etechit (United States of America) asked on:
Public IPs for tenants

I have been put into a mess of a situation that I don't think should be so complicated.  An ISP has given a building a /28 (13 usable) public IPs with an Ethernet hand-off from their equipment.  The plan is then to send one public IP to each apartment for the tenant to connect their own firewall/wireless box.  In the mechanical room they have 2 Cisco routers and 2 Cisco 2900 switches that they have been monkeying around with.  From what I can see, all that is needed is one 2900 switch.  Port 1 goes to the ISP equipment and the rest of the ports go to each tenant's location.  We could notify each tenant of what their IP should be.  Is there any way to restrict the proper IP to the proper port of the 2900 by means of a VLAN or ACL?  Can you think of any reason that I need more than just a switch here?
ASKER CERTIFIED SOLUTION
bswinnerton (United States of America)
And if you do decide to go that way, my preference is usually on HP switches.
etechit (ASKER)
Depending on the exact model of 2900, it may be layer 3.  If it is, or I get a layer 3, does each port consume an IP for the VLAN?  Such as port 2 VLAN would be 200.200.200.12; would that IP belong to the physical port itself or the equipment plugged into it?
Well, for example, you would have multiple ports with multiple VLANs. So let's say port 5 will be VLAN 1, port 6 VLAN 2, etc.  You could specify that you want a specific IP assigned to port 5, and a different one to port 6.

From there, anything below that point should pick up an IP from the switch (much like DHCP). And if your users were to use routers, they would just need to know the IP information to configure further below their routers.

Hopefully that answers your question. So no, the actual port does not consume the IP address, but anything plugged into that port does.
etechit (ASKER)
Great, thank you for clarification.
It sounds like a layer 3 switch will do the trick.
No problem :)
I hate to rain on the parade here, but there is absolutely no reason you need a layer 3 switch.
If you cut the /28 block up into /30 sections and you route through the switch, you can only service 3 apartments. This is a massive waste of the /28 block!

See this guide on applying ACLs on the inbound interface of a layer 2 switch:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#wp1043840

What I would do is configure the switch with one of the IPs for management purposes, then apply ACLs on the inbound interface of the switchports that are bound for the end customers, e.g.:
! extended (100-199) ACLs take the "permit ip host <src> any" form; apply each with "ip access-group <n> in" on the tenant's port
access-list 110 permit ip host x.x.x.93 any
access-list 111 permit ip host x.x.x.94 any
etc. Obviously with the IP address being the IP allowed by that apartment.

There is absolutely no benefit in a layer 3 switch for this application.
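The per-port ACL approach above, worked through as an added example that is not part of the original thread. The script below validates a tenant-to-port allocation against the /28 (every IP must be a usable host in the block, unique, and not the ISP gateway or the switch's management address) and emits the Catalyst 2950 configuration: a management SVI, one extended inbound port ACL per apartment permitting only that apartment's source IP, plus port-security and BPDU guard on each tenant port. The prefix 198.51.100.0/28 (RFC 5737 documentation space), the gateway at .1, the management address at .2, the uplink on Fa0/1 and the ACL numbering are constructed assumptions; substitute the ISP's real block. One caveat a practitioner should keep in mind: a port IP ACL filters IPv4 only, so it does not stop a tenant from answering ARP for a neighbour's address; port-security caps the MAC count but not the IP claimed, and the 2950 does not offer Dynamic ARP Inspection or IP Source Guard, which would close that gap on newer platforms.

```python
"""Generate per-port inbound IP ACLs for a Catalyst 2950 that hands one
public IP from a /28 to each apartment port.

Added example, not code from the original thread.  Addresses, port
numbers and ACL numbers are constructed assumptions.
"""
import ipaddress

# Constructed example allocation: the ISP hands off a /28 on Fa0/1.
BLOCK = ipaddress.ip_network("198.51.100.0/28")
ISP_GATEWAY = ipaddress.ip_address("198.51.100.1")   # ISP router (assumed)
SWITCH_MGMT = ipaddress.ip_address("198.51.100.2")   # switch's own management IP
UPLINK_PORT = 1

# Tenant switchport -> the single public IP that port is allowed to source.
TENANTS = {
    2: "198.51.100.3",
    3: "198.51.100.4",
    4: "198.51.100.5",
}


def usable_hosts(block):
    """Hosts in the block minus network and broadcast addresses (14 for a /28)."""
    return list(block.hosts())


def validate(block, gateway, mgmt, tenants):
    """Reject IPs outside the block, duplicates, and collisions with gateway/mgmt."""
    usable = set(usable_hosts(block))
    reserved = {gateway, mgmt}
    seen = set()
    for port, ip in tenants.items():
        addr = ipaddress.ip_address(ip)
        if addr not in usable:
            raise ValueError(f"port {port}: {ip} is not a usable host in {block}")
        if addr in reserved:
            raise ValueError(f"port {port}: {ip} is reserved for gateway/management")
        if addr in seen:
            raise ValueError(f"port {port}: {ip} assigned to more than one port")
        seen.add(addr)
    return True


def build_config(block, gateway, mgmt, tenants, uplink=UPLINK_PORT):
    """Return IOS config: management SVI, per-port extended ACL, port hardening."""
    validate(block, gateway, mgmt, tenants)
    lines = [
        "! Management address on VLAN 1, default route towards the ISP router",
        "interface Vlan1",
        f" ip address {mgmt} {block.netmask}",
        f"ip default-gateway {gateway}",
        "!",
        f"interface FastEthernet0/{uplink}",
        " description Uplink to ISP hand-off",
        " switchport mode access",
        " switchport access vlan 1",
        "!",
    ]
    for port, ip in sorted(tenants.items()):
        acl = 100 + port  # extended ACL (100-199): permit only this tenant's source IP
        lines += [
            f"access-list {acl} remark Apartment on port {port}",
            f"access-list {acl} permit ip host {ip} any",
            f"access-list {acl} deny ip any any",
            f"interface FastEthernet0/{port}",
            f" description Tenant {ip}",
            " switchport mode access",
            " switchport access vlan 1",
            f" ip access-group {acl} in",      # port ACLs on the 2950 are inbound only
            " switchport port-security",
            " switchport port-security maximum 1",
            " switchport port-security violation restrict",
            " spanning-tree portfast",
            " spanning-tree bpduguard enable",
            "!",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_config(BLOCK, ISP_GATEWAY, SWITCH_MGMT, TENANTS))
```

Running the script prints a configuration you can paste into the switch; the explicit `deny ip any any` only restates the implicit deny at the end of every IOS ACL, but it keeps the intent visible in `show access-lists` hit counters. BPDU guard and the single-MAC port-security limit stop a tenant's box from bridging the apartment network back into the building VLAN or parking several devices on one port.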
etechit (ASKER)
Used a Cisco 2950 XL switch, but had to go to IOS 12 to get VLAN support.