
Kindly I need advice regarding this design


This is my first post and I am a person with very limited knowledge of networking. My boss asked me to design a simple network, in spite of my lack of knowledge, for his new building. This is my so-called design.

The following are the circumstances I find myself in, my ideas and my questions:

1) It's a new building of 15 offices. The offices are small, so let's say there will be a max of 3 devices/PCs in each, plus 3 mobile phones (one for each PC user).

2) The offices are for different tenants, which means they have nothing to do with each other, and I have nothing to do with the way they design the network inside their offices. I assumed they'll be so stingy that they'll use hubs (I have to be prepared for all types of people).

3) It's my job to provide each office with a single, stable and decent wired Internet connection.

Based on no. I would say that we need a core switch and a good Internet connection. Because of the design of the building my hands might be tied when it comes to the router, so I am afraid it'll be a simple small-sized one like the ones you get free from the ISP when you set up a connection at your home.

I have a budget of a few thousand pounds for the switch.

Based on no. 2 I'll set up each office in its own VLAN.

my questions are:

is this design acceptable?

Which Cisco switch do you recommend for this scenario?

Would setting up VLANs exhaust the switch and the router? I mean the switch will be using a single connection to the router after all, and it'll do lots of multiplexing.

Can the router still be a DHCP server for all VLANs?

Do I need a good router, or will the switch handle all the heavy loads?

Can I control the bandwidth each office will be getting using the switch?

Thanks for your answers


Hi Mark

Using hubs would be a mistake as they run half duplex; you can pick up unmanaged switches which do full duplex fairly cheaply these days if cost is an issue.

The design will work in principle but you have no redundancy (although I suspect you know this) so if the Router or Switch fails then you lose everything.

You have two options here really.

1. You can get a switch which has basic Layer 3 routing features, which will allow you to create several VLANs and route between them. You would then set up a link to the router and have a default route on the switch for all Internet traffic.

2. You can get a router which can support subinterfaces and then use this in a 'router on a stick' type design, which means you only need a switch which does Layer 2 and will be cheaper.

To be honest, I would likely be going with option 1 above and get something like a 24-port 3850 switch with the IP Base image, as this is PoE on all ports, does basic Layer 3 routing and also has the ability to be a Wireless LAN controller if needed in future. You should always look to future-proof.

Even home ISP type routers these days can be fairly advanced, although you could consider something like a Draytek router which can be had for less than £200 and will be a step up from a home type router you get from the ISP, especially if you want to start doing anything more advanced in future like VPN termination or NAT etc.

I 'think' all modern Cisco switches can be DHCP servers; I doubt any basic ISP router could do multiple-subnet DHCP as it would need to be VLAN ID aware.


Thank you very much for your answer. I never knew that the router has to support VLANs, nor that the switch can act as a DHCP server.

I am not going to use hubs, nor do I expect the tenants to do so, but I have to consider every possibility. Either way, it's none of my business what they use in their offices; my job is to deliver a stable Internet connection to the office.

Thanks for pointing out the fact that I have no back up plan, we'll be working on that

I failed to understand the difference between options 1 and 2, as I don't need the VLANs to talk to each other. Also, it would be great if you could explain to me whether it is ever possible to control the bandwidth for each office.


Since you want to keep all these offices separate, you need to look at private VLANs, and port-based DHCP assignment.

Since you also want to limit the bandwidth for each office, you need to consider some investment in a decent sized router. The exact model will largely depend on the bandwidth of the ISP connection. I would suspect that you're also going to need to provide some packet marking and prioritization, not just simple bandwidth limitations. My guess is that the router will take on more importance than you imply in your original post.

Sent from Cisco Technical Support iPad App

Thanks for your most-welcomed reply

I did some digging and you are right, it seems controlling the bandwidth using switches is not the best way to do it; we'll go for a better router. Is it possible to control the bandwidth using the router in my design? I mean it is called router on a stick, isn't that what it is called? How can the router control the bandwidth when the switch is in between?

Since we are going for a better router, would it be possible for the router to be the DHCP server for all VLANs? Just because configuring the switch to do so looks complicated. Keep in mind that I still need the VLANs not to be able to communicate.

If I'm not mistaken, only switches that can run at layer 3 will be able to run a DHCP server service. Therefore, whether or not you configure the switch or the router as the DHCP server is largely a matter of which switch you purchase. As for configuration, it's really no different between the two device types.

ROAST refers to a single router physical interface configured with multiple sub-interfaces to communicate with a switch port configured as a trunk. ROAST only requires ONE physical cable to communicate across all the VLANs/subnets configured on the sub-interfaces. Using private vlans on the switch will ensure no layer 2 connectivity between the ports. Using ACLs on the router will ensure no layer 3 communication between the subnets.

Sent from Cisco Technical Support iPad App

Very informative, thanks again

Last question: is it possible to limit the bandwidth for each office with a ROAST design? using the router

Can you recommend a layer 2 switch and a router for my design? I mean the model of both



What are you trying to limit ie. bandwidth from the switch to the router or bandwidth use on the internet ?   


Thanks Jon

The Internet bandwidth for each office


Then a router would do that for you. You could either mark the packets on the switch or on the subinterfaces on the router. Then, using those markings, you can have an outbound QoS policy on the WAN interface of the router. Note this will limit bandwidth out, but you may also want to limit inbound usage (downloads are often bigger), which can be more challenging.

If you are sure you don't need or will not need inter vlan routing a L3 switch is overkill. Get a L2 switch and a router that can handle the internet bandwidth usage. Do a search on this site for "router performance" and you will find posts with a link to a pdf for router performance.

As for the switch it just needs to support vlans/trunking which virtually all do (see note below though about other considerations). Cisco do Enterprise switches (which generally have more features) which is what this forum deals with but they also do Small Business switches which may do the job for you. They have their own forums here so you can post there if you need advice on those.

I'm assuming you are using private addressing for the customers? If you were using public addressing then private VLANs would be a good idea and you would need to make sure the switch supported those. Note, as you can see from my other post, there may be another good reason to use private VLANs; I'm just not seeing it.

It is worth factoring in what you might need in the future so that the kit you purchase doesn't become redundant although i appreciate this may not be easy. For example if you purchased a router with just enough capacity for the current internet bandwidth and then you had to upgrade the bandwidth you would need a new router to take advantage of this. Same considerations for the switch in that you need to work out all the requirements you have and that those are supported before you make the purchase.

Finally security. ACLs on the router subinterfaces will keep the vlan traffic separate although you may want to use a firewall on the router which is supported on most routers but you need to make sure you order the right feature set when you buy the router. If it is separate customers a firewall may be a good idea but it will complicate your configuration considerably and it could increase the cost. Also there is an overhead to running the firewall so again you need a bit of breathing space in terms of the router you buy. In terms of the switch the Enterprise switches generally support more security features as well.

So it's a lot to take in. The key thing is to price up the router and then see how much you have left for the switch (it hurts even saying that, as I am primarily a switch person). The amount left will probably determine what model of switch you get.
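The router-on-a-stick design that the ROAST reply and the answer above describe (subinterfaces on one trunk, DHCP per VLAN, ACLs on the subinterfaces for separation, and a per-tenant bandwidth limit) is pulled together below as an added example. This is not configuration from the thread or from any poster. It assumes a Cisco IOS router with a WAN port GigabitEthernet0/0, a trunk port GigabitEthernet0/1, tenant VLANs 101 and 102 (the pattern repeats for the other offices), private subnets under 10.1.0.0/16, NAT overload on the WAN port, and a contracted rate of 20 Mbit/s per office; addresses in 192.0.2.0/24 and 198.51.100.0/30 are documentation ranges standing in for the ISP's resolver and uplink. Rather than marking traffic and applying one policy on the WAN interface, it polices each tenant subinterface directly in both directions so that a single policy-map can be reused; it shares the limitation noted above that dropping inbound traffic at the router happens after it has already crossed the WAN link.

```cisco
! Added example (not from the thread): router-on-a-stick for a multi-tenant
! building. Two tenants (VLAN 101, VLAN 102) are shown; repeat the pattern per
! office. Interface names, VLAN IDs, addresses and the 20 Mbit/s rate are
! assumptions. 192.0.2.0/24 and 198.51.100.0/30 are documentation ranges.
hostname TENANT-RTR
!
! Per-tenant DHCP: the router is directly attached to every VLAN through its
! subinterfaces, so no helper address is needed.
ip dhcp excluded-address 10.1.101.1
ip dhcp excluded-address 10.1.102.1
!
ip dhcp pool TENANT101
 network 10.1.101.0 255.255.255.0
 default-router 10.1.101.1
 dns-server 192.0.2.53
!
ip dhcp pool TENANT102
 network 10.1.102.0 255.255.255.0
 default-router 10.1.102.1
 dns-server 192.0.2.53
!
! One reusable policer: each attachment to a subinterface gets its own
! token bucket, so every office is capped independently of the others.
policy-map TENANT-RATE
 class class-default
  police cir 20000000 bc 625000
   conform-action transmit
   exceed-action drop
!
! Inbound ACL per tenant: allow DHCP and the tenant's own gateway, drop
! anything aimed at another tenant subnet (all tenants live in 10.1.0.0/16),
! then allow only correctly sourced traffic out to the Internet (anti-spoof).
ip access-list extended TENANT101-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.101.0 0.0.0.255 host 10.1.101.1
 deny   ip any 10.1.0.0 0.0.255.255
 permit ip 10.1.101.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended TENANT102-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.102.0 0.0.0.255 host 10.1.102.1
 deny   ip any 10.1.0.0 0.0.255.255
 permit ip 10.1.102.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet0/0
 description ISP uplink
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the tenant switch
 no ip address
!
interface GigabitEthernet0/1.101
 description Tenant office 1
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.0
 ip access-group TENANT101-IN in
 ip nat inside
 service-policy input TENANT-RATE
 service-policy output TENANT-RATE
!
interface GigabitEthernet0/1.102
 description Tenant office 2
 encapsulation dot1Q 102
 ip address 10.1.102.1 255.255.255.0
 ip access-group TENANT102-IN in
 ip nat inside
 service-policy input TENANT-RATE
 service-policy output TENANT-RATE
!
ip access-list standard NAT-SOURCES
 permit 10.1.0.0 0.0.255.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Two things worth checking after applying something like this: `show ip access-lists` should show hits on the `deny ip any 10.1.0.0 0.0.255.255` line when one office pings another office's gateway, and `show policy-map interface GigabitEthernet0/1.101` should show exceed counters climbing when that office pushes more than the contracted rate. The explicit `permit udp ... eq bootps` line is there because the tenant's DHCP requests arrive on the filtered subinterface before any address is assigned; without it a client would never get a lease.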



Just for my clarification. If you are routing between VLANs on the router, why do you need private VLANs? i.e. each customer will have their own VLAN and the communication can be blocked on the router.

The only use I could see for private VLANs here would be if all the customers used public IP addressing; then you would use one VLAN and use private VLANs within that.

Not saying I'm right, because I could be missing something; it happens quite often.



If you truly need to keep traffic separate on a switch between vlans, then you use private vlans. Yes, ACLs on a router will keep routed IP traffic separate, but not necessarily layer 2 traffic. In a tenant arrangement like is being suggested here, layer 2 separation is also important.

As for the router, the "it all depends" answer is useless but nonetheless about the only thing that can be given here unless there is some idea of bandwidth needs. This link will give you an idea on router performance if, as Leo will attest, you cut the Mbps figures in half.

Sent from Cisco Technical Support iPad App


If you truly need to keep traffic separate on a switch between vlans, then you use private vlans. Yes, ACLs on a router will keep routed IP traffic separate, but not necessarily layer 2 traffic. In a tenant arrangement like is being suggested here, layer 2 separation is also important.

Sorry to belabour the point, but it is for my understanding. Each customer is in its own VLAN. There will be 3 devices in each VLAN, all belonging to the same customer (per VLAN). So the only thing I can see that private VLANs would do here is isolate one PC from another within the same VLAN. But as the PCs in that VLAN belong to the same customer, what benefit is there?

If all the customers were in the same VLAN then I can understand the use of private VLANs, but you already have complete L2 separation because each customer has its own VLAN.

What am I missing here?

Edit - I am assuming here that each VLAN is using a different IP subnet with private addressing.



Go back and re-read line item #2 from the original post. Mark is providing a SINGLE port to each tenant. They will in turn be providing their own networking equipment for their own internal machine count.

Sent from Cisco Technical Support iPad App


So the single port will be allocated into its specific VLAN on a per-customer basis, i.e. from Mark's original post:

based on no. 2 I'll set up each office in its own VLAN

So how could one customer talk to another customer's VLAN without going via the router subinterface? I agree that if there are multiple customers then L2 separation is needed, but I think that is already there without private VLANs.

I'm not trying to prove you wrong, because I suspect it may be something I haven't realised about private VLANs. My understanding was that using private VLANs was quite common in a site with multiple customers where you needed to use the same IP subnet for all customers, e.g. public IPs, so you did not want to lose addresses by having to subnet down.

Perhaps you could provide an example of how the above, simply allocating each port into its own VLAN, does not provide the L2 separation needed?
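To make the question above concrete, here is the switch side of the one-VLAN-per-office design as an added example; it is not configuration from the thread or from any poster. Each hand-off port is an access port in its own VLAN and only the trunk to the router carries all of them, so two tenant ports never share a broadcast domain regardless of what the tenant plugs in. A clearly separated second section shows the isolated private-VLAN form that the earlier reply refers to, which is the case named above where all offices would have to share one VLAN and one subnet. Port numbers, VLAN IDs, the storm-control threshold and the use of a dedicated promiscuous router port for the alternative are all assumptions.

```cisco
! Added example (not from the thread): Catalyst layer 2 switch side of the
! one-VLAN-per-office design. Port numbers and VLAN IDs are assumptions;
! two offices are shown, repeat for the rest.
vlan 101
 name TENANT-OFFICE-01
vlan 102
 name TENANT-OFFICE-02
vlan 999
 name UNUSED-NATIVE
!
! Each hand-off port is an access port in its own VLAN. Whatever the tenant
! connects (hub, unmanaged switch, their own router) only ever sees VLAN 101,
! so no other office's frames reach it at layer 2. BPDU guard err-disables
! the port if a tenant switch tries to join our spanning tree, and storm
! control caps a looped hub's broadcast flood at a fraction of the link.
interface GigabitEthernet1/0/1
 description Tenant office 1 hand-off
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/2
 description Tenant office 2 hand-off
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
! The only port that carries every tenant VLAN is the trunk to the router.
! An unused native VLAN keeps untagged frames out of any tenant VLAN, and
! nonegotiate stops DTP from forming a trunk on a tenant port.
interface GigabitEthernet1/0/24
 description 802.1Q trunk to router (router-on-a-stick)
 switchport mode trunk
 switchport trunk allowed vlan 101-115
 switchport trunk native vlan 999
 switchport nonegotiate
!
! --- Alternative, only if all offices must share ONE VLAN and subnet ---
! (for example a single block of public addresses). Here the private VLAN
! does the isolation: isolated ports can reach the promiscuous router port
! but never each other. This REPLACES the access-port config above for the
! hand-off ports and uses a dedicated router port instead of a subinterface
! on the trunk. Private VLANs need VTP transparent mode (or VTP version 3).
vtp mode transparent
!
vlan 200
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
interface range GigabitEthernet1/0/1 - 15
 description Tenant hand-off (shared subnet, isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet1/0/23
 description Router port for the shared subnet
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
```

With the first section applied, `show vlan brief` lists exactly one hand-off port under each tenant VLAN and `show interfaces trunk` shows only GigabitEthernet1/0/24 forwarding VLANs 101-115; a frame from office 1 has no path to office 2 that does not pass through the router, which is the separation the question above is asking about. The private-VLAN section only earns its complexity when the per-VLAN subnetting is not possible.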