Distribute Internet to Multiple Tenants

Posted on 2012-04-13
Last Modified: 2016-01-15
I need to provide internet connectivity for multiple tenants (about 70) of a building that will be sharing one large internet connection.  Every tenant needs to have their own public IP address, which we will assign from the block given by the ISP.  The ISP is providing a copper layer 2 handoff.

Due to wiring constraints (distance, cost), we have to use coax cable to each unit.  The coax goes to an endpoint device in each unit, which then converts back to CAT5 ethernet.  The coax cables get aggregated back to master units, which would then go to an ethernet switch (haven't purchased one yet).

I am trying to figure out how to isolate the tenants from each other.  I don't see what prevents a tenant from misconfiguring their router, possibly using the IP address given to a different tenant.  Even worse, I don't see what stops someone from connecting a laptop and ARP spoofing the gateway and sniffing everyone's traffic.  In reality, this probably won't happen, but the fact that it could gives me pause.

What can I do to prevent this possibility?  I was thinking of a layer 3 switch and VLANs, but I'm not entirely sure how I would apply it.  The coax endpoint units (in the tenants' offices) can supposedly handle VLANs.

Any suggestions regarding either design or equipment? Thanks.
Question by:ds1010
16 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37844814
If the tenants all have public IP addresses as you say then they would generally not be separable.  After all, that's the purpose of a public address.  Anyone can reach/see them.  If not then it's a waste of public addresses and probably money.
That means they can reach each other just as well as Yahoo!

Is there something I don't understand about this?
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 37844820
 

Author Comment

by:ds1010
ID: 37844858
What I mean is that all of the tenants would be sharing the same layer 2 broadcast domain in the switch.

For instance, if the public IP block given by the ISP was 10.10.10.0/25, I would have 126 usable IP addresses, minus one for the gateway.  If the gateway was 10.10.10.1 and I started giving out the addresses as follows:

Tenant 1: 10.10.10.10
Tenant 2: 10.10.10.11
Tenant 3: 10.10.10.12
Tenant 4: 10.10.10.13
etc....

The potential problem that I see is that I cannot prevent Tenant 1 from configuring their router with Tenant 4's IP address.  This could cause problems.  While it isn't guaranteed to happen, it could.

The other problem is that Tenant 4 could connect a laptop and would then be directly connected to the broadcast domain.  He could then ARP spoof the gateway, redirecting everyone's traffic through him.  Again, while this probably won't happen, it could.

How can I limit certain endpoints to only be able use public IPs assigned to them? Also, how can I eliminate the possibility of ARP spoofing and/or other shenanigans?

I'm curious how other people would handle this type of deployment.  Am I just being paranoid?
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37844948
Those addresses are private addresses.  So there is no public address waste and likely no cost involved beyond the pipe.  
It's a little odd but not unheard of for the ISP to provide you with a private subnet.
It's more common for the ISP's *modem* or *router* on your site to do that.

Since they are all private addresses you may be able to deal with the situation as shown in the paper.  That will require 70 routers plus one.

So, you have 10.10.10.0/25
I will assume you have a router with address 10.10.0.1
So, at each tenant site set up a router with NAT using:
10.0.0.0/24 on the LAN side.
So there's no confusion and so that you can implement communication between tenants when needed, use different subnets on the LANs:
10.0.1.0/24
10.0.2.0/24
.....
10.0.69.0/24
Multiple-Subnets.pdf
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37844959
And, of course, you'll need 80 switch ports or so at the central connection point to distribute to the tenants.  
You could put the 70 routers right there also.
That will depend on who will be responsible for them.
If it's you then I'd put them in one room.
If it's them then I'd have them provide or maintain and certainly house them.
 

Author Comment

by:ds1010
ID: 37845071
Fmarshall,

The 10.10.10.0 network I used in my earlier comment was just for illustration purposes as an example.  Assume that it is a public IP range.

Sorry for the confusion.
 
LVL 26

Accepted Solution

by:
Fred Marshall earned 1000 total points
ID: 37845233
Well, either way.
You might do this then:

Bring in the internet connection according to the ISP requirements.  Either a router or a switch.  If a router, follow it with a switch.  Still 80 ports.
No need that I can see for separation with them being public.
But each tenant will want to have their own firewall.  That could be a router, which is very typical on a public address to NAT and provide private addresses.
So it really isn't much different except their publicly-addressed devices will be accessible as they no doubt want.  But routers need not be all that accessible except as a port into the rest of the network, as in an internet gateway.
 
LVL 11

Assisted Solution

by:Khandakar Ashfaqur Rahman
Khandakar Ashfaqur Rahman earned 1000 total points
ID: 37845347
You could go for VLAN.
You need a Layer 3 switch, but what are you thinking? A separate VLAN for each user?
Which router are you using?

Well, ARP spoofing is really annoying and could mess up the network. My easiest suggestion would be to block ICMP only into the gateway address.
Another way is making each client's ARP entry static in your router. But it's not applicable if the client has multiple computers and they connect directly to the cable.
 
LVL 20

Expert Comment

by:agonza07
ID: 37846691
Yup, looks like you'll need firewalls/router for each tenant.

Private VLANs are what you are looking for. I think this is similar to what ISPs use.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
 

Author Comment

by:ds1010
ID: 37852578
@fmarshall: Every tenant would have their own router, that's a given.  The issue I am trying to resolve is how to make sure that a tenant is only able to use the public IP address that is given to them.  Otherwise someone could accidentally misconfigure their router and end up using another tenant's IP address. This would create connection issues for both tenants.

@rigan123: We haven't purchased any equipment yet, this is still in the planning phase.  I am thinking about a separate VLAN for each user.  If I do that, does that mean that I have to chop up the address space into /30 subnets?  If so, that seems like it would be a huge waste of IPs.

@agonza07: Thanks for the link. I'm going to read through that now.
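As an added example, not taken from the thread or from the Cisco note agonza07 linked, here is what the private VLAN approach looks like on a Catalyst 3560/3750-class switch. It assumes one tenant coax endpoint per switch port, VLAN IDs 100 and 101, Gi1/0/48 as the ISP uplink and Gi1/0/1-47 as tenant ports; those are assumptions, not details from the thread. The point for the /30 question is that every tenant stays in the one public /25 the ISP hands off, while isolated ports cannot exchange frames with each other, only with the promiscuous uplink.

```cisco
! Added example: Catalyst 3560/3750-class switch (assumed platform).
! Private VLANs require the switch to be in VTP transparent mode.
vtp mode transparent
!
! One primary VLAN carries the whole public block the ISP handed off.
! One isolated secondary VLAN holds every tenant port: isolated ports
! can only exchange frames with the promiscuous port, never with each
! other, so all 70 tenants stay in the same /25 without /30 carving.
vlan 101
 name TENANTS-ISOLATED
 private-vlan isolated
vlan 100
 name ISP-PUBLIC-BLOCK
 private-vlan primary
 private-vlan association 101
!
! Uplink toward the ISP handoff / default gateway (port number assumed).
interface GigabitEthernet1/0/48
 description ISP layer-2 handoff
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Tenant ports, one coax endpoint per port (assumed). Repeat for the
! other stack members until all ~70 endpoints are covered.
interface range GigabitEthernet1/0/1 - 47
 description tenant coax endpoint
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Checks:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/1 switchport | include private-vlan
```

Three caveats. Isolated ports block tenant-to-tenant frames, ARP included, so one tenant cannot poison another tenant's ARP cache, but nothing here stops a tenant from claiming another tenant's address (or the gateway's) toward the ISP router; that needs per-port IP/MAC bindings enforced by DHCP snooping, Dynamic ARP Inspection and IP Source Guard. If a coax master unit aggregates several tenants onto one switch port, the switch sees them as one host and cannot separate them, so the isolation then has to happen in the coax system (per-tenant VLAN tags on the endpoints) or through a per-tenant port on the master unit. And tenants who genuinely need to talk to each other can only do so if the gateway proxy-ARPs or routes between them.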
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37853769
Ds1010,

That's why I asked you the question.

The way I mentioned (blocking ICMP into the gateway) could protect you from ARP spoofing.
There might be some manageable switches (like Cisco, HP ProCurve, 3Com, etc.) that have a Port Isolation option which could isolate users within the same address range. That could also help you to resolve the issue. Just find out the suitable one.

For buying a router I could suggest you buy Mikrotik (RouterBoard OS). It's cheap and has wonderful performance too.
http://routerboard.com/
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37854001
Maybe the routers should be centrally located and managed then..... ??

Or maybe the routers should be set up for DHCP and fed by MAC address reserved IP addresses.  That will take care of any "mistakes".  You just need to have a master router that will do DHCP with public addresses.  Some commodity routers won't.  And you will want to make sure that the reserved pool can be large enough to meet your needs.  Likely that won't be an issue but I can imagine such pools being of size "32" or "64" just because.
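Fred Marshall's MAC-reserved DHCP and Khandakar Ashfaqur Rahman's static ARP entries both try to pin one address to one tenant. A managed switch can enforce that pinning at the port itself, which also covers the case Khandakar raised of a laptop plugged straight into the coax endpoint. The following Catalyst 3560/3750-style configuration is an added example, not from the thread or from any vendor document: a static binding table (port, VLAN, MAC, IP) that Dynamic ARP Inspection uses to drop ARP packets whose sender IP/MAC does not match the port, and that IP Source Guard uses to drop IP packets from an address not bound to the port. VLAN 100, the 203.0.113.0/25 block with gateway .1, the MAC addresses and the port numbers are all made-up assumptions.

```cisco
! Added example: Catalyst 3560/3750-class switch (assumed platform).
! Both features below read the DHCP snooping binding table, so snooping
! is enabled even though the bindings here are entered by hand.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Dynamic ARP Inspection: an ARP packet from an untrusted port is dropped
! unless its sender IP/MAC matches a binding for that port.  A tenant
! claiming the gateway's address (gratuitous ARP for 203.0.113.1) fails.
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! Static bindings: one public address and one MAC per tenant port.
! MACs and addresses are made up; the block and gateway .1 are assumed.
ip source binding 0011.2233.4401 vlan 100 203.0.113.10 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4402 vlan 100 203.0.113.11 interface GigabitEthernet1/0/2
ip source binding 0011.2233.4403 vlan 100 203.0.113.12 interface GigabitEthernet1/0/3
ip source binding 0011.2233.4404 vlan 100 203.0.113.13 interface GigabitEthernet1/0/4
!
! ISP-facing port: trusted, otherwise the gateway's own ARP replies and
! any DHCP offers would be dropped.
interface GigabitEthernet1/0/48
 description ISP layer-2 handoff
 switchport mode access
 switchport access vlan 100
 ip dhcp snooping trust
 ip arp inspection trust
!
! Tenant ports: IP Source Guard drops IP packets whose source IP/MAC is
! not bound to the port, so Tenant 1 configured with Tenant 4's address
! gets no traffic through.  Port security is required for the MAC check.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip verify source port-security
 ip arp inspection limit rate 15
!
! Checks:
!   show ip source binding
!   show ip verify source
!   show ip arp inspection statistics vlan 100
```

With this in place, a router on Gi1/0/1 configured with 203.0.113.13 has its IP traffic dropped and the mismatch is visible in show ip verify source, and a gratuitous ARP from any tenant port claiming 203.0.113.1 fails inspection and is counted in show ip arp inspection statistics, which is also where to look first for a misconfigured tenant. The administrative price is that a tenant who swaps routers needs the binding updated; that is exactly the enforcement the question asked for, so it has to be budgeted as ongoing work.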
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37854053
Fmarshall,

Author wants security for his clients. Maybe the most important thing is: each client should be separated from the others so that none can ping each other. Otherwise, anyone could attempt to access others' computers or do spoofing. For that case, it needs Switchport Isolation or VLAN. But VLAN needs more IPs and it'd take time to completely configure for all clients.
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37854182
If a device is accessible on the internet then it's accessible.  I don't see the difference between having a public address on the same switch and having a public address in Bangladesh.  They are all interconnected by design.

Security of the clients depends on the individual firewalls and that's all there is to it.  So, reserved public IP addresses by DHCP seems a good way to go.  How do you prevent someone in Bangladesh from using one of your public IP addresses?  Usually by virtue of ISP subnets, but that's all, isn't it?