01-08-2013 09:39 AM - edited 03-07-2019 10:58 AM
Hi All,
I hope this finds you well post the Christmas break, if only it had been a little longer!
A quick message to ask your advice on our current network setup. In short, we provide dedicated hosting services to clients, each of whom has their own server and a number of public IP addresses, and we are looking to limit the ability for clients to configure other clients' or unassigned IP addresses onto their machines.
To confirm, say a client has IP Addresses 1.2.3.4 - 1.2.3.9 and we want to stop him from being able to use the next IP Address as it has been assigned to the next client 1.2.3.10 - is this possible?
I am aware we could split the subnet and create smaller subnets and VLANs for each client, but this would mean losing a good number of public IP addresses in the creation of these subnets.
Your ideas / thoughts are much appreciated.
All the best,
Matthew
01-08-2013 10:48 AM
I cannot think of any way this can be done besides subnetting to as small a subnet as possible and then applying an access list to block any use of IPs on traffic that does not belong to that subnet.
01-08-2013 10:57 AM
Can you draw up a network diagram of how your clients are connected to you? It sounds like all your clients are connected to the same network, so they can pretty much access each other as well?
01-08-2013 01:47 PM
As per above, it really depends on the layout of the network. Based on the information given:
You can configure IP source guard on the access switch and then configure static IP source bindings on each interface that connects to the customer servers (if your switch supports it) - which will limit the IP addresses sourced from the server. If packets sourced from the server do not match the configured IP address on the switch, they are dropped.
The Syntax of the command is:
ip source binding MAC vlan vlan IP interface X
This will at the very least lock down the customer-facing switchports to specific IP address/MAC correlations. This will result in more administrative overhead on your end, especially if the customer wants to move or change IP addresses.
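The static bindings described in the answer above, generated from an allocation table so that overlapping client ranges are caught before anything is pasted into the switch. This is an added example, not part of the original thread: the client names, MAC addresses, VLAN, interface names and the second client's range end are constructed, and it assumes the switch accepts one static binding per address.

```python
import ipaddress

# Constructed allocation table (hypothetical clients, MACs, VLAN and ports);
# the address ranges follow the example given in the question.
ALLOCATIONS = [
    {"client": "client-a", "mac": "00:11:22:33:44:55", "vlan": 10,
     "interface": "GigabitEthernet0/1", "first": "1.2.3.4", "last": "1.2.3.9"},
    {"client": "client-b", "mac": "00-11-22-33-44-66", "vlan": 10,
     "interface": "GigabitEthernet0/2", "first": "1.2.3.10", "last": "1.2.3.15"},
]

def cisco_mac(mac):
    """Normalise a MAC address to the dotted xxxx.xxxx.xxxx form."""
    digits = mac.lower().translate(str.maketrans("", "", ":-."))
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def expand(first, last):
    """Every IPv4 address from first to last, inclusive."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range is reversed: {first} - {last}")
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]

def build_bindings(allocations):
    """Return (commands, conflicts); no commands are emitted if any address
    is assigned to two different clients."""
    owner, commands, conflicts = {}, [], []
    for a in allocations:
        mac = cisco_mac(a["mac"])
        for ip in expand(a["first"], a["last"]):
            if ip in owner and owner[ip] != a["client"]:
                conflicts.append((str(ip), owner[ip], a["client"]))
                continue
            owner[ip] = a["client"]
            # Same argument order as the syntax quoted in the answer above.
            commands.append(f"ip source binding {mac} vlan {a['vlan']} "
                            f"{ip} interface {a['interface']}")
    return ([] if conflicts else commands), conflicts

if __name__ == "__main__":
    cmds, bad = build_bindings(ALLOCATIONS)
    for entry in bad:
        print("CONFLICT %s: %s vs %s" % entry)
    print("\n".join(cmds))
```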
02-04-2013 11:57 AM
Hi there,
Firstly my apologies in following this up - Kyle, what you have suggested works perfectly. Thank you very much for your assistance!
All the best,
Matthew