[f-nsp] ip follow
Frank Bulk
frnkblk at iname.com
Mon Sep 9 22:43:36 EDT 2013
So you're looking for L2 isolation and protection? Typically you need
access gear from vendors like ADTRAN, Calix, and Zyxel to do that...
Frank
-----Original Message-----
From: foundry-nsp [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of
Mark Price
Sent: Monday, September 09, 2013 8:44 PM
To: foundry-nsp at puck.nether.net
Subject: [f-nsp] ip follow
Hi all,
In the interest of conserving address space, I am interested in using
a single IPv4 subnet for multiple customers' public connectivity. The
goal is to use a single IP address per customer, rather than the
traditional model of a /30 w/ separate VLAN per customer (4 IPs),
although we still want to maintain security and layer2 isolation
between customers.
I have been reading up on the "ip follow" [1] [2] feature for this
design. It seems simple and easy to implement. I understand how to
set it up, however I'm unclear on the security aspect to limit single
IP addresses to individual customers (or VLANs).
Enabling ip proxy-arp is required for customers to communicate between
each other on the subnet, which I understand. The only security I
could glean from Brocade docs is doing an ip access-list on the
sub-VLANs, but it doesn't seem very clean to maintain.
Has anyone else used the 'ip follow' feature for spreading a subnet
across multiple VEs and also maintaining security so customers can't
do dumb things like take other IPs?
-mark
[1] http://community.brocade.com/docs/DOC-1994
[2] http://gcharriere.com/blog/?p=620
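An added example, not from either poster and not taken from Brocade's documentation: a configuration sketch of the design Mark describes, with a master VE owning the shared subnet, follower VEs per customer, and a per-customer inbound ACL that pins each VLAN to its one assigned address. The VE numbers, VLAN layout, customer names and 192.0.2.0/24 addresses are constructed for illustration, and the CLI syntax is written from memory of the FastIron/NetIron `ip follow` and extended-ACL commands, so check it against the release you run (in particular, some platforms enable proxy ARP globally with `ip proxy-arp enable` and use `ip local-proxy-arp` on the interface rather than the per-VE form shown here).

```text
! Constructed example: one /24 shared across customer VLANs via ip follow.
! The master VE owns the subnet. Proxy ARP lets hosts in different
! sub-VLANs reach each other through the router instead of directly.
interface ve 10
 ip address 192.0.2.1/24
 ip proxy-arp
!
! One ACL per customer. The only source address accepted from that
! VLAN is the single IP assigned to the customer; anything else
! (a neighbour's address, a spoofed source) is dropped at the VE.
ip access-list extended cust-a-in
 permit ip host 192.0.2.10 any
 deny ip any any
!
ip access-list extended cust-b-in
 permit ip host 192.0.2.11 any
 deny ip any any
!
! Customer VEs carry no address of their own; they follow ve 10.
! Each one gets its own inbound ACL, so adding a customer means
! adding one ACL and one VE, and changing an IP means editing one line.
interface ve 11
 ip follow ve 10
 ip access-group cust-a-in in
!
interface ve 12
 ip follow ve 10
 ip access-group cust-b-in in
```

One caveat worth stating plainly: the inbound IP ACL only filters IP packets. It stops a customer from sending with a neighbour's address, but it does not stop that customer from answering ARP for the neighbour's address, and because the router resolves the shared subnet across the follower VEs, a forged ARP reply can redirect the neighbour's return traffic. Pinning a static ARP entry for each customer address to its VE and MAC, or doing the enforcement in access gear with DHCP snooping and dynamic ARP inspection as Frank suggests, closes that gap; the ACL alone does not.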