02-18-2015 09:38 AM - edited 03-07-2019 10:44 PM
Hello to All,
This is my first post on this forum. I hope you guys can help me on this one.
The environment is the following:
It's a 7-story building in which I provide internet access for each apartment.
In the basement, we have one main router (MikroTik) and one main switch, a 1 Gbps fiber Cisco Catalyst switch.
On each floor I have 2 Catalyst 2900 switches (East wing, West wing), all of them connected to the main Catalyst switch in the basement.
All the apartments are in the same network right now; the MikroTik router serves as DHCP server for all the apartment computers and they can ping each other's IPs, as in a regular network. I need (if possible) privacy between IPs. Every computer needs to be invisible to the other computers. I was thinking about a solution, but I have no idea how to do it, maybe something with VLANs? I need help here; does anyone have an idea of how I can do this?
I really appreciate your help, Thank you very much guys.
02-18-2015 10:07 AM
Hi and welcome to the forum.
I am not familiar with mikrotik, so if I say something wrong about it, you are welcome to ignore it.
As for the change, you have to consider a few things before going forward.
For example, you said that the DHCP is configured on the MikroTik router. So if you change your design and, for example, put each floor in a different subnet/VLAN, you would need to create 7 DHCP scopes on the router. So, is the router capable of handling multiple DHCP scopes?
You also need to know if you are using NAT on the router. If you do, you are most likely NATing one subnet. If you change your design and create 7 different subnets/VLANs, you most likely need to change your NAT statement to reflect that.
You also need to come up with an IP address/VLAN segmentation design. For example:
Floor-1: IP segment 10.10.10.0/24, VLAN 10
Floor-2: IP segment 10.10.20.0/24, VLAN 20
and so on....
Changing IP address/VLAN from one segment to another will cause an outage for your tenants.
You would need to coordinate with each floor to make the changes during an outage window.
Overall, what you are trying to do is very much possible, but you need to do some research and planning ahead of time, so you don't cause an extended outage for your tenants.
HTH
02-18-2015 10:08 AM
What switch are you using as the core?
You can achieve the same either by configuring Private VLANs or, in an easier way, by applying the command "switchport protected" on the interfaces.
No layer 2 traffic can be sent between any two protected switchports, only between a protected switchport and a non-protected switchport.
Hope it helps.
BR,
Ashwani
02-18-2015 10:29 AM
Your best bet is to use Private VLANs. Set the port connected to the MikroTik as promiscuous? And all the client ports to isolated. This means they will communicate with the gateway only, but any connection between the individual hosts on isolated ports will not be allowed. No DHCP configuration changes needed. You need to create a secondary VLAN to add the isolated ports to. Cisco has private VLAN config guides available.
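As an added example (not from any post in this thread), here is the Catalyst IOS configuration for the private-VLAN design in the reply above (MikroTik uplink on a promiscuous port, tenant ports isolated) next to the simpler "switchport protected" option from the earlier reply. It assumes a core Catalyst that supports private VLANs, with VTP in transparent mode; the VLAN numbers, interface names and descriptions are made up for illustration. Note that protected ports only block traffic between ports of the same switch, so on the 2900 floor switches two tenants on different switches can still reach each other at layer 2 unless the core isolates them as well.

```cisco
! --- Option 1: private VLANs on the core Catalyst (assumed PVLAN-capable) ---
vtp mode transparent
!
! Secondary VLAN: isolated hosts can reach only promiscuous ports
vlan 200
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary VLAN
vlan 100
 private-vlan primary
 private-vlan association 200
!
! Uplink to the MikroTik gateway/DHCP server: promiscuous, talks to every host
interface GigabitEthernet0/1
 description MikroTik-gateway (constructed name)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
!
! Tenant-facing ports: isolated host ports, gateway-only at layer 2
interface range GigabitEthernet0/2 - 24
 description Tenant ports (constructed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! Verify: primary/secondary association and the ports in each
! show vlan private-vlan
! show interfaces GigabitEthernet0/2 switchport

! --- Option 2: protected ports on a floor Catalyst 2900 (no PVLAN support) ---
! Only the tenant ports are protected; the uplink to the core stays unprotected
interface range FastEthernet0/1 - 23
 description Tenant ports (constructed)
 switchport protected
!
interface FastEthernet0/24
 description Uplink-to-core (constructed name)
 no switchport protected
!
! Verify: "Protected: true" in the output for a tenant port
! show interfaces FastEthernet0/1 switchport
```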