Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
9
Helpful
6
Replies

Network Design For MultiTenancy Offices

exonetinf1nity
Level 1
Level 1

‎01-15-2009 06:28 PM - last edited on ‎03-25-2019 04:04 PM by Community Manager

Greetings, im trying to put together a scope for managed office scenarios, we have a number of potential clients who let out there premises for use by different clients as well as one existing customer who is currently expanding there building to 200 offices.

The current basic design i have in place is based on a layer 3 access layer and core using 3750 series switches a single ASA firewall and a 2811 ISR terminating a leased line presented on ethernet, we are also running Call Manager in combination with Unity Express to provide voicemail service to existing and future clients renting office space.

My initial thoughts were to allocate each office it's own data vlan and voice vlan aswell as a separate subnet

Eg: Office 1 -

Data Vlan 101

Voice Vlan 201

Data Network: 172.18.1.0 /24

Voice Network 172.17.1.0 /24

Office 2 -

Data Vlan 102

Voice Vlan 202

Data Network: 172.18.2.0 /24

Voice Network 172.17.2.0 /24

Call Manager/Unity Vlan: 1000

Call Manager/Unity Network: 172.16.1.0 /24

The question im really toiling with though is how best to route traffic between the office vlans and the call manager network but also keep traffic between office's isolated at the same time giving each each individual network internet access via the ASA, i had thought of using the switch as the gateway for the voice networks and then trunking to the ASA and using the ASA as the gateway for the data networks.

Has anyone done anything like this before, if so id really appreciate any recommendations you may have.

Regards

Labels:
0 Helpful
6 Replies 6

Collin Clark
VIP Alumni
VIP Alumni

‎01-22-2009 02:39 PM

Maybe you could use Private VLANs for security?

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

Hope that helps.

exonetinf1nity
Level 1
Level 1
In response to Collin Clark

‎01-22-2009 02:50 PM

It does indeed, it had crossed my mind, i forgot id posted this thread and started a new one in which someone suggested using vrf-lite to do the same thing but ideally like to achieve it without having to use ip services images on the switches.

Do you think it would be wise to use a single isolated vlan considering i could potentially be looking at approx 100 hosts within said vlan although each office would be on a different network?

Regards

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to exonetinf1nity

‎01-22-2009 03:01 PM

Mark

" i forgot id posted this thread and started a new one in which someone suggested using vrf-lite to do the same thing"

I did wonder about that :-)

I would strongly recommend the solution Giuseppe proposed as MPLS VPN's/VRF-lite is ideally designed for segregating customer traffic. I appreciate there is a cost involved and in these economic times not always easy to justify the expense but vrf-lite does map to your design needs. Have a look at this design guide from Cisco which covers the exact issues you are looking into -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html

However you can use acl's to achieve the same thing but it does have scalability issues. Like i say the above guide covers a lot of these issues.

Jon

exonetinf1nity
Level 1
Level 1
In response to Jon Marshall

‎01-22-2009 03:07 PM

Excellent guide cheers, yes cost is not usually a concern for larger clients as they can appreciate the benefit and i agree it's the right way forward, we are suffering in the UK at present due to the dolar rate, quotes are increasing by as much as £200 - £1000 a day making it hard to stay within margin specially when the time between quoting and ordering can be upto a month we dont know what price the kit will be!

Thank the stars i dont have to get too heavily involved in the financial aspects of it all!

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to exonetinf1nity

‎01-22-2009 03:14 PM

"we are suffering in the UK at present due to the dolar rate"

I know, i was just pricing up the CCIE R&S lab workbooks and wishing i had bought them a couple of months back :-)

Jon

0 Helpful

Yudong Wu
Level 7
Level 7

‎01-22-2009 02:59 PM

If each office is in a different subnet, you have to use ACL or VACL to isolate the traffic between them.

For example, all offices and voice vlan have their default gateway on 3750, in other word, 3750 have a layer 3 vlan interface for each vlans in your network. Then you can configure an incoming ACL under each vlan interface which will deny any packet with destination to the other vlans and permit packet to voice vlan and the rest (internet). HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card