Use L3 (3750G) for edge device

themagicone
Level 1

Hi. I am setting up a network rack that I will be sharing with 5 customers. Right now, I've been given 5 public IPs. Each customer has their own router/firewall/etc. What I need to do is just create a single point of connection that breaks out the public IPs. I don't need NAT or BGP. I've been given a 3750 to use and I think it will work without a router. Can anyone just point me in the right direction on how to set this up? 5 VLANs? Thanks

7 Replies

Lei Tian
Cisco Employee

What will the 5 IPs be used for? Are the 5 customers in the same network?

jawad-mukhtar
Level 4

Yes, it will work.

You can create VlanABC

Assign a public IP to it (202.175.x.x)

Add a default route to the gateway 202.175.x.x

Enable ip routing.

You can terminate your ISP into your L3 switch. Make sure all 5 customers will be in the same VLAN.

IT WILL WORK

*** Do Rate Helpful Posts ***

Jawad

So I don't need to create a VLAN for each static? Just one VLAN for the whole block, and assign one address of the block to each customer. Would an ACL work to prevent inter-VLAN routing? Or PVLAN?

If you create a dedicated VLAN for all 5 customers, then you'll need 5 subnets. Whereas you only have 5 IP addresses within the same subnet.

Presuming one of your 6 usable IPs is for the ISP to assign to their router, then the switch would simply forward traffic between ISP router and each customer firewall. This would all be done within a single VLAN.

You can use VLAN Access Control Lists (VACLs), also known as VLAN Maps, to control traffic within the same VLAN:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swacl.html#wp1725660

Have you thought about policing bandwidth per customer, or will you leave that open?
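As an added example (not configuration from the reply above or from the linked Cisco guide), this is what the single-VLAN layer-2 handoff with a VLAN access map would look like on a 3750. The addresses are placeholders chosen to match the numbers in the thread: 203.0.113.48/29, with .49 as the ISP gateway and .50 to .54 for the customer firewalls. VLAN 100 and the port numbers (Gi1/0/1 for the ISP, Gi1/0/2 to 6 for the customers) are assumptions as well. No SVI is needed on the handoff VLAN, so the switch does not route here.

```cisco
! Single layer-2 VLAN for the /29 handoff; the switch does no routing here.
! Addresses (203.0.113.48/29, gateway .49, customers .50-.54), VLAN 100 and
! the port numbers are placeholders for this example.
vlan 100
 name CUSTOMER-HANDOFF
!
interface GigabitEthernet1/0/1
 description ISP router 203.0.113.49
 switchport mode access
 switchport access vlan 100
!
interface range GigabitEthernet1/0/2 - 6
 description Customer firewalls 203.0.113.50-.54
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Anything to or from the ISP gateway is allowed ...
ip access-list extended TO-FROM-GATEWAY
 permit ip any host 203.0.113.49
 permit ip host 203.0.113.49 any
!
! ... but customer-to-customer IP traffic inside the /29 is dropped.
! (In a VACL the ACL 'permit' only selects the packets; the map's
! 'action' decides what happens to them.)
ip access-list extended CUSTOMER-TO-CUSTOMER
 permit ip 203.0.113.48 0.0.0.7 203.0.113.48 0.0.0.7
!
! Map entries are evaluated in sequence order and a packet that matches
! no entry is dropped, so entry 30 (no match clause = match everything)
! forwards the remaining Internet-bound and returning traffic.
vlan access-map ISOLATE-CUSTOMERS 10
 match ip address TO-FROM-GATEWAY
 action forward
vlan access-map ISOLATE-CUSTOMERS 20
 match ip address CUSTOMER-TO-CUSTOMER
 action drop
vlan access-map ISOLATE-CUSTOMERS 30
 action forward
!
vlan filter ISOLATE-CUSTOMERS vlan-list 100
!
! Check with: show vlan access-map ISOLATE-CUSTOMERS
!             show vlan filter
```

Two caveats worth knowing before relying on this. A map that matches with an IP ACL only sees IP packets; ARP is a different Ethertype and is forwarded untouched, so one customer can still ARP for another and can still send a gratuitous ARP claiming to be .49. Blocking that needs a MAC ACL entry in the map or, more simply, private VLAN isolated ports. Second, the map drops traffic between customers only inside this switch; whether .50 can reach .51 by bouncing off the ISP router is decided by the ISP router, not by the VACL.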

Makes sense. But I can use PVLAN, correct? Isolation on ports going to servers, and open on the net connection. I tested the one-VLAN option last night in my rack and it worked great. We are not worrying about policing bandwidth as of yet.

Personally, I think you should look into putting each customer into a VRF if your switch IOS supports it. This would allow them an L3 connection and be truly isolated. Since you stated that each customer has their own router/firewall/etc., you could safely presume that they also have different WAN addresses and internal subnets. You could use one of your addresses toward the ISP for the global routing table, and then add each interface towards the customer to a VRF with support for their WAN addresses. You don't need NAT as long as you break out of the VRF for routing through the global routing table (unless the customer will do the NATting for their own equipment).

Also, you can definitely use 5 VLANs and create an SVI for each VLAN. The only issue with this is that there is no segmentation of traffic unless you plan on using ACLs on each SVI. This can become a management nightmare. If you have to add another SVI later to support another customer, you have to remember to go into all 6 customers' SVIs and add the appropriate ACE to the existing ACL on their respective SVI.

HTH,
John

*** Please rate all useful posts ***
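The VRF-lite layout John describes, as an added example that is not from his post or from Cisco's documentation. It assumes an IP Services image (VRF-lite is not in the base feature set), that the ISP routes each customer's own block to the switch's global address (here a placeholder 198.51.100.0/29 for customer A, routed to 203.0.113.50), and placeholder VLAN and port numbers. Only customer A is shown; each further customer gets its own VRF, VLAN, port and pair of static routes, and nothing needs to be touched on the existing customers, which is the management advantage over per-SVI ACLs. The `global` keyword on the VRF default route is the "break out" into the global table; confirm it is accepted on the running image before relying on it.

```cisco
! VRF-lite per customer (IP Services image assumed). Prefixes, VLAN and
! port numbers are placeholders: the ISP is assumed to route customer A's
! block 198.51.100.0/29 to this switch's global address 203.0.113.50.
ip routing
!
ip vrf CUST-A
 rd 65000:1
!
vlan 100
 name ISP-UPLINK
vlan 11
 name CUST-A
!
! Uplink SVI lives in the global routing table.
interface Vlan100
 ip address 203.0.113.50 255.255.255.248
!
! Customer SVI: 'ip vrf forwarding' must come before the address, since
! it clears any address already configured on the interface.
interface Vlan11
 ip vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.248
!
interface GigabitEthernet1/0/1
 description ISP router 203.0.113.49
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 description Customer A firewall 198.51.100.2
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global default toward the ISP.
ip route 0.0.0.0 0.0.0.0 203.0.113.49
! Customer default leaves the VRF through the global table ("break out").
ip route vrf CUST-A 0.0.0.0 0.0.0.0 203.0.113.49 global
! Return path: global table -> customer VRF interface and next hop.
ip route 198.51.100.0 255.255.255.248 Vlan11 198.51.100.2
!
! Check with: show ip vrf interfaces
!             show ip route vrf CUST-A
```

Customer A has no route to any other customer's VRF and no other VRF has a route to customer A; the only leak is the default route out to the global table and the single return route back in. If a customer only has one address from the shared /29 rather than its own block, this design does not apply and the single-VLAN options in the earlier replies are the fit.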

One more question... So I have .49-.54. My gateway (ISP) is .49. Would I set the VLAN to .50 and then clients would be .51 to .54? Or would I even need routing? Just plug the incoming connection into the switch, and each client gets an address with a gateway of .49?
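The pure layer-2 private VLAN layout the questioner describes in the last two posts (isolated customer ports, an open port toward the ISP, no SVI and no `ip routing`), as an added example that is not from any of the replies. It assumes the same placeholder numbering as before (ISP router at 203.0.113.49 on Gi1/0/1, customers .50 to .54 on Gi1/0/2 to 6) and primary/secondary VLAN numbers 100 and 101; the customers simply use .49 as their default gateway. On the 3750 the switch must be in VTP transparent mode before private VLANs can be defined, and the image must support private VLANs.

```cisco
! Pure layer-2 private VLAN: no SVI and no 'ip routing' needed. Customers
! keep the ISP router (203.0.113.49) as their default gateway. VLAN and
! port numbers are placeholders.
!
! Private VLANs on the 3750 require VTP transparent mode.
vtp mode transparent
!
! Define the secondary (isolated) VLAN first, then associate it with the
! primary.
vlan 101
 name CUSTOMER-ISOLATED
 private-vlan isolated
!
vlan 100
 name CUSTOMER-PRIMARY
 private-vlan primary
 private-vlan association 101
!
! Promiscuous port: the ISP router can talk to every isolated port.
interface GigabitEthernet1/0/1
 description ISP router 203.0.113.49
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Isolated host ports: the customer firewalls (.50-.54) reach only the
! promiscuous port, never each other, and that includes ARP and
! broadcasts, which a VACL with an IP ACL would not stop.
interface range GigabitEthernet1/0/2 - 6
 description Customer firewalls 203.0.113.50-.54
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Check with: show vlan private-vlan
!             show interfaces GigabitEthernet1/0/2 switchport
```

The isolation holds inside the rack only. The ISP router still has all six addresses on one interface, so a packet from .50 to .51 can go up to the router and be routed straight back out the same interface (typically with an ICMP redirect that the isolated port will ignore). Whether that hairpin path is acceptable is a question for the ISP and for each customer's own firewall policy, not something the switch can close.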
