Advice on Lan design for multi tenancy office

exonetinf1nity
Level 1

Greetings, I have recently rolled out a scenario such as the one described above to a managed service office. All went smoothly, but we have recently been approached by several companies wishing to do the same; in light of the recent financial crisis, more and more people are moving into rented office space instead of purchasing their own premises or taking out extended leases.

As such I'm trying to put together a template defining how such an office can be deployed in an efficient manner whilst providing concurrent voice and data services to tenants. Cisco CME w/ CUE or CCM w/ Unity will be used for telephony services for all the office, and of course isolation of data networks between offices is crucial.

My current design encompasses the following:

10Mb/s Ethernet bearer w/ between 4 and 10Mb enabled on the circuit.

Said connection terminates on a Cisco 1841 ISR Router, which is in turn connected to the outside interface of either an ASA 5505 or 5510, dependent on the number of users within the centre.

The internal network consists of between 2 and 9 48-port PoE Catalyst 3750 series switches, depending on the number of users.

Anything up to 100 offices with between 2 and 10 people in each office; each user is provisioned with a Cisco 7941G IP Phone that will also be used to handle wired desktop and laptop Ethernet connections.

Each office will be assigned a voice vlan and access vlan relating to the office number:

Eg: Office 21 will use Access Vlan 221 and Voice Vlan 321

Each will also be assigned its own network for voice and data.

Eg: Office 21 will use Data Network 172.31.21.0 and Voice Network 172.30.21.0

Now this is the part I am rattling my brains about in regards to how best to achieve the end goal.

I want to allow complete separation of the data networks but allow each voice network to be able to talk to the other unhindered so that voice calls can be placed between offices.

For this I have two initial ideas. Firstly, create an inbound ACL on the switch and apply it to each data VLAN preventing access from the 172.31.21.0/24 network, then create a less restrictive inbound ACL permitting SCCP, SIP, RTP etc. and apply it to the voice VLANs.

Internet access would be achieved by using a default route on the switch stack pointing to the inside interface of the ASA, for example 172.16.1.1.

Each office would also use the switch as their default gateway.

or

Apply the same ACLs as above and create a trunk between the switch stack and the ASA only permitting the data VLANs on the trunk, then configure each office to use the ASA as the default gateway for internet access. This would give me more flexibility should an office not require internet access, or for applying rate limiting etc.

So yes, that's where my train of thought is at the moment; any suggestions would be most welcome. I know what I'd like to achieve but am trying to do my best to keep it simple, stupid!

Regards

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Mark,

If using separate VLANs and IP subnets for voice and data, you can segregate each data network efficiently using the VRF lite concept.

In this way you don't need to waste time configuring ACLs and you have built in separation of the offices.

For an introduction to MPLS VRF Lite see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/vrf.html

Then you need to provide internet access to each VRF:

On the ASA you can have one VLAN subinterface for each office VRF as the inside, at the same security level, so that they are separated.

This should be the best way to achieve scalability and keep it simple.

The voice VLANs can be placed in the global routing table or in a dedicated VRF for voice, so that it is possible to perform calls between offices.

Using billing systems you can then charge each office for their outbound calls to the PSTN.

Hope to help

Giuseppe
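The per-office VRF-lite layout suggested above, as an added example that is not from this thread or from Cisco: it generates the Catalyst 3750 (IP services image) configuration for one office from the numbering scheme in the original post and checks a whole plan for VLAN or subnet collisions. The VRF name OFFICE<N>, the per-office transit VLAN 400+N on the trunk to the ASA, and the transit subnet 172.16.N.0/30 with the ASA subinterface at .1 are assumptions made here.

```python
# Added example, not from the thread. Office N -> access VLAN 200+N, voice
# VLAN 300+N, data 172.31.N.0/24, voice 172.30.N.0/24 (from the post).
# Assumed here: VRF name OFFICE<N>, transit VLAN 400+N to the ASA and
# transit subnet 172.16.N.0/30 with the ASA at .1 (office 1 lands on the
# post's 172.16.1.1). Voice SVIs stay in the global table so offices can call.
import ipaddress

def office_plan(n):
    """VLAN and subnet allocation for office n (1..100)."""
    if not 1 <= n <= 100:
        raise ValueError("office number must be between 1 and 100")
    return {
        "vrf": f"OFFICE{n}",
        "data_vlan": 200 + n, "voice_vlan": 300 + n, "transit_vlan": 400 + n,
        "data_net": ipaddress.ip_network(f"172.31.{n}.0/24"),
        "voice_net": ipaddress.ip_network(f"172.30.{n}.0/24"),
        "transit_net": ipaddress.ip_network(f"172.16.{n}.0/30"),
    }

def vrf_lite_config(n):
    """IOS configuration lines for one office's VRF, SVIs and default route."""
    p = office_plan(n)
    addr = lambda net, host: f"{net[host]} {net.netmask}"
    asa = str(p["transit_net"][1])          # ASA subinterface in this office's VRF
    return "\n".join([
        f"ip vrf {p['vrf']}",
        f"interface Vlan{p['data_vlan']}",
        # 'ip vrf forwarding' wipes the SVI address, so it must precede 'ip address'
        f" ip vrf forwarding {p['vrf']}",
        f" ip address {addr(p['data_net'], 1)}",
        f"interface Vlan{p['transit_vlan']}",
        f" ip vrf forwarding {p['vrf']}",
        f" ip address {addr(p['transit_net'], 2)}",
        f"ip route vrf {p['vrf']} 0.0.0.0 0.0.0.0 {asa}",
        # voice SVI deliberately left in the global routing table (no VRF)
        f"interface Vlan{p['voice_vlan']}",
        f" ip address {addr(p['voice_net'], 1)}",
    ])

def check_plan(office_numbers):
    """True when no two offices share a VLAN ID or an overlapping subnet."""
    plans = [office_plan(n) for n in office_numbers]
    vlans = [p[k] for p in plans for k in ("data_vlan", "voice_vlan", "transit_vlan")]
    nets = [p[k] for p in plans for k in ("data_net", "voice_net", "transit_net")]
    if len(set(vlans)) != len(vlans) or not all(1 <= v <= 4094 for v in vlans):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```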

That's a very good idea, thank you. Do you know if it's supported on the standard 3560 and 3750 images?

Regards

Hello Mark,

I see it on the universal

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 54 WS-C3560E-48PD 12.2(35)SE5 C3560E-UNIVERSAL-M

Configuration register is 0xF

SW-RM-NOV-C-1-2#

SW-RM-NOV-C-1-2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW-RM-NOV-C-1-2(config)#ip vrf ?

WORD VPN Routing/Forwarding instance name

SW-RM-NOV-C-1-2(config)#ip vrf

However, you need the IP services image and not the base image.

see

>>>To use multi-VRF CE, you must have the IP services image installed on your switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swiprout.html#wp1320198

Hope to help

Giuseppe

Thank you again, I just found the same in the config guide. Could you recommend another method using just the standard image?

Regards

Hello Mark,

You could think of using VRF lite on the 1841, but then you may face throughput problems.

I think it is wise to pay for the upgrade to IP services, because VRF lite is the right tool for your scenario.

Hope to help

Giuseppe

Much appreciated. I would like to get more into VRF for other things I'm working on; looks like a good place to start.

Thank you for your time.

Regards
