From: Morph on 7 May 2010 17:09

In the message <c4d2f7dc-b0db-4fb2-90d9-61c19807e321(a)e35g2000yqm.googlegroups.com> Ned wrote:

| I have 10mb bandwidth I want to share between various customers. I
| have been able to "traffic shape" my switch ports to ensure the
| connected customer only receives their allocated bandwidth. I have
| also split up my public IP range on my router with static routes
| pointing to the customer routers/firewalls. However, the problem is
| that my router "inside" connection is in the same subnet as all the
| customer devices and they all connect into my VLAN 1 on my switch. I
| have tried using a "trunk" from switch to router with sub interfaces
| but the router sub interfaces would all be in the same subnet, so this
| is not allowed. Is there any way to keep the customers from being able
| to PING or attack other IP addresses on the same subnet as my VLAN 1?
|
| Public address allocation: 43.43.1.0 / 26 giving me: 43.43.1.1 to
| 43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used
| static routes to point to the customer routers as:
|
| ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
| ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)
|
| Now customer A & B and my Router interface are all in the same subnet
| - how can I prevent them PINGing or attacking each other?
|
| TIA, Ned

What kind of switch do you have?

How about using Private VLAN to isolate the traffic, allowing each customer to only be able to send data to one uplink port but not between each other.

http://blog.ine.com/2008/01/31/understanding-private-vlans/
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html
From: Ned on 10 May 2010 04:26
On 7 May, 22:09, Morph <morph.n...(a)g.m.a.i.l> wrote:

> In the message
> <c4d2f7dc-b0db-4fb2-90d9-61c19807e...(a)e35g2000yqm.googlegroups.com> Ned
> wrote:
>
> | I have 10mb bandwidth I want to share between various customers. I
> | have been able to "traffic shape" my switch ports to ensure the
> | connected customer only receives their allocated bandwidth. I have
> | also split up my public IP range on my router with static routes
> | pointing to the customer routers/firewalls. However, the problem is
> | that my router "inside" connection is in the same subnet as all the
> | customer devices and they all connect into my VLAN 1 on my switch. I
> | have tried using a "trunk" from switch to router with sub interfaces
> | but the router sub interfaces would all be in the same subnet, so this
> | is not allowed. Is there any way to keep the customers from being able
> | to PING or attack other IP addresses on the same subnet as my VLAN 1?
> |
> | Public address allocation: 43.43.1.0 / 26 giving me: 43.43.1.1 to
> | 43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used
> | static routes to point to the customer routers as:
> |
> | ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
> | ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)
> |
> | Now customer A & B and my Router interface are all in the same subnet
> | - how can I prevent them PINGing or attacking each other?
> |
> | TIA, Ned
>
> What kind of switch do you have?
>
> How about using Private VLAN to isolate the traffic, allowing each
> customer to only be able to send data to one uplink port but not between
> each other.
>
> http://blog.ine.com/2008/01/31/understanding-private-vlans/
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/re...

I have a 3560 - thanks, "private VLANs" looks like the way to go - as they address exactly the separation I need.

Ned
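The private VLAN layout Morph suggests, written out as an added example for a Catalyst 3560; this is not a configuration posted in the thread by Morph or Ned. The VLAN numbers (100 primary, 101 isolated), the interface names and the port descriptions are assumptions; the addresses are the ones Ned gave. The router sits on a promiscuous port and each customer on an isolated host port, so customers can reach the router but not each other at layer 2:

```cisco
! Added example, not from the thread. VLAN numbers and interface names are assumptions.
! Private VLANs on a Catalyst 3560 require VTP transparent mode.
vtp mode transparent
!
! Secondary (isolated) VLAN first: ports in it cannot talk to each other,
! only to promiscuous ports of the primary VLAN.
vlan 101
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! Primary VLAN: carries the router port and is associated with the isolated VLAN.
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101
!
! Uplink to the router (43.43.1.1): promiscuous, so it reaches every customer port.
interface GigabitEthernet0/1
 description Uplink to router 43.43.1.1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Customer A (43.43.1.2) and customer B (43.43.1.3): isolated host ports.
! Frames from one isolated port are never forwarded to another isolated port.
interface FastEthernet0/2
 description Customer A router 43.43.1.2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/3
 description Customer B router 43.43.1.3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

Check the result with `show vlan private-vlan` (the primary/secondary pairing and the ports in each) and `show interfaces switchport` (operational mode "private-vlan host" or "private-vlan promiscuous" per port). One caveat: private VLANs only block the direct layer 2 path. Because the customer /29 blocks lie outside the router's /28 interface subnet, a packet from customer B to customer A's routed block is sent to 43.43.1.1, which forwards it back out the same interface to 43.43.1.2 through the promiscuous port. If that hairpinned traffic should also be stopped, filter it with an ACL on the router's inside interface; in either case consider `no ip redirects` on that interface, since ICMP redirects would otherwise tell a customer to send directly to the other customer's address, a path the isolated ports now drop.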