Network design with isolation of in-house customer networks

alexmclv
Fellow experts:

I would appreciate your opinions and suggestions on how to approach the following situation:

We currently host equipment (workstations, servers, etc.) from several clients in our facility. For the sake of security and confidentiality, each client and its associated equipment (which from now on I will refer to as simply “client”) should be isolated into its own network. In addition, we have vendor-specific backend systems that are not related to the clients but still need to be accessed by them. Each backend system is a collection of a few servers. Due to limited building space we usually have 2-3 clients in a single room and/or one client in separate rooms but there’s only 1 (maybe 2) Ethernet ports per room that lead to our network closet. Also, client equipment gets moved to different rooms occasionally (due to the same lack of space.)

Here’s what I need to achieve:
- A client should not see other clients on the network.
- Client personnel should be able to access their equipment from the outside world through VPN.
- Every client should be able to access the Internet.
- Each client should be able to access only the vendor-specific backend systems that are assigned to it.

I have too many ideas on how to achieve this but I can’t seem to come up with a final and cost-effective solution. One of them was to install at least one managed switch per room and then enable MAC-based authentication for dynamic VLAN assignment using a RADIUS server and perform some routing, etc.

Our budget is limited so unfortunately purchasing top of the line network equipment is out of the question.

Thanks in advance for your help!

Commented:
do you have cisco switches? sounds like you could use cisco private vlans. (if you have not, go on reading)

separating each client with its own vlan (and subnet) is a good idea, but you will need a router/firewall to prohibit routed access between clients.
I would suggest using Mikrotik software routers for this purpose if budget is an issue.
radius and 802.1x can help you to protect from unauthorized access to unused rj45 outlets in rooms.

Author

Commented:
I don't have any Cisco routers and PVLANs are not suitable for my environment.

Budget is still an issue, so my idea is to go with Gigabit Layer 2 switches with support for 802.1x, etc.

Commented:
ok you can go with my second solution.
please note, that with 802.1x only you will be unable to do the job.
so please consider firewall (I have mentioned mikrotik as a decent piece of software http://www.mikrotik.com/) to filter between subnets.

you can consider Dlink switches also - they are affordable and reliable.

What is keeping you from using VLANs to isolate the users to their own subnet and ACL/filters to control access to the servers and outside?

Author

Commented:
Rick_O_Shay:

VLANs are definitely part of the equation and I'm planning on dynamic assignment using MAC-based authentication through a RADIUS server; that's my idea as far as isolating the clients regardless of their location within the building. I was looking at ACLs, too; however, I'm assuming I have to configure the ACLs on every managed switch (at least one per lab) I have in the network, am I correct? I'm just trying to centralize as many of the administration tasks as possible.

from_exp:

I'll do some research on Mikrotik. Do you recommend D-Link switches based on your personal experience? I'm just wondering because I haven't heard great things about them; and personally I haven't had much luck with their home products.
Commented:
if you want to centralize ACLs - then you have to go for a router/firewall (so called "router on a stick" solution), where you will do all the filtering.
you have to bear in mind, that ordinary switch ACLs are not that easy to configure, there are limitations on how many of them you can apply etc (because ACLs in switches are implemented on a physical level, hence you can't do more than hardware allows)

dlinks for enterprise are much better than for home users. I have exp with different d-link switches for several years now and newer models are working like a charm. In my opinion much better than netgears.

sure thing you can take HP, but the price will be higher. I have heard, that huawei's are not bad either.

and what is your opinion? do you have any models in mind (possibly with a good price, or good support options?)
Your ACLs would be at whatever point the routing is being done, so if you have a core L3 switch that is the point where the inter-VLAN decision is made, or as from_exp mentioned on the firewall/router with an interface in each VLAN.
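The policy both replies describe (one VLAN per client, one per backend system, every inter-VLAN decision made once on the router/firewall that has an interface in each VLAN) can be written down and checked before any box is bought. The block below is an added example, not code from the thread or from any vendor: the client names, VLAN ids, subnets and backend assignments are constructed, and the rendered output uses MikroTik RouterOS firewall syntax only because that is the software router suggested above. It builds an ordered rule list from the asker's four requirements and then audits the list against them, which is the check that catches a forgotten deny.

```python
"""Policy model for per-client isolation with all filtering centralised on a
'router on a stick' firewall. Constructed example: names, VLAN ids, subnets and
backend assignments are assumptions, not values from the thread."""
from ipaddress import ip_address, ip_network

CLIENTS = {  # constructed inventory: one VLAN/subnet per client
    "clientA": {"vlan": 101, "subnet": "10.101.0.0/24", "backends": {"billing"}},
    "clientB": {"vlan": 102, "subnet": "10.102.0.0/24", "backends": {"billing", "imaging"}},
    "clientC": {"vlan": 103, "subnet": "10.103.0.0/24", "backends": set()},
}
BACKENDS = {  # constructed: each vendor backend system is its own VLAN/subnet
    "billing": {"vlan": 201, "subnet": "10.201.0.0/24"},
    "imaging": {"vlan": 202, "subnet": "10.202.0.0/24"},
}
ANY = "0.0.0.0/0"
PUBLIC_PROBE = "203.0.113.10"  # TEST-NET-3 address standing in for 'the Internet'


def build_rules():
    """Ordered (action, src_net, dst_net) rules for the firewall's forward path.
    First match wins, so the specific accepts precede the broad internal deny."""
    rules = []
    # Requirement 4: a client reaches only the backend systems assigned to it.
    for c in CLIENTS.values():
        for b in sorted(c["backends"]):
            rules.append(("accept", c["subnet"], BACKENDS[b]["subnet"]))
    # Requirement 1 (and the rest of 4): nothing else between internal networks.
    # This also stops a backend from initiating connections into a client VLAN.
    internal = [c["subnet"] for c in CLIENTS.values()] + [b["subnet"] for b in BACKENDS.values()]
    for s in internal:
        for d in internal:
            if s != d:
                rules.append(("drop", s, d))
    # Requirement 3: client traffic that survived the internal deny is Internet-bound.
    for c in CLIENTS.values():
        rules.append(("accept", c["subnet"], ANY))
    rules.append(("drop", ANY, ANY))  # default deny (backends get no Internet here)
    return rules


def evaluate(rules, src, dst):
    """Return the action the rule list takes for a new flow src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "drop"


def audit(rules):
    """Check every client against the four requirements; return a list of violations."""
    def host(net):
        return str(ip_network(net)[10])  # an arbitrary host inside the subnet
    problems = []
    for name, c in CLIENTS.items():
        src = host(c["subnet"])
        for other, o in CLIENTS.items():
            if other != name and evaluate(rules, src, host(o["subnet"])) != "drop":
                problems.append(f"{name} can reach {other}")
        for bname, b in BACKENDS.items():
            want = "accept" if bname in c["backends"] else "drop"
            if evaluate(rules, src, host(b["subnet"])) != want:
                problems.append(f"{name} -> {bname} should be {want}")
        if evaluate(rules, src, PUBLIC_PROBE) != "accept":
            problems.append(f"{name} has no Internet access")
    return problems


def render_routeros(rules):
    """Render the rule list in MikroTik RouterOS firewall syntax. The stateful
    first line lets replies to already-accepted flows return."""
    lines = ["/ip firewall filter add chain=forward connection-state=established,related action=accept"]
    for action, s, d in rules:
        lines.append(f"/ip firewall filter add chain=forward src-address={s} dst-address={d} action={action}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = build_rules()
    print(render_routeros(rules))
    print("violations:", audit(rules) or "none")
```

Requirement 2 (VPN access) is not a separate rule: if the VPN server hands each client's remote users addresses inside that client's own subnet, or a per-client pool that is added to CLIENTS, the same table applies to them. Traffic inside one VLAN never reaches the router, so the table only governs what crosses VLANs; that is exactly the boundary the asker wants centralised.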

Author

Commented:
I do have an HP ProCurve 2650 switch and it is a pretty solid product that I was able to get working successfully with a RADIUS (IAS) server to perform MAC-based dynamic VLAN assignment in my test environment. Unfortunately, this switch is of no use to me anymore since it is FastEN only and I want all my switches to operate at Gigabit speeds on all ports.

I definitely want to buy new managed Gigabit Layer 2 switches (Layer 3 are too expensive), 24 ports with support for VLANs, 802.1x, port mirroring, etc. and hopefully under $800.

Since you mention D-Link switches, will Asymmetric VLANs play any role in my configuration?

So, from a budget point of view the "router on a stick" would be my most affordable solution but a core Layer 3 switch would give me the best performance, right?

Your last statement re: price and performance is correct.

Commented:
as rick_o_shay said, L3 will perform better (but with less convenient ACLs compared to a firewall), but software router will be cheaper. And again, modern server hardware is rather fast, and you can plug multiple nics in it also.

dlinks have asymmetric vlans, but I have no exp with them.
take a look at DGS-3100 models (there are poe variants and with 48 ports)

in any case, with any vendor, don't forget about redundant PSUs

Author

Commented:
Guys, I really appreciate your responses.

Here's what I might end up going for:

- At least one edge switch, HP ProCurve 1510G, per lab due to the lack of ports in the wall - I don't think there's another way around this, is there? All non-trunking ports will be set to MAC-based authentication.

- One Layer 3 core switch, HP ProCurve 6600-24G, to handle all the ACLs and maybe have it distribute the different VLANs to the rest of the switches using GVRP.

- One RADIUS server, Network Policy Server (NPS) on Windows Server 2008 Standard, to take care of all the MAC-based authentication, as well as VPN access.

What do you guys think? Do you see any issues with using GVRP in this scenario?
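The MAC-based dynamic VLAN assignment in this plan works because the RADIUS server answers the edge switch's authentication request with the three RFC 3580 tunnel attributes that name a VLAN; the switch then puts the port in that VLAN, so a client's machine lands in its client's VLAN whichever room it is moved to. The block below is an added example, not code from the thread: the MAC addresses, VLAN ids and client names are constructed, and the quarantine VLAN is an assumption. The plan above uses NPS; the FreeRADIUS `users` entries rendered here carry the same attributes and are shown only because that format is plain text.

```python
"""MAC-based dynamic VLAN assignment via RADIUS reply attributes (RFC 3580).
Constructed example: MACs, VLAN ids and client names are assumptions."""
import re

# RFC 3580 attribute values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

INVENTORY = {  # constructed: known device MAC -> (client, VLAN id)
    "aabbccddee01": ("clientA", 101),
    "aabbccddee02": ("clientA", 101),
    "aabbccddee11": ("clientB", 102),
}
# Constructed: an isolated VLAN for devices not in the inventory; set to None
# to send Access-Reject instead, which leaves the port unauthenticated.
QUARANTINE_VLAN = 999


def normalize_mac(raw):
    """Switches send the MAC in several shapes ('AA:BB:..', 'aa-bb-..', 'aabb.ccdd.ee01');
    collapse them to 12 lowercase hex digits, or raise if it is not a MAC at all."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def vlan_for(raw_mac):
    """Return the RADIUS reply attributes for a MAC, or None for Access-Reject."""
    mac = normalize_mac(raw_mac)
    if mac in INVENTORY:
        client, vlan = INVENTORY[mac]
    elif QUARANTINE_VLAN is not None:
        client, vlan = "unknown", QUARANTINE_VLAN
    else:
        return None
    return {
        "client": client,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vlan),
    }


def render_users_file():
    """FreeRADIUS 'users' entries. With MAC-based auth the switch sends the MAC as
    both username and password, so each entry authenticates on the MAC and
    replies with the VLAN attributes."""
    out = []
    for mac, (client, vlan) in sorted(INVENTORY.items()):
        out.append(f"# {client}")
        out.append(f'{mac}\tCleartext-Password := "{mac}"')
        out.append("\tTunnel-Type = VLAN,")
        out.append("\tTunnel-Medium-Type = IEEE-802,")
        out.append(f'\tTunnel-Private-Group-Id = "{vlan}"')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_users_file())
    for probe in ("AA:BB:CC:DD:EE:01", "aabb.ccdd.ee11", "00:11:22:33:44:55"):
        print(probe, "->", vlan_for(probe))
```

One caveat worth keeping in mind with this design: MAC-based authentication places a device, it does not authenticate a person, and a MAC is trivially copied from a label or a sniffer. The inter-VLAN firewall policy therefore stays the real boundary, and where client equipment can run an 802.1X supplicant, credential-based authentication on those ports is the stronger option.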
I don't use GVRP but just tag the uplinks with whatever VLANs are going over them.
As far as I know it works as advertised for propagating VLANs.

Author

Commented:
I'm going to close the question and assign points. I have a lot more research to do since it could be more convenient to handle the ACLs through the RADIUS server instead. BTW, I meant one "HP ProCurve 2510G-24" switch per lab, not 1510G.

Thanks again!

Author

Commented:
Thanks again for all the comments!
