.
Manish