Greetings, I have recently rolled out a scenario such as the one described above to a managed service office. All went smoothly, but we have recently been approached by several companies wishing to do the same: in light of the recent financial crisis, more and more people are moving into rented office space instead of purchasing their own premises or taking out extended leases.
As such I'm trying to put together a template defining how such an office can be deployed in an efficient manner whilst providing concurrent voice and data services to tenants. Cisco CME w/ CUE or CCM w/ Unity will be used for telephony services for all of the office, and of course isolation of data networks between offices is crucial.
My current design encompasses the following:
10Mb/s Ethernet bearer w/ between 4 and 10Mb enabled on the circuit.
Said connection terminates on a Cisco 1841 ISR Router, which is in turn connected to the outside interface of either an ASA 5505 or 5510, dependent on the number of users within the centre.
The internal network consists of between 2 and 9 48-port PoE Cat3750 series switches, depending on the number of users.
Anything up to 100 offices with between 2 and 10 people in each office; each user is provisioned with a Cisco 7941G IP Phone that will also be used to handle wired desktop and laptop Ethernet connections.
Each office will be assigned a voice VLAN and an access VLAN relating to the office number:
E.g. Office 21 will use Access VLAN 221 and Voice VLAN 321
Each will also be assigned its own network for voice and data:
E.g. Office 21 will use Data Network 172.31.21.0 and Voice Network 172.30.21.0
Now this is the part I am racking my brains about in regards to how best to achieve the end goal.
I want to allow complete separation of the data networks but allow each voice network to talk to the others unhindered, so that voice calls can be placed between offices.
For this I have two initial ideas. Firstly, create an inbound ACL on the switch and apply it to each data VLAN, preventing access from the 172.31.21.0/24 network, then create a less restrictive inbound ACL permitting SCCP, SIP, RTP etc. and apply it to the voice VLANs.
Internet access would be achieved by using a default route on the switch stack pointing to the inside interface of the ASA, for example 172.16.1.1.
Each office would also use the switch as their default gateway.
Secondly, apply the same ACLs as above and create a trunk between the switch stack and the ASA, only permitting the data VLANs on the trunk, then configure each office to use the ASA as the default gateway for internet access. This would give me more flexibility should an office not require internet access, or for applying rate limiting etc.
So yes, that's where my train of thought is at the moment; any suggestions would be most welcome. I know what I'd like to achieve but am trying to do my best to keep it simple, stupid!
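As an added illustration of the first option (switch stack as tenant gateway, inbound ACLs on the SVIs), here is what the Cisco IOS configuration for office 21 could look like on the 3750 stack. This is example configuration written for this thread, not the poster's own config. The VLAN numbers, subnets and the ASA inside address come from the post; the call-agent address (172.30.0.10), the DHCP server (172.16.1.10), the desk-port interface name and the RTP port range are assumptions and are labelled as such in the comments.

```cisco
! Added example for office 21 only. VLAN numbers and subnets follow the post's
! scheme: Access VLAN 221 / Voice VLAN 321, 172.31.21.0/24 data, 172.30.21.0/24 voice.
! ASSUMPTIONS (not from the post): CME/CCM call agent at 172.30.0.10, DHCP server
! at 172.16.1.10, FastEthernet1/0/1 as the desk port, RTP media range 16384-32767.
ip routing
!
vlan 221
 name OFFICE21-DATA
vlan 321
 name OFFICE21-VOICE
!
! Desk port: the PC behind the 7941G lands on the data VLAN, the phone on the voice VLAN
interface FastEthernet1/0/1
 description Office 21 - desk 1
 switchport mode access
 switchport access vlan 221
 switchport voice vlan 321
 spanning-tree portfast
!
! Data VLAN policy: a tenant may not reach any other tenant's data subnet or any
! voice subnet. Anything else (i.e. the default route towards the ASA) is allowed.
! Matching the /16 aggregates keeps one ACL reusable on every office's data SVI.
ip access-list extended TENANT-DATA-IN
 remark block tenant-to-tenant data traffic (all offices live in 172.31.0.0/16)
 deny   ip 172.31.0.0 0.0.255.255 172.31.0.0 0.0.255.255
 remark block tenant PCs from every voice subnet (172.30.0.0/16)
 deny   ip 172.31.0.0 0.0.255.255 172.30.0.0 0.0.255.255
 permit ip any any
!
! Voice VLAN policy: phones may boot, register and exchange media with any other
! voice subnet, but nothing may cross from a voice subnet into a tenant data subnet.
ip access-list extended TENANT-VOICE-IN
 remark DHCP from the phones towards the relay (ip helper-address on the SVI)
 permit udp any eq bootpc any eq bootps
 remark TFTP config download and SCCP (2000) / SIP (5060) registration to the call agent (assumed 172.30.0.10)
 permit udp 172.30.0.0 0.0.255.255 host 172.30.0.10 eq tftp
 permit tcp 172.30.0.0 0.0.255.255 host 172.30.0.10 eq 2000
 permit tcp 172.30.0.0 0.0.255.255 host 172.30.0.10 eq 5060
 permit udp 172.30.0.0 0.0.255.255 host 172.30.0.10 eq 5060
 remark RTP/RTCP media between phones in any office (assumed port range)
 permit udp 172.30.0.0 0.0.255.255 172.30.0.0 0.0.255.255 range 16384 32767
 remark everything else, including any path into 172.31.0.0/16, hits the implicit deny
!
interface Vlan221
 description Office 21 data gateway
 ip address 172.31.21.1 255.255.255.0
 ip helper-address 172.16.1.10
 ip access-group TENANT-DATA-IN in
!
interface Vlan321
 description Office 21 voice gateway
 ip address 172.30.21.1 255.255.255.0
 ip helper-address 172.16.1.10
 ip access-group TENANT-VOICE-IN in
!
! Default route to the ASA inside interface (address from the post)
ip route 0.0.0.0 0.0.0.0 172.16.1.1
```

Two points worth keeping in mind with this layout. SVI ACLs only see routed traffic, so hosts inside one office (same data VLAN) still talk to each other freely, which is the intended behaviour, while every inter-office packet has to cross an SVI and is filtered; the ACL counters in `show ip access-lists` are the quickest way to confirm the deny lines are actually catching traffic during testing. Because the whole stack sits behind one default route, the ASA sees all tenants as 172.31.0.0/16 and cannot apply per-office Internet policy or rate limiting; that is exactly the flexibility the second option (data VLANs trunked to the ASA, ASA as the tenant gateway) buys at the cost of moving the gateways and the data ACLs onto the firewall.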