Separating traffic in Office

Hi, we have a Comcast SMC router which is connected to our ASA firewall, and behind that is a Cisco 3550 48-port switch. Now in our office we have some additional tenants who lease space and are plugged into our 3550. I want to keep them off of our LAN. How can I separate their traffic efficiently? Can I plug in another router behind the Comcast router (it has multiple interfaces and we have a block of public IPs) and then assign them to a different VLAN?
Asked: Cobra25
1 Solution

koudry Commented:
One approach would be to have users grouped under VLANs, and you can assign the ports accordingly. If you want different security rules depending on the user groups, you can also use the zone element of the ASA to isolate the various groups. You can then redirect users to certain interfaces on the ASA device and define rules for the given zones. Just a thought.

Cobra25 (Author) Commented:
Yes, I was thinking about the design with the separate VLANs. Now if I assign their port to a certain VLAN, would I then need a Cisco router (as their gateway) plugged into the Cisco 3550 switch?

Fred Marshall (Principal) Commented:
Yes, you can do it with a simple router as you suggested originally.
Attachment: Multiple-Subnets-with-Central-Sw.pdf

lrmoore Commented:
What version ASA? If it is a 5510, then you have the ability to set up VLANs on the 3550 switch and trunk to the ASA, then create sub-interfaces on the ASA to make virtual networks for each of the internal "customers".
If it is an ASA 5505, you may need a license upgrade to trunk, or use physical interfaces for a "dmz" network. Basically you want this additional network to be a DMZ with no access to your internal network, nor do you want your internal network to access theirs.
Long winded, I know, but yes, you can attach a separate router/firewall to the SMC and the switch with 2 different VLANs on the switch.

ArneLovius Commented:
Although you could do it with a router and have ACLs on the router, I would suggest having VLANs terminate on the ASA, as this would usually be a simpler configuration.

Cobra25 (Author) Commented:
Unfortunately I have the ASA5505 with base license.

Would a linksys wireless router be able to be the gateway for the new vlan?

Fred Marshall (Principal) Commented:
Sure. That was the point of the paper I sent you. But I don't think I'd necessarily call it a VLAN unless that's what it is. I'd call it a subnet for sure and then maybe a VLAN if you set it up that way in the ASA. But the latter isn't necessary.

ArneLovius Commented:
If your 3550 has L3 capabilities, then you could segment your network using VLANs on the 3550 and use access control lists on the VLANs to restrict traffic.

If you could post a copy of the config of the 3550, it would be useful.

Cobra25 (Author) Commented:
Fmarshall, thanks for that PDF. So I plan on putting the other tenants on ports 35-45 on the 3550, which are the ports designated for VLAN 121. On port 46 I will connect the Linksys router assigned to VLAN 121. For the router, the WAN gateway would be my Cisco ASA inside address, right?
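As an added example (not posted by anyone in this thread), this is what the port assignment in the plan above, combined with the switch-side ACL that ArneLovius suggested, could look like on the 3550. The addressing, the use of port 47 for the Linksys WAN side, and the access-list name are assumptions.

```cisco
! Added example, not from the thread. Assumptions: internal LAN is
! 192.168.1.0/24 on VLAN 1 with the ASA inside address 192.168.1.1;
! the Linksys WAN port plugs into Fa0/47 with static address 192.168.1.250;
! tenants sit on 192.168.121.0/24 behind the Linksys (its LAN side in VLAN 121).
!
vlan 121
 name TENANTS
!
! Ports 35-45: tenant hosts, isolated at Layer 2 in VLAN 121
interface range FastEthernet0/35 - 45
 description Tenant access
 switchport mode access
 switchport access vlan 121
 spanning-tree portfast
!
! Port 46: LAN side of the tenant gateway, same VLAN as the tenants
interface FastEthernet0/46
 description Tenant gateway - Linksys LAN side
 switchport mode access
 switchport access vlan 121
!
! Port ACL on the Linksys WAN uplink: the tenant router may reach the
! ASA inside address (its default gateway) but nothing else on the LAN.
! The second deny also drops anything with a forged source address.
ip access-list extended TENANT-WAN-IN
 permit ip host 192.168.1.250 host 192.168.1.1
 deny   ip host 192.168.1.250 192.168.1.0 0.0.0.255
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/47
 description Tenant gateway - Linksys WAN side
 switchport mode access
 ip access-group TENANT-WAN-IN in
!
! Verification: 'show vlan brief' should list Fa0/35-46 under VLAN 121 only,
! and 'show access-lists' should show hit counts on the deny lines if
! anything behind the Linksys probes the internal LAN.
```

Port ACLs on the 3550 are inbound only, so this filters what the tenant router sends; the internal LAN should not need to initiate anything toward the tenant side, which the ASA-facing design in the thread already assumes.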

TheBadKarma Commented:
Why not plug a switch or hub directly into the Comcast modem and connect the other office's network there? This would solve the problem AND you wouldn't need to change any configurations on your ASA or add VLAN tags on all the ports. I would keep it simple and would want to keep them as far off my network as possible and with as little work on my part as possible. Your network would also be protected behind the ASA AND with none of their traffic passing through your internal network.

If they have a virus infection, are you responsible for the cleaning of the infection, not to mention the added risk and resulting work of your computers being infected?

Cobra25 (Author) Commented:
I would love to do that, but based on the location of the patch panel they do not want to do this.