I've got a project coming up that requires me to protect hosts from each other within a network. Specifically, we've a class C subnet, and some addresses are assigned to customers (only a handful) we resell bandwidth to. At present they are just plugged into our frontend network - not as bad as it sounds as we manage the customer routers involved. However, I want to improve that, so that "misconfiguration" of any customer device cannot take out our network - not that I'd ever fail to notice an old router where the gateway address box is first in the list (i.e. gateway is where device IP normally is, and vice-versa) and so configure it with a duplicate IP address for our gateway (oops).

So my plan is to knock up a small box, with a VLAN-capable switch, so that each customer has their own network segment. What's the best way to configure this? As I see it, there are two approaches:

1) Bridge. Configure all the customer VLANs and our frontend network on a bridge, and filter the traffic to only allow the specific IP (or IPs) to work in each VLAN.
2) Proxy ARP http://shorewall.net/ProxyARP.htm which seems like it'll do the job.

Just for good measure, ideally I'd like to get DHCP working so each customer can "just plug in" and we don't need to manually configure their router for them. I'm well flummoxed on how to make that work! But that's a different mailing list. Might need a DHCP instance per port.

So expanding on the example in the Proxy ARP page, I want it so that the device at 130.252.100.18 can only use that address. If it gets configured with 130.252.100.19 or worse, 130.252.100.17, it won't "take out" the network but will just "not work". Does the proxy ARP setup provide that level of protection? I don't need any other filtering - they are outside of our main firewall etc (so the policy will be allow any->any).

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
