Shared office Vlan setup on ESW switches

Unanswered Question
Jan 25th, 2010

Hi,

I wonder if you can give me a bit of a sanity check on the following design for a shared office. We are somewhat restricted by the building's cabling; the actual design is a bit larger.

What we require is all IP phones (not Cisco) to be able to talk to each other and Company A's server, Company A's server and PCs to be able to communicate together, and Company B's router and the network behind it to be able to access a shared printer and the internet. Anything without a Cisco part no. next to it isn't Cisco and must be assumed to be dumb.

I'm not after a detailed howto - I just want to check that in theory this is possible, I'll work bench the equipment if it will work.

Thanks,

Adam

[Attachment: AM network.jpg (network diagram)]

alissitz Mon, 01/25/2010 - 11:14

Hello and good afternoon,

You have the phones in the same VLAN, vlan 3. This is good.

You have company B's router, the printer and server in the same vlan, vlan 5.

You have company A's PCs, the server, and the 'router' to the Internet in the same vlan, vlan 1. The server appears in multiple vlans ... will it have multiple interface cards or dot1q trunking?


Do I have this right?

I think this is fine overall, and do please let me ask a few questions to make sure I understand your approach and design.

Company B's router will perform security to restrict company A's PCs from accessing it. This router can actually run a firewall and then protect this second company. Shared resources like the server and printer's specific IP addresses will be allowed into company B's network; you will need to make sure you allow bi-directional access.

Company A's PCs can access the printer in vlan 5 by being routed there by the Internet router; inter-vlan routing.  Security on this router will keep company B's network from accessing company A's PCs / network. 

I suppose you will employ some security on the router for the printer and server so that only Company A and B can access these shared devices. Unless you plan on open access to these shared resources, and then just simple inter-vlan routing is needed.

All in all I do not see any problems with this, the switches can perform vlans and trunking just fine.

Having an internal firewall and or a second router for a second company is not that rare (it's a good idea) and it does well to 'hide' or protect the second company.

You will likely need to spend a little extra time in the lab to make sure you have all the configs right ... and I can imagine this getting confusing when you are configuring the Internet router.

Do please respond with any follow up questions and or comments.  Many thanks 

Andrew Lissitz

apedder123 Mon, 01/25/2010 - 15:10

Thanks for the reply, very useful.

I notice I got a couple of Vlan numbers wrong on my diagram, wasn't thinking straight.

Am I right in saying I don't need anything special with regards to Intra-Vlan routing as I don't intend different Vlans to be on different Subnet ranges?

Do the ESW support tagging multiple Vlans? I don't know the server network card that is going to be used so I'm trying to ensure the least chance of failure with the equipment I can specify!

Thanks,

Adam

alissitz Mon, 01/25/2010 - 16:07

Hello Adam, good evening.

Inter-vlan routing is supported via two methods:

1) Single interface w/ subinterfaces, each on its own vlan

2) Multiple router interfaces

Each VLAN will be its own network and only routable via a L3 device; vlans are 'virtual lans' aka ... separate networks. So yes, each VLAN is its own subnet.

It is pretty common to have phones on a separate vlan from the PCs.  So in this case you would have two vlans.

Yes, the ESWs can and will tag frames appropriately for trunk links.  If you are using a single interface on the router, then this would be a trunk link from the switch's perspective. Also switch to switch links would be trunk links and the vlan tags would have to be maintained.

Do you know if your router can handle this config?  Or ... does it have multiple interfaces?  If not, let me know and perhaps I can suggest one.

You will also need to learn more about the server. Perhaps it has a single interface, or dual interfaces, teaming / redundancy etc ... this will affect how you configure the switch ports.

Much of your design choice is going to be based on the amount of flexibility your equipment allows for.

In short, you should always have security and QoS in every design; these two go hand in hand.  The ESW switches have smart ports, so this will provide you some basic level of security and it will provide QoS.

It appears you are also addressing the security by keeping these devices on separate company networks ... good idea.

If you like, feel free to investigate the server and router and then let me know if I can be of more assistance.  Me = standing by.

Have a great night,

Andrew

apedder123 Tue, 01/26/2010 - 12:42

Thanks for the advice and I'll happily take a recommendation on Router.

This isn't a large install, Company A has about 15 devices in total, and there are actually 2 company 2s, both only a handful of devices, so we don't need anything too meaty.

I think that would be the most sensible way to go as it should give the most flexibility and least reliance on the rest of the equipment that we have no control over.

Thanks,

Adam

alissitz Tue, 01/26/2010 - 20:36

You know Cisco ... the answer is usually that it 'depends'.  ;-)

With that said, the router that popped into my mind was our 800 series ISR.  For what you are trying to do, I might suggest to look at the 880 series.

Here is a link to the model comparisons:

http://www.cisco.com/en/US/products/hw/routers/ps380/prod_models_comparison.html

The 881 or even the 871 sounds like a fit. The 880 series datasheets:

http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78_459542.html

This would give you inter-vlan routing, firewall, remote management, Gui based configs with CNP, vpn, advanced routing, granular control / config options, etc ...

I am not sure if you all have planned on putting together a cookie cutter type offering, but the ISR series is good for this.

The small business series might be an option for you as well, particularly the RVL200 or RVS4000.  A model comparison page can be found here:

http://www.cisco.com/en/US/products/ps9923/prod_models_comparison.html

I am not sure if I agree with the small biz series for this install, since you have a need for good security and QoS, and the flexibility for multiple companies and VoIP.  This is a pretty decent job you got here.  I think the Cisco ISR would be a better choice.

BTW - not sure if you have seen this yet, but here is the design portal with some cookie cutter designs, configs, and product choices.  You can drill down into the small branch offerings as well as small business offerings.

HTH,

Andrew Lissitz

apedder123 Thu, 01/28/2010 - 09:04

I'm looking at the 800 series, I don't suppose there is one with a dual ethernet WAN? Would be quite handy.

Thanks,

Adam

alissitz Thu, 01/28/2010 - 09:19

Hello,

Not on the 800 series ...

If you want multiple FE WAN ports, then you need to move up to the 1800 series, here is the comparison link:

http://www.cisco.com/en/US/products/ps5853/prod_models_comparison.html

The 1805 did not make it into this comparison ... but this is a nice router as well.

The SA520 and SA540 have dual WAN ethernet ports and support VLANs on the LAN side.  Have you gotten a chance to look these over?

alissitz Fri, 01/29/2010 - 08:34

Sounds good.  If you find the time, please update us for how you make out.

apedder123 Sat, 02/13/2010 - 04:20

I went for an ESW-520-24P and an SA-520W.

All is going well, but for one problem. I've set up all the VLANs and the from the switch to the router. I've also set up multiple APs on the 520W for each of the companies, which is a nice touch.

My problem now is to limit routing between the VLANs. I was assuming that I'd be able to activate inter-VLAN routing, and then use the firewall to limit access by port or IP. That way I could open up a printer on one of the VLANs to all the others.

However the firewall on the 520W seems a little too basic. It will do Lan to Wan filtering, but won't do Lan to Lan.

As the Inter Vlan routing is also basic I can't just put the shared devices on a guest vlan and then route between them, inter vlan routing seems to be all or nothing.

My only thoughts at the moment might be to use the DMZ port to connect the shared devices, but this seems a little unsophisticated and ties up the DMZ port for future use.

Any thoughts greatly appreciated.

Thanks,

Adam

alissitz Tue, 02/16/2010 - 10:22

Yes, by default the device thinks you want to route between all networks on the inside.

Putting shared resources in the DMZ is not such a bad thing, especially if you need external access. You can also do some security on your switch, see the admin guide, starting around page 160:

http://www.cisco.com/en/US/docs/switches/lan/csbms/esw500/administration/guide/ESW_500_Administration_Guide.pdf

HTH,

Andrew Lissitz
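As an added example (not the thread's own configuration, and not something the SA520W's GUI offers, since Adam found it cannot filter LAN-to-LAN), here is the sub-interface inter-VLAN routing Andrew describes earlier, with access lists that let only the shared server and printer cross between Company A, the phones and Company B. It assumes a Cisco IOS router like the ISR suggested in the thread; the interface name, VLAN numbers and addresses are constructed (an 880 with its built-in switch would use `interface Vlan N` SVIs instead of sub-interfaces).

```ios
! Constructed addressing for this example (not from the thread):
!   VLAN 1  192.168.1.0/24   Company A PCs, shared server at .10
!   VLAN 3  192.168.3.0/24   IP phones
!   VLAN 5  192.168.5.0/24   Company B router at .2, shared printer at .20
! Interface name is assumed; use the LAN interface of your router.
interface GigabitEthernet0/0
 description 802.1Q trunk to ESW switch
 no ip address
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group VLAN1-IN in
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group VLAN3-IN in
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip access-group VLAN5-IN in
!
! ACLs are stateless: each direction of a shared flow must be permitted
! on the sub-interface where that direction enters the router.
ip access-list extended VLAN1-IN
 remark Company A: printer and Internet; server may answer phones and Company B
 permit ip 192.168.1.0 0.0.0.255 host 192.168.5.20
 permit ip host 192.168.1.10 192.168.3.0 0.0.0.255
 permit ip host 192.168.1.10 192.168.5.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended VLAN3-IN
 remark Phones: only the server; phone-to-phone traffic never leaves VLAN 3
 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.10
 deny   ip any any
!
ip access-list extended VLAN5-IN
 remark Company B: server and Internet only; printer may reply to Company A
 permit ip 192.168.5.0 0.0.0.255 host 192.168.1.10
 permit ip host 192.168.5.20 192.168.1.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
```

Traffic within one VLAN (phone to phone, Company B to the printer on VLAN 5) is switched by the ESW and never reaches these ACLs, so only cross-VLAN flows are filtered; `show ip access-lists` shows hit counts per entry when bench-testing.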
