Splitting Public Subnet to Stop IP Address Stealing (vLAN's / Subnets)

Hi All,

I hope this finds you well post the Christmas break, if only it had been a little longer!

A quick message to ask your advice on our current network setup. In short, we provide dedicated hosting services to clients, each of whom has their own server and a number of public IP addresses, and we are looking to limit the ability of clients to configure other clients'/unassigned IP addresses on their machines.

To confirm, say a client has IP Addresses 1.2.3.4 - 1.2.3.9 and we want to stop him from being able to use the next IP Address as it has been assigned to the next client 1.2.3.10 - is this possible?

I am aware we could split the subnet and create smaller subnets and VLANs for each client, but this would mean losing a good number of public IP addresses in the creation of these subnets.

Your ideas / thoughts are much appreciated.

All the best,

Matthew


Accepted Solutions

As per above, it really depends on the layout of the network. Based on the information given:

You can configure IP source guard on the access switch and then configure static IP source bindings on each interface that connects to the customer servers (if your switch supports it) - which will limit the IP addresses sourced from the server. If packets sourced from the server do not match the configured IP address on the switch, they are dropped.


The syntax of the command is:

ip source binding MAC vlan vlan IP interface X

This will at the very least lock down the customer-facing switchports to specific IP address/MAC correlations. This will result in more administrative overhead on your end, especially if the customer wants to move or change IP addresses.
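
An added example, not part of the original reply and not Cisco tooling: a small Python script that expands each client's assigned range into the static bindings described above, rejects any address assigned to two clients, and models the resulting per-port filter. The MAC addresses, VLAN number and interface names are constructed placeholders; enabling IP source guard on each port is platform-specific and is not shown.

```python
import ipaddress

# Constructed inventory. MACs, VLAN and interface names are placeholders
# (assumptions); the address ranges are the ones from the question.
CUSTOMERS = [
    {"name": "client-a", "mac": "0000.5e00.5301", "vlan": 100,
     "interface": "GigabitEthernet1/0/1", "first": "1.2.3.4", "last": "1.2.3.9"},
    {"name": "client-b", "mac": "0000.5e00.5302", "vlan": 100,
     "interface": "GigabitEthernet1/0/2", "first": "1.2.3.10", "last": "1.2.3.10"},
]

def expand(first, last):
    """Every IPv4 address from first to last, inclusive."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]

def build_bindings(customers):
    """Return (mac, vlan, ip, interface) tuples; refuse double assignment."""
    owner, bindings = {}, []
    for c in customers:
        for ip in expand(c["first"], c["last"]):
            if ip in owner:
                raise ValueError(f"{ip} assigned to {owner[ip]} and {c['name']}")
            owner[ip] = c["name"]
            bindings.append((c["mac"], c["vlan"], ip, c["interface"]))
    return bindings

def render(bindings):
    """Format each binding with the command syntax quoted in the answer."""
    return [f"ip source binding {mac} vlan {vlan} {ip} interface {intf}"
            for mac, vlan, ip, intf in bindings]

def is_permitted(bindings, interface, src_ip):
    """Simplified model of the filter: a source IP passes only on its bound port."""
    src = ipaddress.IPv4Address(src_ip)
    return any(ip == src and intf == interface for _, _, ip, intf in bindings)

if __name__ == "__main__":
    print("\n".join(render(build_bindings(CUSTOMERS))))
```

Regenerating the bindings from one inventory whenever a client moves or changes addresses keeps the administrative overhead mentioned above in a single file.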

4 REPLIES

Splitting Public Subnet to Stop IP Address Stealing (vLAN's / Su

I cannot think of any way this can be done besides subnetting to as small a subnet as possible and then applying an access-list to block any use of IPs on traffic that does not belong to that subnet.

Frequent Contributor

Splitting Public Subnet to Stop IP Address Stealing (vLAN's / Su

Can you draw up a network diagram of how your clients are connected to you? Sounds like all your clients are connected to the same network so they pretty much can access each other as well?

Beginner

Splitting Public Subnet to Stop IP Address Stealing (vLAN's / Su

Hi there,

Firstly, my apologies in following this up - Kyle, what you have suggested works perfectly. Thank you very much for your assistance!

All the best,

Matthew
