Security on Router to share Internet Bandwidth?

I have 10mb bandwidth I want to share between various customers. I have been able to "traffic shape" my switch ports to ensure the connected customer only receives their allocated bandwidth. I have also split up my public IP range on my router with static routes pointing to the customer routers/firewalls. However, the problem is that my router "inside" connection is in the same subnet as all the customer devices and they all connect into my VLAN 1 on my switch. I have tried using a "trunk" from switch to router with sub-interfaces, but the router sub-interfaces would all be in the same subnet, so this is not allowed. Is there any way to keep the customers from being able to PING or attack other IP addresses on the same subnet as my VLAN 1?

Public address allocation: 43.43.1.0 / 26, giving me 43.43.1.1 to 43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used static routes to point to the customer routers as:

ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)

Now customer A & B and my router interface are all in the same subnet - how can I prevent them PINGing or attacking each other?

TIA, Ned

Ned

Why don't you put each customer in a separate subnet? Because that wastes so many addresses, maybe?

Rob

Thanks Rob. Do you mean putting sub-interfaces on my router, with each sub-interface having an address on the customer's assigned subnet? E.g. for customer A my sub-interface would be 43.43.1.17 and their router/firewall would be 43.43.1.18. Is that what you mean? Would that work? It would use up one address per customer, but I could live with that...

Ned

Yes, that is what I mean. But you would use 4 addresses per customer at minimum, because the subnet you use for the above two addresses would extend from 43.43.1.16 to 43.43.1.19 (and the addresses 43.43.1.16 and 43.43.1.19 are unusable).

So your 64-address internet range could be split for 16 customers.

Each of them gets a separate VLAN and a separate sub-interface, and you can configure all of them with separate traffic shaping, and access lists so that they can't communicate with each other (although the usefulness of that is a bit beyond me).

Rob
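As an added illustration of Rob's plan (this is not code or configuration from the thread), the script below splits the 43.43.1.0/26 from the question into sixteen /30 links, one per customer VLAN, and renders a router sub-interface plus an inbound access list for each. The IOS syntax, the VLAN numbering (101 upwards), the uplink name GigabitEthernet0/1 and the ACL names are assumptions; the ACL admits only traffic sourced from the customer's own /30 (so a customer cannot spoof a neighbour) and drops anything aimed at another customer's link, while still allowing the customer to reach its own gateway address.

```python
import ipaddress

# Constructed from the thread: the /26 the OP was allocated.
PUBLIC_RANGE = ipaddress.ip_network("43.43.1.0/26")


def plan_customer_links(block=PUBLIC_RANGE, link_prefix=30):
    """Split the block into point-to-point links.

    Returns one (subnet, router_ip, customer_ip) triple per link; for a /30
    the two usable addresses are the router side and the customer side.
    """
    links = []
    for subnet in block.subnets(new_prefix=link_prefix):
        hosts = list(subnet.hosts())  # excludes network and broadcast
        links.append((subnet, hosts[0], hosts[1]))
    return links


def ios_config(links, block=PUBLIC_RANGE, vlan_base=100,
               uplink="GigabitEthernet0/1"):
    """Render one sub-interface and one inbound ACL per link (assumed IOS
    syntax). The ACL is evaluated top-down, first match wins."""
    lines = []
    for idx, (subnet, router_ip, customer_ip) in enumerate(links, start=1):
        vlan = vlan_base + idx
        acl = f"CUST{idx}-IN"  # hypothetical naming scheme
        lines += [
            f"ip access-list extended {acl}",
            # customer may still talk to its own gateway (ping, etc.)
            f" permit ip host {customer_ip} host {router_ip}",
            # nothing may be routed towards any other customer link
            f" deny   ip any {block.network_address} {block.hostmask} log",
            # otherwise only packets sourced from the customer's own /30
            f" permit ip {subnet.network_address} {subnet.hostmask} any",
            f" deny   ip any any log",
            f"interface {uplink}.{vlan}",
            f" encapsulation dot1Q {vlan}",
            f" ip address {router_ip} {subnet.netmask}",
            f" ip access-group {acl} in",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ios_config(plan_customer_links()))
```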

My router is 43.43.1.1. I had originally configured my router with static routes to each customer subnet:

ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)

So my router, router customer A (43.43.1.2) and router customer B (43.43.1.3) are all on the same VLAN. I was advised that this design isn't standard and asked to look at putting customer connections into separate VLANs.

Ned

| I have 10mb bandwidth I want to share between various customers. I
| have been able to "traffic shape" my switch ports to ensure the
| connected customer only receives their allocated bandwidth. I have
| also split up my public IP range on my router with static routes
| pointing to the customer routers/firewalls. However, the problem is
| that my router "inside" connection is in the same subnet as all the
| customer devices and they all connect into my VLAN 1 on my switch. I
| have tried using a "trunk" from switch to router with sub Interfaces
| but the router sub interfaces would all be in the same subnet, so this
| is not allowed. is there any way to keep the customers from being able
| to PING or attack other IP addresses on the same subnet as my VLAN 1 ?
| Public address allocation: 43.43.1.0 / 26 giving me: 43.43.1.1 to
| 43.43.1.62. I have configured the router as 43.43.1.1 / 28 and used
| static routes to point to the customer routers as:
| ip route 43.43.1.16 255.255.255.248 43.43.1.2 (customer A)
| ip route 43.43.1.24 255.255.255.248 43.43.1.3 (customer B)
| Now customer A & B and my Router interface are all in the same subnet
| - how can I prevent them PINGing or attacking each other?
| TIA, Ned

What kind of switch do you have? How about using Private VLAN to isolate the traffic, allowing each customer to only be able to send data to one uplink port but not between each other.


Morph

I have a 3560 - thanks, "private VLANs" looks like the way to go; they address exactly the separation I need. Ned

Ned
