09-02-2020 05:50 PM
Hello,
Actually few company (around 10) are in the same building. Each company (some have 2/3 computers and some have 20 computers) has its own ADSL connection. Fiber internet connection will be installed soon and i need to share it between all company, separate each company network and apply a bandwith limitation.
I thought that i can use VLAn to achieve this goal with connection like that :
[ISP Router ] ----- [ Switch with VLAN (Sw1) ] ----- [Company 1 switch (Sw2) ]
|_______[Company 2 switch (Sw3) ]
ISP router LAN interface is 192.168.0.1 connected to port 1 of Sw1 and port 1 configured as trunk.
Port 2 of Sw1 configured on VLAN 10
Port 3 of Sw1 configured on VLAN 20...
Company 1 switch sw2 (manageable or not) plugged to port 2 of sw1
Company 2 switch sw3 (manageable or not) plugged to port 3 of sw1...
If all company use the same subnet (192.168.0.0/24), does all company can access to internet (using 192.168.0.1 as gateway) and all company VLAN are correctly separated (i mean a computer of company 2 cannot access on server of company 1) ?
Is it a clean way to achieve this goal ?
Can i also apply a QoS to limit bandwith on each Sw1 port ?
Do you know a model of switch that will do the job ?
I hope i was clear.
Thanks in advance.
Solved! Go to Solution.
09-02-2020 11:37 PM
Hello,
unless you know how to configure subinterfaces on the ISP router, it is a better idea to use the switch for all the Vlan and QoS. In the sample config below, you would use e.g. a Catalyst 9300 and connect a layer 3 port to the ISP router. Your customers would use different Vlans, these Vlans cannot talk to each other by means of applying access lists. Each customer would get 100MB of bandwidth (of the 300MB available), which can be used by other customers if it is unused.
IP addresses and QoS values are arbitrary, obviously.
interface GigabitEthernet0/0
descriptionLink to ISP Router
no switchport
ip address 192.168.0.2 255.255.255.0
service-policy output PARENT_SHAPER
!
interface GigabitEhernet0/1
description Access Port for Company 1
switchport mode access
switchport access vlan 10
spanning-tree portfast edge
!
interface GigabitEhernet0/2
description Access Port for Company 2
switchport mode access
switchport access vlan 20
spanning-tree portfast edge
!
interface GigabitEhernet0/3
description Access Port for Company 3
switchport mode access
switchport access vlan 30
spanning-tree portfast edge
!
interface Vlan 10
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan 20
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in
!
interface Vlan 30
ip address 192.168.30.1 255.255.255.0
ip access-group 103 in
!
policy-map CHILD_SHAPER
class CLASS_CUSTOMER_1
priority 102400
class CLASS_CUSTOMER_2
priority 102400
class CLASS_CUSTOMER_3
priority 102400
class class-default
fair-queue
!
policy-map PARENT_SHAPER
class class-default
shape average 307200000
service-policy CHILD_SHAPER
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip any any
09-02-2020 11:37 PM
Hello,
unless you know how to configure subinterfaces on the ISP router, it is a better idea to use the switch for all the Vlan and QoS. In the sample config below, you would use e.g. a Catalyst 9300 and connect a layer 3 port to the ISP router. Your customers would use different Vlans, these Vlans cannot talk to each other by means of applying access lists. Each customer would get 100MB of bandwidth (of the 300MB available), which can be used by other customers if it is unused.
IP addresses and QoS values are arbitrary, obviously.
interface GigabitEthernet0/0
descriptionLink to ISP Router
no switchport
ip address 192.168.0.2 255.255.255.0
service-policy output PARENT_SHAPER
!
interface GigabitEhernet0/1
description Access Port for Company 1
switchport mode access
switchport access vlan 10
spanning-tree portfast edge
!
interface GigabitEhernet0/2
description Access Port for Company 2
switchport mode access
switchport access vlan 20
spanning-tree portfast edge
!
interface GigabitEhernet0/3
description Access Port for Company 3
switchport mode access
switchport access vlan 30
spanning-tree portfast edge
!
interface Vlan 10
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
!
interface Vlan 20
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in
!
interface Vlan 30
ip address 192.168.30.1 255.255.255.0
ip access-group 103 in
!
policy-map CHILD_SHAPER
class CLASS_CUSTOMER_1
priority 102400
class CLASS_CUSTOMER_2
priority 102400
class CLASS_CUSTOMER_3
priority 102400
class class-default
fair-queue
!
policy-map PARENT_SHAPER
class class-default
shape average 307200000
service-policy CHILD_SHAPER
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 permit ip any any
!
access-list 103 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip any any
09-03-2020 12:45 AM - edited 09-03-2020 12:48 AM
Hello @Gregory.B ,
you can use different Vlans only if you use different IP subnets.
Vlans are a barrier for broadcast frames so ARP will not work over multiple Vlans.
for your setup to work you will need a router that you configure to perform NAT in order to present all the "internal" subnets as the single subnet expected by the ISP router.
Unfortunately most of multilayer switches are not able to perform NAT but they can perform inter VLAN routing.
I assume that you are not allowed to access and modify the configuration of the ISP router if provided by them.
There is an option that allow to avoid to use a router that is to use PRIVATE vlans:
the Vlan with the ISP router will be the primary Vlan and that port the promiscuos port.
Each customer will get a secondary VLAN of type community and a subset of IP addresses from subnet 192.168.0.0./24
In this way you can achieve segregation of each customer and at the same time allow each of them to access the internet via the ISP router.
Hope to help
Giuseppe
09-04-2020 12:18 AM - edited 09-04-2020 01:11 AM
Thank you for your answers.
I think ISP router cannot have subinterface but NAT should be available. I will have access to router configuration but it's an homemade ISP router, not a Cisco.
Maybe another solution: configure DMZ on ISP router to transfer all traffic to a 2nd Cisco router. Configure 2nd router with subinterface for vlan and NAT. Switch can be a L2 switch for vlan only. QoS should be configured on Cisco router in this case ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide