Network design for a shared Business Center

Athena1390
Level 1

Hello,

I have been asked to design the network of a new shared Business Center, but I need some help.

The scope is the following:

- a building, with 1 Internet access

- 15 private offices

- each office can have up to 4 LAN connections

- each office can have its own VLAN (with Internet access) => max of 15 VLANs

- some offices can be merged together (1 VLAN for many offices)

- VLANs have access to the Internet only, but must be strictly isolated from the others

- DHCP must be available for each VLAN

- WiFi must be available everywhere, but each user can connect only to their own VLAN (ID and PW provided)

- management of the VLAN and connectivity must be as simple as possible (GUI)

What do I need to implement this configuration?

Thanks in advance for your help.

28 Replies

1) Yes those part numbers are fine. With a little extra investment, you could get the ASA5505-SEC-BUN-K9 bundle. This includes the 'Security Plus' license. It's slightly more expensive, because it includes 'unlimited' users instead of 50 users.

2)  I have no experience with this product line, so would rather not comment further.

3) It's best you read the data sheet yourself to ensure it's fit for purpose as you understand all your requirements. You can check your country is supported by the 'E' region here:

http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a_ps12534_Products_Data_Sheet.html

As mentioned previously, it requires a controller (i.e. it's the 'lightweight' version). If you want a controller-less option (i.e. 'autonomous' version), then the part code for the same region is AIR-SAP2602I-E-K9.

4) A controller will provide various benefits including centralised management. You do not have to purchase one provided you use autonomous APs instead of lightweight APs. Without it you must configure and manage each autonomous AP individually.

Importantly, a controller provides security benefits such as detection of rogue APs. It will also prevent your clients associating with one. It can also plot any rogue APs on a floor plan.

Have a read through the relevant data sheets for management information.

Thanks for your answer, I see now clearly what I need for ASA and WiFi.

To finalize, I just need now :

1) Confirmation for the use of 300-series.

2) Confirmation about the use of W2K8 server as DHCP for 15 VLANs (how can the server know which VLAN is asking for an IP?).

For the 300 series Small Business switches, it looks like they will do just fine. Quite a feature-rich switch, with .1Q support for trunking and VLAN tagging etc.

You can use a Windows server as a DHCP server per the ip helper-address command. Plenty in Cisco's documentation on this. Or for an ASA it's the DHCP relay command:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/dhcp.html#wp1170898

Regards

Stephen

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

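A worked configuration for the VLAN, isolation and DHCP-relay points in Stephen's reply, added here as an illustration; it is not configuration from the thread or from Cisco's documentation. It assumes an ASA 5505 with the Security Plus license (the Base license caps the unit at three VLANs and allows no 802.1Q trunk, so a fifteen-tenant layout needs the upgrade), a trunk to the SG300 uplink on Ethernet0/1, and a Windows Server DHCP service at 10.0.0.10 on a management VLAN; every interface name, VLAN ID and address below is an assumption, and only two of the fifteen tenant VLANs are shown. It also answers the "how does the server know which VLAN is asking" question: the relay agent fills the giaddr field with the address of the interface the request arrived on, and the server selects the scope whose subnet contains that address.

```cisco
! Added example, not from the thread or Cisco documentation.
! Assumed: ASA 5505 with Security Plus (Base allows 3 VLANs and no 802.1Q
! trunk); Ethernet0/1 trunked to the SG300 uplink; Windows DHCP server at
! 10.0.0.10 on management VLAN 100. Two of the fifteen tenant VLANs shown.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,11,100
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface Vlan100
 nameif mgmt
 security-level 90
 ip address 10.0.0.1 255.255.255.0
!
! One VLAN per tenant, all at security-level 50. With
! "same-security-traffic permit inter-interface" left unset (the default)
! the ASA drops tenant-to-tenant packets: that is the required isolation,
! with no per-tenant ACL to get wrong. Merging two offices is then just a
! matter of putting both offices' switch ports in the same VLAN on the SG300.
interface Vlan10
 nameif tenant10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan11
 nameif tenant11
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!
! DHCP relay. The ASA forwards DISCOVER/REQUEST to the server with giaddr
! set to the ingress interface address (10.10.10.1 or 10.10.11.1); the
! server answers from the scope whose subnet contains giaddr. One server
! with no presence in any tenant VLAN serves fifteen scopes.
dhcprelay server 10.0.0.10 mgmt
dhcprelay enable tenant10
dhcprelay enable tenant11
dhcprelay setroute tenant10
dhcprelay setroute tenant11
dhcprelay timeout 60
!
! Internet only: PAT every tenant to the outside address. Nothing permits
! tenant->mgmt (50 -> 90) or tenant->tenant, so only outbound flows exist.
object network TENANT-NETS
 subnet 10.10.0.0 255.255.0.0
 nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
```

Check the relay with `show dhcprelay statistics`, and prove the isolation from the CLI before tenants move in: `packet-tracer input tenant10 icmp 10.10.10.50 8 0 10.10.11.50` should end in a drop, while the same command with an Internet address as the destination should end in an allow after the NAT phase.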

Thanks a lot, I have now all the information I need about the HW!!

You might want to check the 300 series switch can police tenant traffic. Otherwise, one tenant might regularly consume most of the bandwidth, resulting in a poor service for the remaining tenants.

If so, check if the policing will be granular enough to meet your requirements. If your entire ISP link is only 10 Mbps, then a switch offering steps of 10 Mbps is no good. Also, bear in mind that you might wish to place your inbound or outbound policing on a Switch Virtual Interface instead of a physical interface. If so, then check that's possible too, or whether it requires a feature set upgrade.
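One place the per-tenant cap can live regardless of what the switch supports, added here as an example and not taken from the thread or from Cisco: because the tenants are Internet-only, every tenant packet crosses the ASA, so the policer can sit on each tenant interface of the firewall, where the rate is set in bits per second and is therefore granular enough for a 10 Mbps circuit. It assumes ASA interfaces named tenant10 and tenant11 (one per tenant VLAN) and a 2 Mbit/s ceiling per direction; the names and numbers are assumptions.

```cisco
! Added example, not from the thread or Cisco documentation. Assumed: one
! ASA interface per tenant VLAN named tenant10, tenant11, ...; a 2 Mbit/s
! per-tenant cap each way on a 10 Mbit/s circuit. Rates are bits per
! second, bursts are bytes.
class-map TENANT-ALL
 match any
!
! Seen from a tenant interface, "input" is traffic arriving from the office
! (uploads) and "output" is traffic leaving towards it (downloads).
! Burst sized to about 100 ms at the conform rate: 2,000,000 / 8 * 0.1.
policy-map TENANT-CAP
 class TENANT-ALL
  police input 2000000 25000 conform-action transmit exceed-action drop
  police output 2000000 25000 conform-action transmit exceed-action drop
!
! One service-policy per interface; the same policy-map is reused on every
! tenant interface so each office is metered against its own bucket rather
! than one shared one.
service-policy TENANT-CAP interface tenant10
service-policy TENANT-CAP interface tenant11
```

Verify with `show service-policy police`, which lists conformed and exceeded packets per interface: run a speed test from one office, watch its exceed counter climb, and confirm the other office's counters stay flat. If the building's own WiFi management or VoIP later needs protecting, it belongs in a separate class ahead of TENANT-ALL rather than in the tenant bucket.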

As I mentioned above, this solution will work, but in the future if you want to add a new office/network or perform any change it will not be an easy job, as it is not a very scalable solution.
However, if you find implementing VRFs is not an easy job, then just go with the firewall approach.

HTH

Sent from Cisco Technical Support iPhone App

I will check the bandwidth requirements for each type of VLAN and by type of traffic.

VRF seems difficult to implement (for me), and there is no extension of the offices planned in the mid-term.

But I have now another question.

Is it possible to implement load-balancing over 2 ISPs, using 2 ASAs?

Remarks:

- the routers are provided by the ISP (we therefore don't have any management access on them)

- VPN is not needed

- which model (and options) of ASA are required ?

Thanks for your help.

Yes, you can load balance across two ISPs. The method I've used requires Provider Independent IPs and you might struggle to obtain these now, due to the IPv4 shortage.

Despite not using a VPN, I would perform load balancing ahead of the ASAs and setup the firewalls in active/standby operation.

I always stick to HSRP and static routing on the ASAs. This will require a pair of your own routers or layer-3 switches between ASAs and ISP routers. If opting for routers, then I would add a switchport EHWIC to each router in order to maintain the broadcast domain for HSRP operation, rather than bridge across two LAN interfaces.

You can perform outbound load balancing using per-destination IP CEF with static default routing tied to IP SLA echo. I would expect this to suit a multi-tenant environment with straightforward Internet access. I don't think you have any other option for inbound load balancing other than natural BGP operation which is not very granular, but always worth checking with the ISP. You could also look at PfR, but I've not tried it myself.

Here in the UK, the cost of Internet bandwidth has dropped to a point where it's sometimes cheaper, and less complex, to just pay for additional bandwidth and leave the second circuit as a standby only (or perhaps just for ISP B's customers) - i.e. don't rely on the combined bandwidth of the two circuits. This also means tenants won't experience a reduced service during a link failure.

ASA 5505 series firewalls can perform active/standby operation, but will not fail over state information referencing any existing connections. You need a 5510 for stateful failover. If you want this feature, then you're better off going for the latest generation ASA, called the 5500-X series appliance.

I know you like your part numbers, so you'd be looking at 'ASA5515-K9'. The slightly cheaper ASA 5512-X needs the 'Security Plus' license for HA functionality, so works out the same list price as 5515-X which doesn't require any license upgrade. The ASA 5510 'Security Plus' bundle is slightly cheaper than the 5515-X, but it's not worth the saving in my opinion. The 5512-X is a lot more powerful than the 5510 and incorporates six 10/100/1000 interfaces. Plus, I wouldn't be surprised if Cisco end-of-life the 5500 series next year.

Marwan ALshawi
VIP Alumni

If you are trying to load balance using static routes and per-destination load balancing as suggested above, the ASA firewall can do it only if both next-hop IPs are reachable via the same firewall interface and within a shared subnet.
HSRP on the router side with an IP SLA object reacting is a good option for an active/standby solution.

Sent from Cisco Technical Support iPhone App

I'm going to refine my question:

- the ISPs will provide a local (10.x.x.x) address for the first ISP and an official one (unknown at this time) for the second ISP at the end of their router.

- I want to load-balance all the outgoing traffic (if possible), whatever the destination is

- I also need to know how the incoming access (for remote management) will be done (which official IP should I use - or both?)

- How will the virtual IP be defined (internal and external)?

- What is the overall schema? WAN -> ISP router -> ASA -> Switch? With cross-links between ASAs and switches?

Sorry for all these questions, but I'm a noob in this domain...

Why is your ISP handing off a private IP to you? Have you purchased a managed service where they firewall the traffic for you or is it just NAT?

Will your two WAN circuits be similar bandwidth?

Yes, VDSL lines with fixed IP are provided with managed service (Belgacom)...  However, it is possible to ask them to disable the firewall.

No, the 2 lines will probably have different bandwidth (we haven't chosen the second ISP yet).

Too many unknowns at the moment.

If I were you, I'd first check if Provider Independent IPv4 addressing can be obtained from RIPE along with a public ASN: -

  • If 'yes', then look to moving the primary circuit to an unmanaged service utilising your own BGP router - i.e. get away from their router/firewall/NAT/RFC 1918 addressing scheme. Same for the new secondary circuit. If the two circuits are similar bandwidth, then investigate load balancing, but otherwise just use active/standby operation.
  • If 'no', then speak to Belgacom and ask what circuit redundancy they can offer within your existing service.

see the answers below:

- I want to load-balance all the outgoing traffic (if possible), whatever the destination is

If you are using one edge router, then using a routing protocol such as BGP can help in achieving relative load balancing per flow. But if you have two routers configured as the Internet edge devices and the firewalls are behind them in the LAN working in failover mode, then you may need to consider using HSRP on the routers with two groups, each router set as the active for one of those groups (the groups/VIPs need to be in the same subnet to let the firewall load-share the flows of traffic per destination to one of the VIPs, using two static routes of the same cost, each to one of the HSRP VIPs).

- I also need to know how the ingoing access (for remote management) will be done (which official IP should I use - or both ?)

Each ISP will give you different public IP ranges; however, you may discuss with them advertising your own range over both, and by using some BGP attributes you can control which path is preferred for inbound traffic.

- How will the vrtual IP be defined (internal and external) ?

External: no need, you use routing with each ISP. Internal: you can define an HSRP group or groups as desired between the routers and firewalls using a shared L2 VLAN/switch.

- What is the overall schema ?    WAN -> ISP router -> ASA -> Switch ?  With cross-links betwwen ASA and switches ?

You may go with Internet---Router---ASA---LAN.

Hope this helps.
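The two-router layout from the "HSRP and static routing ahead of the ASAs, per-destination CEF tied to IP SLA" reply and from Marwan's two-HSRP-group refinement, written out as an added example; it is not configuration from the thread or from Cisco. It assumes R1 faces ISP A (the managed router that hands off RFC 1918 space, as described above) and R2 faces ISP B (a public /30), that R1, R2 and the ASA pair share one transit VLAN, and that each ISP has agreed to a host beyond its router being pinged; all interface names, addresses (documentation ranges), HSRP group numbers and timers are assumptions. The one design point the example adds beyond the replies is NAT at each exit router: ISP A's router only knows the /30 it hands you, so the transit addresses have to be hidden at R1 and R2, and doing so also makes return traffic come back through whichever router sent the flow out.

```cisco
! Added example, not from the thread or Cisco documentation. Assumed:
! R1 faces ISP A (managed router, RFC 1918 hand-off 10.200.0.0/30 as the
! thread describes); R2 faces ISP B (public 203.0.113.0/30); R1, R2 and the
! ASA pair share transit VLAN 192.168.255.0/24; 198.51.100.1 and .2 are
! hosts each ISP has agreed may be pinged. Documentation ranges throughout.
!
! ===== R1 (active for HSRP group 1, standby for group 2) =====
ip cef
!
interface GigabitEthernet0/0
 description ISP A managed router
 ip address 10.200.0.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit VLAN shared with R2 and the ASAs
 ip address 192.168.255.11 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 192.168.255.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 track 1 decrement 20
 standby 2 ip 192.168.255.2
 standby 2 priority 100
 standby 2 preempt
!
! Probe a host BEYOND ISP A, pinned there with a host route, so a dead
! upstream is noticed even while the ISP router's LAN port stays up.
ip route 198.51.100.1 255.255.255.255 10.200.0.1
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Default via ISP A while the probe succeeds. When it fails the tracked
! route is withdrawn, group 1 drops to priority 90 so R2 takes that VIP,
! and anything still arriving at R1 follows the floating route to R2.
ip route 0.0.0.0 0.0.0.0 10.200.0.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.255.12 10
!
! PAT at the exit router: ISP A's router only routes its own /30, and a
! reply must come back through the router that sent the flow out.
ip access-list standard TRANSIT
 permit 192.168.255.0 0.0.0.255
ip nat inside source list TRANSIT interface GigabitEthernet0/0 overload
!
! ===== R2 (active for group 2, standby for group 1): the mirror image =====
ip cef
interface GigabitEthernet0/0
 description ISP B router
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.255.12 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 192.168.255.1
 standby 1 priority 100
 standby 1 preempt
 standby 2 ip 192.168.255.2
 standby 2 priority 110
 standby 2 preempt delay minimum 60
 standby 2 track 2 decrement 20
ip route 198.51.100.2 255.255.255.255 203.0.113.1
ip sla 2
 icmp-echo 198.51.100.2 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
 delay down 15 up 30
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 2
ip route 0.0.0.0 0.0.0.0 192.168.255.11 10
ip access-list standard TRANSIT
 permit 192.168.255.0 0.0.0.255
ip nat inside source list TRANSIT interface GigabitEthernet0/0 overload
!
! ===== ASA (active unit; failover replicates this to the standby) =====
! Two default routes of equal metric on the SAME interface and subnet, the
! condition Marwan states: the ASA hashes each flow by source and
! destination address onto one VIP, so a given tenant-to-server flow always
! leaves by the same router, hence the same ISP and the same NAT address.
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
route outside 0.0.0.0 0.0.0.0 192.168.255.2 1
```

Verify with `show standby brief` (R1 active for group 1, R2 for group 2), `show track`, and `show route` on the ASA listing both defaults; then unplug ISP A and watch group 1 move to R2 within the track delay. Two things to plan for: if both probes fail at once the two floating routes point at each other and packets loop until their TTL expires, which is tolerable in a total outage but worth knowing about; and inbound remote management has to target one router's public address through a static NAT entry restricted by an access list, which on the ISP A side means asking Belgacom, since that circuit hands off RFC 1918 space.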
