Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
0
Helpful
4
Replies

Provide internet from core infrastructure

robert.parsons
Level 1
Level 1

‎04-18-2009 08:42 AM - edited ‎03-04-2019 04:25 AM

We are preparing to lease office space and would like to provide internet access via our production infrastructure and would like some recommendations as how to proceed.

Our current infrastructure is as follows:

Cisco 6509 Layer 3 switch with a route to an ASA 5520 as its default gateway. .

When we lease teneant space, we'd like to provide internet access but with abosultely no way of getting to our internal network.

What is the best way to segregate their traffic not only from us but other tennants?

I do understand VLAN's will provide the segregation but won't the router just route and allow access to the other VLAN's?

Labels:
0 Helpful
4 Replies 4

lamav
Level 8
Level 8

‎04-18-2009 08:57 AM

Hi:

You can create a new vlans(s) to support the new tenants and even create a routed interface for them on your 6500. You are right that the L3 switch will see those vlans as directly conencted routes and route between them, but you can create extended access lists segregate that vlan's traffic.

Example:

Assume the new subnet you create is 10.10.1.0/24

And assume also that subnets 10.10.2.0/24 and 10.10.3.0/24 are part of your existing production environment.

You can do the following:

ip access-list extended SEGREGATE_VLAN

deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

deny ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255

permit ip 10.10.1.0 0.0.0.255 any

interface vlan

ip address 10.10.1.0 255.255.255.0

ip access-group SEGREGATE_VLAN out

Note:

An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

0 Helpful

robert.parsons
Level 1
Level 1
In response to lamav

‎04-18-2009 09:02 AM

Sweet. I figured an access list would work but was not sure how to make it happen. Thanks a lot!

0 Helpful

lamav
Level 8
Level 8
In response to robert.parsons

‎04-18-2009 09:16 AM

Hi:

Glad I could help. :-)

Please rate all helpful posts.

Thanks

Victor

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎04-19-2009 04:15 AM

Hello Robert,

I would consider VRF lite that provides built-in segregation.

You need an additional interface on the ASA but this is more secure and doesn't need to be updated if you change addressing in internal network.

The idea is to put the tenants' ip subnets SVI Vlans in the VRF and also the additional link towards the ASA.

in this way they are separated end-to-end from the internal network that is the global routing table.

see

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_bulletin09186a00800921d7.html#wp30356

Hope to help

Giuseppe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card