Network Design in a Shared Office


I am currently helping implement a network design for a small office that is being refurbished with the end aim being that it will be let out to small local businesses, partly on a per-room basis.

It has four floors with the top two floors each holding three small rooms capable of holding between 1 and 6 desks each.

The bottom two floors are open plan and will both be let out to one business who have their own network equipment they're supplying themselves.  Their 1st floor contains the server room which will serve all four floors.

For the top two floors which will be rented out per room, I have designed a cabling infrastructure using CAT5e and providing every room with enough CAT5 sockets for every desk plus two spare, one for a router and one for a server/network printer/other.

Each socket has a separate cable linked back to the switch in the cable cabinet in the server room.  The switch for these two floors will be a VLAN-capable gigabit switch such as the Netgear ProSafe GS748TS.  The idea is that each room will be isolated on a VLAN by the switch.  Should a business want more than one room, the VLANs can be modified to create one VLAN spanning two or more rooms as needed.

If the larger business occupying the bottom two floors decides to expand and take over part or all of the top two floors, I envisaged that we could simply create one VLAN for all rooms on the switch and connect their switch to it via a patch lead, thus linking the whole building.

For broadband, each room will have its own ADSL-enabled phone line with an ethernet socket adjacent.  This allows the room's tenant to supply their own router and sort out their own broadband without affecting the rest of the building or incurring additional support costs for the landlord.

My basic question is this - as I have limited experience of this, I hoped someone would be able to give me an idea of whether this is the best way to do it or whether there is a better way?  The separate broadband is a must as the landlord does not want to get involved in shared lines etc.

Any feedback is much appreciated.


atlas_shuddered (Sr. Network Engineer) commented:
Off the cuff - how are you intending to support security 1.) between the individual tenants, 2.) within your actual infrastructure, 3.) between your area of responsibility and that of your tenants or the service provider?

Additionally, are you going to uplink all your switches together or are you planning on connecting the tenants to the individual routers and then out?

Can you provide a physical/logical topology map so we can get a better idea of how you intend to implement?
comphil (Author) commented:
Hi, thanks for your help.

1) Security between the tenants would be down to the VLAN capabilities of the switch - each office should then be isolated from the others.

2) Not sure what you mean here, does the infrastructure as you mean it relate to the network cabling running throughout the building?

3) The area of responsibility ends with providing the network ports around the rooms.  The ADSL connection and anything the tenant does with it will the responsibility of the tenant.

There will only be one switch on the first floor to which all the ports will link; a series of VLANs will be created to separate each room.

A diagram is attached, hope it's of some help.
atlas_shuddered (Sr. Network Engineer) commented:
You are cross feeding all of your tenant communications across a shared hardware infrastructure with multiple paths in and out.  The major item that I see to be concerned with is the fact that you are providing the VLAN architecture on your equipment.  Each of these VLAN architectures is linked to their own DSL architecture which they may or may not secure themselves (yes, even the modern, sophisticated, tech-savvy humanity of today can be just this stupid).  In the event that they do not secure their Internet connection, they will be placing both your other tenants (think lawsuit here) as well as your architecture at risk (shared interior infrastructure, remember?).  Furthermore, there is another risk that is being introduced in the potential for the malicious "insider" (meaning your tenants).  VLAN hopping is not that difficult a task, even for the grandest of idiots, assuming they have a moderate level of determination or motivation.

Additionally, your own infrastructure is an open field for attack and compromise.

Things that you need to be looking at are firewalls (in play and non-optional), VLAN ACLs and a highly restricted scope of access for management activities.  Additionally, I would look at a shared Internet venue which you control access to (back charge the customer in their rent to recoup).
comphil (Author) commented:
Fair point - so you'd suggest in the simplest scenario that every network should be physically separate?  I was under the impression (having gained advice from a colleague who has worked with them for several years) that VLANs were almost as secure as a physical separation.

In the event that we isolate every office with its own little network, what would be a good way to 'merge' two room's networks in the event someone wants more than one?  I couldn't think of a neat way to do this, hence the VLAN solution.

We did look at the possibility of shared internet but it introduced complexities the landlord did not want to go into and the availability of ADSL in this area is not particularly great.  However I do understand your point about security.
comphil (Author) commented:
OK, been thinking this over and perhaps the simpler and more secure solution is for each room to have its own switch - so instead of 1x 48 port switch split with VLANs, just have 6x individual 5 or 8 port switches that can be linked with patch leads as necessary.  There should be enough room in the cable cabinet to do this neatly.

If one business takes the lot, we can get a larger switch as and when.

Although this isn't so technically sophisticated, it is simple, secure and also removes the single point of failure.  

I think you're doing fine using VLANs in order to allow flexibility -- e.g. if a tenant wants to take a couple rooms on a couple floors.  Your design is fairly sound, I'll advise you on a few security pointers.

"VLAN Hopping" is only possible if you fail to secure your equipment, and unfortunately is a vulnerability in much equipment in its default configuration.  Otherwise, as you mentioned, VLANs are rock solid.  Here are a few guidelines to prevent your tenants from showing up on the wrong VLAN:

1) Configure every tenant port as a static "access" port on that tenant's VLAN.  For example, many Cisco switches come out-of-the-box in a dynamic mode, allowing an 802.1q trunk to be established, thus exposing all VLANs.  So, if a tenant is assigned VLAN 12, make sure every port that you assign to them is limited to only untagged traffic on VLAN 12.

2) Administratively disable (shut down) all ports that are not assigned for use.  Also, lock unused ports into an otherwise unused VLAN (e.g. VLAN 1 is a nice idea)

3) Never use VLAN 1 for any production traffic.  That's a place to put unused ports only.  Many folks think of running the infrastructure management over VLAN 1, and then other production traffic on other VLANs -- best not to use it for anything since new equipment/ports may default to that VLAN.

4) If you have management ports in the tenant's physical space where you are plugging your own equipment into your infrastructure VLAN (e.g. cameras, UPS/temperature monitoring, etc), use port security to only allow known MAC addresses.  This will keep your tenant from accidentally plugging their own device onto your management VLAN.  The key word here is "accidentally" as many operating systems allow for a MAC address change. . . if your switches support it, configure a feature to disable a port if an unauthorized MAC address is heard. . . this will alert you to the event and force a manual inspection and port re-enable by an administrator.

5) If you are going to use DHCP on your internal / infrastructure VLAN, don't use an open pool -- rather create per-MAC address reservations.  This will allow you to not have to worry about per-device configurations and potential typos/errors, while preventing unauthorized / unknown devices from being able to automatically function if connected accidentally.

6) Make sure you have monitoring and configuration backup / change recording.  There are a few commercial and open source packages available to do this.  You're going to want to alert on high interface utilization, interface flaps, environmental syslog events (e.g. power / temperature issues), etc.

Keep in mind there is no single answer, thus the concept of "defense in depth" -- put in as many barriers as you can, so that if one should fail another can continue to protect you.

- Dani
atlas_shuddered (Sr. Network Engineer) commented:
Overall, I agree with what Dani has to say regarding the VLAN management portion.  There are other items that you need to be considering in addition to VLAN security, but with the exception of changing the native VLAN and ensuring that you are pruning unnecessary VLANs across trunks, the core ones have been noted.

I am a cisco geek by default so I apologize for the overload of cisco links but these should get you started on the line of vlan security:

At this point my opinion begins to differ from Dani's in that I would still attempt to enforce security of the front end (Internet side).  It isn't so much an issue of segregating each office to their own individual switch (you could do this but your comments above indicate that you have already at least sensed that it could become an administrative nightmare).  However, if you are not going to enforce the gateway security or manage it yourself, then I would look into doing everything you can to seal off the individual VLANs from each other.

Things I would consider, if your landlord doesn't want to push everyone across a single Internet connection, from the Internet in:

1.  Allow the individual tenants to purchase their own internet connection.
2.  Mandate that their network reside behind a firewall that your landlord controls - they will then need to establish what kinds of connectivity they need and these items can be recorded
3.  Have each vlan segment contained singularly to layer two, no layer three routing within the switches themselves or at any other point than the firewall interior interface
4.  Manage DHCP from the firewall - I agree with using static addressing and limiting to only the addresses necessary to host your tenants, no dynamic pools.
5.  Implement the switch security that Dani above has spelled out and the items noted in the links above.

Depending how risk averse the landlord is, you may want to consider mandating security measures at the desktop level as well.  Items that most immediately come to mind are AV and desktop firewall solutions.

One other item of note, your drawing above indicates wireless.  If you intend to provide this service to tenants as well, you need to make sure that you secure it as well.  A couple of good links to look over:

Hope it helps
Atlas makes a very good point which I failed to clarify in my post . . .

The tenant VLANs should be *Layer 2* only to keep this secure.  That is, you're just allowing them to get to their devices and their own Internet routers - you're even allowing them to set and control their own IP space.

So. . . I would suggest that you do not put any IP address on any of the tenant VLANs otherwise you will be opening up internal communications.

Running your own switches is much cleaner than allowing the tenant to do their own wiring or get into your telco closet to mount their own network equipment. . .
comphil (Author) commented:
Wow, thank you both for the detailed explanations, this is really helpful.

Time is real tight on this one, not the way I'd like to approach such a job.  I have presented both a VLAN and individual switch option to them and they're OK with whatever I recommend.

Basically, all the tenant will get is a room with x number of ethernet ports on the wall which are able to talk to one another via a switch hidden downstairs in the comms cabinet (be it an individual switch or a portion of one on a VLAN).  

In addition, they will get a standard BT phone line with no pre-existing connections which they can use to make calls/access the internet if they wish.  This will be their choice and the internet connection in that room will be their responsibility to set up and maintain as the current design stands.  This also applies to any wireless devices they attach, although I would advise that they are required to secure anything they set up with a minimum of WPA/PSK in their contract.

This extends as well to any PCs, servers and other network devices they bring on site, we would have no control over it so MAC address control will not be an option for this scenario.

I had envisaged providing nothing to them beyond this - so if they want DHCP, they will need to provide a server/router/etc and connect it to their network.  My current understanding of VLANs suggested this would be OK and looks like I am barking up the right tree here at least.

You're absolutely right as well, we don't want them going anywhere near the comms cabinet which is why we've pushed the ADSL link to their room instead of leaving it (and their router) in the comms room.

I had seen some advice regarding not using VLAN1 for anything live so totally understand this, thanks for clarifying it.

So my current thoughts on a VLAN are (for example):

All ports in static mode.

Room1: VLAN2(Switch ports 1-5)
Room2: VLAN3(Switch ports 6-12)
Room3: VLAN4(Switch ports 13-18)
Spare Ports: VLAN1(disabled switch ports 40-48)

I have zero experience of Cisco switches but will price one up - we're quite happy with the Netgears we've used in the past hence why I picked out the GS748TS.

It probably isn't quite as good as a Cisco but it does have the following specs listed:

IEEE 802.1Q VLAN (128 groups, Static)
Management VLAN

Which seems to cover the basics.  However, I have also now seen the Cisco SLM248G which does look pretty good and is a similar price, do either of you have any experience with this one?  I have some reservations having seen that it's actually a Linksys but not sure if that matters.

One final (and probably real stupid) question - how do I assign the switch to a VLAN, should it have its own VLAN?  Obviously it'll need an IP address of its own - as one of the rooms will be mine and I will be looking after it, how does that work?

Thanks again for all your help, I'm learning a lot about VLANs in a short space of time!
comphil (Author) commented:
Unfortunately I think the Cisco Catalyst 6500 switches will be out of our scope due to their price - is it unrealistic to expect good security from anything less though?
atlas_shuddered (Sr. Network Engineer) commented:
Linksys is a subsid of cisco nowadays.  Not bad if you are fooling around in the house but I don't use them for my contract business deployments.  The 6500 series will be overkill for most anything you have described so far.  You should take a look at their smaller equipment like the 37s, 36s, 29s, etc.  These are access switches with increasing functionality depending on what you want them to do.

As far as vlan assignments, you don't assign the switch itself to the vlan, these are assigned on a port by port basis.  The nearest you get to assigning at the switch level is actually creating the vlans on the switch itself.

As far as Netgear goes, same as the Linksys statements above; that and, like I said previously, I have imbibed the Kool-Aid.
comphil (Author) commented:
OK I think I understand and yes comments noted on Linksys - I've never been a fan myself.

How do I communicate with the switch?  If I am in Room 1 > Vlan 2 which (for argument's sake) I am using 192.168.77.x on, should I therefore assign the switch an IP on that range so I can talk to it or would there normally be a way to assign certain ports as 'Management' ports that devices are allowed to communicate with it on?  Sorry if this is a stupid question but they say there's no such thing!
To manage the switch, you should create a management VLAN that only your infrastructure equipment connects to.

e.g. VLAN999, and that's where you plug your own workstation etc. into.  Then on the switch, assign an IP address to VLAN999, and voila! you're in.

Depending on platform, there may be a dedicated management port that you can use as well. . .

Regarding product/platform -- the NetGear and Linksys (now Cisco) lower-cost products may work out for you, but I'd be concerned about stability and ease of use.  Typically their CLIs are pretty clunky.  If you're more of a WebUI kind of tech, then you're probably better off with them, however.

If you want to run a real business-grade network, you should look at the Cisco product -- some of them will stack (e.g. 2960S, 3750G), allowing you to add ports without adding any more management burden.  If you like your tenants and don't like being sent out in emergencies, go for a product that has internal redundant power supplies, or purchase an external power supply redundancy solution.

- Dani
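The hardening points from Dani's list above (static access ports, unused ports shut and parked in VLAN 1, nothing live on VLAN 1, port security on landlord-owned ports on the management VLAN), atlas's point that tenant VLANs should stay layer 2 only, and the management-VLAN answer just given can all be checked mechanically against a switch configuration. The script below is an added example and is not code from the thread or from any of the participants. It assumes Cisco IOS-style configuration syntax (the thread's switch candidates are Netgear and Linksys, whose syntax differs), and it uses two constructed sample configs: a weak one showing the default-configuration mistakes the posts warn about, and a hardened one that passes. The VLAN numbers follow the author's room plan (VLANs 2-4) and Dani's example management VLAN (999); the interface names, addresses and MAC address are made up.

```python
"""Audit an IOS-style switch config against the VLAN hardening points raised in
the thread: static access ports, unused ports shut and parked in VLAN 1, no
traffic on VLAN 1, port security on infrastructure ports, tenant VLANs layer 2
only, and switch management only through an SVI on a dedicated VLAN."""
import re

# Constructed sample configs in Cisco IOS-style syntax (not the author's own).
# VLANs 2-4 follow the room plan in the thread; 999 is Dani's example mgmt VLAN.
TENANT_VLANS = {2, 3, 4}
MGMT_VLAN = 999

WEAK_CONFIG = """
interface GigabitEthernet1/0/1
 switchport access vlan 2
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/47
 switchport mode access
 switchport access vlan 999
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.77.254 255.255.255.0
"""

HARDENED_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet1/0/40
 switchport mode access
 switchport access vlan 1
 shutdown
!
interface GigabitEthernet1/0/47
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
interface Vlan999
 ip address 10.99.0.2 255.255.255.0
"""


def parse_interfaces(config):
    """Return {interface: [sub-commands]} from a flat IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current:                         # indented sub-command
            interfaces[current].append(line.strip())
    return interfaces


def audit(config, tenant_vlans=TENANT_VLANS, mgmt_vlan=MGMT_VLAN):
    """Return a list of findings; an empty list means the config passes."""
    findings, mgmt_svi = [], False
    for name, cmds in parse_interfaces(config).items():
        cmdset = set(cmds)
        has_ip = any(c.startswith("ip address ") for c in cmds)
        svi = re.fullmatch(r"[Vv]lan(\d+)", name)
        if svi:                               # layer-3 VLAN interface
            vid = int(svi.group(1))
            if has_ip and vid == mgmt_vlan:
                mgmt_svi = True
            elif has_ip:
                what = "a tenant VLAN" if vid in tenant_vlans else f"VLAN {vid}"
                findings.append(f"{name}: IP address on {what}; keep it layer 2 and address only Vlan{mgmt_vlan}")
            continue
        access_vlan = 1                       # IOS default when unconfigured
        for c in cmds:
            if c.startswith("switchport access vlan "):
                access_vlan = int(c.split()[-1])
        if "shutdown" in cmdset:
            if access_vlan != 1:
                findings.append(f"{name}: shut port still in VLAN {access_vlan}; park unused ports in VLAN 1")
            continue
        if "switchport mode access" not in cmdset:
            findings.append(f"{name}: not a static access port; DTP could negotiate an 802.1Q trunk")
        if access_vlan == 1:
            findings.append(f"{name}: active port on VLAN 1; never carry production traffic on VLAN 1")
        if access_vlan == mgmt_vlan and "switchport port-security violation shutdown" not in cmdset:
            findings.append(f"{name}: management-VLAN port needs port security with violation shutdown")
    if not mgmt_svi:
        findings.append(f"no IP address on Vlan{mgmt_vlan}; the switch cannot be managed from the management VLAN")
    return findings
```

Calling `audit(WEAK_CONFIG)` reports seven findings: the tenant port that was left in dynamic mode, the spare port that is neither shut nor parked (two findings), the camera port on VLAN 999 without port security, switch addresses on VLAN 1 and on the tenant VLAN 2, and the absence of any address on VLAN 999. `audit(HARDENED_CONFIG)` returns an empty list. The per-port checks deliberately treat "no `switchport mode access`" as a failure rather than looking for an explicit `dynamic` keyword, because the risk Dani describes is precisely that the default mode is not shown in the running config.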
comphil (Author) commented:
When it comes to switches I have to admit I am more of a web UI person myself, and all the Cisco gear I've seen so far that is suitable is beyond the price range I think they'll want to pay.  If the Netgear I mentioned above (which seems to get generally good reviews) is capable of providing good security when properly configured I would be more comfortable with it, but only if it's secure and reliable, so I will need to consider this carefully.  

I've got a lot of options to think about so this has been a really useful exercise and I'm very grateful for all the assistance you've both provided.

Good point on the power situation too, a little UPS would be a good move I think.
comphil (Author) commented:
I have not abandoned this one but the work is in progress.

I have learnt a lot from this conversation and am very grateful for the assistance provided.

I will allocate points as suggested.
comphil (Author) commented:
I have attempted to close this question but as it's now on auto-close I can't do this.

Please award points as suggested, thanks once again to Netfixr-Dani and atlas_shuddered, I'm very grateful.