SD-WAN

  • 1.  Is it possible to assign directly-connected devices to tenants based on IP range?

    Posted 10-02-2018 00:00
    I'm trying to separate devices in a subnet based on their IP address. For example:

    Subnet: 192.168.0.1/24
    Tenants:
    - general.lan - 192.168.0.1/25
    - iot.lan - 192.168.0.128/26
    - google.iot.lan - 192.168.0.192/26

    It looks like neighbors with subtenants has the functionality that I want, but it seems that it is intended for assigning subtenants from adjacent routers.

    If that isn't possible, is there a way that I can make these devices use services based on their source IP range? For example, ensuring that 192.168.0.1/25 devices access internet, 192.168.0.128/26 devices access internet-iot, and 192.168.0.192/26 devices access internet-iot-google.


  • 2.  RE: Is it possible to assign directly-connected devices to tenants based on IP range?

    Posted 10-02-2018 00:00

    Patrick A Timmons or Peter Commerford - do either of you have some good pointers?



  • 3.  RE: Is it possible to assign directly-connected devices to tenants based on IP range?

    Posted 10-02-2018 00:00

    You've got it... this is precisely what I do on my own LAN at home. I have all of my IoT devices set up as subtenants. On my LAN interface, I have a neighborhood named (creatively) "newton-lan". Then I've created a series of tenants/subtenants for the various categories of devices on my LAN: trusted, guest, and iot are my top level categories right now. Underneath iot, for example, are subtenants for the different vendor IoT devices (e.g., nest.iot, wemo.iot).

    This way you can set up services for "internet" and have an access policy to allow "iot", and all of the subtenants get it automatically. (Personally, I have my IoT devices loop through a Squid proxy en route to their destinations on the internet... just for kicks.)

    I've been writing up some of my own experience with my LAN conversion to 128T on my personal blog, and covered this topic specifically:

    https://blog.pepperland.cloud/2018/09/ipam-evolution-step-1.html



  • 4.  RE: Is it possible to assign directly-connected devices to tenants based on IP range?

    Posted 10-02-2018 00:00

    Thanks a lot for the direction; I was able to achieve exactly what I wanted. The ISC DHCP from your blog post was very interesting; I'd love to eventually get to a solution like that. For now I'm manually creating static DHCP reservations for IoT devices.

    My config ended up looking like this (with non-relevant parts removed):

    config
        authority
            router kconverse
                node primary
                    device-interface eth1
                        network-interface lan0
                            neighborhood lan
                                name lan
                                inter-router-security internal
                            exit
                        exit
                    exit
                exit
                service-route internet_route
                    ...
                exit
                service-route internet-iot_route
                    ...
                exit
            exit
            tenant lan
                name lan
            exit
            tenant iot.lan
                name iot.lan
                member lan
                    neighborhood lan
                    address 1.2.8.128/25
                exit
            exit
            tenant trusted.lan
                name trusted.lan
                member lan
                    neighborhood lan
                    address 1.2.8.1/25
                exit
            exit
            service internet
                name internet
                address 0.0.0.0/0
                access-policy trusted.lan
                    source trusted.lan
                    permission allow
                exit
            exit
            service internet-iot
                name internet-iot
                address 0.0.0.0/0
                access-policy iot.lan
                    source iot.lan
                exit
            exit
        exit
    exit



  • 5.  RE: Is it possible to assign directly-connected devices to tenants based on IP range?

    Posted 11-06-2020 06:17
    It's an old thread but it may help some folks:
    In order to use IP ranges in child tenants, I used multiple subnet definitions within the "tenant-member" object:
    10.20.3.100/30
    10.20.3.104/29
    10.20.3.112/28
    10.20.3.128/26
    10.20.3.192/29
    (= 10.20.3.100 - 10.20.3.199)
    You can just use a subnet calculator like this one:
    https://www.ipaddressguide.com/cidr


    ------------------------------
    Mirco El-Nomany
    Head of IT
    M&L AG
    ------------------------------
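    The split above can be produced and checked in Python rather than by hand. The following is an added example, not the poster's calculator or anything from 128T: ipaddress.summarize_address_range yields the minimal CIDR list for an inclusive range, and the two check functions flag a member list that reaches outside the intended range, which would silently place neighbouring hosts into the child tenant. The range and its five blocks are the ones from the post; the "lazy" three-block list is a constructed counter-example.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split an inclusive address range into the minimal list of CIDR blocks,
    returned as strings in ascending order (the same split a subnet
    calculator produces)."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start.version != end.version or start > end:
        raise ValueError(f"invalid range {first}-{last}")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def overreach(cidrs, first, last):
    """Return the member blocks that extend outside [first, last]; each one
    would admit addresses the range never intended to give the tenant."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [
        c for c in cidrs
        if (net := ipaddress.ip_network(c)).network_address < start
        or net.broadcast_address > end
    ]


def covers_exactly(cidrs, first, last):
    """True when the member list covers [first, last] completely and nothing
    else. The minimal CIDR cover of an address set is unique, so collapsing
    the given blocks and comparing with the canonical split is exact."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    wanted = set(ipaddress.summarize_address_range(start, end))
    given = set(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))
    return wanted == given


if __name__ == "__main__":
    # The post's range, and a constructed "lazy" list that starts one block early.
    posted = range_to_cidrs("10.20.3.100", "10.20.3.199")
    lazy = ["10.20.3.96/27", "10.20.3.128/26", "10.20.3.192/29"]
    print("member addresses:", posted)
    print("exact:", covers_exactly(posted, "10.20.3.100", "10.20.3.199"))
    print("lazy list overreaches with:", overreach(lazy, "10.20.3.100", "10.20.3.199"))
```

    Each string in the returned list is one address line for the tenant member; running covers_exactly on what was actually committed catches the common slip of rounding the first block down to a wider, better-aligned prefix.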