VLANs for a small office, what to use?

Posted on 2008-10-29
Last Modified: 2009-01-26
Ok, I'm in a pinch here....

I have $1000 to do the following

Client is the broadband provider for 2 other tenants in his office.  They have a total of 26 ports that we need hooked into a switch.  Here is what I need...

Client 1 (landlord), Client 2 and Client 3 all need to share the same broadband connection, but be separated via VLANs with ACLs.  Client 1 has EXTREMELY sensitive data that needs to be segregated.  They need to be on separate subnets (obviously), but I am not allowed to introduce a server into their environment, so a server-based DHCP server with 3 separate scopes is out of the question.  They also want a firewall product to be integrated into this mix.

What i think i know....

A nice L2/L3 switch will allow me to VLAN everybody off, either by port or by MAC, but does not address how to dish out different dynamically assigned addresses to each VLAN, nor does it address the firewall aspect.  I think the ASA 5505 Cisco would handle the firewall issue pretty well, as well as the DHCP, but once I get that 3rd VLAN, the licensing pushes it above $1000 just by itself.  I'm kind of at a loss as to how to get this ball rolling and what hardware combination would be adequate.  The Netgear L2/L3 switches look very good, but I know I'm going to have to get a 48 port switch (although I could probably talk them into a 24 port and have them switch in the offices to free up some room), which is not cheap.  I think there is a sweet spot somewhere in here, but I'm just not seeing it....

please ask questions and I will answer them

Many Thanks,

Danny Wheeler, MCSE
Question by:danlikey2
Assisted Solution

by:speed16
speed16 earned 166 total points
ID: 22835014
A Layer 3 switch is easily going to set you over $1,000. You could go with ClarkConnect. http://www.clarkconnect.com/info/compare.php It's software that you would load on a system you would provide. You can install several NIC cards in the PC and those would become your VLANs. You could then use the dumbest switch(es) you can find, if high bandwidth isn't needed. http://www.clarkconnect.com/info/features.php It provides many useful features and it's an enterprise solution. Good luck.
Accepted Solution

by:sharedit
sharedit earned 167 total points
ID: 22836404
What network equipment do you already have there?

How is the wiring done? Does each tenant have an IDF, or do all network lines run from the same closet?

How many connections are needed per tenant?
26 total; how is this broken down?
------------------------------------------------------------------------------
I don't know if I'm being serious or not; this is just off the top of my head.

*Any brand can be used.
Get a Linksys router with a four-port switch and hook that up to the internet.
Get 3 other Linksys routers and set them up as routers, not gateways. Put what would be their WAN ports on the same network as the first router connected to the internet.  Set each scope up as a different range; now you have 3 separate networks. Make sure the gateway router has routes in it for each of the other ranges (WAN port of each other router on the same network). In the three network routers, include the default gateway of their WAN ports as the internet router; DNS could be the same internet router or you could just use some public internet DNS.

If they need more switch ports, buy cheap switches for each tenant.

I'm sure you can figure this out.

That's a laughable network for under a laughable $1000.
Or try refurbished hardware.

Assisted Solution

by:mikecr
mikecr earned 167 total points
ID: 22850252
Here is what you do. Get a Cisco 2950 48-port switch off eBay, a decent one with a warranty. It should run you between $250 and $350. Also get a Cisco 1721 router with an extra WIC-1ENET card. Make sure it has 32 MB of flash and a minimum of 64 MB of RAM.

What you do is configure three VLANs, one for each tenant and client. Next, configure trunking on the switch port that is plugged into the router, and configure VLANs with 802.1q encapsulation on the Fast Ethernet interface on the LAN side. You can then set up a different subnet for each tenant and client. The other Ethernet card will plug into the broadband connection. You can configure NAT on the router to get them out to the internet. Each VLAN on the router will have an IP address assigned to it, which will then also allow you to create access lists to permit and deny traffic to each subnet accordingly.

This should work out for you very well and you will be well under the $1000 mark. If you need assistance with the configuration, please let me know and I can help you.
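The router-on-a-stick build mikecr describes, written out as an added configuration example; this is not from the thread or from mikecr. Everything concrete in it is an assumption: the port split (16 access ports per tenant on a 48-port 2950), VLAN IDs 10/20/30, the 10.x.0.0/24 subnets, the 192.0.2.53 resolver and the 203.0.113.0/30 WAN addressing are placeholders, and the IOS built-in DHCP server is used to give each VLAN its own scope, which the answer does not mention but which avoids the server the question rules out.

```cisco
! ===== Catalyst 2950 (switch) =====
! One access VLAN per tenant; port 48 is the 802.1Q trunk to the router.
vlan 10
 name LANDLORD
vlan 20
 name TENANT2
vlan 30
 name TENANT3
vlan 999
 name UNUSED-NATIVE
!
interface range FastEthernet0/1 - 16
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/17 - 32
 switchport mode access
 switchport access vlan 20
interface range FastEthernet0/33 - 47
 switchport mode access
 switchport access vlan 30
interface FastEthernet0/48
 description Trunk to 1721 FastEthernet0
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ===== Cisco 1721 (router) =====
! One dot1Q subinterface per VLAN, NAT overload out the WIC-1ENET.
! DHCP pools on the router replace the server-based scopes (assumed addressing).
ip dhcp excluded-address 10.10.0.1 10.10.0.9
ip dhcp excluded-address 10.20.0.1 10.20.0.9
ip dhcp excluded-address 10.30.0.1 10.30.0.9
ip dhcp pool LANDLORD
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1
 dns-server 192.0.2.53
ip dhcp pool TENANT2
 network 10.20.0.0 255.255.255.0
 default-router 10.20.0.1
 dns-server 192.0.2.53
ip dhcp pool TENANT3
 network 10.30.0.0 255.255.255.0
 default-router 10.30.0.1
 dns-server 192.0.2.53
!
interface FastEthernet0
 no ip address
 no shutdown
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
 ip access-group LANDLORD-IN in
 ip nat inside
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ip access-group TENANT2-IN in
 ip nat inside
interface FastEthernet0.30
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.0
 ip access-group TENANT3-IN in
 ip nat inside
interface Ethernet0
 description WIC-1ENET to broadband (placeholder WAN addressing)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 no shutdown
!
! Tenant isolation: each VLAN reaches its own gateway and the internet, never
! the other two subnets. The bootpc/bootps line keeps DHCP working, because an
! inbound ACL also filters packets addressed to the router itself.
ip access-list extended LANDLORD-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.20.0.0 0.0.0.255
 deny   ip any 10.30.0.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended TENANT2-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.10.0.0 0.0.0.255
 deny   ip any 10.30.0.0 0.0.0.255
 permit ip 10.20.0.0 0.0.0.255 any
ip access-list extended TENANT3-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.10.0.0 0.0.0.255
 deny   ip any 10.20.0.0 0.0.0.255
 permit ip 10.30.0.0 0.0.0.255 any
!
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.0.255
 permit 10.20.0.0 0.0.0.255
 permit 10.30.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two points a practitioner would check on this build. The switch only separates the tenants at layer 2; the inbound ACLs on the router subinterfaces are what actually stop one tenant's subnet from reaching another's, so the final `permit ip <own subnet> any` on each list matters: it also drops traffic with a spoofed source from the wrong VLAN. Setting the trunk's native VLAN to an unused ID (999 here) and pinning the trunk with `nonegotiate` closes the classic untagged-frame VLAN-hopping path; leaving the native VLAN at the default VLAN 1 with DTP enabled is the mistake to avoid. Note also that the WIC-1ENET is a 10 Mbit interface, which was fine for 2008-era broadband but is the bottleneck in this design.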
Author Comment

by:danlikey2
ID: 22853555
Actually guys, I figured this one out on my own...

Firewall:

Fortinet 60b

http://www.fortinet.com/doc/FGT50_100DS.pdf

This router allows you to configure "VDOMs", or virtual domains, each acting like its own separate network WITH its own separate firewall with configurable settings.   Can be had for around $500.  It allows for up to 10 VDOMs, each with its own DHCP server built in, per interface, as well as port-level ACLs and separation from other interfaces.   I won't need trunking, as I will just run a separate Cat6 into each VLAN on my switch to dish out DHCP to that particular VLAN (the router comes with 8 interfaces).  I actually have used one of these in the past, and I would put the quality right up there with Cisco, without the name recognition.  The VDOM concept is new though; I did not know they could do that....

I will use the Cisco SMB SLM248G (rebranded Linksys) for the switch, since I can pick it up for $320 new, although I might entertain the notion of the used 2950.  We'll see; client wants new equipment.  It will allow me to configure the VLANs, and since I don't need to do tagging, just ports, it will be easy to drop a cable from the interface on the Fortinet to the switch and have a segregated network.  Done!

This puts me at $850 (approx) for my laughable network, with only 2 pieces of equipment and a minimum amount of jumble.  It also uses some pretty good new equipment that is all fairly easy to reconfigure if the next IT guy is like me and not a Cisco guru....

Anywho, comments welcome, and I will find a way to distribute points even though I got this one on my own.  Good suggestions though.

Danno
