Solved

Distribute Internet to Multiple Tenants

Posted on 2012-04-13
Last Modified: 2016-01-15
I need to provide internet connectivity for multiple tenants (about 70) of a building that will be sharing one large internet connection.  Every tenant needs to have their own public IP address, which we will assign from the block given by the ISP.  The ISP is providing a copper layer 2 handoff.

Due to wiring constraints (distance, cost), we have to use coax cable to each unit.  The coax goes to an endpoint device in each unit, which then converts back to CAT5 ethernet.  The coax cables get aggregated back to master units, which would then go to an ethernet switch (haven't purchased one yet).

I am trying to figure out how to isolate the tenants from each other.  I don't see what prevents a tenant from misconfiguring their router, possibly using the IP address given to a different tenant.  Even worse, I don't see what stops someone from connecting a laptop and ARP spoofing the gateway and sniffing everyone's traffic.  In reality, this probably won't happen, but the fact that it could gives me pause.

What can I do to prevent this possibility?  I was thinking of a layer 3 switch and VLANs, but I'm not entirely sure how I would apply it.  The coax endpoint units (in the tenants' offices) can supposedly handle VLANs.

Any suggestions regarding either design or equipment? Thanks.
Question by:ds1010
16 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 37844814
If the tenants all have public IP addresses as you say then they would generally not be separable.  After all, that's the purpose of a public address.  Anyone can reach/see them.  If not then it's a waste of public addresses and probably money.
That means they can reach each other just as well as Yahoo!

Is there something I don't understand about this?
 
LVL 39

Expert Comment

by:Kyle Abrahams
ID: 37844820
 

Author Comment

by:ds1010
ID: 37844858
What I mean is that all of the tenants would be sharing the same layer 2 broadcast domain in the switch.

For instance, if the public IP block given by the ISP was 10.10.10.0/25, I would have 126 usable IP addresses, minus one for the gateway.  If the gateway was 10.10.10.1 and I started giving out the addresses as follows:

Tenant 1: 10.10.10.10
Tenant 2: 10.10.10.11
Tenant 3: 10.10.10.12
Tenant 4: 10.10.10.13
etc....

The potential problem that I see is that I cannot prevent Tenant 1 from configuring their router with Tenant 4's IP address.  This could cause problems.  While it isn't guaranteed to happen, it could.

The other problem is that Tenant 4 could connect a laptop and would then be directly connected to the broadcast domain.  He could then ARP spoof the gateway, redirecting everyone's traffic through him.  Again, while this probably won't happen, it could.

How can I limit certain endpoints to only be able to use the public IPs assigned to them? Also, how can I eliminate the possibility of ARP spoofing and/or other shenanigans?

I'm curious how other people would handle this type of deployment.  Am I just being paranoid?
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 37844948
Those addresses are private addresses.  So there is no public address waste and likely no cost involved beyond the pipe.  
It's a little odd but not unheard of for the ISP to provide you with a private subnet.
It's more common for the ISP's *modem* or *router* on your site to do that.

Since they are all private addresses you may be able to deal with the situation as shown in the attached paper.  That will require 70 routers plus one.

So, you have 10.10.10.0/25
I will assume you have a router with address 10.10.0.1
So, at each tenant site set up a router with NAT using:
10.0.0.0/24 on the LAN side.
So there's no confusion and so that you can implement communication between tenants when needed, use different subnets on the LANs:
10.0.1.0/24
10.0.2.0/24
.....
10.0.69.0/24
Multiple-Subnets.pdf
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 37844959
And, of course, you'll need 80 switch ports or so at the central connection point to distribute to the tenants.  
You could put the 70 routers right there also.
That will depend on who will be responsible for them.
If it's you then I'd put them in one room.
If it's them then I'd have them provide or maintain and certainly house them.
 

Author Comment

by:ds1010
ID: 37845071
Fmarshall,

The 10.10.10.0 network I used in my earlier comment was just for illustration purposes as an example.  Assume that it is a public IP range.

Sorry for the confusion.
 
LVL 25

Accepted Solution

by:Fred Marshall
Fred Marshall earned 250 total points
ID: 37845233
Well, either way.
You might do this then:

Bring in the internet connection according to the ISP requirements.  Either a router or a switch.  If a router, follow it with a switch.  Still 80 ports.
No need that I can see for separation with them being public.
But each tenant will want to have their own firewall.  That could be a router, which is very typical on a public address to NAT and provide private addresses.
So it really isn't much different except their publicly-addressed devices will be accessible as they no doubt want.  But routers need not be all that accessible except as a port into the rest of the network .. as in an internet gateway.
 
LVL 11

Assisted Solution

by:Khandakar Ashfaqur Rahman
Khandakar Ashfaqur Rahman earned 250 total points
ID: 37845347
You could go for VLANs.
You need a Layer 3 switch, but what are you thinking? A separate VLAN for each user?
Which router are you using?

Well, ARP spoofing is really annoying and could mess up the network. My easiest suggestion would be to block ICMP only into the gateway address.
Another way is making each client's ARP entry static in your router. But it's not applicable if a client has multiple computers and they connect directly to the cable.
 
LVL 20

Expert Comment

by:agonza07
ID: 37846691
Yup, looks like you'll need firewalls/router for each tenant.

Private VLANs are what you are looking for. I think this is similar to what ISPs use.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
 

Author Comment

by:ds1010
ID: 37852578
@fmarshall: Every tenant would have their own router, that's a given.  The issue I am trying to resolve is how to make sure that a tenant is only able to use the public IP address that is given to them.  Otherwise someone could accidentally misconfigure their router and end up using another tenant's IP address. This would create connection issues for both tenants.

@rigan123: We haven't purchased any equipment yet, this is still in the planning phase.  I am thinking about a separate VLAN for each user.  If I do that, does that mean that I have to chop up the address space into /30 subnets?  If so, that seems like it would be a huge waste of IPs.

@agonza07: Thanks for the link. I'm going to read through that now.
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37853769
Ds1010,

That's why I asked you the question.

The way I mentioned (blocking ICMP into the gateway) could protect you from ARP spoofing.
There might be some manageable switches (like Cisco, HP ProCurve, 3Com etc.) that have a Port Isolation option which could isolate users within the same address range. That also could help you to resolve the issue. Just find out the suitable one.

For buying a router I could suggest you buy a Mikrotik (RouterBoard OS). It's cheap and has wonderful performance too.
http://routerboard.com/
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 37854001
Maybe the routers should be centrally located and managed then..... ??

Or maybe the routers should be set up for DHCP and fed by MAC address reserved IP addresses.  That will take care of any "mistakes".  You just need to have a master router that will do DHCP with public addresses.  Some commodity routers won't.  And you will want to make sure that the reserved pool can be large enough to meet your needs.  Likely that won't be an issue but I can imagine such pools being of size "32" or "64" just because.
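As an added example (not from any participant in this thread), here is the binding check that sits behind Fred's MAC-reserved-address idea and the ARP spoofing concern raised earlier: once every tenant has a known router MAC and an assigned address, every ARP announcement on the shared segment can be compared against that table, and anything that disagrees is either a misconfigured tenant using someone else's address or a device answering for the gateway. This is the same logic a managed switch applies with DHCP snooping plus Dynamic ARP Inspection; the tenant names, MACs and observed ARP pairs below are constructed, using the poster's illustrative 10.10.10.0/25 block.

```python
# Constructed reservation table for the poster's illustrative 10.10.10.0/25
# block: tenant -> (router MAC, assigned public IP). All MACs are made up.
GATEWAY_IP = "10.10.10.1"
GATEWAY_MAC = "00:00:5e:00:01:01"
RESERVATIONS = {
    "tenant1": ("02:00:00:00:00:10", "10.10.10.10"),
    "tenant2": ("02:00:00:00:00:11", "10.10.10.11"),
    "tenant3": ("02:00:00:00:00:12", "10.10.10.12"),
    "tenant4": ("02:00:00:00:00:13", "10.10.10.13"),
}

# Constructed (sender MAC, sender IP) pairs as they would be read from ARP
# replies / gratuitous ARPs on the shared segment: two legitimate, three bad.
SAMPLE_OBSERVATIONS = [
    ("02:00:00:00:00:10", "10.10.10.10"),  # tenant1, correct
    ("00:00:5e:00:01:01", "10.10.10.1"),   # the real gateway
    ("02:00:00:00:00:13", "10.10.10.10"),  # tenant4 misconfigured with tenant1's IP
    ("02:00:00:00:00:11", "10.10.10.1"),   # tenant2 answering for the gateway
    ("02:00:00:00:00:ff", "10.10.10.50"),  # unknown device, unassigned address
]

def expected_bindings():
    """IP -> MAC map that every ARP announcement on the segment must match."""
    bindings = {GATEWAY_IP: GATEWAY_MAC}
    for mac, ip in RESERVATIONS.values():
        bindings[ip] = mac
    return bindings

def check_arp(observations, bindings=None):
    """Return (kind, offender, mac, ip) for each announcement that violates the
    bindings; kind is 'gateway-spoof', 'ip-conflict' or 'unassigned-ip'."""
    bindings = bindings if bindings is not None else expected_bindings()
    tenant_by_mac = {mac: name for name, (mac, _ip) in RESERVATIONS.items()}
    alerts = []
    for mac, ip in observations:
        expected_mac = bindings.get(ip)
        if expected_mac == mac:
            continue  # announcement agrees with the reservation table
        offender = tenant_by_mac.get(mac, "unknown")
        if expected_mac is None:
            kind = "unassigned-ip"      # nobody was given this address
        elif ip == GATEWAY_IP:
            kind = "gateway-spoof"      # someone else claiming the gateway IP
        else:
            kind = "ip-conflict"        # a tenant using another tenant's IP
        alerts.append((kind, offender, mac, ip))
    return alerts
```

Run over the constructed observations this flags tenant4's address conflict, tenant2's gateway claim and the unknown device, while the two legitimate announcements pass silently.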
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37854053
Fmarshall,

The author wants security for his clients. Perhaps the most important thing is: each client should be separated from the others so that none can ping each other. Otherwise, anyone could attempt to access others' computers or spoof them. For that case, it needs switchport isolation or VLANs. But VLANs need more IPs and it'd take time to completely configure them for all clients.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 37854182
If a device is accessible on the internet then it's accessible.  I don't see the difference between having a public address on the same switch and having a public address in Bangladesh.  They are all interconnected by design.

Security of the clients depends on the individual firewalls and that's all there is to it.  So, reserved public IP addresses by DHCP seems a good way to go.  How do you prevent someone in Bangladesh from using one of your public IP addresses?  Usually by virtue of ISP subnets, but that's all, isn't it?