New office location

seven45 asked:

We have a new business starting up that will use a portion of the office for their own use, but rent out the other offices (5-7 offices) to several small businesses, as physical offices as well as virtual offices. The idea is to provide voice and data to these separate businesses while segmenting them into their own sub-networks (for security purposes).

What is a good recommendation to go about on this?
Option 1: Several ISPs installed (one for each office), but that gets cumbersome and costly.

Option 2: Fiber or an ISP with high bandwidth (any suggestions?). Create several VLANs, subnet each office, and restrict them to their own individual office for phone and data. Can anyone elaborate on either option in terms of how to go about doing this, and more importantly, the network equipment that would work well for this? P.S. The phones can be VoIP phones if it helps.

Thanks as always for the expert advice!!

Fred Marshall (Principal, Certified Expert) commented:
Even simple, inexpensive managed switches can set up VLANs. Effectively this separates the traffic in the switch between ports so that you can have a different AND isolated set of subnets.

Something like a Cisco SFE2000 or SGE2000 would do it.
Cyrill Reiser (IT Director, Certified Expert) commented:

Yes, I agree with Marshall's comment.

If you have to buy new hardware, I suggest that you buy a router with a built-in firewall. I personally can recommend the Fortinet Fortigate 100a.

You then can configure multiple VLANs (subnets) for each office. The nice thing about the Fortigate is that you can even create separate subnets if the switch is connected to the same port.

seven45 (Author) commented:

I was hoping to get some details on the setup for option 2. Can one of you chime in on a structure or add details to the structure below?
Since I'm assuming all offices will be patched to a patch panel in the closet, I can put in a layer 2 switch with the specified VLANs below and then configure a router for inter-VLAN routing (or is inter-VLAN routing necessary, since I don't want them to talk to each other?). I would also need to incorporate voice into the mix; any ideas?
5 to 7 subnets (usable)
10.1.7.0/24
10.1.9.0/24
10.1.17.0/24
10.1.25.0/24
10.1.33.0/24
10.1.41.0/24
10.1.49.0/24
10.1.57.0/24
Cyrill Reiser (IT Director, Certified Expert) commented:

Since we use Fortinet Fortigate 100a firewalls/routers in our offices, I'm gonna give you a configuration example based on that type of hardware. Even if you use different hardware yourself, it should help you design something for your network.

The Fortigate Firewall offers the following PORTS:

- WAN1
- WAN2
- DMZ1
- DMZ2
- INTERNAL 1
- INTERNAL 2
- INTERNAL 3
- INTERNAL 4

Depending on how many switches you have available you can actually "physically" split the networks by using different INTERNAL PORTS.

Let's assume that you only have one switch available. In that case you would connect your hardware the following way:

Modem (WAN1 PORT) -> Firewall/Router (INTERNAL PORT 1) -> Switch -> Patch Panel

In the online interface of the firewall/router you can now create the VLAN networks using the internal port. Since you said you wanted the data and phones to be separate, I will name the appropriate VLANs below:


VLAN1 -> DATA-OFFICE1
Network Address: 10.1.7.0
Address Of First Host: 10.1.7.1
Address Of Last Host: 10.1.7.254
Broadcast Address: 10.1.7.255

VLAN2 -> PHONE-OFFICE1
Network Address: 10.1.9.0
Address Of First Host: 10.1.9.1
Address Of Last Host: 10.1.9.254
Broadcast Address: 10.1.9.255

VLAN3 -> DATA-OFFICE2
Network Address: 10.1.17.0
Address Of First Host: 10.1.17.1
Address Of Last Host: 10.1.17.254
Broadcast Address: 10.1.17.255

VLAN4 -> PHONE-OFFICE2
Network Address: 10.1.25.0
Address Of First Host: 10.1.25.1
Address Of Last Host: 10.1.25.254
Broadcast Address: 10.1.25.255


And so on.

VLAN5: 10.1.33.0/24
VLAN6: 10.1.41.0/24
VLAN7: 10.1.49.0/24

Depending on how you wanna set it up, you can configure a DHCP server on the firewall/router or configure it on a Windows/Linux server. Just make sure that the computers get an IP from the appropriate subnet.


The next thing you have to configure is the routing between the different networks. Since all the offices have to be secured from each other, you only have to route between the phone and data subnets. This way you can still access your VoIP phones from your data sub-network, but all access to the other subnets will be blocked.

Let me know if you need some ideas on how to configure the routing tables.


I hope this makes sense. Let me know if I need to clarify on something.

seven45 (Author) commented:

Cyrrei88: this is great info and pretty much what I wanted to get confirmation and direction on. Your comments gave a pretty clear picture. If you wouldn't mind elaborating on the routing table setup in your example, it would be much appreciated.
Cyrill Reiser (IT Director, Certified Expert) commented:

Attached you will find an example routing table.

[Attachment: Routing Table Example]

I intentionally didn't route the PHONE-OFFICE subnets to the DATA-OFFICE subnets. The reasoning behind that is that if your VoIP account or phone gets compromised, the attacker won't be able to access your DATA network. But as long as you route your DATA-OFFICE subnets to the PHONE-OFFICE subnets, you should be able to use your VoIP devices without any issues.

Another thing you have to think about is the firewall configuration. Depending on how your firewall is configured, you will probably have to create some rules for all the subnets. Similar to the routing table, you will have to grant the DATA-OFFICE subnets access to the PHONE-OFFICE subnets. Also make sure that the PHONE-OFFICE subnets are allowed to contact the VoIP registrar servers.
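The segmentation policy from the two comments above (per-office DATA and PHONE subnets, one-way DATA -> PHONE reachability inside an office, phones allowed out only to the VoIP registrar, everything else between offices denied) expressed as a small policy model so the rule set can be sanity-checked before it is typed into a firewall. This is an added example, not code from the thread or from Fortinet; the office table follows the subnets posted in the thread, and the registrar address is a constructed placeholder.

```python
"""Policy model of the per-office VLAN segmentation discussed in this thread.
Added example; the registrar address below is a constructed placeholder."""
import ipaddress

# Constructed plan following the thread: each office gets a DATA /24 and a PHONE /24.
OFFICES = {
    1: {"DATA": "10.1.7.0/24",  "PHONE": "10.1.9.0/24"},
    2: {"DATA": "10.1.17.0/24", "PHONE": "10.1.25.0/24"},
    3: {"DATA": "10.1.33.0/24", "PHONE": "10.1.41.0/24"},
}
# Assumed placeholder for the VoIP registrar the PHONE subnets must reach.
VOIP_REGISTRAR = ipaddress.ip_network("203.0.113.10/32")


def check_no_overlap(offices=OFFICES):
    """True when no two tenant subnets overlap (a silent way to break isolation)."""
    nets = [ipaddress.ip_network(s) for roles in offices.values() for s in roles.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def classify(ip, offices=OFFICES):
    """Map an address to (office number, role) or None if it is not a tenant subnet."""
    addr = ipaddress.ip_address(ip)
    for office, roles in offices.items():
        for role, subnet in roles.items():
            if addr in ipaddress.ip_network(subnet):
                return office, role
    return None


def allowed(src, dst, offices=OFFICES):
    """Decide whether a flow src -> dst is permitted by the segmentation policy."""
    s, d = classify(src, offices), classify(dst, offices)
    if s is None:
        return False                      # unknown source: default deny
    if d is None:                         # destination is outside every tenant subnet
        if s[1] == "PHONE":               # phones only talk to the registrar
            return ipaddress.ip_address(dst) in VOIP_REGISTRAR
        return True                       # assumed: DATA subnets may reach the internet
    if s == d:
        return True                       # same VLAN: switched locally, never routed
    # Only DATA -> PHONE within the same office is routed; PHONE -> DATA and any
    # cross-office traffic is denied, as the thread describes.
    return s[0] == d[0] and s[1] == "DATA" and d[1] == "PHONE"


def routing_rules(offices=OFFICES):
    """The (source subnet, destination subnet) pairs that need a route and an allow rule."""
    return [(r["DATA"], r["PHONE"]) for r in offices.values()]
```

`routing_rules()` lists exactly the entries the example routing table and firewall policy need; every other inter-subnet pair is left to the default deny.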
Cyrill Reiser (IT Director, Certified Expert) commented:

Did the above routing table help you clarify?

seven45 (Author) commented:

Thanks for the info; this helps a great deal.