I have a client requiring a router to act as the gateway for their multitenant office building.
There will be approx 60-80 users that will share a 10mb fiber connection. Some tenants will require a static external IP while others will only require basic Internet with no port forwarding or 1-to-1 NAT.
Any suggestions as to what would be a solid router that would not limit them feature-wise down the road?
Future considerations would be Internet speeds up to 50mb and voip out to the Internet.
Depending on the size of the building and number of tenants, pretty much any L3 switch/router will easily handle this. You can easily start in a 3600-series and keep that for a while. There are some engineering/support-specific considerations that you need to consider.
DON'T NAT... TRUST ME....
While it conserves IP addresses, creating a LAN environment with a common gateway gets into issues with inter-office LAN-LAN communications on the private LAN (which can be fixed, but not "fixed" by default). Let's face it, end-users want to run a business and they typically don't have in-house IT people to secure their network; not to mention, if they DO have in-house IT people, they won't accept a NAT'ed internet connection (which severely limits their ability to host applications without a third-party to punch holes in the edge firewall). Also, the private LAN segment is prone to MANY issues with end-users accidentally plugging in an appliance to the LAN segment that serves DHCP, which [then] causes mega issues because you'll have multiple DHCP servers handing out IP addresses from different subnets/gateways.
VLANs are your friend
The PROPER way to set this up would mean your 10mb fiber connection would have two subnets (/30 for WAN communications) and a large subnet (probably /25) directly routed to your equipment, and YOU control the public IP assignments to your customers by subnetting the /25 into smaller /29 or /30 subnets. This (while a hog of IP space) is the correct ISP-like way to handle communications.
Say a customer doesn't pay and you need to shut them off, how are you going to control this? With NAT, you have no control of subscriber management besides physically unplugging the cable to their office; with VLANs you have a CLI where you can simply issue a shutdown command to their VLAN, kicking them off - no physical access needed. Additionally, if you're really hell-bent on having a NAT solution, purchase a subscriber gateway (ZyXel VSG-1200 is a very cost effective solution and has EXCELLENT subscriber/subscription management and an easy-to-use admin interface where you can kick users).
With the NAT solution, bandwidth management is basic AT BEST. With a subscriber gateway, you DO have segmented up/download speeds, with VLANs you have the greatest control and are able to easily rate-limit the up/download speeds - This is important so you can maximize your revenue by offering tiered speeds for different customer needs.
I engineered a very large MTU project that involved 15 buildings (approximately 300-350 subscribing companies) all connected back to our COLO and NOC where we managed all the routing/VLAN/subscriber management..... The key to making it work is hands-off management, flexibility and scalability...
What I used:
3x1gb Metro-E BGP'd on Cisco 3800s (This was our EDGE)
2 Catalyst 6509E with HSRP (This was our CORE)
Each building had a trunk back to our colo (either Fiber, Microwave or P2P WiFi)
Each building had a distribution switch Cisco 3600 (distributed building link to each floor)
Each floor had a distribution switch Cisco 3600 (had trunk to building distribution switch) and each port was assigned to a customer with a unique VLAN.
If you're open, I can help consult on this project and really make a rock-solid business unit for you.. msg me if interested..
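As an added illustration of the VLAN-per-tenant design described in the post above (example code, not from the original thread or any poster): a small Python planner that carves an ISP-routed /25 into per-tenant /29 and /30 subnets, checks that no two tenants overlap, and emits a Cisco IOS-style SVI stanza per tenant, with "shutdown" applied to a tenant that stops paying. The public block (203.0.113.0/25, RFC 5737 documentation space), the tenant list, VLAN IDs and the IOS syntax are all assumptions made for the example.

```python
"""Per-tenant subnet planning for a multi-tenant building router.

Added example, not the original poster's configuration. Assumptions:
  - the ISP routes 203.0.113.0/25 (RFC 5737 documentation space) to us
  - every tenant gets exactly one VLAN and one public subnet (/29 or /30)
  - the emitted config is Cisco IOS style; the first usable host is our gateway
"""
import ipaddress

PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/25")  # constructed block

# constructed tenant list: (name, VLAN id, prefix length, paying?)
TENANTS = [
    ("suite-101", 101, 29, True),
    ("suite-102", 102, 30, True),
    ("suite-201", 201, 29, False),   # behind on payment: VLAN gets shut down
    ("suite-202", 202, 30, True),
]


def allocate(block, tenants):
    """Carve `block` into one subnet per tenant.

    Larger requests (/29) are placed before smaller ones (/30) and each request
    is taken from the smallest free chunk that still fits, so the block does not
    fragment. Returns (plan: name -> network, free: list of unused networks).
    """
    free = [block]
    plan = {}
    for name, _vlan, plen, _paying in sorted(tenants, key=lambda t: t[2]):
        fits = [n for n in free if n.prefixlen <= plen]
        if not fits:
            raise ValueError(f"block exhausted while allocating {name}")
        chunk = max(fits, key=lambda n: n.prefixlen)   # best fit
        free.remove(chunk)
        if chunk.prefixlen == plen:
            net = chunk
        else:
            net = next(chunk.subnets(new_prefix=plen))
            free.extend(chunk.address_exclude(net))      # return the remainder
        plan[name] = net
    return plan, free


def overlapping_pairs(plan):
    """Sanity check: list every pair of tenants whose subnets overlap (should be empty)."""
    nets = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def svi_config(name, vlan, net, paying):
    """Cisco IOS-style SVI stanza (assumed syntax) for one tenant.

    Gateway = first usable host, remaining hosts belong to the tenant. A tenant
    that does not pay is cut off with 'shutdown' on their VLAN interface, which
    the post above describes as the advantage over physically unplugging cables.
    """
    gateway = next(net.hosts())
    usable = net.num_addresses - 3           # minus network, broadcast, gateway
    return "\n".join([
        f"interface Vlan{vlan}",
        f" description tenant {name} - {net} ({usable} customer addresses)",
        f" ip address {gateway} {net.netmask}",
        " no ip redirects",
        " no ip proxy-arp",
        " shutdown" if not paying else " no shutdown",
        "!",
    ])


def build_config(tenants, plan):
    """Full per-tenant interface section for the building L3 switch."""
    return "\n".join(svi_config(name, vlan, plan[name], paying)
                     for name, vlan, _plen, paying in tenants)


PLAN, FREE = allocate(PUBLIC_BLOCK, TENANTS)

if __name__ == "__main__":
    assert not overlapping_pairs(PLAN)
    print(build_config(TENANTS, PLAN))
    print("! unused space:", ", ".join(str(n) for n in FREE))
```

Run it as-is and it prints four "interface VlanNNN" stanzas; suite-201's carries "shutdown", the others "no shutdown". Tiered rate limiting per VLAN (mentioned in the post) is deliberately left out of this example, since the policing syntax varies by platform.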
As of now the site (building) has been wired and all the switches are in place. The switches have been configured for MST to logically direct VLAN traffic between switches within common wiring closets and between floors. Tenants are given 5 VLANs (most will only use 1, some may use a 2nd for voice) and the appropriate subnet. I do like the idea of purchasing a /27 and chopping it up for them, but cost is a factor here and if the price is too high then it will not be an option. Thus NATing may be my only option at that point, i.e. using NAT and policy-based routing for tenants that strictly need internet access and 1-to-1 NAT for those that need port forwarding. I know the double NAT may be an issue with VoIP equipment and am not sure if certain routers have an ability to overcome those types of issues.
I'm looking at either a 1841, 2811 or 3745. As for inter-VLAN routing (if needed at a later point) I would probably put in a layer 3 switch (or just use router-on-a-stick with one of the above routers in the interim).
I am not sure why you would be giving any one client more than one VLAN? Essentially, you need to hand off straight IP to the customer... If you want to do voice on top of it, simply QoS that traffic; there is no reason to assign more than one LAN to any one customer.
I am not sure how much your ISP is charging you for IP space... three words... PASS THRU COST :-)
As for the equipment, none of that is needed.... I'm assuming your 10mb fiber is being handed off with Ethernet? If so, a 3600 24/48 port Layer 3 switch will do just fine... you can pick them up for around $100 used... If you want TRUE ISP functionality, you can pickup a 4500 with a few 48 port cards and a pair of redundant SUP2GE's for <$1500...