Security on Router to share Internet Bandwidth?

Discussion in 'Cisco' started by Ned, May 7, 2010.

  1. Ned

    Ned Guest

    I have 10mb bandwidth I want to share between various customers. I
    have been able to "traffic shape" my switch ports to ensure the
    connected customer only receives their allocated bandwidth. I have
    also split up my public IP range on my router with static routes
    pointing to the customer routers/firewalls. However, the problem is
    that my router "inside" connection is in the same subnet as all the
    customer devices and they all connect into my VLAN 1 on my switch. I
    have tried using a "trunk" from switch to router with sub Interfaces
    but the router sub interfaces would all be in the same subnet, so this
    is not allowed. Is there any way to keep the customers from being able
    to PING or attack other IP addresses on the same subnet as my VLAN 1?
    Public address allocation: 43.43.1.0 / 26 giving me: 43.43.1.1 to
    43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used
    static routes to point to the customer routers as:
    ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
    ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)
    Now customer A & B and my Router interface are all in the same subnet
    - how can I prevent them PINGing or attacking each other?
    TIA, Ned
     
    Ned, May 7, 2010
    #1

  2. Ned

    Rob Guest

    Why don't you put each customer in a separate subnet?
    Because that wastes so many addresses, maybe?
     
    Rob, May 7, 2010
    #2

  3. Ned

    Ned Guest

    On 7 May, 17:12, Rob <> wrote:
    > Why don't you put each customer in a separate subnet?
    > Because that wastes so many addresses, maybe?


    Thanks Rob. Do you mean putting sub interfaces on my router, and each
    sub interface has an address on the customer assigned subnet
    e.g. for customer A my subinterface would be 43.43.1.17 and their
    router/firewall would be 43.43.1.18.
    Is that what you mean? Would that work? It would use up one address
    per customer but I could live with that...
     
    Ned, May 7, 2010
    #3
  4. Ned

    Rob Guest

    Ned <> wrote:
    > On 7 May, 17:12, Rob <> wrote:
    >> Why don't you put each customer in a separate subnet?
    >> Because that wastes so many addresses, maybe?

    >
    > Thanks Rob, Do you mean putting sub interfaces on my router, and each
    > sub interface has an address on the customer assigned subnet
    > e.g. for customer A my subinterface would be 43.43.1.17 and their
    > router/firewall would be 43.43.1.18.
    > Is that what you mean? Would that work? It would use up one address
    > per customer but I could live with that...


    Yes that is what I mean. But you would use 4 addresses per customer
    at minimum because the subnet you use for the above two addresses
    would extend from 43.43.1.16 to 43.43.1.19.
    (and the addresses 43.43.1.16 and 43.43.1.19 are unusable)

    So your 64-address internet range could be split for 16 customers.

    Each of them gets a separate VLAN and a separate subinterface, and you
    can configure all of them with separate traffic shaping, and access
    lists so that they can't communicate with each other.
    (although the usefulness of that is a bit beyond me)
     
    Rob, May 7, 2010
    #4
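The address arithmetic Rob describes above (four addresses per /30, two of them unusable, sixteen customers out of a /26) and the reason the original design puts every customer on one shared segment can both be checked with a short script. This is an added example, not code from the thread; it uses only Python's standard `ipaddress` module, and the /30 link subnets, router/customer address assignment and the two "link" lists are assumptions that mirror the addresses the posters used.

```python
import ipaddress

# Added example (not from the thread). Models Rob's proposal: carve the
# 43.43.1.0/26 allocation into one point-to-point subnet per customer, and
# show why Ned's original design put every customer on one shared segment.


def carve_customer_subnets(allocation, new_prefix=30):
    """Split an allocation into equal per-customer subnets.

    Each /30 yields two usable addresses: the lower one is assumed to be the
    provider's router subinterface, the upper one the customer's
    router/firewall. Network and broadcast addresses are listed so the
    reader can see which two of the four are unusable.
    """
    block = ipaddress.ip_network(allocation, strict=True)
    plan = []
    for sub in block.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast for a /30
        plan.append({
            "subnet": str(sub),
            "network": str(sub.network_address),
            "router": str(hosts[0]),
            "customer": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
        })
    return plan


def customers_per_segment(links):
    """Group customer next hops by the router subnet they sit in.

    links: iterable of (router_interface_cidr, customer_next_hop) pairs.
    Returns {subnet: [next hops]} only for subnets carrying more than one
    customer, i.e. where customers share a broadcast domain with each
    other as well as with the provider router. Raises if a next hop is not
    inside the interface subnet it was paired with, because such a static
    route would never be installed.
    """
    by_subnet = {}
    for iface_cidr, next_hop in links:
        iface = ipaddress.ip_interface(iface_cidr)
        hop = ipaddress.ip_address(next_hop)
        if hop not in iface.network:
            raise ValueError(f"next hop {hop} is not on {iface.network}")
        by_subnet.setdefault(str(iface.network), []).append(str(hop))
    return {net: hops for net, hops in by_subnet.items() if len(hops) > 1}


if __name__ == "__main__":
    plan = carve_customer_subnets("43.43.1.0/26")
    print(f"{len(plan)} customer subnets")
    for entry in plan:
        print(entry)

    # Ned's original design: router 43.43.1.1/28 with both customer routers
    # (43.43.1.2 and 43.43.1.3) as next hops on that same segment.
    original = [("43.43.1.1/28", "43.43.1.2"), ("43.43.1.1/28", "43.43.1.3")]
    print("shared segments, original:", customers_per_segment(original))

    # Rob's design: one /30 and one router subinterface per customer
    # (constructed addresses following the /30 plan above).
    proposed = [("43.43.1.17/30", "43.43.1.18"), ("43.43.1.21/30", "43.43.1.22")]
    print("shared segments, proposed:", customers_per_segment(proposed))
```

Running it prints sixteen /30 entries, flags `43.43.1.0/28` as carrying two customers in the original design, and flags nothing in the per-customer design, where the only other device on each router subinterface's segment is that customer's own router. Separate subnets on their own are only a start: the provider router still routes between customer subnets, so the per-subinterface access lists Rob mentions are what actually stop customer A reaching customer B.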
  5. Ned

    Ned Guest

    On 7 May, 18:35, Rob <> wrote:
    > Ned <> wrote:
    > > On 7 May, 17:12, Rob <> wrote:
    > >> Why don't you put each customer in a separate subnet?
    > >> Because that wastes so many addresses, maybe?

    >
    > > Thanks Rob, Do you mean putting sub interfaces on my router, and each
    > > sub interface has an address on the customer assigned subnet
    > > e.g. for customer A my subinterface would be 43.43.1.17 and their
    > > router/firewall would be 43.43.1.18.
    > > Is that what you mean? Would that work? It would use up one address
    > > per customer but I could live with that...

    >
    > Yes that is what I mean.  But you would use 4 addresses per customer
    > at minimum because the subnet you use for the above two addresses
    > would extend from 43.43.1.16 to 43.43.1.19.
    > (and the addresses 43.43.1.16 and 43.43.1.19 are unusable)
    >
    > So your 64-address internet range could be split for 16 customers.
    >
    > Each of them gets a separate VLAN and a separate subinterface, and you
    > can configure all of them with separate traffic shaping, and access
    > lists so that they can't communicate with eachother.
    > (although the usefulness of that is a bit beyond me)


    My router is 43.43.1.1, I had originally configured my router with
    static routes to each customer subnet -
    ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
    ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)
    - so my router, router customer A (43.43.1.2) & router customer B
    (43.43.1.3) are all on the same VLAN - I was advised that this design
    isn't standard and asked to look at putting customer connections into
    separate VLANs.
     
    Ned, May 7, 2010
    #5
  6. Ned

    Morph Guest

    In the message
    <> Ned
    wrote:

    | I have 10mb bandwidth I want to share between various customers. I
    | have been able to "traffic shape" my switch ports to ensure the
    | connected customer only receives their allocated bandwidth. I have
    | also split up my public IP range on my router with static routes
    | pointing to the customer routers/firewalls. However, the problem is
    | that my router "inside" connection is in the same subnet as all the
    | customer devices and they all connect into my VLAN 1 on my switch. I
    | have tried using a "trunk" from switch to router with sub Interfaces
    | but the router sub interfaces would all be in the same subnet, so this
    | is not allowed. is there any way to keep the customers from being able
    | to PING or attack other IP addresses on the same subnet as my VLAN 1 ?
    | Public address allocation: 43.43.1.0 / 26 giving me: 43.43.1.1 to
    | 43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used
    | static routes to point to the customer routers as:
    | ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
    | ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)
    | Now customer A & B and my Router interface are all in the same subnet
    | - how can I prevent them PINGing or attacking each other?
    | TIA, Ned

    What kind of switch do you have?
    How about using Private VLAN to isolate the traffic, allowing each
    customer to only be able to send data to one uplink port but not between
    each other.
    http://blog.ine.com/2008/01/31/understanding-private-vlans/
    http://www.cisco.com/en/US/docs/swi.../12.2_25_see/configuration/guide/swpvlan.html
     
    Morph, May 7, 2010
    #6
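Morph's suggestion is a layer-2 answer: a private VLAN keeps the customers in one subnet but lets each isolated port exchange frames only with the promiscuous uplink port. The following script is an added example, not code from the thread or from Cisco; it models the private VLAN forwarding rules (promiscuous, isolated and community ports) so you can check which port pairs can exchange frames before touching a switch. Port names, roles and the "custC" community are constructed for illustration.

```python
# Added example (not from the thread): a model of private VLAN forwarding
# rules, showing the separation isolated ports give. The port layout is
# constructed for illustration and does not come from the thread.

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


def pvlan_forwards(ports, src, dst):
    """Return True if a frame arriving on port `src` may be delivered to `dst`.

    ports maps a port name to (role, community_name); community_name is
    None for promiscuous and isolated ports. Rules modelled:
      - a promiscuous port (the uplink to the provider router) exchanges
        frames with every port in the private VLAN;
      - an isolated port exchanges frames only with promiscuous ports, never
        with other isolated ports or with community ports;
      - a community port exchanges frames with promiscuous ports and with
        ports in the same community.
    """
    if src == dst:
        return False
    src_role, src_comm = ports[src]
    dst_role, dst_comm = ports[dst]
    if PROMISCUOUS in (src_role, dst_role):
        return True
    if src_role == COMMUNITY and dst_role == COMMUNITY and src_comm == dst_comm:
        return True
    return False


def reachability(ports):
    """Full matrix {src: sorted reachable dst ports}, handy for reviewing a design."""
    return {p: sorted(q for q in ports if pvlan_forwards(ports, p, q)) for p in ports}


# Constructed sample layout: router uplink, two isolated customer ports and a
# two-port community for a customer with two devices on the same switch.
SAMPLE_PORTS = {
    "Gi0/1": (PROMISCUOUS, None),   # uplink to the provider router
    "Gi0/2": (ISOLATED, None),      # customer A
    "Gi0/3": (ISOLATED, None),      # customer B
    "Gi0/4": (COMMUNITY, "custC"),  # customer C, device 1
    "Gi0/5": (COMMUNITY, "custC"),  # customer C, device 2
}


if __name__ == "__main__":
    for src, dsts in reachability(SAMPLE_PORTS).items():
        print(f"{src} -> {', '.join(dsts) or '(none)'}")
```

In the sample, the two isolated ports reach only the uplink, the community pair reaches each other and the uplink, and the uplink reaches everything, which is the isolation Ned asked for on the shared segment. Note what the model does not cover: private VLANs only stop direct layer-2 exchange. In the design in this thread the provider router still holds static routes to each customer's /29 behind their router, so traffic from customer A addressed to customer B's block is routed by 43.43.1.1 and sent back out the promiscuous port; blocking that still needs an access list on the router.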
  7. Ned

    Ned Guest

    On 7 May, 22:09, Morph <> wrote:
    > In the message
    > <> Ned
    > wrote:
    >
    > | I have 10mb bandwidth I want to share between various customers. I
    > | have been able to "traffic shape" my switch ports to ensure the
    > | connected customer only receives their allocated bandwidth. I have
    > | also split up my public IP range on my router with static routes
    > | pointing to the customer routers/firewalls. However, the problem is
    > | that my router "inside" connection is in the same subnet as all the
    > | customer devices and they all connect into my VLAN 1 on my switch. I
    > | have tried using a "trunk" from switch to router with sub Interfaces
    > | but the router sub interfaces would all be in the same subnet, so this
    > | is not allowed. is there any way to keep the customers from being able
    > | to PING or attack other IP addresses on the same subnet as my VLAN 1 ?
    > | Public address allocation: 43.43.1.0 / 26 giving me: 43.43.1.1  to
    > | 43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used
    > | static routes to point to the customer routers as:
    > | ip route 43.43.1.16 255.255.255.248  43.43.1.2 (customer A)
    > | ip route 43.43.1.24 255.255.255.248  43.43.1.3 (customer B)
    > | Now customer A & B and my Router interface are all in the same subnet
    > | - how can I prevent them PINGing or attacking each other?
    > | TIA, Ned
    >
    > What kind of switch do you have?
    > How about using Private VLAN to isolate the traffic, allowing each
    > customer to only be able to send data to one uplink port but not between
    > each other.
    > http://blog.ine.com/2008/01/31/unde...US/docs/switches/lan/catalyst3750/software/re...


    I have a 3560 - thanks, "private VLANs" looks like the way to go -
    they address exactly the separation I need.
    Ned
     
    Ned, May 10, 2010
    #7
  8. Ned

    Fingerlicked

    Joined:
    Apr 4, 2010
    Messages:
    3
    What if....

    What if one customer wants to access the other customer? You are acting like an ISP and it's not your job to protect your customers from attacks. That is the responsibility of their own firewall/router. If Comcast prevented me from accessing one of their other customers I wouldn't be happy.

    For example, suppose customer A hosts their own website and, since you are serving both of them, I'm guessing they are in the same geographic area. Customer A sees customer B in the parking lot and says, "check out my website". What are you going to do?
     
    Fingerlicked, May 10, 2010
    #8
