Tenant Public IP address and VLAN Throttling

Hi All

I have a building and I have a new tenant who requires a public IP address specifically for their Office.  

Firstly, what I would like to do is create a VLAN specifically for my tenant and then throttle the bandwidth so that they only get 100Mb. I run 1GB connectivity to all network ports to each of my edge switches, and then 10GB on my core switches, which then goes out via an ASA5525-X to my Internet breakout point. My switches include EDGE (Dell Powerconnect 5448) > Core (Dell S4810) > Cisco 3750 > Cisco ASA5525-x > Internet

I can create the VLAN, but I am unsure where the throttling would be best placed, or whether it needs to go on all devices.

I also need, within this office, to provide one of my Public IP addresses, direct into the room, hopefully through the VLAN I create above. Is this possible using the devices above? I presume I have to NAT it, but can I NAT to a VLAN as opposed to a specific object?

Any help would be much appreciated.

Fing wong Asked:

Pete Long, Technical Consultant, Commented:

I would split the inside interface of the ASA, into sub-interfaces, then you can have your new VLAN on its own sub interface, then simply PAT the new VLAN to a spare public IP address.

Then you can police/throttle the traffic from that VLAN subnet.

Pete Long, Technical Consultant, Commented:
Quick and dirty...........
Change ip ranges as applicable

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.1
 description Connected to Existing Inside Network
 vlan 10
 nameif Inside-10
 security-level 100
 ip address
interface GigabitEthernet0/1.2
 description Connected to new rate limited network
 vlan 11
 nameif inside-11
 security-level 90
 ip address
object network New-rate-limited-vlan
nat (inside-11,outside) static
access-list ACL-THROTTLE extended permit ip any
access-list ACL-THROTTLE extended permit ip any
class-map CM-THROTTLE
 match access-list ACL-THROTTLE
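policy-map PM-THROTTLE
 ! police must sit under a class; rate is in bits per second (100 Mbps), burst in bytes
 class CM-THROTTLE
  police output 100000000 200000
  police input 100000000 200000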
service-policy PM-THROTTLE interface inside-11
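
To confirm that policing like the above is actually bound to the tenant interface, the following added example (not part of the original post and not a Cisco tool) parses an ASA config and reports the policed rate per interface, flagging `police` lines that are not under a `class`. The function name `audit_policing` and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of the snippet above (QoS section only).
SAMPLE = """\
class-map CM-THROTTLE
 match access-list ACL-THROTTLE
policy-map PM-THROTTLE
 class CM-THROTTLE
  police output 100000000 200000
  police input 100000000 200000
service-policy PM-THROTTLE interface inside-11
"""

def audit_policing(config, limit_bps=100_000_000):
    """Return (rates, findings); rates[nameif][direction] is the policed bps."""
    policies, bound, findings = {}, {}, []
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            pmap = cls = None            # a top-level command closes the open policy-map
        if m := re.match(r"policy-map (\S+)$", line):
            pmap = m.group(1)
            policies[pmap] = {}
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif pmap and (m := re.match(r"police (input|output) (\d+)", line)):
            if cls is None:
                findings.append(f"{pmap}: police {m.group(1)} is not under a class")
            else:
                policies[pmap][m.group(1)] = int(m.group(2))
        elif m := re.match(r"service-policy (\S+) interface (\S+)$", line):
            bound[m.group(2)] = m.group(1)
    rates = {}
    for nameif, name in bound.items():
        rates[nameif] = policies.get(name, {})
        for direction in ("input", "output"):
            bps = rates[nameif].get(direction)
            if bps is None:
                findings.append(f"{nameif}: no {direction} policing")
            elif bps > limit_bps:
                findings.append(f"{nameif}: {direction} {bps} bps exceeds {limit_bps}")
    return rates, findings

if __name__ == "__main__":
    print(audit_policing(SAMPLE))
```

Run it against the saved output of `show running-config` to check the tenant interface before handing the port over.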

Rakesh Madupu, JNCIE-SP #02079, CCIE-SP #47613, Network Development Engineer, Commented:
Why can't you police the traffic at your access layer itself? What is the device you are using there? I am super sure that he would have any other departments which are you in apartment that needs to have access via INTRA LAN?

Fing wong, Author, Commented:
Exactly what I was after.

Pete Long, Technical Consultant, Commented:
Cheers Nick, glad I could help :)