• Status: Solved
  • Views: 412

Providing public ip space to tenants from a /24 subnet

I need to provide public IP addresses to tenants in a commercial building. Our ISP has provided us with a /30 for our external interface and a /24 to break down for our tenants. Is there any way to isolate tenants from one another without subnetting the /24 into a bunch of /29s and /30s and wasting a lot of IP space on gateway and broadcast IPs?

Network Design as it stands now:

        Catalyst 3750
              |
              |
      -----------------
      |               |
  Dell 3448       Dell 3448
      |               |
   tenants         tenants

Currently the 3750 is configured with a /30 on one of the GigE ports to act as the external interface. A second and third GigE port are used as trunks to each of the Dell 3448 switches.

interface GigabitEthernet1/0/17
 description "3448-1"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1-63,65-4094
 switchport mode trunk
 duplex full
 speed 1000
!
interface GigabitEthernet1/0/18
 description "3448-2"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1-63,65-4094
 switchport mode trunk
 duplex full
 speed 1000
!

The /24 is then handed down by subnetting it into /30s on different VLANs:

interface Vlan108
 ip address x.x.x.25 255.255.255.252
!
interface Vlan109
 ip address x.x.x.29 255.255.255.252
!
interface Vlan110
 ip address x.x.x.33 255.255.255.252
!
interface Vlan111
 ip address x.x.x.37 255.255.255.252
!

Is there a more efficient way to use this address space while completely isolating each tenant from each other? Last requirement: if tenant Z on VLAN 111 (based on the example above) has their own router in place and has a server of some type behind it that their router allows public access to, tenant Y on VLAN 110 should ideally be able to access it.
Asked by: djcapone
1 Solution
 
djcapone (Author) commented:
I would like to point out this is a design I inherited; however, I really don't know of another way.

My thinking is that one has to exist, dedicated server providers cannot possibly create a subnet for every one of their customers, can they?
giltjr commented:
How much isolation do you plan on providing?  Just from broadcast/multicast traffic?

I would have to think about how to do it, but I would just leave everything as a /24, hand out the IP addresses using DHCP, but block all broadcast and multicast traffic.

The only other way would to provide PPPoE, but I have no clue how to do that.

However, dedicated service providers don't really isolate their customers. I can't remember what all I saw, but I know that I was surprised at what traffic I saw when I ran Wireshark on my Dad's computer that was using Cable.
djcapone (Author) commented:
Well I guess the big thing would be ensuring that if a computer rather than a firewall was hooked up to the public ip by say 2 tenants, that they couldn't see each other as being on the same local network.

Secondly, I was referring to dedicated SERVER not SERVICE providers like serverbeach, theplanet, rackspace, etc.
giltjr commented:
With them being on the same "network" the only issue would be broadcast and multicast traffic. One issue you may have trying to isolate the tenants is you may block them from doing things they want to do.

The Dell switch seems to mimic features that Cisco has, so one thing you could do is block all multicast traffic.  I think there is a way that you can block broadcast traffic also.  

It just seems to be a waste of IP addresses to take a /24 down into /30s, on top of all the VLANs you need to create and manage.

I have seen both where the server service provider will break down into multiple subnets and where you are on a /24, or larger.

The ones breaking down the subnets are getting fewer and fewer, and the ones leaving customers on a /24 or larger are getting more prevalent. However, the ones leaving customers on the "shared" subnet are blocking multicast and broadcast traffic.
djcapone (Author) commented:
Thanks, keeping it open to hope for some additional opinions.

What things on an individual user level could blocking broadcast/multicast traffic prevent?

I also agree that the subnetting as it is now is quite wasteful of IP space.

Lastly, could anything possibly be done using subinterfaces and with unnumbered IP routing? I'm really not too familiar with unnumbered IP routing and know that there are some limitations etc. involved, so I'm looking for input on that front.
giltjr commented:
There should be nothing that blocking broadcast/multicast would prevent that would be allowed on a "normal" home connection.

"Normal" home connection meaning Cable, ADSL, dial-up, or Satellite. On a normal home connection you are on a "one IP address" network, so you can't broadcast to anything, and all ISPs block multicast.

I have never needed to use unnumbered IP routing, so I am not 100% sure how it works. I will need to do a little reading, but I was under the impression that unnumbered IP routing was used between routers so that you did not waste IP addresses. If I understand it correctly, in the following setup:

"NETWORK1"  <--> ROUTER1 <-- WAN/LAN connection directly to --> ROUTER2 <--> NETWORK2

normally the interfaces that directly connect ROUTER1 and ROUTER2 would have IP addresses on a /30 network. With unnumbered IP routing, they have no IP addresses on the serial interfaces themselves; they "share" the same IP address as the LAN interfaces on the "outside" of the routers.

Here is Cisco's take:

http://www.cisco.com/warp/public/701/20.html
djcapone (Author) commented:
Hoping you're still subscribed/monitoring this...

In Cisco speak, what I think you're recommending as the best solution is essentially creating a single VLAN with the /24 on the 3750 "core" switch.

Then on the Dell switches, finding a way of applying in cisco talk:

switchport protected
switchport block multicast

on each physical interface of the Dell switches?
giltjr commented:
As long as one tenant does not need to talk to another tenant that will work.
djcapone (Author) commented:
When you say one tenant needing to talk to another tenant, do you mean that access would be totally denied or simply standard "local network" access would be denied?

IE, if tenant A is running a web server and Tenant B wants to visit their web site for whatever reason, will they be able to access it via a web browser?
giltjr commented:
When using "switchport protected" ALL access between any ports that have "switchport protected" set will be denied. This is blocking traffic at layer 2, which knows nothing about "standard local network" vs. "web".

If you want to block "standard local network" type traffic (I am assuming you mean Windows file sharing) you would need an L3 switch that can do access lists at the IP port level and control traffic within the same VLAN. Some switches can do access lists at the port level, but they only block traffic that flows between VLANs, not within a VLAN.

If you want to allow any type of communication between tenants, you would not be able to use "switchport protected", but you could (and should) use "switchport block multicast"; as multicast is not sent over the Internet, they should not need it for "normal Internet type traffic".
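Editor's worked example, added here and not part of the thread or either participant's configuration: the design giltjr settles on in the answer above, written out in Cisco IOS syntax as djcapone asked. The whole /24 sits on one SVI, per-tenant isolation is done at layer 2 on the access ports, and a VLAN access map on the 3750 filters the traffic the access ports cannot see. Everything named is an assumption: VLAN 200, the /24 shown as x.x.x.0/24 with the 3750 at x.x.x.1 (placeholders as in the question), tenant ports shown as FastEthernet0/1-24 on a Cisco access switch standing in for the Dell 3448 (whose own syntax would need to be looked up), and the assumption that the two trunks carry nothing but the tenant VLAN. Two caveats matter in practice. Protected-port isolation is local to a switch: two tenants on the same Dell switch cannot exchange any traffic at all (including the web-server case from the question), while a tenant on 3448-1 and a tenant on 3448-2 reach each other through the 3750 trunks, where protected ports do nothing; the VLAN map below filters that cross-switch leg and only that leg. On the address budget: a /24 cut into /30s yields 64 subnets, each spending three addresses on network, broadcast and gateway and leaving one usable tenant address; as /29s, 32 subnets with five usable each; kept as a single /24, 253 addresses remain usable after network, broadcast and gateway.

```cisco
! Added example (editor's, not from the thread). Flat /24 tenant VLAN on the
! Catalyst 3750. VLAN 200 and x.x.x.0/24 are placeholders.
vlan 200
 name TENANTS
!
interface Vlan200
 ip address x.x.x.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no shutdown
!
! Trunks to the two Dell 3448s. Assumes they carry only the tenant VLAN; an
! unused native VLAN keeps untagged frames off the tenant segment.
interface range GigabitEthernet1/0/17 - 18
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 200
 switchport mode trunk
!
! Tenant-facing access ports, Cisco syntax standing in for the Dell 3448.
! "switchport protected" blocks traffic between protected ports on the SAME
! switch only; block multicast/unicast stop unknown-multicast and
! unknown-unicast flooding toward the tenant; storm-control caps broadcast
! at 1% of line rate; bpduguard stops a tenant switch from joining STP.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 200
 switchport protected
 switchport block multicast
 switchport block unicast
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Tenant-to-tenant traffic between the two Dell switches is bridged through
! the 3750 inside VLAN 200, where protected ports have no effect. The VLAN
! access map drops NetBIOS/SMB on that leg and forwards everything else, so
! tenant Y can still browse tenant Z's web server but not its file shares.
ip access-list extended TENANT-LAN-PROTOS
 permit udp any any range 137 138
 permit tcp any any eq 139
 permit tcp any any eq 445
!
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map TENANT-FILTER 10
 match ip address TENANT-LAN-PROTOS
 action drop
vlan access-map TENANT-FILTER 20
 match ip address ANY-IP
 action forward
!
vlan filter TENANT-FILTER vlan-list 200
```

Each tenant router or host is then given a static address from x.x.x.0/24 with x.x.x.1 as its gateway. A quick check of the isolation from any tenant port is an ARP or ping sweep of the /24: neighbours on the same switch should not answer at all, neighbours on the other switch should answer ping but refuse a connection to TCP 445.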
