Providing public IP space to tenants from a /24 subnet

I need to provide public IP addresses to tenants in a commercial building. Our ISP has provided us with a /30 for our external interface and a /24 to break down for our tenants. Is there any way to isolate tenants from one another without subnetting the /24 into a bunch of /29s and /30s and wasting a lot of IP space on gateway and broadcast IPs?

Network design as it stands now:

                Catalyst 3750
                      |
            +---------+---------+
            |                   |
        Dell 3448           Dell 3448
            |                   |
         tenants             tenants

Currently the 3750 is configured with a /30 on one of the GigE ports to act as the external interface. A second and third GigE port are used as trunks to each of the Dell 3448 switches.

interface GigabitEthernet1/0/17
 description "3448-1"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1-63,65-4094
 switchport mode trunk
 duplex full
 speed 1000
!
interface GigabitEthernet1/0/18
 description "3448-2"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1-63,65-4094
 switchport mode trunk
 duplex full
 speed 1000
!

The /24 is then handed down by subnetting it into /30s on different VLANs:

interface Vlan108
 ip address x.x.x.25 255.255.255.252
!
interface Vlan109
 ip address x.x.x.29 255.255.255.252
!
interface Vlan110
 ip address x.x.x.33 255.255.255.252
!
interface Vlan111
 ip address x.x.x.37 255.255.255.252
!

Is there a more efficient way to use this address space while completely isolating each tenant from each other? Last requirement: if tenant Z on VLAN 111 (based on the example above) has their own router in place and has a server of some type behind it that their router allows public access to, tenant Y on VLAN 110 should ideally be able to access it.
djcapone asked:

djcapone (author) commented:
I would like to point out this is a design I inherited; however, I really don't know of another way.

My thinking is that one has to exist, dedicated server providers cannot possibly create a subnet for every one of their customers, can they?
giltjr commented:
How much isolation do you plan on providing? Just from broadcast/multicast traffic?

I would have to think about how to do it, but I would just leave everything as a /24, hand out the IP addresses using DHCP, but block all broadcast and multicast traffic.

The only other way would be to provide PPPoE, but I have no clue how to do that.

However, dedicated service providers don't really isolate their customers. I can't remember what all I saw, but I know that I was surprised at what traffic I saw when I ran Wireshark on my Dad's computer that was using cable.

djcapone (author) commented:
Well, I guess the big thing would be ensuring that if a computer rather than a firewall was hooked up to the public IP by, say, two tenants, they couldn't see each other as being on the same local network.

Secondly, I was referring to dedicated SERVER not SERVICE providers like serverbeach, theplanet, rackspace, etc.
giltjr commented:
With them being on the same "network" the only issue would be broadcast and multicast traffic. One issue you may have trying to isolate the tenants is you may block them from doing things they want to do.

The Dell switch seems to mimic features that Cisco has, so one thing you could do is block all multicast traffic.  I think there is a way that you can block broadcast traffic also.  

It just seems to be a waste of IP addresses to take a /24 down into /30s, on top of all the VLANs you need to create and manage.

I have seen both where the server service provider will break down into multiple subnets and where you are on a /24, or larger.

The ones breaking down the subnets are getting fewer and fewer and the ones leaving you on a /24 or larger are getting more prevalent. However, the ones leaving you on the "shared" subnet are blocking multicast and broadcast traffic.

djcapone (author) commented:
Thanks, keeping it open to hope for some additional opinions.

What things on an individual user level could blocking broadcast/multicast traffic prevent?

I also agree that the subnetting as it is now is quite wasteful of IP space.

Lastly, could anything possibly be done using subinterfaces and unnumbered IP routing? I'm really not too familiar with unnumbered IP routing and know that there are some limitations etc. involved, so I'm looking for input on that front.

giltjr commented:
There should be nothing that blocking broadcast/multicast would prevent that would be allowed on a "normal" home connection.

"Normal" home connection meaning cable, ADSL, dial-up, or satellite. On a normal home connection you are on a "one" IP address network, so you can't broadcast to anything, and all ISPs block multicast.

I have never needed to use unnumbered IP routing, so I am not 100% sure how it works. I will need to do a little reading, but I was under the impression that unnumbered IP routing was used between routers so that you did not waste IP addresses. If I understand it correctly, in the following setup:

"NETWORK1"  <--> ROUTER1 <-- WAN/LAN connection directly to --> ROUTER2 <--> NETWORK2

normally the interfaces that directly connect ROUTER1 and ROUTER2 would have IP addresses on a /30 network. With unnumbered IP routing, they have no IP addresses on the serial interfaces themselves; they "share" the same IP address as the LAN interfaces on the "outside" of the routers.

Here is Cisco's take:

http://www.cisco.com/warp/public/701/20.html
djcapone (author) commented:
Hoping you're still subscribed/monitoring this...

In Cisco speak, what I think you're recommending as the best solution is essentially creating a single VLAN with the /24 on the 3750 "core" switch.

Then on the Dell switches, finding a way of applying in cisco talk:

switchport protected
switchport block multicast

on each physical interface of the Dell switches?
giltjr commented:
As long as one tenant does not need to talk to another tenant that will work.
djcapone (author) commented:
When you say one tenant needing to talk to another tenant, do you mean that access would be totally denied or simply standard "local network" access would be denied?

I.e., if tenant A is running a web server and tenant B wants to visit their web site for whatever reason, will they be able to access it via a web browser?

giltjr commented:
When using "switchport protected", ALL access between any ports that have "switchport protected" set will be denied. This is blocking traffic at layer 2, which knows nothing about "standard local network" vs. "web".

If you want to block "standard local network" type traffic (I am assuming you mean Windows file sharing) you would need an L3 switch that can do access lists at the IP port level and control traffic within the same VLAN. Some switches can do access lists at the port level, but they only block traffic that flows between VLANs, not within a VLAN.

If you want to allow any type of communication between tenants, you would not be able to use "switchport protected", but you could (and should) use "switchport block multicast"; as multicast is not sent over the Internet, they should not need it for "normal Internet type traffic".
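For reference, here is what the single-VLAN design discussed in this thread looks like as a Cisco IOS configuration on the 3750. This is an added example, not the poster's configuration or anything from the thread: 203.0.113.0/24 (an RFC 5737 documentation range) stands in for the masked x.x.x.0/24, and the VLAN number, port numbers, tenant addresses and ACL name are assumed. It also shows one way to meet the last requirement in the question (tenant Y reaching a server tenant Z publishes) without giving up "switchport protected": "ip local-proxy-arp" on the SVI makes the 3750 answer ARP for other hosts in the /24, so tenant-to-tenant traffic is hairpinned through the router rather than switched, and the router ACL on the SVI can then permit exactly the inter-tenant flows you want. Two caveats a practitioner should check: "switchport protected" only isolates ports on the same switch, so two tenants on different Dell 3448s (or one on a Dell and one on the 3750) still reach each other across the trunks unless each switch isolates its own ports and the design is extended with private VLANs (an isolated VLAN carried on the trunks), whose availability on the 3750 depends on the IOS feature set and whose availability on the Dell 3448 the thread does not establish; and local proxy ARP on the Catalyst platform requires an IOS release that supports it, so confirm the command is accepted on your image before relying on it.

```cisco
! Added example (not the original poster's config). 203.0.113.0/24 stands in
! for the masked x.x.x.0/24; VLAN 100, port numbers, tenant addresses and the
! ACL name are assumptions.
!
! One routed /24 on a single SVI. Tenants get host addresses out of it with
! 203.0.113.1 as their default gateway, so no per-tenant network, gateway and
! broadcast addresses are burned the way they are with /30s.
interface Vlan100
 description "Tenant public /24"
 ip address 203.0.113.1 255.255.255.0
 ! Answer ARP requests for other hosts in 203.0.113.0/24 with the SVI's own MAC.
 ! Tenants then send tenant-to-tenant traffic to the router, which forwards it
 ! back out; protected ports never exchange frames directly. Needs proxy ARP
 ! (the IOS default) to be enabled.
 ip proxy-arp
 ip local-proxy-arp
 ! Hairpinned inter-tenant traffic enters here as routed traffic, so a router
 ! ACL can now control it per IP/port.
 ip access-group TENANT-IN in
!
! Permit tenant Y (203.0.113.50) to reach the web server tenant Z publishes on
! 203.0.113.60, deny every other tenant-to-tenant flow, and let traffic bound
! for the Internet through untouched.
ip access-list extended TENANT-IN
 permit tcp host 203.0.113.50 host 203.0.113.60 eq 80
 deny   ip 203.0.113.0 0.0.0.255 203.0.113.0 0.0.0.255
 permit ip any any
!
! Tenant access ports, shown on the 3750 itself because the thread only quotes
! Cisco syntax; the Dell 3448 needs its own equivalent of these settings.
interface GigabitEthernet1/0/1
 description "Tenant Y"
 switchport access vlan 100
 switchport mode access
 ! Frames from this port are never forwarded to another protected port on
 ! this switch; they may still go to unprotected ports (the SVI/uplinks).
 switchport protected
 ! Do not flood unknown-unicast or multicast frames out to the tenant.
 switchport block unicast
 switchport block multicast
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description "Tenant Z (own router, publishes 203.0.113.60)"
 switchport access vlan 100
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The trunks to the Dell 3448s stay unprotected so tenant -> gateway traffic
! always passes. Isolation between a tenant on 3448-1 and a tenant on 3448-2 is
! NOT provided by "switchport protected" alone; that needs private VLANs or an
! equivalent feature on every switch in the path.
```

With this in place, a tenant pinging another tenant's address gets an ARP reply from the 3750 rather than from the neighbour, the hairpinned packet is evaluated against TENANT-IN, and only the explicitly permitted flow (here, HTTP to the published server) is forwarded. If you want the tenants fully isolated, as giltjr describes, drop "ip local-proxy-arp" and the permit line; if you want them to talk freely, drop "switchport protected" and keep only the multicast/unicast blocking.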