  • Status: Solved
Subnetting multiple Class-C Networks for Security

We currently sell bandwidth/IP ranges to clients in our colocation. This network was set up before I was with the company, and currently we are not using any kind of subnetting. We have 3 class C IP ranges that are publicly routable, and IP addresses are just being handed out as needed. The problem has started to arise that people are "borrowing" IP addresses that they did not pay for, and belong to other clients. Since all blocks of IPs go out the default gateway of x.x.x.1 and have the default /24 mask, there is not really any way of stopping this.

We have 3 switches that the clients connect to, and then the main switch (3Com 4500) is connected to the uplink from our provider. I was going to create VLANs and VLAN interfaces for each client, but the main switch only supports 10 VLAN interfaces and we have 20 clients and growing. I am currently planning to stick a 3Com 5012 router in between our switch and the service provider's, and then create sub-interfaces for each subnet's gateway.

I was wondering how creating the subnets is handled in a situation like this? We are currently dealing with about 20 clients (all needing their own subnets) and 750 IP addresses.
Also, will it work to create the sub-interfaces on the router for each client, or do I need to set up any type of specific routing protocol?
I will be extremely grateful for any help on this! Thank you!
Asked: Teleswitch
1 Solution
donmanrobb commented:
If you're going to go the router route, I would recommend you make subinterfaces for each client and apply an access-list that permits only the client's IP range on each subinterface.

On the switch side, if the 3Com supports it you could use VLAN/MAC access-lists to help control IP assignments, but if the switch only supports 10 VLAN interfaces then it wouldn't be the best option.
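Added example, not code from the thread or from 3Com: a Python sketch of the two pieces the question and this answer describe, carving the three /24s into one subnet per client (largest requests first) and the per-subinterface source check that drops traffic from addresses outside the client's own range. The three prefixes and the client sizes are constructed; the thread does not name the real ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed sample input: three publicly routable /24s. Documentation (TEST-NET)
# prefixes stand in for the real ranges, which the thread never names.
PUBLIC_BLOCKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose subnet holds `hosts` client addresses plus the
    gateway on the router subinterface, the network address and the broadcast."""
    need = hosts + 3
    size, prefix = 4, 30
    while size < need:
        size, prefix = size * 2, prefix - 1
    return prefix


def allocate(clients: Dict[str, int],
             blocks: List[ipaddress.IPv4Network]) -> Dict[str, ipaddress.IPv4Network]:
    """VLSM carve-up: largest requests first, best fit from the free list, each block
    halved until it is exactly the size the client needs, so no two clients ever
    share a subnet. Raises instead of overlapping when the space runs out."""
    free = list(blocks)
    plan: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(clients.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        fits = [b for b in free if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free block can hold a /{prefix} for {name}")
        blk = max(fits, key=lambda b: b.prefixlen)  # tightest block that still fits
        free.remove(blk)
        while blk.prefixlen < prefix:
            blk, upper = blk.subnets(prefixlen_diff=1)
            free.append(upper)                      # keep the other half for later
        plan[name] = blk
    return plan


def gateway(subnet: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """First usable address: the x.x.x.1-style gateway on the client's subinterface."""
    return subnet.network_address + 1


def source_permitted(plan: Dict[str, ipaddress.IPv4Network], client: str, src_ip: str) -> bool:
    """Ingress filter on a client's subinterface: permit only sources inside that
    client's own subnet, so a 'borrowed' address from another block is dropped."""
    return ipaddress.ip_address(src_ip) in plan[client]
```

Each subnet costs three addresses (network, broadcast, gateway), so twenty subnets leave at most 708 usable addresses across three /24s, short of the 750 mentioned above; the allocator raises rather than overlapping subnets when that happens.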
amaderog commented:
3Com 4500 switches only support 4 vlan interfaces.
I would use a 5500 or 4800 switch which have 64 or 128 vlan interfaces. This would make your core switch. You can setup ACLs on the core switch to block segments from seeing each other. You can also setup dhcp server in it to assign addresses to each vlan. The rest of the switches on the network can be layer 2 switches where you only need to create vlans and assign them to ports.

We have a customer with a setup like this but with many more clients below him. Basically the same configuration but with bigger switches that have more vlan interfaces.
Teleswitch (author) commented:
I have been looking into using the ACLs to only allow a certain subnet across a port, but I cannot find out how to assign an ACL to a specific port. I found that it is possible to assign the ACL to a QoS policy and then assign the QoS policy to the port. The only problem is that the ACL is a two-part rule: allow the subnet and deny all else. When you create the QoS policy you have to define a traffic behavior for packets that match the ACL rules. This behavior is either permit or deny, and overrides any permit or deny statements in the ACL itself.

In the 5500 or 4800 is it possible to assign the ACL directly to the port?

Thanks for your help so far

donmanrobb commented:
Don't remember 3com features off the top of my head but can't you define a QoS policy that allows the proper network and drops all other packets?

Teleswitch (author) commented:
Nope, that is the problem. You can only have one "traffic behavior" filter. Very bad logic if you ask me.

Teleswitch (author) commented:
Basically, if a packet matches any part of the ACL you have to choose whether to deny or permit the packets, regardless of whether you specify to deny or permit it in the ACL.

Teleswitch (author) commented:
Problem has been resolved.
The 4500G switch I was using did only support 10 (not 4) VLAN interfaces, but with the newest version of the firmware it now supports 64. No need to go and buy a new switch yet.