Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Network Design For MultiTenancy Offices

Greetings, im trying to put together a scope for managed office scenarios, we have a number of potential clients who let out there premises for use by different clients as well as one existing customer who is currently expanding there building to 200 offices.

The current basic design i have in place is based on a layer 3 access layer and core using 3750 series switches a single ASA firewall and a 2811 ISR terminating a leased line presented on ethernet, we are also running Call Manager in combination with Unity Express to provide voicemail service to existing and future clients renting office space.

My initial thoughts were to allocate each office it's own data vlan and voice vlan aswell as a separate subnet

Eg: Office 1 -

Data Vlan 101

Voice Vlan 201

Data Network: 172.18.1.0 /24

Voice Network 172.17.1.0 /24

Office 2 -

Data Vlan 102

Voice Vlan 202

Data Network: 172.18.2.0 /24

Voice Network 172.17.2.0 /24

Call Manager/Unity Vlan: 1000

Call Manager/Unity Network: 172.16.1.0 /24

The question im really toiling with though is how best to route traffic between the office vlans and the call manager network but also keep traffic between office's isolated at the same time giving each each individual network internet access via the ASA, i had thought of using the switch as the gateway for the voice networks and then trunking to the ASA and using the ASA as the gateway for the data networks.

Has anyone done anything like this before, if so id really appreciate any recommendations you may have.

Regards

6 REPLIES

Re: Network Design For MultiTenancy Offices

New Member

Re: Network Design For MultiTenancy Offices

It does indeed, it had crossed my mind, i forgot id posted this thread and started a new one in which someone suggested using vrf-lite to do the same thing but ideally like to achieve it without having to use ip services images on the switches.

Do you think it would be wise to use a single isolated vlan considering i could potentially be looking at approx 100 hosts within said vlan although each office would be on a different network?

Regards

Hall of Fame Super Blue

Re: Network Design For MultiTenancy Offices

Mark

" i forgot id posted this thread and started a new one in which someone suggested using vrf-lite to do the same thing"

I did wonder about that :-)

I would strongly recommend the solution Giuseppe proposed as MPLS VPN's/VRF-lite is ideally designed for segregating customer traffic. I appreciate there is a cost involved and in these economic times not always easy to justify the expense but vrf-lite does map to your design needs. Have a look at this design guide from Cisco which covers the exact issues you are looking into -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html

However you can use acl's to achieve the same thing but it does have scalability issues. Like i say the above guide covers a lot of these issues.

Jon

New Member

Re: Network Design For MultiTenancy Offices

Excellent guide cheers, yes cost is not usually a concern for larger clients as they can appreciate the benefit and i agree it's the right way forward, we are suffering in the UK at present due to the dolar rate, quotes are increasing by as much as £200 - £1000 a day making it hard to stay within margin specially when the time between quoting and ordering can be upto a month we dont know what price the kit will be!

Thank the stars i dont have to get too heavily involved in the financial aspects of it all!

Hall of Fame Super Blue

Re: Network Design For MultiTenancy Offices

"we are suffering in the UK at present due to the dolar rate"

I know, i was just pricing up the CCIE R&S lab workbooks and wishing i had bought them a couple of months back :-)

Jon

Re: Network Design For MultiTenancy Offices

If each office is in a different subnet, you have to use ACL or VACL to isolate the traffic between them.

For example, all offices and voice vlan have their default gateway on 3750, in other word, 3750 have a layer 3 vlan interface for each vlans in your network. Then you can configure an incoming ACL under each vlan interface which will deny any packet with destination to the other vlans and permit packet to voice vlan and the rest (internet). HTH

251
Views
9
Helpful
6
Replies
CreatePlease to create content