Teleswitch asked:
Subnetting multiple Class-C Networks for Security

We currently sell bandwidth/IP ranges to clients in our colocation. This network was set up before I was with the company, and currently we are not using any kind of subnetting. We have 3 class C IP ranges that are publicly routable, and IP addresses are just being handed out as needed. The problem has started to arise that people are "borrowing" IP addresses that they did not pay for, and that belong to other clients. Since all blocks of IPs go out the default gateway of x.x.x.1 and have the default /24 mask, there is not really any way of stopping this.

We have 3 switches that the clients connect to, and then the main switch (3Com 4500) is connected to the uplink from our provider. I was going to create VLANs and VLAN interfaces for each client, but the main switch only supports 10 VLAN interfaces and we have 20 clients and growing. I am currently planning to put a 3Com 5012 router in between our switch and the service provider, and then create sub-interfaces for each subnet's gateway.

I was wondering how creating the subnets is handled in a situation like this? We are currently dealing with about 20 clients (all needing their own subnets) and 750 IP addresses.
Also, will it work to create the sub-interfaces on the router for each client, or do I need to set up any type of specific routing protocol?
I will be extremely grateful for any help on this! Thank you!
donmanrobb replied:
If you're going to go the router route, I would recommend you make subinterfaces for each client and apply an access-list that permits only the client's IP range on each subinterface.

On the switch side, if the 3Com supports it you could use VLAN/MAC access-lists to help control IP assignments, but if the switch only supports 10 VLAN interfaces then it wouldn't be the best option.
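As an added example (not code from this thread or from 3Com), the following Python sketch works through both points above: it carves per-client subnets out of three /24 blocks in the VLSM style the question asks about, derives each client's gateway and mask, and attaches the "permit only the client's own range, deny everything else" ingress rule donmanrobb recommends for each sub-interface. The address blocks are RFC 5737 documentation ranges standing in for the real ones, the client host counts are constructed, and the filter is expressed vendor-neutrally rather than in any switch or router CLI syntax.

```python
import ipaddress

# Constructed sample: three public /24 blocks (RFC 5737 documentation ranges
# stand in for the real ones) and the host counts each client has paid for.
PUBLIC_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
CLIENTS = {"client-a": 100, "client-b": 50, "client-c": 30,
           "client-d": 10, "client-e": 5, "client-f": 2}

def prefix_for(hosts):
    """Smallest prefix whose range holds `hosts` plus gateway, network, broadcast."""
    needed = hosts + 1 + 2
    prefix = 32
    while (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix

def allocate(blocks, clients):
    """VLSM allocation: largest clients first, first-fit from the free /24 space."""
    free = [ipaddress.ip_network(b) for b in blocks]
    plan = {}
    for name, hosts in sorted(clients.items(), key=lambda kv: -kv[1]):
        plen = prefix_for(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= plen:
                subnet = next(block.subnets(new_prefix=plen))
                # return whatever is left of the block to the free list
                free[i:i + 1] = sorted(block.address_exclude(subnet))
                break
        else:
            raise ValueError(f"no free space for {name} (/{plen})")
        plan[name] = {
            "subnet": subnet,
            "gateway": subnet.network_address + 1,   # first usable address
            "netmask": subnet.netmask,
            # ingress filter for this client's sub-interface (vendor neutral):
            "ingress": [("permit", subnet),
                        ("deny", ipaddress.ip_network("0.0.0.0/0"))],
        }
    return plan

def check_no_overlap(plan):
    nets = [c["subnet"] for c in plan.values()]
    return not any(a.overlaps(b) for a in nets for b in nets if a is not b)

def source_allowed(plan, name, src):
    """Would the sub-interface filter for `name` admit a packet sourced from `src`?"""
    for action, net in plan[name]["ingress"]:
        if ipaddress.ip_address(src) in net:
            return action == "permit"
    return False
```

A packet from a "borrowed" address that belongs to another client's block is dropped at the sub-interface because it matches only the final deny entry.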
amaderog replied:
3Com 4500 switches only support 4 VLAN interfaces.
I would use a 5500 or 4800 switch, which have 64 or 128 VLAN interfaces. This would be your core switch. You can set up ACLs on the core switch to block segments from seeing each other. You can also set up a DHCP server in it to assign addresses to each VLAN. The rest of the switches on the network can be layer 2 switches where you only need to create VLANs and assign them to ports.

We have a customer with a setup like this but with many more clients below him. Basically the same configuration, but with bigger switches that have more VLAN interfaces.
Teleswitch (asker) replied:
I have been looking into using the ACLs to only allow a certain subnet across a port, but I cannot find out how to assign an ACL to a specific port. I found that it is possible to assign the ACL to a QoS policy and then assign the QoS policy to the port. The only problem is that the ACL is a two-part rule: allow the subnet and deny all else. When you create the QoS policy you have to define a traffic behavior for packets that match the ACL rules. This behavior is either permit or deny, and it overrides any permit or deny statements in the ACL itself.

In the 5500 or 4800, is it possible to assign the ACL directly to the port?

Thanks for your help so far
Don't remember 3Com features off the top of my head, but can't you define a QoS policy that allows the proper network and drops all other packets?

Teleswitch (asker) replied:

Nope, that is the problem. You can only have one "traffic behavior" filter. Very bad logic if you ask me.
Basically, if a packet matches any part of the ACL you have to choose whether to deny or permit the packets, regardless of whether you specify to deny or permit it in the ACL.