[c-nsp] Cisco noob -- design guidance request
C. Jon Larsen
jlarsen at richweb.com
Sun Sep 2 09:20:15 EDT 2007
On Sun, 2 Sep 2007, Simon Lockhart wrote:
> On Sat Sep 01, 2007 at 10:12:07PM -0600, David L. West wrote:
>> I'm setting up a new LAN in an office building with multiple tenants who
>> will be sharing internet access, DNS/DHCP but have individual VLANS to keep
>> them separate from the other tenants. I think that the key here is having
>> each VLAN have a "helper address" that serves as a DHCP Relay Agent, which
>> in turn is how the DHCP server "knows" which range to hand the client.
>
> Yup - this is a standard design for multi-subnet DHCP.
Where is the access list that is going to prevent cross talk between the
subnets? Otherwise rogueware on one tenant's computer will attack the
other tenants. Simply splitting each tenant onto its own VLAN is nice but
it's a far cry from secure if you tie the subnets into a router that is
happy to pass traffic between the VLANs!!
What I did for a similar setup not too long ago was an 1841 router with
802.1Q sub interfaces for each tenant. Run DHCP on the router with a subnet
config for each tenant subinterface. Set up an ACL on each input
sub interface to prevent cross talk, configure NAT as needed.
>
>> After a lot of googling, I came up with a configuration that I think will
>> allow all the VLANs to share a DNS/DHCP server, and am detailing it here in
>> the hopes of getting some indication of whether I'm on the right track.
>
> You're almost there...
>
>> The server has a NIC configured with multiple IPs, like so:
>>
>> 172.16.0.1 / 255.255.255.254 ; Subnet 0 -- Reserved for switches & routers
>> 172.16.2.0 / 255.255.255.254 ; Subnet 1 -- Reserved for network servers
>> 172.16.4.0 / 255.255.255.254 ; Subnet 2 -- First tenant subnet (VLAN 102)
>> 172.16.6.0 / 255.255.255.254 ; Subnet 3 -- First tenant subnet (VLAN 103)
>> ...
>> 172.16.0.255 / 255.255.255.254 Subnet 127 (VLAN 227)
>
> You don't need to do this. Assuming you're only doing this for DHCP, then the
> server does not need to be in every subnet. By configuring "ip helper address"
> the switch will do DHCP relay, and turns the DHCP request into a unicast
> request to the server, and adds something to the request to tell the DHCP
> server which subnet it should allocate the address from.
>
>> This NIC is connected to a switch port configured like so:
>>
>> interface GigabitEthernet0/12
>> switchport trunk allowed vlan 30,102-227
>> switchport mode trunk
>> spanning-tree portfast
>
> No need - just configure the server as an access port on the switch in the
> vlan for 172.16.2.0/23 and give it an IP in that subnet (e.g. 172.16.2.1)
>
>> The Vlans 102-227 are derived by adding 100 to the subnets above, so VLAN102
>> is:
>>
>> interface Vlan102
>> ip address 172.16.5.254 255.255.254.0
>> ip helper-address 172.16.4.1
>> no ip route-cache
>
> Configure "ip helper-address 172.16.2.1" rather than what you have.
>
>> DHCP is running on the server with a dhcpd.conf like so:
>
> Sorry, I can't remember the exact syntax for the dhcpd.conf for this, but
> you just need to add a subnet {} section for each of the subnets, and it'll
> work out what you mean...
>
> Hope that helps,
>
> Simon
> --
> Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
> Director | * Domain & Web Hosting * Internet Consultancy *
> Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net *
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
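An added example (not part of Jon's or Simon's messages) showing the 1841 design Jon describes: one 802.1Q subinterface per tenant, DHCP pools served by the router itself, a per-tenant inbound ACL that blocks cross-tenant traffic, and NAT overload to the WAN address. It reuses David's VLAN 102/103 addressing (172.16.4.0/23 and 172.16.6.0/23, gateway at .x.254) and the shared DNS server at 172.16.2.1 from Simon's reply; the interface names, the WAN addresses (198.51.100.0/30) and the ACL/pool names are assumptions for illustration.

```cisco
! Added example, not from the original thread. Interface names, WAN
! addressing and ACL/pool names are assumed; tenant subnets follow David's plan.
!
! Inside port: one dot1Q subinterface per tenant VLAN.
interface FastEthernet0/0
 description Trunk to tenant switch
 no ip address
!
interface FastEthernet0/0.102
 description Tenant A (VLAN 102, 172.16.4.0/23)
 encapsulation dot1Q 102
 ip address 172.16.5.254 255.255.254.0
 ip access-group TENANT-A-IN in
 ip nat inside
!
interface FastEthernet0/0.103
 description Tenant B (VLAN 103, 172.16.6.0/23)
 encapsulation dot1Q 103
 ip address 172.16.7.254 255.255.254.0
 ip access-group TENANT-B-IN in
 ip nat inside
!
! WAN side (assumed addresses).
interface FastEthernet0/1
 description Upstream / Internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! DHCP on the router: the pool whose network matches the receiving
! subinterface is used, so no helper-address is needed for these VLANs.
! (Simon's variant instead puts "ip helper-address 172.16.2.1" on each
! subinterface and serves the leases from the 172.16.2.1 box.)
ip dhcp excluded-address 172.16.5.254
ip dhcp excluded-address 172.16.7.254
!
ip dhcp pool TENANT-A
 network 172.16.4.0 255.255.254.0
 default-router 172.16.5.254
 dns-server 172.16.2.1
!
ip dhcp pool TENANT-B
 network 172.16.6.0 255.255.254.0
 default-router 172.16.7.254
 dns-server 172.16.2.1
!
! Per-tenant inbound ACL. Order matters:
!  1. DHCP (client broadcasts from 0.0.0.0) and DNS to the shared server.
!  2. Pings to the tenant's own gateway, for troubleshooting.
!  3. Deny anything else aimed at the 172.16.0.0/16 block, i.e. every other
!     tenant and the infrastructure subnets; "log" makes scanning from an
!     infected host visible in syslog.
!  4. Permit only the tenant's own source range to the Internet, which also
!     drops spoofed sources.
ip access-list extended TENANT-A-IN
 permit udp any eq bootpc any eq bootps
 permit udp 172.16.4.0 0.0.1.255 host 172.16.2.1 eq domain
 permit tcp 172.16.4.0 0.0.1.255 host 172.16.2.1 eq domain
 permit icmp 172.16.4.0 0.0.1.255 host 172.16.5.254 echo
 deny   ip any 172.16.0.0 0.0.255.255 log
 permit ip 172.16.4.0 0.0.1.255 any
!
ip access-list extended TENANT-B-IN
 permit udp any eq bootpc any eq bootps
 permit udp 172.16.6.0 0.0.1.255 host 172.16.2.1 eq domain
 permit tcp 172.16.6.0 0.0.1.255 host 172.16.2.1 eq domain
 permit icmp 172.16.6.0 0.0.1.255 host 172.16.7.254 echo
 deny   ip any 172.16.0.0 0.0.255.255 log
 permit ip 172.16.6.0 0.0.1.255 any
!
! NAT: both tenant ranges are overloaded onto the WAN interface address.
ip access-list standard NAT-INSIDE
 permit 172.16.4.0 0.0.1.255
 permit 172.16.6.0 0.0.1.255
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
```

The deny-before-permit ordering is the point Jon is making: with only the subinterfaces and pools, the router happily forwards 172.16.4.0/23 to 172.16.6.0/23, and tenant isolation exists only at layer 2. Adding a tenant means copying one subinterface, one pool, one ACL and one NAT-INSIDE line; `show access-lists` and the logged denies give a quick check that the filter is actually matching.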