
Splitting Public Subnet to Stop IP Address Stealing (VLANs / Subnets)

matthewbutt
Level 1

Hi All,

I hope this finds you well after the Christmas break, if only it had been a little longer!

A quick message to ask your advice on our current network setup. In short, we provide dedicated hosting services to clients, each of whom has their own server and a number of public IP addresses, and we are looking to limit clients' ability to configure other clients' or unassigned IP addresses on their machines.

To confirm: say a client has IP addresses 1.2.3.4 - 1.2.3.9 and we want to stop him from being able to use the next IP address, 1.2.3.10, as it has been assigned to the next client. Is this possible?

I am aware we could split the subnet and create smaller subnets and VLANs for each client, but this would mean losing a good number of public IP addresses in the creation of these subnets.

Your ideas / thoughts are much appreciated.

All the best,

Matthew

Accepted Solution

As per above, it really depends on the layout of the network. Based on the information given:

You can configure IP source guard on the access switch and then configure static IP source bindings on each interface that connects to the customer servers (if your switch supports it), which will limit the IP addresses sourced from the server. If packets sourced from the server do not match the configured IP address on the switch, they are dropped.

The syntax of the command is:

ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <interface-id>

This will at the very least lock down the customer-facing switchports to specific IP address/MAC correlations. This will result in more administrative overhead on your end, especially if the customer wants to move or change IP addresses.

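A full worked configuration of the IP source guard approach from the accepted answer, added here as an example and not taken from the thread. It assumes a Catalyst access switch (2960/3560/3750-style IOS syntax) with all customer servers in one flat VLAN 100, hypothetical interface names Gi1/0/1, Gi1/0/2 and Gi1/0/48, and made-up MAC addresses; the 1.2.3.4 - 1.2.3.9 and 1.2.3.10 allocations follow the original question.

```cisco
! Added example, not from the thread. All customer servers share VLAN 100; the
! per-port binding, not subnetting, is what stops a server from sourcing a
! neighbour's address, so no public addresses are lost to extra subnets.
!
! IP source guard is driven by the DHCP snooping binding table, so snooping has
! to be enabled on the VLAN even though every binding below is static.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Uplink towards the gateway router: trusted, and not filtered by source guard.
interface GigabitEthernet1/0/48
 description Uplink to gateway router
 switchport mode trunk
 ip dhcp snooping trust
!
! Customer A port. The "port-security" keyword makes the filter match source MAC
! as well as source IP (newer IOS-XE platforms spell this "mac-check"); plain
! "ip verify source" checks the IP only. Port security itself must be on for the
! MAC variant, and its default maximum of one MAC per port is an assumption that
! fits a single server; raise it with "switchport port-security maximum N" if not.
interface GigabitEthernet1/0/1
 description Customer A server
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ip verify source port-security
!
! One static binding per address the customer may use: MAC, VLAN, IP, port.
! 1.2.3.10 belongs to the next customer and gets no binding on Gi1/0/1, so
! packets sourced from it on that port are dropped.
ip source binding 0011.2233.4455 vlan 100 1.2.3.4 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4455 vlan 100 1.2.3.5 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4455 vlan 100 1.2.3.6 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4455 vlan 100 1.2.3.7 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4455 vlan 100 1.2.3.8 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4455 vlan 100 1.2.3.9 interface GigabitEthernet1/0/1
!
! Customer B port: same pattern with its own MAC and its own address.
interface GigabitEthernet1/0/2
 description Customer B server
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ip verify source port-security
ip source binding 0011.2233.6677 vlan 100 1.2.3.10 interface GigabitEthernet1/0/2
```

Check the result with `show ip source binding` (the static entries should appear with type "static") and `show ip verify source` (each customer port should show filter type "ip-mac", active, with its permitted addresses). Two caveats a practitioner would want: IP source guard filters IPv4 traffic only, so it does not stop a server answering ARP for a neighbour's address on the shared VLAN; pairing it with Dynamic ARP Inspection (`ip arp inspection vlan 100`), which validates ARP against the same binding table, closes that gap. And because port security is enabled, a customer swapping the server's NIC triggers a port-security violation (err-disable by default) until the binding and the MAC are updated, which is the administrative overhead the answer warns about.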

4 Replies

I cannot think of any way this can be done besides subnetting to as small a subnet as possible and then applying an access list to block any use of IPs in traffic that does not belong to that subnet.
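The subnet-per-customer alternative described in that reply, as an added example that is not part of the original thread. VLAN numbers, interface names and the 1.2.3.0/29 and 1.2.3.8/29 allocations are assumptions chosen for illustration; the switch is assumed to be a layer-3 Catalyst holding the customer gateways as SVIs.

```cisco
! Added example, not from the thread. Each customer gets its own VLAN and a /29.
! Of the 8 addresses in 1.2.3.0/29 the network (1.2.3.0), the gateway (1.2.3.1)
! and the broadcast (1.2.3.7) are consumed, leaving 5 usable; that per-subnet
! cost, repeated for every customer, is the address loss the original post raises.
vlan 110
 name CUSTOMER-A
vlan 120
 name CUSTOMER-B
!
! One gateway SVI per customer subnet, with an inbound ACL on each.
interface Vlan110
 description Customer A gateway
 ip address 1.2.3.1 255.255.255.248
 ip access-group CUSTOMER-A-IN in
interface Vlan120
 description Customer B gateway
 ip address 1.2.3.9 255.255.255.248
 ip access-group CUSTOMER-B-IN in
!
! Only packets sourced from the customer's own /29 leave the VLAN; a server that
! configures a neighbour's address, or any unassigned address, is dropped and logged.
ip access-list extended CUSTOMER-A-IN
 permit ip 1.2.3.0 0.0.0.7 any
 deny   ip any any log
ip access-list extended CUSTOMER-B-IN
 permit ip 1.2.3.8 0.0.0.7 any
 deny   ip any any log
!
! Access ports: each server lands in its own VLAN, so it cannot reach the other
! customer's segment at layer 2 at all, unlike the flat-VLAN design.
interface GigabitEthernet1/0/1
 description Customer A server
 switchport mode access
 switchport access vlan 110
interface GigabitEthernet1/0/2
 description Customer B server
 switchport mode access
 switchport access vlan 120
```

`show ip access-lists CUSTOMER-A-IN` shows the match counters; hits on the `deny ip any any log` line are the spoofing attempts. The ACL only sees traffic leaving the customer VLAN, which is enough here because the only host on that VLAN is the customer's own server; anti-spoofing on the gateway ACLs is what makes the smaller subnets pay for their address overhead.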

ALIAOF_
Level 6

Can you draw up a network diagram of how your clients are connected to you? It sounds like all your clients are connected to the same network, so they can pretty much access each other as well?


Hi there,

Firstly, my apologies for the delay in following this up. Kyle, what you have suggested works perfectly. Thank you very much for your assistance!

All the best,

Matthew
