Mailing List Archive: Cisco: NSP

DHCP Isolation


rtrinkle at heartofiowa

Feb 16, 2012, 1:27 PM

Post #1 of 6
DHCP Isolation

I have a DHCP pool set up on a 7206 and then trunk that VLAN to a 3750 that feeds out to multiple sites/PCs. For those PCs that are not sitting behind a router at the remote location, they are able to do a network scan and pick up all other devices that are on this same subnet (DHCP pool) that are also directly plugged in with no router. My question is this.

How do I create isolation in that DHCP subnet/VLAN so no one device can see another device within the same pool? Thank you in advance.

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


brez at brezworks

Feb 16, 2012, 3:52 PM

Post #2 of 6
Re: DHCP Isolation [In reply to]

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/configuration/guide/swpvlan.html

Private VLANs should allow you to do exactly this. Each downstream port
would go in an isolated VLAN, the port facing the 7206 would be your
promiscuous port.

Jeremy "TheBrez" Bresley


tianys at gmail

Feb 16, 2012, 4:54 PM

Post #3 of 6
Re: DHCP Isolation [In reply to]

Because the port facing the 7206 is a trunk port, the mode it uses should be promiscuous trunk:
"switchport mode private-vlan trunk promiscuous"




apiasecki at midatlanticbb

Feb 17, 2012, 8:08 AM

Post #4 of 6
Re: DHCP Isolation [In reply to]

Private VLANs, Switchport Protected (poor man's private VLANs) and Access
Lists. I've also seen each device assigned its own VLAN, but that
doesn't scale very well.

Adam

--
Adam M Piasecki
MidAtlanticBroadband
Office: 410-727-8250 x 123
Cell: 940-224-4837
Fax: 410-727-8245



avayner at cisco

Feb 20, 2012, 4:47 AM

Post #5 of 6
Re: DHCP Isolation [In reply to]

I would suggest you look at Private VLANs (PVLANs).
Arie


tkapela at gmail

Feb 22, 2012, 6:41 AM

Post #6 of 6
Re: DHCP Isolation [In reply to]

On Thu, Feb 16, 2012 at 3:27 PM, Rich Trinkle <rtrinkle [at] heartofiowa> wrote:

> How do I create isolation in that DHCP subnet/VLAN so no one device can see another device within the same pool? Thank you in advance.

I know some c-nsp folks love easy hacks like pvlan-edge, but if I may,
please direct your attention to this feature: VLANs over IP Unnumbered
Subinterfaces

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtunvlan.html

then follow up with these threads for some platform-specific discussion/depth:

http://puck.nether.net/pipermail/cisco-nsp/2009-August/062876.html
https://puck.nether.net/pipermail/cisco-nsp/2011-April/078179.html

Additionally, the NANOG conference wireless network (which maps
several VLANs --> wireless SSIDs), makes extensive use of this very
handy feature. So, we can see fairly empirically that it scales at
least to ~1k devices, with plenty of host dhcp churn, while doing
ip-helper forwarding/relaying, etc. NANOG also assigns a dedicated
ipv6 /64 along with each v4 unnumbered subint, and this seems to work
just fine alongside v4 unnumbered; so, get your dual-stack on.

-Tk
