Multitenant router

keithatwood · ‎01-09-2012

I have a client requiring a router to act as the gateway for their multitenant office building.

There will be approx 60-80 users that will share a 10mb fiber connection. Some tenant will require a static external ip while other will only require basic Internet with no port forwarding or 1to1 nat.

Any suggestions to what would be a solid router that would not limit them for features down the road.

Future considerations would be Internet speeds up to 50mb and voip out to the Internet.

Thanks for any input.

Marwan ALshawi · ‎01-10-2012

This can be done using VRF lite and also use vrf aware nating

And leave the external interface in the global routing table to be shared among the vrfs

Sent from Cisco Technical Support iPhone App

sleepyshark · ‎01-10-2012

Depending on the size of the building and amount of tenants, pretty much any L3 switch/router will easily handle this. You can easily start in a 3600-series and keep that for a while. There are some engineering/support-specific considerations that you need to consider.

DON'T NAT... TRUST ME....

While it conserves IP addresses, creating a LAN environment with a common gateway gets into issues with inter-office LAN-LAN communications on the private LAN (which can be fixed, but not "fixed" by default). Let's face it, end-users want to run a business and they typically dont have in-house IT people to secure their network; not to mention, if they DO have in-house IT people, they won't accept a NAT'ed internet connection (which severely limits their ability to host applications without a third-party to punch holes in the edge firewall). Also, the private LAN segment is prone to MANY issues with end-users accidentally plugging in an appliance to the LAN segment that serves DHCP, which [then] causes mega issues becuase you'll have multiple DHCP servers handing out IP address from different subnets/gateways.

VLANs are your friend

The PROPER way to set this up would mean your 10mb fiber connection would have two subnets (/30 for WAN communications) and a large subnet (probably /25) directly routed to your equipment, and YOU control the public IP assignments to your customers by subnetting the /25 into smaller /29 or /30 subnets. This (while a hog of IP space) is the correct ISP-like way to handle communications.

Subscriber Management

Say a customer doesn't pay and you need to shut them off, how are you going to control this? With NAT, you have no control of subscriber management besides physically unplugging the cable to their office, with VLANs you have a CLI you can simply issue a shutdown command to their VLAN, kicking them off - no physical access needed. Additionally, if you're really hell bend on having a NAT solution, purchase a subscriber gateway (ZyXel VSG-1200 is a very cost effective solution and has EXCELLENT subscriber/subscription management and an easy-to-use admin interface where you can kick users)

Flexibility

With the NAT solution, bandwidth management is basic AT BEST. With a subscriber gateway, you DO have segmented up/download speeds, with VLANs you have the greatest control and are able to easily rate-limit the up/download speeds - This is important so you can maximize your revenue by offering tiered speeds for different customer needs.

My background

I engineered a very large MTU project that involved 15 buildings (approximately 300-350 subscribing companies) all connected back to our COLO and NOC where we managed all the routing/VLAN/subscriber management..... The key to making it work is hands-off management, flexibility and scalability...

What I used:

3x1gb Metro-E BGP'd on Cisco 3800s (This was our EDGE)

2 Catalyst 6509E with HSRP (This was our CORE)

Each building had a trunk back to our colo (either Fiber, Microwave or P2P WiFi)

Each building had a distribution switch Cisco 3600 (distributed building link to each floor)

Each floor had a distribution switch Cisco 3600 (had trunk to building distribution switch) and each port was assigned to a customer with a unique VLAN.

If you're open, I can help consult on this project and really make a rock-solid business unit for you.. msg me if interested..

Thanks,

Sean Brown

http://www.sleepyshark.com

keithatwood · ‎01-10-2012

Thanks Sean. Great Info.

As of now the site(building) has been wired and all the switches are in place. The switches have been configured for MST to logically direct vlan traffic between switches within common wiring closets and between floors. Tenants are given 5 vlans (most will only use 1, some may use a 2nd for voice) and the appropriate subnet. I do like the idea of purchasing a /27 and chopping it up for them, but cost is a factor here and If the price is too high then it will not be an option. Thus nating may be my only option at that point. I.e using NAT and policy based routing for tenants that stirctly need internet access and 1-to-1 nat for those that need port forwarding. I know the double NAT may be an issue with VOIP equipment and am not sure if certain routers have an ability to overcome those types of issues.

I'm looking at either a 1841, 2811 or 3745. As for intervlan routing (if needed at a later point) I would probably put in layer3 switch (or just use router on a stick with one of the above routers in the interm.

Any opinions on the above router choices?

sleepyshark · ‎01-10-2012

I am not sure why you would be giving any one client more than one VLAN? Essentially, you need to hand-off straight IP to the customer... If you want to do voice on-top of it, simply QoS that traffic, there is no reason to assign more than one LAN to any one customer.

I am not sure how much your ISP is charging your for IP space... three words... PASS THRU COST :-)

As for the equipment, none of that is needed.... I'm assuming your 10mb fiber is being handed off with Ethernet? If so, a 3600 24/48 port Layer 3 switch will do just fine... you can pick them up for around $100 used... If you want TRUE ISP functionality, you can pickup a 4500 with a few 48 port cards and a pair of redundant SUP2GE's for <$1500...

Marwan ALshawi · ‎01-10-2012

if you need a complete isolation VRF lite as suggest above is the way you go

even with VRF lite you can do import and export of certain routes between different VRFs selectively which will give you more control which VRF can communicate with which VRF if required

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

Network Virtualization--Path Isolation Design Guide

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html

Hope this help

pls rate the helpful posts

keithatwood · ‎01-14-2012

So, the decision was made to go with a 2821.

My next question seems very trivial, but is something new to me.

The ISP normally gives out /29 subnets, but we are asking for something larger like a /27.

I've only dealt with NAT'd networks to this point and am wondering how to subnet/assign the /27 network to the internal tenants. We would like the tenants to use their own personal routers

For example...

ISP (66.67.68.1/27) ------ (66.67.68.2/27) CISCO2821 (66.67.68.5/30)---- (66.67.68.6/30) Tenant 1 (10.1.2.0/24)

(66.67.68.9/30)---- (66.67.68.10/30) Tenant2 (192.168.1.0/24)

The above does not seem logical to me?

Coule someone shed some light on the proper assignment of IP's & appropriate subnets?

Thanks!