[f-nsp] ip follow
Mark Price
mprice at tqhosting.com
Mon Sep 9 21:44:26 EDT 2013
Hi all,
In the interest of conserving address space, I am interested in using
a single IPv4 subnet for multiple customers' public connectivity. The
goal is to use a single IP address per customer, rather than the
traditional model of a /30 w/ separate VLAN per customer (4 IPs),
although we still want to maintain security and layer2 isolation
between customers.
I have been reading up on the "ip follow" [1] [2] feature for this
design. It seems simple and easy to implement. I understand how to
set it up, however I'm unclear on the security aspect to limit single
IP addresses to individual customers (or VLANs).
Enabling ip proxy-arp is required for customers to communicate between
each other on the subnet, which I understand. The only security I
could glean from Brocade docs is doing an ip access-list on the
sub-VLANs, but it doesn't seem very clean to maintain.
Has anyone else used the 'ip follow' feature for spreading a subnet
across multiple VEs and also maintaining security so customers can't
do dumb things like take other IPs?
-mark
[1] http://community.brocade.com/docs/DOC-1994
[2] http://gcharriere.com/blog/?p=620
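The per-sub-VE ACL approach Mark describes, as an added example that is not part of the original post or of any Brocade documentation: a small Python generator that takes a table of sub-VE to customer IP, validates it (no duplicate IPs, nothing outside the followed subnet, nobody handed the gateway), and emits the "ip follow" plus a per-VE ingress ACL that permits only that customer's own source address. The VE numbers, the 192.0.2.0/24 subnet and the customer IPs are constructed sample data, and the CLI lines (ip follow ve, ip access-list extended, ip access-group) are my assumption of the Brocade syntax and should be checked against the platform's command reference before use.

```python
import ipaddress

# Constructed sample plan (invented numbers, not from the original post).
SHARED_SUBNET = ipaddress.ip_network("192.0.2.0/24")
PRIMARY_VE = 100                                   # VE that owns the subnet
GATEWAY = ipaddress.ip_address("192.0.2.1")        # address configured on PRIMARY_VE
CUSTOMERS = {                                      # sub-VE number -> the one public IP for that customer
    101: "192.0.2.10",
    102: "192.0.2.11",
    103: "192.0.2.12",
}


def validate(customers, subnet, gateway):
    """Reject plans where two customers share an IP, an IP lies outside the
    followed subnet, or a customer was handed the gateway address.
    Returns {ip_string: ve} on success."""
    seen = {}
    for ve, ip_str in customers.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in subnet:
            raise ValueError(f"ve {ve}: {ip} is outside {subnet}")
        if ip == gateway:
            raise ValueError(f"ve {ve}: {ip} is the gateway address")
        if str(ip) in seen:
            raise ValueError(f"{ip} assigned to both ve {seen[str(ip)]} and ve {ve}")
        seen[str(ip)] = ve
    return seen


def acl_name(ve):
    return f"cust-ve{ve}-in"


def render_acl(ve, ip):
    """Ingress ACL for one sub-VE: only the customer's assigned IP may source
    traffic; everything else is dropped and logged so IP theft shows up.
    Syntax is an assumed Brocade-style named extended ACL."""
    return [
        f"ip access-list extended {acl_name(ve)}",
        f" permit ip host {ip} any",
        " deny ip any any log",
        "exit",
    ]


def render_ve(ve, ip, primary_ve):
    """Sub-VE that follows the primary VE's address and binds its own ACL inbound."""
    return [
        f"interface ve {ve}",
        f" ip follow ve {primary_ve}",
        f" ip access-group {acl_name(ve)} in",
        "exit",
    ]


def render_config(customers, subnet, gateway, primary_ve):
    """Full fragment: primary VE with the real address and proxy-arp (needed for
    customer-to-customer traffic across sub-VEs), then ACLs, then sub-VEs."""
    validate(customers, subnet, gateway)
    lines = [
        f"interface ve {primary_ve}",
        f" ip address {gateway}/{subnet.prefixlen}",
        " ip proxy-arp",
        "exit",
    ]
    for ve in sorted(customers):
        lines += render_acl(ve, customers[ve])
    for ve in sorted(customers):
        lines += render_ve(ve, customers[ve], primary_ve)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(CUSTOMERS, SHARED_SUBNET, GATEWAY, PRIMARY_VE))
```

Generating the ACLs from one table is what makes the approach maintainable: adding a customer is one dict entry, and the validator catches the operator mistake (two VEs claiming the same IP) that the ACLs would otherwise silently encode. Note that the ACL only filters at layer 3; how the sub-VEs handle ARP for addresses they do not own is a separate question that this example does not address.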