Greetings, I'm trying to put together a scope for managed office scenarios. We have a number of potential clients who let out their premises for use by different clients, as well as one existing customer who is currently expanding their building to 200 offices.
The current basic design I have in place is based on a layer 3 access layer and core using 3750 series switches, a single ASA firewall and a 2811 ISR terminating a leased line presented on Ethernet. We are also running Call Manager in combination with Unity Express to provide voicemail service to existing and future clients renting office space.
My initial thoughts were to allocate each office its own data VLAN and voice VLAN, as well as a separate subnet.
E.g. Office 1:
Data VLAN: 101
Voice VLAN: 201
Data Network: 172.18.1.0/24
Voice Network: 172.17.1.0/24
Office 2:
Data VLAN: 102
Voice VLAN: 202
Data Network: 172.18.2.0/24
Voice Network: 172.17.2.0/24
Call Manager/Unity VLAN: 1000
Call Manager/Unity Network: 172.16.1.0/24
The question I'm really toiling with, though, is how best to route traffic between the office VLANs and the Call Manager network while keeping traffic between offices isolated, and at the same time giving each individual network internet access via the ASA. I had thought of using the switch as the gateway for the voice networks and then trunking to the ASA and using the ASA as the gateway for the data networks.
Has anyone done anything like this before? If so, I'd really appreciate any recommendations you may have.
It does indeed; it had crossed my mind. I forgot I'd posted this thread and started a new one in which someone suggested using VRF-lite to do the same thing, but ideally I'd like to achieve it without having to use IP Services images on the switches.
Do you think it would be wise to use a single isolated VLAN, considering I could potentially be looking at approx. 100 hosts within said VLAN, although each office would be on a different network?
"I forgot I'd posted this thread and started a new one in which someone suggested using VRF-lite to do the same thing"
I did wonder about that :-)
I would strongly recommend the solution Giuseppe proposed, as MPLS VPNs/VRF-lite are designed precisely for segregating customer traffic. I appreciate there is a cost involved, and in these economic times it is not always easy to justify the expense, but VRF-lite does map to your design needs. Have a look at this design guide from Cisco which covers the exact issues you are looking into -
Excellent guide, cheers. Yes, cost is not usually a concern for larger clients as they can appreciate the benefit, and I agree it's the right way forward. We are suffering in the UK at present due to the dollar rate; quotes are increasing by as much as £200 - £1000 a day, making it hard to stay within margin, especially when the time between quoting and ordering can be up to a month and we don't know what price the kit will be!
Thank the stars I don't have to get too heavily involved in the financial aspects of it all!
If each office is in a different subnet, you have to use an ACL or VACL to isolate the traffic between them.
For example, all offices and the voice VLANs have their default gateway on the 3750; in other words, the 3750 has a layer 3 VLAN interface for each VLAN in your network. Then you can configure an incoming ACL under each VLAN interface which denies any packet destined for the other VLANs and permits packets to the voice VLAN and the rest (internet). HTH
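A worked version of the router-ACL-per-SVI approach described above, written as an added example for this thread and not configuration posted by anyone in it. It uses the addressing scheme from the original post (data 172.18.N.0/24 on VLAN 10N, voice 172.17.N.0/24 on VLAN 20N, Call Manager/Unity Express on 172.16.1.0/24 in VLAN 1000), shows Office 1 only, and assumes a constructed ASA inside address of 172.16.254.1 as the switch's default route.

```ios
! Constructed example: tenant isolation on a Catalyst 3750 acting as the
! layer 3 gateway for every office VLAN. Inbound ACLs on each office SVI
! allow traffic to the shared Call Manager / Unity network and the Internet,
! and drop anything aimed at another tenant's data or voice subnet.
ip routing
!
ip access-list extended OFFICE1-DATA-IN
 remark Office 1 data -> own voice subnet and shared voice services
 permit ip 172.18.1.0 0.0.0.255 172.17.1.0 0.0.0.255
 permit ip 172.18.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 remark drop every other tenant's data and voice subnet (summary denies)
 deny   ip any 172.18.0.0 0.0.255.255
 deny   ip any 172.17.0.0 0.0.255.255
 remark everything left is the Internet via the ASA
 permit ip any any
!
ip access-list extended OFFICE1-VOICE-IN
 remark phones need Call Manager / Unity Express for signalling and voicemail
 permit ip 172.17.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 remark calls between offices carry RTP phone-to-phone; if those calls are
 remark required, add explicit permits to the other voice subnets above this deny
 deny   ip any 172.18.0.0 0.0.255.255
 deny   ip any 172.17.0.0 0.0.255.255
 permit ip any any
!
interface Vlan101
 description Office 1 data
 ip address 172.18.1.1 255.255.255.0
 ip access-group OFFICE1-DATA-IN in
!
interface Vlan201
 description Office 1 voice
 ip address 172.17.1.1 255.255.255.0
 ip access-group OFFICE1-VOICE-IN in
!
interface Vlan1000
 description Call Manager / Unity Express
 ip address 172.16.1.1 255.255.255.0
!
! Default route towards the ASA inside interface (constructed address)
ip route 0.0.0.0 0.0.0.0 172.16.254.1
```

Each further office repeats the same pair of ACLs and SVIs with its own subnets; because the denies are written against the 172.18.0.0/16 and 172.17.0.0/16 summaries, adding Office 2 does not require touching Office 1's ACL. After applying it, `show ip access-lists` on the 3750 shows per-entry hit counters, which is the quickest way to confirm that cross-office traffic is actually hitting the deny lines rather than slipping through on the final permit.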