How do you prevent people from using different IPs on a machine that has a couple of VPS clients on it?
If client A has xxx.xxx.xxx.100-xxx.xxx.xxx.103 and client B has xxx.xxx.xxx.104-xxx.xxx.xxx.105, how do you prevent client B from using client A's IPs? Can't he easily modify the config file for his ethernet device to use an IP that hasn't been assigned to him but is assigned to someone else on the same machine?
I am confused by these replies... they don't seem to make any sense to me at all (except for whrss) based on the original question, so I'll offer some insight.
Most virtualization technologies should have a way to create virtual networks and tag VLANs on the physical uplink. In VMware ESX and XenServer you can do this. This way you can assign a single subnet (such as a /29 or /30) to a VLAN and then set up the VPS to run only on that VLAN.
In the scenario where you don't control the subnets and routing it is harder to do this. You would need some sort of transparent firewall appliance or device in front of the physical server where you could prevent ARP / lock down ARP for specific MAC addresses (assuming the VMs have unique MAC addresses on their virtual network cards). Some layer 3 switches might also let you do something like MAC to IP lockdown (static ARP?).
If this is a server provided to you by a provider and you are not managing the infrastructure though then it is hard to do this. In this case it would probably make more sense to try and get multiple smaller subnets from your provider instead of assigning customers individual IPs on the same subnet. This helps with 'user error' at least and makes it easier to implement VLANs in the future.
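The MAC-to-IP lockdown described above, as an added example that is not part of the thread: it converts the first-last ranges from the question into CIDR blocks, audits constructed (vif, source MAC, source IP) observations from the host's bridge for guests sending from another client's address or MAC, and generates the matching per-vif ebtables whitelist rules for a Linux-bridge host such as a XenServer dom0. The vif names (vif1.0, vif2.0), the MAC addresses, the 203.0.113.0/24 documentation addresses and the observed traffic are all constructed; the rules are produced as strings and not applied.

```python
"""Audit and lock down which source IPs/MACs each VPS may use on a shared host.

Added example, not code from the thread. Assumes a Linux-bridge host (for
example a XenServer dom0) where guest NICs appear as vifN.0 and each guest's
MAC is known to the operator. ebtables rules are generated, not executed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Allocation:
    vif: str                               # host-side interface of the guest
    mac: str                               # MAC assigned to the guest's vNIC
    nets: list = field(default_factory=list)  # IPv4Network blocks it may use


def allocate(vif, mac, first, last):
    """Turn a 'first-last' range (as written in the question) into the
    minimal list of CIDR blocks covering exactly those addresses."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return Allocation(vif, mac.lower(), nets)


def allowed(alloc, ip):
    """True if ip falls inside one of the guest's allocated blocks."""
    return any(ipaddress.IPv4Address(ip) in n for n in alloc.nets)


def audit(allocs, observed):
    """Compare frames seen on each vif with the allocation table.

    observed: iterable of (vif, src_mac, src_ip) tuples (constructed here;
    in practice taken from bridge/ARP monitoring). Returns the violations."""
    by_vif = {a.vif: a for a in allocs}
    violations = []
    for vif, mac, ip in observed:
        a = by_vif.get(vif)
        if a is None:
            violations.append((vif, mac, ip, "unknown vif"))
        elif mac.lower() != a.mac:
            violations.append((vif, mac, ip, "mac spoof"))
        elif not allowed(a, ip):
            violations.append((vif, mac, ip, "ip outside allocation"))
    return violations


def ebtables_rules(alloc):
    """Whitelist rules for one vif: drop frames not from the guest's MAC,
    accept IPv4 and ARP sourced from its blocks, drop the rest."""
    rules = [f"ebtables -A FORWARD -i {alloc.vif} -s ! {alloc.mac} -j DROP"]
    for n in alloc.nets:
        rules.append(f"ebtables -A FORWARD -i {alloc.vif} -p IPv4 --ip-src {n} -j ACCEPT")
        rules.append(f"ebtables -A FORWARD -i {alloc.vif} -p ARP --arp-ip-src {n} -j ACCEPT")
    rules.append(f"ebtables -A FORWARD -i {alloc.vif} -p IPv4 -j DROP")
    rules.append(f"ebtables -A FORWARD -i {alloc.vif} -p ARP -j DROP")
    return rules


# Constructed allocation table mirroring the question: A has .100-.103, B has .104-.105
CLIENTS = [
    allocate("vif1.0", "00:16:3e:00:00:0a", "203.0.113.100", "203.0.113.103"),  # client A
    allocate("vif2.0", "00:16:3e:00:00:0b", "203.0.113.104", "203.0.113.105"),  # client B
]

# Constructed observations: two legitimate frames, then client B misusing A's space
SEEN = [
    ("vif1.0", "00:16:3e:00:00:0a", "203.0.113.101"),  # A, within allocation
    ("vif2.0", "00:16:3e:00:00:0b", "203.0.113.104"),  # B, within allocation
    ("vif2.0", "00:16:3e:00:00:0b", "203.0.113.101"),  # B sending from A's IP
    ("vif2.0", "00:16:3e:00:00:0a", "203.0.113.102"),  # B also using A's MAC
]

if __name__ == "__main__":
    for v in audit(CLIENTS, SEEN):
        print("VIOLATION", v)
    for c in CLIENTS:
        print("\n".join(ebtables_rules(c)))
```

The rules are whitelists, so order matters: the MAC check comes first, the per-block accepts next, and the catch-all drops last. Because the frames are checked on the host's bridge before they reach the uplink, a guest that edits its own interface configuration to claim a neighbour's address simply stops passing traffic, which is the outcome the VLAN-per-subnet approach achieves by routing instead of filtering.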
Thanks whrss and eger. That's exactly what I was looking for.
I'll be running my own network with XenServer.
Are there advantages to running a client on each subnet vs MAC to IP lockdown? If so, what are they?
Subnetting and VLANs have the advantage of being more easily managed (if a customer were to move servers or equipment around, it is MUCH easier to move a subnet from one VLAN/port to another than if that subnet were shared). It can also help with client problems such as broadcast storms and other inter-subnet related traffic. If it were all on a shared subnet this might affect everyone. If each client was on their own subnet, a broadcast storm is less likely to affect others.
It can also help with user error. For example, if a customer has their own subnet and tried to use an IP out of their subnet, it would not work since the subnet mask would be incorrect and the gateway wouldn't be in the subnet. If you ever need to shut off a customer or null route their space for an abuse issue, it is easier to null route a small subnet or remove the subnet from an interface than to create statements for individual IP addresses.