How to network a large multi-tenant office with one subnet per tenant
This is rather long, please bear with me.
I am setting up a large multi-tenant office building. There are approx. 20 tenants occupying approx. 30 individual offices, all on the same floor of this building. Most tenants rent a single office, a few rent two or maybe three offices -- all on a yearly lease basis. There is a shared group of community devices (printers, scanners, fax, etc.) that each tenant may use, or they may use their own. There is a single 15mbit connection to the internet.
Tenants are allowed to bring in their own small SOHO hub/switch so they may connect several devices to the one network jack in their individual office.
I want each tenant to have their own private class C address. DHCP will provide addresses for each device regardless of subnet. Some devices, such as community printers, etc. may be static.
I want each tenant to see only his own private subnet and the Community Devices Subnet. I don't want any tenant to see any other tenant-subnet.
e.g.
Community Devices Subnet: 192.168.11.x (Visible to all subnets)
Tenant #1: 192.168.51.x (Visible only to Community Devices Subnet)
Tenant #2: 192.168.52.x (Visible only to Community Devices Subnet)
"
"
Tenant 20: 192.168.70.x (Visible only to Community Devices Subnet)
Each tenant may access the internet. Probably everything will be Windows-based.
Secondarily, I want QoS capability so that I may grant each tenant a certain maximum speed to the internet (1.5, 5, 10, etc.) , max transfer bytes to the internet (to discourage numerous large file transfers), and blocking certain protocols (some streaming, etc.).
I've setup plenty of networks before, but they have all been single subnet SOHO style networks. I've not done anything approaching what I've described above.
What sort of networking gear do I need? And what capabilities/features do they require?
thanks.....
I am setting up a large multi-tenant office building. There are approx. 20 tenants occupying approx. 30 individual offices, all on the same floor of this building. Most tenants rent a single office, a few rent two or maybe three offices -- all on a yearly lease basis. There is a shared group of community devices (printers, scanners, fax, etc.) that each tenant may use, or they may use their own. There is a single 15mbit connection to the internet.
Tenants are allowed to bring in their own small SOHO hub/switch so they may connect several devices to the one network jack in their individual office.
I want each tenant to have their own private class C address. DHCP will provide addresses for each device regardless of subnet. Some devices, such as community printers, etc. may be static.
I want each tenant to see only his own private subnet and the Community Devices Subnet. I don't want any tenant to see any other tenant-subnet.
e.g.
Community Devices Subnet: 192.168.11.x (Visible to all subnets)
Tenant #1: 192.168.51.x (Visible only to Community Devices Subnet)
Tenant #2: 192.168.52.x (Visible only to Community Devices Subnet)
"
"
Tenant 20: 192.168.70.x (Visible only to Community Devices Subnet)
Each tenant may access the internet. Probably everything will be Windows-based.
Secondarily, I want QoS capability so that I may grant each tenant a certain maximum speed to the internet (1.5, 5, 10, etc.) , max transfer bytes to the internet (to discourage numerous large file transfers), and blocking certain protocols (some streaming, etc.).
I've setup plenty of networks before, but they have all been single subnet SOHO style networks. I've not done anything approaching what I've described above.
What sort of networking gear do I need? And what capabilities/features do they require?
thanks.....
ASKER
Thanks. This is sort of what I pictured. I don't believe a simple SOHO gateway/router ala the Linksys WRT54G will do since they only handle one subnet. I probably need a router that can handle many subnets. If I use a layer 2/3 switch, instead of a simple layer 2 switch, then I can omit the separate router, right?
Do you have a suggestion for a specific ayer 2/3 switch that will do what I want?
Can I even do this with just a layer 2/3 switch?
ISP - - - Firewall - - - Layer 2/3 Switch - - - VLANs?
I have a Netgear FSM726S switch, but I can't see how to move traffic from one VLAN to another. I believe this is a layer 2 only switch. Plus, I don't see how to assign a subnet to any particular VLAN. Again, probably because it's a layer 2 switch?
thanks
Do you have a suggestion for a specific ayer 2/3 switch that will do what I want?
Can I even do this with just a layer 2/3 switch?
ISP - - - Firewall - - - Layer 2/3 Switch - - - VLANs?
I have a Netgear FSM726S switch, but I can't see how to move traffic from one VLAN to another. I believe this is a layer 2 only switch. Plus, I don't see how to assign a subnet to any particular VLAN. Again, probably because it's a layer 2 switch?
thanks
Well...
*To replace the router and switch with one Layer 2/3 Switch - i would suggest somthing like a Cisco 3750.
*You could also do your inter -vlan routing on a good firewall such as the Cisco ASA 5510. (this would replace the router and then you would only need a VLAN compatible Layer 2 switch.
But if your going for cost and simplicity:
1 x Good firewall (not necassarily a cisco one)
1 x cisco 2600 router
1 x cisco 2960G switch (or keep your current switch if it handles VLAN and Dot1Q trunking)
-Craig
*To replace the router and switch with one Layer 2/3 Switch - i would suggest somthing like a Cisco 3750.
*You could also do your inter -vlan routing on a good firewall such as the Cisco ASA 5510. (this would replace the router and then you would only need a VLAN compatible Layer 2 switch.
But if your going for cost and simplicity:
1 x Good firewall (not necassarily a cisco one)
1 x cisco 2600 router
1 x cisco 2960G switch (or keep your current switch if it handles VLAN and Dot1Q trunking)
-Craig
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry for the delay in replying. The overview you provided was definitely helpful!
*Are you going to be providing the Private Network Security with a firewall?
If you are, then i would set something simple up like the following:
ISP - - - - -Firewall - - - - -Router - - - - Switch - - - - -VLAN's (tennants)
|
|
DHCP Server on
seperate VLAN
I would use VLAN's to handle all the seperate Networks.
Because there will be minimal traffic (printer usage mainly) between VLAN's, then i would use the simple "router on a stick" approach to provide the inter-VLAN routing (required for your community printers etc...)
ACL's (access control lists) for the VLAN's (keeping each tennants network seperate whilst still alowing access to the community network) would be placed on the inside port of the router.
ACL's for blocking certain protocols (streaming etc...) i would place on the inside interface on the firewall.
A single DHCP Server for handing out IP's and DNS settings to the tennants devices could handle all the VLAN's at once (for redundancy i would also set up a DHCP on the router - incase the server fails)
For the "Bandwidth shaping" - you could set up a simple QoS on the router to prioritise http over anything else. for more indepth shaping like you require (limiting each VLAN/tennants network to a set bandwidth) someone else will need to help you with that one.
NOTE: The network diagram i created above is a simple proposed solution - you could of course replace the switch and router with a Layer 2/3 switch.
hope this was of some help... if you need any more detail just ask.
-Craig