Solved

Subnetting multiple Class-C Networks for Security

Posted on 2009-04-13
453 Views
Last Modified: 2012-05-06
We currently sell bandwidth/IP ranges to clients in our colocation. This network was set up before I was with the company, and currently we are not using any kind of subnetting. We have 3 class C IP ranges that are publicly routable, and IP addresses are just being handed out as needed. The problem has started to arise that people are "borrowing" IP addresses that they did not pay for and that belong to other clients. Since all blocks of IPs go out the default gateway of x.x.x.1 and have the default /24 mask, there is not really any way of stopping this.

We have 3 switches that the clients connect to, and then the main switch (3Com 4500) is connected to the uplink from our provider. I was going to create VLANs and VLAN interfaces for each client, but the main switch only supports 10 VLAN interfaces and we have 20 clients and growing. I am currently planning to stick a 3Com 5012 router in between our switch and the service provider's, and then create sub-interfaces for each subnet's gateway.

I was wondering how creating the subnets is handled in a situation like this? We are currently dealing with about 20 clients (all needing their own subnets) and 750 IP addresses.
Also, will it work to create the sub-interfaces on the router for each client, or do I need to set up any type of specific routing protocol?
I will be extremely grateful for any help on this! Thank you!
Question by: Teleswitch
7 Comments
LVL 11

Expert Comment

by: donmanrobb
ID: 24130647
If you're going to go the router route, I would recommend you make subinterfaces for each client and apply an access list that permits only the client's IP range on each subinterface.

On the switch side, if the 3Com supports it you could use VLAN/MAC access lists to help control IP assignments, but if the switch only supports 10 VLAN interfaces then it wouldn't be the best option.
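Putting the question's numbers and the sub-interface advice above together, here is an added worked example (not from the thread, and not 3Com code) that plans variable-length subnets for a list of clients out of three /24s, works out the gateway each router sub-interface gets, and states the ingress filter described above (permit the client's own range as source, deny everything else), which is what makes address "borrowing" fail. The addresses are RFC 5737 documentation ranges standing in for the real blocks, the client list is made up, and the ACL lines are generic Cisco-style syntax shown only for the shape of the rule, not 3Com configuration.

```python
"""Plan per-client subnets out of a few public /24s and derive the gateway
and ingress filter each router sub-interface needs.

Added example, not code from the thread. Addresses are RFC 5737
documentation ranges and the client list is constructed; the ACL lines are
generic Cisco-style syntax used only to show the shape of the rule."""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample pools standing in for the three routable class-C blocks.
POOLS: List[IPv4Net] = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample demand: client name -> usable host addresses paid for.
CLIENTS: Dict[str, int] = {
    "clientA": 100,
    "clientB": 50,
    "clientC": 20,
    "clientD": 10,
    "clientE": 5,
}

# Every subnet burns three addresses: network, broadcast and the gateway.
RESERVED_PER_SUBNET = 3


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix that still leaves `hosts` usable addresses after the
    three reserved ones; a /24 is the largest block this planner hands out."""
    needed = hosts + RESERVED_PER_SUBNET
    prefix, size = 30, 4
    while size < needed:
        if prefix == 24:
            raise ValueError(f"{hosts} hosts do not fit in a single /24")
        prefix -= 1
        size *= 2
    return prefix


def plan_subnets(pools: List[IPv4Net], clients: Dict[str, int]) -> Dict[str, IPv4Net]:
    """Variable-length allocation. Largest requests go first so smaller ones
    pack into the leftovers; each request takes the smallest free block that
    can hold it (best fit) and returns the unused remainder to the free list."""
    free: List[IPv4Net] = list(pools)
    plan: Dict[str, IPv4Net] = {}
    for name, hosts in sorted(clients.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        fits = [b for b in free if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free block left for {name} (/{prefix})")
        block = max(fits, key=lambda b: b.prefixlen)          # best fit
        chosen = IPv4Net((block.network_address, prefix))      # lowest aligned piece
        free.remove(block)
        free.extend(block.address_exclude(chosen))             # give back the rest
        plan[name] = chosen
    return plan


def ingress_allowed(src_ip: str, client_net: IPv4Net) -> bool:
    """The rule each client sub-interface enforces: a packet arriving from
    client X's VLAN must carry a source address inside client X's subnet."""
    return ipaddress.ip_address(src_ip) in client_net


def subinterface(name: str, vlan_id: int, net: IPv4Net) -> Dict[str, object]:
    """Everything the router sub-interface for one client needs."""
    gateway = net.network_address + 1   # first usable address is the gateway
    return {
        "client": name,
        "vlan": vlan_id,
        "network": str(net),
        "gateway": f"{gateway}/{net.prefixlen}",
        "usable_hosts": net.num_addresses - RESERVED_PER_SUBNET,
        # Illustrative Cisco-style extended ACL, applied inbound on the sub-interface.
        "ingress_acl": [
            f"permit ip {net.network_address} {net.hostmask} any",
            "deny ip any any",
        ],
    }


def usable_after_overhead(pools: List[IPv4Net], subnets: int) -> int:
    """Host addresses left once `subnets` subnets have each paid their
    network, broadcast and gateway addresses."""
    return sum(p.num_addresses for p in pools) - RESERVED_PER_SUBNET * subnets


if __name__ == "__main__":
    plan = plan_subnets(POOLS, CLIENTS)
    for vlan, (name, net) in enumerate(plan.items(), start=101):
        cfg = subinterface(name, vlan, net)
        print(f"{cfg['client']:8} vlan {cfg['vlan']}  {cfg['network']:18} gw {cfg['gateway']}")
        for line in cfg["ingress_acl"]:
            print("    ", line)
    print("hosts left for 20 subnets in three /24s:", usable_after_overhead(POOLS, 20))
```

Each subnet costs three addresses (network, broadcast, gateway), and `usable_after_overhead` makes that visible: twenty subnets carved from three /24s leave 708 host addresses, so a planner like this also tells you when the requested sizes no longer fit and another block is needed. The sub-interfaces are directly connected networks on the router, so no dynamic routing protocol is involved in the example; only the upstream needs a route for the blocks.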
LVL 2

Expert Comment

by: amaderog
ID: 24140749
3Com 4500 switches only support 4 VLAN interfaces.
I would use a 5500 or 4800 switch, which have 64 or 128 VLAN interfaces. This would make your core switch. You can set up ACLs on the core switch to block segments from seeing each other. You can also set up a DHCP server in it to assign addresses to each VLAN. The rest of the switches on the network can be layer 2 switches where you only need to create VLANs and assign them to ports.

We have a customer with a setup like this but with many more clients below him. Basically the same configuration, but with bigger switches that have more VLAN interfaces.

Author Comment

by: Teleswitch
ID: 24150812
I have been looking into using the ACLs to only allow a certain subnet across a port, but I cannot find out how to assign an ACL to a specific port. I found that it is possible to assign the ACL to a QoS policy and then assign the QoS policy to the port. The only catch is that the ACL is a two-part rule: allow the subnet & deny all else. When you create the QoS policy you have to define a traffic behavior for packets that match the ACL rules. This behavior is either permit or deny, and overrides any permit or deny statements in the ACL itself.

In the 5500 or 4800, is it possible to assign the ACL directly to the port?

Thanks for your help so far
LVL 11

Expert Comment

by: donmanrobb
ID: 24150851
Don't remember 3Com features off the top of my head, but can't you define a QoS policy that allows the proper network and drops all other packets?

Author Comment

by: Teleswitch
ID: 24150905
Nope, that is the problem. You can only have one "traffic behavior" filter. Very bad logic if you ask me.

Author Comment

by: Teleswitch
ID: 24150934
Basically, if a packet matches any part of the ACL you have to choose whether to deny or permit the packets, regardless of whether you specify to deny or permit it in the ACL.

Accepted Solution

by: Teleswitch (earned 0 total points)
ID: 24205127
Problem has been resolved.
The 4500G switch I was using did only support 10 (not 4) VLAN interfaces, but with the newest version of the firmware it now supports 64. No need to go and buy a new switch yet.
