Sharing a T1...???

rshullaw
Level 1

Scenario:

T1 coming into an office complex terminating at a Cisco 1751 running IOS Firewall software. Office complex has multiple separate companies with varied and separate internal network segments. Need to share T1 between these disparate network segments.

Can this be done using only the existing router, terminating the T1 and performing NAT, and a Layer 3 switch with separate VLANs for each corporate network? How might that be implemented? Assuming that it were possible to completely assign the IP numbering scheme for each of the companies, how might this be distributed?

Any advice on designing an appropriate solution would be greatly appreciated.

Thanks.

4 Replies

p-hogan
Level 1

Hi

Really it depends on the number of users.

If there are only a few users, you could do it on the cheap with a layer 2 cat 2950 (or similar) and create separate vlans on this switch for each company. Then between the switch and router (1751) you could trunk all vlans. On the single router Ethernet port you would in effect create the gateway for each network and then default route out the T1. Access lists applied to the Ethernet sub-interfaces could then restrict inter-network access.

If there are more users, you probably want to put in a separate layer 3 switch, maybe a 3550 or 4000/4500. This would provide extra bandwidth and scalability. This switch could have users directly plugged in or provide links to floor access switches. Access lists apply again.

The 1751 should be performing NAT and the usual firewall duties.

Initial questions are:

How many companies?

How many users?

Physical layout: number of floors, etc.?

Will you provide all the networking equipment?

Thanks for the reply. That's basically what I was envisioning, but I was concerned I was missing something. The access lists are something I hadn't considered in my initial thoughts, but are obviously critical in this multiple organization environment.

There are approximately 10-15 companies represented with most having 2 or 3 nodes at most. It's all one floor, and I will be in a position to provide or at least dictate the network equipment to be provisioned.

Would this same configuration also allow me to provide access to a single shared server resource for all networks? There is the possibility of a shared server-based phone switch for all offices as well.

Thanks again for the help!

You could buy a 3550 24 port with routing enabled (WS-C3550-24-EMI) and connect extra 2950G's via the GBIC slots (need to populate slots with stacking or std. SX connections). Then give 2/3 ports across the switches per customer.

Or you could buy a single 3550 and just give the customer 1 port - they then provide their own mini hubs/switches.

You could have a vlan for each customer (gateway of 3550), a vlan for the shared servers (gateway of 3550) and a vlan for the internet (gateway of 1700).

By using a layer 3 3550 you would offload the need to head to the 1700 each time you wish to access services on the shared server (on different network).

The router probably will be busy enough with internet routing and firewalling.

Excellent!

I like the idea of transferring some of the routing load to a Layer 3 switch, rather than having to go through the 1751 all the time. I'll do that.

Thanks again for the advice!
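
The design the thread settles on (one VLAN per company with its gateway on the Layer 3 switch, a shared-server VLAN, and access lists between them), as an added example that is not part of any post: a Python script that assigns a subnet per company, emits IOS-style ACLs, and checks the isolation they give. The address ranges, VLAN ids, ACL names and the /28 subnet size are assumptions.

```python
import ipaddress

# Assumed values, not from the thread: address ranges, VLAN ids, ACL names.
TENANT_BLOCK = ipaddress.ip_network("10.20.0.0/16")  # every tenant subnet
SHARED_NET = ipaddress.ip_network("10.30.0.0/24")    # shared server VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
FIRST_VLAN = 101


def build_plan(tenant_count, prefix_len=28):
    """One VLAN and one /28 (14 hosts) per company, gateway on the L3 switch."""
    subnets = TENANT_BLOCK.subnets(new_prefix=prefix_len)
    return [{"vlan": FIRST_VLAN + i, "subnet": net,
             "gateway": net.network_address + 1,
             "acl": f"TENANT{FIRST_VLAN + i}-IN"}
            for i, net in zip(range(tenant_count), subnets)]


def acl_rules(tenant):
    """Ordered (action, source, destination) rules; first match wins."""
    own = tenant["subnet"]
    return [("permit", own, SHARED_NET),   # shared server / phone switch
            ("deny", ANY, TENANT_BLOCK),   # every other company's VLAN
            ("permit", own, ANY)]          # Internet via the default route


def render(tenant):
    """IOS-style named ACL plus the VLAN interface it is applied to."""
    def term(net):
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
    lines = [f"ip access-list extended {tenant['acl']}"]
    lines += [f" {a} ip {term(s)} {term(d)}" for a, s, d in acl_rules(tenant)]
    lines += [f"interface Vlan{tenant['vlan']}",
              f" ip address {tenant['gateway']} {tenant['subnet'].netmask}",
              f" ip access-group {tenant['acl']} in"]
    return lines


def permitted(tenant, src_ip, dst_ip):
    """Apply the rules the way an ACL does, ending in the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in acl_rules(tenant):
        if src in s and dst in d:
            return action == "permit"
    return False


if __name__ == "__main__":
    for t in build_plan(15):
        print("\n".join(render(t)), end="\n!\n")
```

Because the deny covers the whole tenant block, it also drops IP packets addressed to a company's own gateway address (a ping to the gateway, for instance); traffic routed through the gateway is unaffected.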
