Network design for a shared Business Center

Athena1390
Level 1

Hello,

I have been asked to design the network of a new shared Business Center, but I need some help.

The scope is the following:

- a building, with 1 Internet access

- 15 private offices

- each office can have up to 4 LAN connections

- each office can have its own VLAN (with Internet access) => max of 15 VLAN

- some offices can be merged together (1 VLAN for many offices)

- VLAN have access to the Internet only, but must be strictly isolated from the others

- DHCP must be available for each VLAN

- WiFi must be available everywhere, but each user can connect only to its own VLAN (ID and PW provided)

- management of the VLAN and connectivity must be as simple as possible (GUI)

What do I need to implement this configuration?

Thanks in advance for your help.

4 Accepted Solutions


1) Yes those part numbers are fine. With a little extra investment, you could get the ASA5505-SEC-BUN-K9 bundle. This includes the 'Security Plus' license. It's slightly more expensive, because it includes 'unlimited' users instead of 50 users.

2)  I have no experience with this product line, so would rather not comment further.

3.) It's best you read the data sheet yourself to ensure it's fit for purpose as you understand all your requirements. You can check your country is supported by the 'E' region here:

http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a_ps12534_Products_Data_Sheet.html

As mentioned previously, it requires a controller (i.e. it's the 'lightweight' version). If you want a controller-less option (i.e. 'autonomous' version), then the part code for the same region is AIR-SAP2602I-E-K9.

4.) A controller will provide various benefits including centralised management. You do not have to purchase one provided you use autonomous APs instead of lightweight APs. Without it you must configure and manage each autonomous AP individually.

Importantly, a controller provides security benefits such as detection of rogue APs. It will also prevent your clients associating with one. It can also plot any rogue APs on a floor plan.

Have a read through the relevant data sheets for management information.


For the 300 series Small Business switches, looks like they will do just fine. Quite a feature-rich switch, with .1Q support for trunking and VLAN tagging etc.

You can use a Windows server as a DHCP server per the ip helper-address command. Plenty in Cisco's documentation on this. Or for an ASA it's the DHCP relay command:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/dhcp.html#wp1170898

Regards

Stephen

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

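The relay arrangement Stephen points at, written out as an added example (not configuration from the post or from the linked Cisco guide): the ASA forwards each tenant VLAN's DHCP requests to a Windows DHCP server that sits on a separate "services" interface, and the equivalent on a Layer 3 switch uses ip helper-address on the VLAN SVI. The interface names officeA/officeB, the VLAN 90 services network, the server address 10.0.0.10 and the 10.10.x.0/24 tenant subnets are assumptions chosen for the example.

```cisco
! ---- ASA: relay tenant DHCP to a Windows DHCP server on a dedicated interface ----
! (example, assumed addressing; tenant sub-interfaces officeA/officeB already exist)
interface GigabitEthernet0/1.90
 vlan 90
 nameif services
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! ASA 8.x will not run the relay agent while its own DHCP server is enabled,
! so switch the local pools off first.
no dhcpd enable officeA
no dhcpd enable officeB
!
dhcprelay server 10.0.0.10 services
dhcprelay enable officeA
dhcprelay enable officeB
! setroute rewrites the "router" option in the reply to the ASA's own interface
! address, so clients get the ASA as default gateway whatever the server hands out
dhcprelay setroute officeA
dhcprelay setroute officeB
dhcprelay timeout 60
!
! The relay puts the ingress interface address (10.10.10.1, 10.10.20.1, ...) into
! giaddr, and Windows DHCP picks the scope that contains that address. So the
! Windows server simply needs one scope per tenant VLAN, e.g. 10.10.10.0/24 with
! router 10.10.10.1, and can serve all 15 VLANs from a single server.
!
! Tenants never talk to 10.0.0.10 directly (the ASA does), so the per-tenant
! inbound ACL should deny the services network outright, placed before the
! permit that allows Internet access:
access-list OFFICEA-IN extended deny ip any 10.0.0.0 255.255.255.0
access-list OFFICEA-IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group OFFICEA-IN in interface officeA

! ---- Layer 3 switch alternative: SVI per VLAN with ip helper-address ----
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.10
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.0.0.10
```

With either relay the DHCP server sees the request's giaddr, not the client's VLAN, so keep the tenant subnets distinct: two tenants on the same address range would be served from the same scope.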

28 Replies

stephen.stack
Level 4

Hi,

From a high level, you might want a switch that supports VLANs to connect and segregate all the individual offices. You could trunk this switch (3560/3750) to a Cisco ASA firewall, which in turn could have sub-interfaces on this trunk link on the ASA side, one for each VLAN configured. ACLs for security could be applied to each sub-interface, and a DHCP server for each VLAN can be configured on the ASA also. I would actually not scope this, and let the tenants manage their own LAN ('each office can have its own VLAN'). This would add unnecessary complexity.

Wireless can be as sophisticated as installing a Wireless LAN controller and several APs for centralised management of the APs. You can assign VLAN IDs to different BSSIDs. Or you can use 1-2 access points and manage them individually. The Cisco Aironet 2600 has a GUI and will allow VLAN tags per SSID. A site survey for wireless range would be required.

Having installed a few of these types of networks, the above is all very high level and would depend on specific requirements, but it should be a good starting point for you.

Regards

Stephen

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

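The design in Stephen's post, written out as an added example (this is not configuration from the post or from a Cisco document): two office VLANs on a Catalyst 3560, an 802.1Q trunk to an ASA that routes each VLAN on its own sub-interface, an inbound ACL per tenant that allows only Internet destinations, PAT to the outside address, and a DHCP pool per interface. VLAN numbers, addresses, port numbers and interface names are assumptions chosen for the example. The sub-interface syntax is for an ASA 5510 or larger; on a 5505, which has a built-in switch, each tenant is an `interface Vlan N` instead of a sub-interface and trunking on its switch ports needs the Security Plus license.

```cisco
! ---- Catalyst 3560: one access VLAN per office, one trunk to the ASA ----
vlan 10
 name office-A
vlan 20
 name office-B
vlan 999
 name unused-native
!
! the four wall sockets of office A (assumed ports Gi0/1-4); repeat per office
interface range GigabitEthernet0/1 - 4
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range GigabitEthernet0/5 - 8
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! uplink to the ASA: only tenant VLANs are allowed and the native VLAN is one
! nobody uses, so no tenant frame travels untagged and a double-tagged frame
! from one office cannot hop into another office's VLAN
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate

! ---- ASA (5510 or larger, 8.3+ NAT syntax): one sub-interface per VLAN ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 no nameif
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif officeA
 security-level 50
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif officeB
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Equal security levels already stop officeA <-> officeB traffic unless someone
! adds "same-security-traffic permit inter-interface"; the ACLs make the
! isolation explicit so it survives that change. Deny all tenant space first,
! then allow the tenant's own subnet anywhere else (i.e. the Internet).
object-group network TENANT-NETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
access-list OFFICEA-IN extended deny ip any object-group TENANT-NETS
access-list OFFICEA-IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group OFFICEA-IN in interface officeA
access-list OFFICEB-IN extended deny ip any object-group TENANT-NETS
access-list OFFICEB-IN extended permit ip 10.10.20.0 255.255.255.0 any
access-group OFFICEB-IN in interface officeB
!
! PAT every office behind the single outside address
object network OFFICEA-NET
 subnet 10.10.10.0 255.255.255.0
 nat (officeA,outside) dynamic interface
object network OFFICEB-NET
 subnet 10.10.20.0 255.255.255.0
 nat (officeB,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! one DHCP pool per interface; DNS server and lease time are global on the ASA
dhcpd dns 203.0.113.53
dhcpd lease 28800
dhcpd address 10.10.10.100-10.10.10.199 officeA
dhcpd enable officeA
dhcpd address 10.10.20.100-10.10.20.199 officeB
dhcpd enable officeB
```

Adding an office means one VLAN on the switch, one sub-interface, one ACL pair, one NAT object and one pool on the ASA; merging two offices into one VLAN means only putting their access ports into the same VLAN. The check worth running after each change is `packet-tracer input officeA tcp 10.10.10.50 1024 10.10.20.50 80` on the ASA, which must end in DROP.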

I agree with Stephen regarding an ASA. A firewall is the best way to properly segregate each tenant and manage what is allowed in and out of each VLAN. And the ASDM GUI is pretty good these days.

A WLAN controller can mitigate against rogue APs. You might want wireless IPS to protect against other forms of attack, but it's not cheap. Shared guest wireless on a dedicated DMZ would be a lot more cost effective. Might be worth creating a separate thread in the wireless section for advice on this one.

What size Internet circuit are you thinking of? Are you sure you want to rely on a single Internet feed? Lots of angry tenants if the ISP has an outage.

What about redundancy for the firewall and core/distribution layer?

Any PoE? Will there be a centralised IPT solution?

Marwan ALshawi
VIP Alumni

Just to add to the above posts.
To get the above requirements working with a scalable and easy-to-manage solution, you need to consider using a VRF per private office, associated with its respective VLANs. This way you will have the traffic isolated while using one common physical network.
Also for the wireless, using a wireless controller and having each private office's wireless VLAN/SSID associated with the relevant VRF will make sure wireless users are isolated per office too.
Internet can be considered a shared service where all the offices/VRFs that need Internet can access it, and by using policing with a source IP ACL you can limit the amount of traffic per office.
A firewall can be introduced in this network if firewalling is required anywhere in the path.

The link below can help you with some ideas around shared services and the VRF virtualization concept:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html
You may need to check the path isolation document too.

Hope this helps.
If helpful, rate.



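What Marwan's VRF-per-office design looks like on the switch, as an added example that is not from his post or from the linked Cisco documents: VRF-lite on a Catalyst 3560/3750 (this needs the IP Services feature set), one VRF per office holding that office's VLAN and a private transit VLAN toward the shared Internet edge, and an ingress policer on the uplink that caps what each office can pull from the Internet. The VRF names, VLAN numbers, addresses, the 10.255.x.1 next hops (assumed to be ASA sub-interfaces on the transit VLANs) and the rates are assumptions for the example.

```cisco
! ---- Catalyst 3560/3750 with IP Services: VRF-lite per office ----
ip vrf OFFICE-A
 rd 65000:10
ip vrf OFFICE-B
 rd 65000:20
!
vlan 10
 name office-A
vlan 20
 name office-B
vlan 110
 name transit-A
vlan 120
 name transit-B
vlan 999
 name unused-native
!
! office access ports (assumed Gi0/1-4 for office A)
interface range GigabitEthernet0/1 - 4
 switchport mode access
 switchport access vlan 10
!
! the switch is the default gateway inside each VRF
interface Vlan10
 ip vrf forwarding OFFICE-A
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip vrf forwarding OFFICE-B
 ip address 10.10.20.1 255.255.255.0
!
! one point-to-point transit per VRF to the firewall. The default route exists
! only inside its VRF, so OFFICE-A's table holds no route at all to 10.10.20.0/24:
! the isolation comes from the routing table, not from an ACL that can be edited.
interface Vlan110
 ip vrf forwarding OFFICE-A
 ip address 10.255.10.2 255.255.255.252
interface Vlan120
 ip vrf forwarding OFFICE-B
 ip address 10.255.20.2 255.255.255.252
ip route vrf OFFICE-A 0.0.0.0 0.0.0.0 10.255.10.1
ip route vrf OFFICE-B 0.0.0.0 0.0.0.0 10.255.20.1
!
! trunk to the firewall carries only the transit VLANs
interface GigabitEthernet0/48
 description trunk to ASA, transit VLANs only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,120
 switchport nonegotiate
!
! per-office cap on traffic coming back from the Internet: classify by
! destination subnet on ingress of the uplink (policing needs "mls qos").
! Upstream is capped the same way on each access port with a source-subnet ACL.
mls qos
ip access-list extended TO-OFFICE-A
 permit ip any 10.10.10.0 0.0.0.255
ip access-list extended TO-OFFICE-B
 permit ip any 10.10.20.0 0.0.0.255
class-map match-all OFFICE-A-DOWN
 match access-group name TO-OFFICE-A
class-map match-all OFFICE-B-DOWN
 match access-group name TO-OFFICE-B
policy-map UPLINK-IN
 class OFFICE-A-DOWN
  police 10000000 8000 exceed-action drop
 class OFFICE-B-DOWN
  police 20000000 8000 exceed-action drop
interface GigabitEthernet0/48
 service-policy input UPLINK-IN
```

The firewall still sees one interface per office (sub-interfaces on VLAN 110 and 120) and still needs NAT and a default route, so the VRFs do not remove the per-tenant firewall configuration; what they add is that a mistake in a firewall rule cannot create a path between two offices, because the switch has no such route. `show ip route vrf OFFICE-A` showing only 10.10.10.0/24, the transit link and the default is the check.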

stephen.stack
Level 4

Hi

I'm not sure I agree with deploying VRFs for this requirement. An overall design agenda needs to be to keep it simple. And while adding a network feature like VRFs seems like an elegant solution to someone experienced with them, having designed a number of these environments, VRFs are not really suitable.

Regards


========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Why is network virtualization using VRFs not suitable?
Using multiple virtual networks over one common physical network is a cost-effective solution, simple, and it eliminates the complexity of managing a lot of rules and ACLs when using a firewall as the isolation point instead of VRFs.
And this is where modern network design is going. Again, the idea of VRFs here is to simplify it and remove the complexity of this type of network, also called a multi-tenant network/solution.

Hope this helps.


Hi,

I never said VRFs were not suitable, but I happen to think it is not the easiest/most appropriate solution for this particular set of requirements.

To your comment, 'Using multiple virtual networks over one common physical network is a cost effective solution': I agree completely. But isn't that what VLANs were designed for? I do not see the need to add a complexity layer such as VRFs in this design requirement. Where's the value, above and beyond that already proposed?

Regards

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!


Hello,

Thanks for all these answers.

To be sure to avoid any mistake, I would like to summarize the best (and simplest) solution for this design (therefore, without VRF if it is not required).

1) Firewall ASA 5505 (are the ref. numbers correct?):

- ASA 5505 – 50 users : ASA5505-50-BUN-K9

- Security Plus licence : L-ASA5505-SEC-PL

2) Would a 300 Series switch be suitable for this use? It is cheaper than the 3560.

I think about : SRW248G4P-K9-EU

Would you please confirm ?

3) Aironet 2600 (are the ref. numbers correct?):

- AIR-CAP2602-E-K9

Thanks in advance for your comments.

1) What do you need the 5505 Sec Plus license for?

2) Not familiar with 300 series switches, but a quick search shows they will not act as DHCP server - if you had the switch in mind for that role. But they can run MST and some QoS features, so not too bad. If you intend to rely upon the online forums for configuration help, then I suspect a second-user 3560-X will be easier to get help on.

3) The AP you specified needs a controller, but you've not specified one. I think you need to be careful that your tenants appreciate the security risks associated with wireless. Wireless is often more open than other avenues of attack. Just think - someone can sit in your car park with a high-gain antenna as if sat in your office. The hacker can then perform various attacks including sniffing the wireless traffic and tempting your clients to associate with them instead of the genuine APs. And what about security between tenants - it's even easier for them to sniff one another's traffic and launch attacks. Again, might be one for the wireless section of the forum.

The 'IP Services' IOS feature set is over 60% more on top of the 'IP Base' IOS for a 3560-X series switch, so its cost effectiveness will vary depending if it can replace a more expensive option or not.

VRFs would be particularly useful here if two customers insist on using the same LAN IPs.

1) The Sec Plus licence is needed to have more than 5 VLAN (up to 15 needed).

2) DHCP is supposed to be provided by the ASA 5505. Can it (or not) act as DHCP server for each VLAN?

3) The basic idea was to have an SSID for each VLAN, with WPA2 encryption.

4) Which type of controller is required with this Aironet ?

1) Just checking, and I'd forgotten that one.

2) Yes, ASA can run DHCP. Just setup multiple scopes. However, there are limitations which might not make it suitable:

"You can configure a DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to draw from. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces."

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_dhcp.html

3) SSID offers no protection, just the logical separation of traffic which you can then feed into a dedicated VLAN. Provided that you can sniff sufficient traffic over a long enough period, then WPA2 pre-shared key can now be cracked. Obviously another tenant is ideally located to sniff wireless traffic and could potentially gather wireless traffic over a very long time period.

Alternatively, you can move from a personal mode (pre-shared key) to an enterprise mode. Enterprise mode uses 802.1X and EAP authentication, ideally PEAP or EAP-TLS. These rely on an authentication server and certificates though, so you are more likely to need help from a Cisco wireless partner. There are other types of attacks to consider as well though.

Another option is tenants connect their own wireless AP and manage it by themselves, although there is the possibility of interference between APs using the same channels, but that's down to the tenants to resolve -  perhaps with some guidance from yourselves.

If it's Guests that you really need to satisfy, then what about 'Guest' wireless on a dedicated DMZ and make the risks clear to the visitors?

4) Looks like the 2602 is supported by the 2500 series controllers, amongst others:

http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12534/data_sheet_c78-709514.html

2500 series controllers:

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html

Alternatively,

if you really want to save yourself a lot of wireless worries and management overhead, such as regular tweaks to firewall rules, then simply sell a very basic Internet feed where the tenant must connect their own firewall etc. Less ports required on your side and you simply police the traffic to the allocated bandwidth per tenant.

You'll probably need more public IPs to hand-off a public address or block to each tenant. And you'll need to harden the switch against the Internet (maybe not suited to 300 series switches) or even better utilise a single router with additional routed interfaces.

It doesn't stop you installing wall sockets, but does mean each tenant requires a small comms cabinet to terminate the structured cabling. The tenants get more flexibility to do their own thing whilst you have to spend less time looking after them.
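The SSID-per-VLAN arrangement discussed in points 3 and 4 above, as an added example on an autonomous Aironet (not configuration from the post or from the linked data sheets): office A gets a WPA2 pre-shared-key SSID bridged into VLAN 10, office B gets a WPA2 enterprise SSID (802.1X/EAP against a RADIUS server) bridged into VLAN 20, and the AP's own management stays on a separate native VLAN. The VLAN numbers, the RADIUS server 10.0.0.20 and its shared secret, the passphrase and the switch port are assumptions for the example.

```cisco
! ---- switch port the AP hangs off: trunk, management VLAN 90 native ----
interface GigabitEthernet0/10
 description autonomous AP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 90
 switchport trunk allowed vlan 10,20,90
 switchport nonegotiate

! ---- autonomous Aironet (IOS): one SSID per office, each bridged to its VLAN ----
! RADIUS for the enterprise SSID (assumed server on the management network)
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.20 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.20 auth-port 1812 acct-port 1813 key <shared-secret>
!
! office A: WPA2-PSK. A tenant who captures another office's 4-way handshake
! can brute-force a weak passphrase offline, so make it long and random, and
! change it when that office's staff change.
dot11 ssid officeA
 vlan 10
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 0 <long-random-passphrase-for-office-A>
!
! office B: WPA2 enterprise, per-user credentials validated by RADIUS
dot11 ssid officeB
 vlan 20
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 ssid officeA
 ssid officeB
 mbssid
 station-role root
!
! radio and Ethernet sub-interfaces joined by bridge-group per VLAN
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 bridge-group 10 spanning-disabled
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
! management stays on the native VLAN, bridge-group 1 / BVI1
interface GigabitEthernet0.90
 encapsulation dot1Q 90 native
 bridge-group 1
interface BVI1
 ip address 10.0.0.30 255.255.255.0
```

The SSID itself separates nothing; what keeps office B's traffic out of office A is that each SSID's frames land in a different VLAN and the firewall keeps the VLANs apart. A second AP repeats the same configuration with different channels; a controller is what removes that repetition, it is not what provides the isolation.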

As I mentioned above, using only an ASA to perform the separation will be hard to manage and not a very scalable solution, but I am not saying it won't work.
Anyway, now you have multiple options and it is your call to pick any one of them that you feel comfortable with.

And please make sure you rate the helpful posts in this discussion.



Ref managing firewall rules - apologies, I didn't pick up on your comments first reading.

Ref VRFs, my thinking is that the tenants still need firewall protection from the Internet, because the OP ideally wants to hand off LAN switchports to each tenant. If so, he's back to managing firewall rules for each tenant.

Thanks for all your comments, they really help with my design.

However... I still do not have a clear view of the components I need.

I provide a summary below; please help me to validate it (or not) and answer the remaining questions.

1) Firewall ASA 5505 (are the ref. numbers correct?) with ability to manage 15 VLANs:

- ASA 5505 – 50 users : ASA5505-50-BUN-K9

- Security Plus licence : L-ASA5505-SEC-PL

2) Would a 300 Series switch be suitable for this use (VLAN + DHCP relay)? It is cheaper than the 3560.

I think about : SRW248G4P-K9-EU

Would you please confirm ?

3) Aironet 2600 (are the ref. numbers correct?); WPA2 would provide sufficient security at this time:

- AIR-CAP2602-E-K9

4) What is the need for the controller?

- Does it provide easier VLAN management?

- Does it have a specific GUI that the Aironet does not have?

- Is it needed if there is only 1 Aironet? And 2?

5) As the ASA does not provide sufficient DHCP capabilities, I will use a DHCP server.

But my question is: can a W2K8 server provide DHCP over 15 VLANs, using the configuration described above?
