2 company share 1 network

Sep 3rd, 2010

Hi,


My company A has a big network with 109 nos (site office) of 3750e, and every switch has 6 VLANs. Recently our sister company B submitted a proposal and intends to share the network. My question is how to make this happen, as we are very concerned about the security. I've planned to create a new VLAN for company B on every switch, but how do I restrict the access? Note: both companies have their own internet access. Company A's IP is 10.74.x.x and company B's is 10.1.x.x.


tq

Jon Marshall Fri, 09/03/2010 - 02:55



Have a read of this recent thread and then come back if you have further questions -


https://supportforums.cisco.com/thread/2039816?tstart=30


I would not recommend having vlans for each company on all your switches. The other company can simply route to your vlans and vice-versa but you do need to think about firewalls.


Jon

Nagaraja Thanthry Fri, 09/03/2010 - 06:10

Hello,


If you do not want Company B to access company A and vice versa, put access-lists on the core router (router that handles routing between vlans). The access-list should look like:

access-list 101 deny ip 10.74.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip 10.1.0.0 0.0.255.255 10.74.0.0 0.0.255.255
! an ACL ends with an implicit "deny ip any any", so permit all other traffic explicitly
access-list 101 permit ip any any

interface vlan "vlan id"
ip access-group 101 in
exit


This will prevent all communication between Company A vlans and Company B vlan. If you want specific traffic to flow between them, then you need to insert those rules before the deny rules.


access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq https
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq https any
access-list 101 deny ip 10.74.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 deny ip 10.1.0.0 0.0.255.255 10.74.0.0 0.0.255.255
! an ACL ends with an implicit "deny ip any any", so permit all other traffic explicitly
access-list 101 permit ip any any


Above configuration allows HTTP and HTTPS traffic between two networks.


Hope this helps.


Regards,


NT
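
An added example, not part of any post in this thread: a small first-match evaluator that audits the HTTP/HTTPS version of ACL 101 above, with and without a closing "permit ip any any". The sample flows and all Python names are constructed for illustration.

```python
import ipaddress

A, B = "10.74.0.0/16", "10.1.0.0/16"  # wildcard 0.0.255.255 is a /16
# Entry: (action, proto, src_net, src_port, dst_net, dst_port); None = any.
WEB_AND_DENY = [
    ("permit", "tcp", None, None, None, 80),   # permit tcp any any eq www
    ("permit", "tcp", None, None, None, 443),  # permit tcp any any eq https
    ("permit", "tcp", None, 80, None, None),   # permit tcp any eq www any
    ("permit", "tcp", None, 443, None, None),  # permit tcp any eq https any
    ("deny", "ip", A, None, B, None),
    ("deny", "ip", B, None, A, None),
]
# Same entries followed by "permit ip any any".
WITH_FINAL_PERMIT = WEB_AND_DENY + [("permit", "ip", None, None, None, None)]

def _in(net, addr):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins, as on IOS; returns (action, index of matching entry)."""
    for i, (action, r_proto, r_src, r_sport, r_dst, r_dport) in enumerate(acl):
        if r_proto not in ("ip", proto):
            continue
        if not (_in(r_src, src) and _in(r_dst, dst)):
            continue
        if r_sport not in (None, sport) or r_dport not in (None, dport):
            continue
        return action, i
    return "deny", None  # implicit "deny ip any any" at the end of every ACL

# Constructed sample flows: (proto, src, src_port, dst, dst_port).
FLOWS = {
    "A->B https": ("tcp", "10.74.5.10", 50000, "10.1.2.20", 443),
    "A->B ssh": ("tcp", "10.74.5.10", 50000, "10.1.2.20", 22),
    "A->B ssh, source port 80": ("tcp", "10.74.5.10", 80, "10.1.2.20", 22),
    "A->A file share": ("tcp", "10.74.5.10", 50000, "10.74.9.9", 445),
}

def audit(acl):
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("six entries", WEB_AND_DENY), ("with final permit", WITH_FINAL_PERMIT)):
        print(label)
        for name, (action, idx) in audit(acl).items():
            print(f"  {name:26} {action:6} entry={idx}")
```

The audit shows that the source-port entries are stateless and match on port number alone, and that without a closing permit even traffic inside company A is dropped. On IOS, adding the `established` keyword to the return-traffic entries and scoping the permits to the two /16 ranges narrows what those entries admit.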

farozezan73 Sun, 09/26/2010 - 01:37

Hi,


Tq for your reply. One more thing, the existing network uses the EIGRP protocol. Should I use static routes for the new network or EIGRP? For info, the new network uses only 15 routers. tq
