Tenant Public IP Address and VLAN Throttling

Hi All

I have a building and I have a new tenant who requires a public IP address specifically for their office.

Firstly, what I would like to do is create a VLAN specifically for my tenant and then throttle the bandwidth so that they only get 100Mb. I run 1GB connectivity to all network ports to each of my edge switches, and then 10GB on my core switches, which then goes out via an ASA5525-X to my Internet breakout point. My switches include EDGE (Dell PowerConnect 5448) > Core (Dell S4810) > Cisco 3750 > Cisco ASA5525-X > Internet

I can create the VLAN, but I am unsure where the throttling would be best placed, or whether it needs to go on all devices.

I also need, within this office, to provide one of my public IP addresses direct into the room, hopefully through the VLAN I create above. Is this possible using the devices above? I presume I have to NAT it, but can I NAT to a VLAN as opposed to a specific object?

Any help would be much appreciated.

Thanks
Fing wong asked:

Pete Long, Technical Consultant, commented:
Suggestion,

I would split the inside interface of the ASA into sub-interfaces, then you can have your new VLAN on its own sub-interface, then simply PAT the new VLAN to a spare public IP address.

Then you can police/throttle the traffic from that VLAN subnet.

Pete Long, Technical Consultant, commented:
Quick and dirty...
Change IP ranges as applicable.

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1
 description Connected to Existing Inside Network
 vlan 10
 nameif Inside-10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 description Connected to new rate limited network
 vlan 11
 nameif inside-11
 security-level 90
 ip address 192.168.11.1 255.255.255.0
!
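! Dynamic PAT: every host in the new VLAN shares the one spare public IP
object network New-rate-limited-vlan
 subnet 192.168.11.0 255.255.255.0
 nat (inside-11,outside) dynamic 123.123.123.123
!
! Match traffic to and from the new VLAN (the subnet mask is required)
access-list ACL-THROTTLE extended permit ip 192.168.11.0 255.255.255.0 any
access-list ACL-THROTTLE extended permit ip any 192.168.11.0 255.255.255.0
!
class-map CM-THROTTLE
 match access-list ACL-THROTTLE
!
! police <direction> <conform rate in bits per second> <burst in bytes>
policy-map PM-THROTTLE
 class CM-THROTTLE
  police output 100000000 200000
  police input 100000000 200000
!
service-policy PM-THROTTLE interface inside-11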
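
To show what the two `police ... 100000000 200000` lines in the answer above mean in practice, here is a simplified token-bucket model in Python. It is an added example, not part of the original answer and not Cisco's implementation; the bucket starting full, the 1500-byte packets and all function names are assumptions.

```python
"""Simplified single-rate token-bucket policer (illustrative model only)."""

RATE_BPS = 100_000_000   # conform rate from the police lines, bits per second
BURST_BYTES = 200_000    # conform burst from the police lines, bytes


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Return (conform_bytes, exceed_bytes) for (timestamp_s, size_bytes) packets.

    Assumed model: the bucket starts full, refills at rate_bps / 8 bytes per
    second up to burst_bytes, and a packet conforms only if enough tokens
    remain. Exceeding packets are counted as dropped.
    """
    tokens = float(burst_bytes)
    last = None
    conform = exceed = 0
    for ts, size in packets:
        if last is not None:
            tokens = min(burst_bytes, tokens + (ts - last) * rate_bps / 8)
        last = ts
        if size <= tokens:
            tokens -= size
            conform += size
        else:
            exceed += size
    return conform, exceed


def offered_load(mbps, seconds=1.0, size=1500):
    """Constructed sample input: evenly spaced packets at a constant bit rate."""
    pps = mbps * 1_000_000 / (size * 8)
    return [(i / pps, size) for i in range(int(pps * seconds))]


def throughput_mbps(mbps, seconds=1.0):
    """Conforming throughput when the tenant offers `mbps` for `seconds`."""
    conform, _ = police(offered_load(mbps, seconds))
    return conform * 8 / seconds / 1_000_000


def burst_window_ms(rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Time a full bucket represents at the conform rate, in milliseconds."""
    return burst_bytes * 8 * 1000 / rate_bps


if __name__ == "__main__":
    for load in (50, 100, 1000):
        print(f"offered {load:>4} Mbps -> passed {throughput_mbps(load):.1f} Mbps")
    print(f"burst window: {burst_window_ms():.0f} ms")
```

In this model a tenant offering line rate on a 1 Gb port passes slightly more than 100 Mbps in the first second, because the 200000-byte burst is spent once on top of the steady refill.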


Rakesh Madupu JNCIE-SP #02079 CCIE-SP#47613, Network Development Engineer, commented:
Why can't you police the traffic at your access-layer itself? What is the device you are using there? I am super sure that he would have any other departments which are you in apartment that needs to have access via INTRA lan?

Regards
Rakesh

Fing wong (author) commented:
Exactly what I was after.

Thanks

Pete Long, Technical Consultant, commented:
Cheers Nick, glad I could help :)