So we're getting ready to purchase our own IP space and since I'm going to have to change all of my static customers I'd like some advice on the best way to do this. Our network consists of mikrotik routers for our backbone but we use Motorola Canopy for our AP's and SM's. (I know I know dont yell at me I didn't create the network I just inherited it!)

Anyways, so with Canopy when a customer needs a static IP for a vpn or whatever we put the SM in bridge mode which gives the client unrestricted access to the network, but lets their router handle their needs. So I thought about maybe creating a vlan for all static customers, which would be seperate from the dhcp customers and seperate from our management vlan, currently they are all the same. Or maybe a vlan for each static customer to keep them all seperate from each other.

How do others deal with this scenario? Canopy can block dhcp servers with a filter so they don't plague our network with backward routers, but customers can still create broadcast storms when their IT guys start messing around with their switches.

Most ISPs I've worked with reserves the address in the DHCP server so the client device always gets the same one.

In RouterOS there is a "Make Static" button in the DHCP server leases tab.

As for VLANS I believe strongly in the KISS principle of networking, don't make things more complicated than they have to be. A management VLAN is a good idea, though don't rely on VLANs alone for security. It's really easy to hop VLANs if you know how. If you restrict management access to that VLAN it does raise the bar a little as security goes.

I haven't played with VLANs much on RouterOS but Cisco wise I always restrict VLANs to specific ports. I know it seems like common sense, but I've learned over time as a security guy that common sense isn't so common. I've lost count of how many times I've found switches that happily autoconfigure VLAN trunking and hand me a full list and access to all VLANs from VTP.

I highly suggest using a VLAN per customer on the AP. The SM will tag the traffic and you can tell the SM to only accept untagged packets for security purposes. We use a router per tower or ring and when a customer purchases a static IP, we subnet out a /30, /29, /28, etc. and put the gateway on the VLAN interface on the tower router. Then the customer just attaches their router with proper IP and default gateway. The VLAN's actually keep the network more simple than not having them, so I'm of the opposite opinion as MCT.

Another method is to attempt to allocate a larger subnet to a tower, e.g. use a /24, and then drop every static IP customer into the "public IP" VLAN kind of like you are doing now. This has the advantage of not wasting three IP's when a customer only purchases one and it reduces the number of subnets OSPF has to deal with (assuming you are using OSPF). The disadvantage is that you waste non-sold addresses, you need to re-IP everyone when you run out or otherwise want to move the larger subnet, customers can adversely affect your other customers by incorrectly configuring their equipment, etc. Once you start trying to mitigate these disadvantages, you have violated the KISS principal.

Yet another method is to use MPLS or layer-2 connectivity to bring everything back to a main router and then only allocate public IP's off of that router. I don't have nearly as much experience with this setup yet, so I can only surmise where you get bit on this.

what is SM?

do you use VPN? you can assign public addresses to VPN directly

for direct access, we use NAT, so user has internal private IP, but all Internet requests are src-natted to his public address, and all connections to his public IP are dst-natted to his private IP

what is SM?

Subscriber module.

Customers on our legacy gear receive a single IP from a shared /24 on a 'static IP VLAN'. All of our fixed WiMAX customers receive a /29 or greater on their own dedicated VLAN.