Provide internet from core infrastructure

Unanswered Question
Apr 18th, 2009
User Badges:

We are preparing to lease office space and would like to provide internet access via our production infrastructure and would like some recommendations as how to proceed.

Our current infrastructure is as follows:

Cisco 6509 Layer 3 switch with a route to an ASA 5520 as its default gateway. .

When we lease teneant space, we'd like to provide internet access but with abosultely no way of getting to our internal network.

What is the best way to segregate their traffic not only from us but other tennants?

I do understand VLAN's will provide the segregation but won't the router just route and allow access to the other VLAN's?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
lamav Sat, 04/18/2009 - 08:57
User Badges:
  • Blue, 1500 points or more


You can create a new vlans(s) to support the new tenants and even create a routed interface for them on your 6500. You are right that the L3 switch will see those vlans as directly conencted routes and route between them, but you can create extended access lists segregate that vlan's traffic.


Assume the new subnet you create is

And assume also that subnets and are part of your existing production environment.

You can do the following:

ip access-list extended SEGREGATE_VLAN

deny ip

deny ip

permit ip any

interface vlan

ip address

ip access-group SEGREGATE_VLAN out


An access-list applied outbound to a vlan interface is traffic going TO machines on that vlan.

An access-list applied inbound to a vlan is traffic coming FROM machines on that vlan.

robert.parsons Sat, 04/18/2009 - 09:02
User Badges:

Sweet. I figured an access list would work but was not sure how to make it happen. Thanks a lot!

lamav Sat, 04/18/2009 - 09:16
User Badges:
  • Blue, 1500 points or more


Glad I could help. :-)

Please rate all helpful posts.



Giuseppe Larosa Sun, 04/19/2009 - 04:15
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Robert,

I would consider VRF lite that provides built-in segregation.

You need an additional interface on the ASA but this is more secure and doesn't need to be updated if you change addressing in internal network.

The idea is to put the tenants' ip subnets SVI Vlans in the VRF and also the additional link towards the ASA.

in this way they are separated end-to-end from the internal network that is the global routing table.


Hope to help



This Discussion