Need Help on segmented network/VLAN setup

QuiteSufficient

Sufficiently [H]ard
Joined
Mar 2, 2001
Messages
5,152
This is my fourth attempt at this and I never seem to get it quite right - frustrating.

I get a lot of work from a property management company. They divide old, dilapidated buildings into smaller, executive suites which seem to rent much better. In most cases they can only secure a single AT&T fiber line.

I am tasked with dividing the fiber connection between several suites where each suite is given their own private network.

This scenario:

  • AT&T 20/20 fiber
  • 48 CAT6 for data and 24 CAT6 for phone
  • 10 rooms divided into 4 suites, data and phone pretty evenly split up

I need to segment the one internet connection into 4 parts. All of the voice and data from each of those suites needs to be on their own network. They will all share one internet connection and...I hope...one DHCP server? I am not providing wireless, just hookup points in the walls.

These are not situations where people will be running their own complex environments. Each business uses only a few rooms. I do not think there will ever be domains, complicated servers, or anything of that realm.

This is my plan:

[diagram image: proposed network layout]


This seems stupidly complicated for such a fairly simple environment, but I can't see how else to do it. Do I need tagging in an environment like this? From what I read it seems like as long as a port on the managed switch is set to a VLAN it will divide any traffic below that.

Is there a simpler way to do this? That is a lot of switches, but they also aren't very expensive. Also a lot of failure points if one of them were to expire. The reason I want to do the separate VoIP and data VLANs is for QoS, and it is likely individual tenants will have their own phone solutions.
 
is all the cabling centralized?

also need details on the router
 
72 Ethernet/VoIP ports on a 20/20 connection? God bless your support personnel when a few of them try using that data pipe at the same time.
 
Your diagram looks complicated in that it is wordy. It isn't complicated in a logical way. What is that going to cost you? Find out how many tech rooms you have and the number of voice and data runs going to each room. That will help plan port density on the switches. I've heard good things about Cisco small business switches. You can get by with one DHCP server as long as the link to it is tagged and the server is set up that way also.
 
Just some things off the top of my head -

-What does the ATT Fiber Router do? DHCP? NAT? Or does it simply pass through a public IP to whatever device is connected?
-You will need something to route those VLANs to ATT. Based on your diagram, this will be up to the switch (operating in Layer 3 mode) but I would not recommend this. It would be better to either get a pfSense box or small ASA5505 with a Security Plus license to handle all of this as well as DHCP + NAT
-It's generally not a good idea to use VLAN1. Use a different tag
-Will devices on different internal VLANs need to be able to talk to each other? (Goes back to my point above)
-The phones attached to the "dumb" switches - do they have data ports on them that users will attach their PCs to? If this is the case, this will not work unless you want to mix your data/voice broadcast domains
-If you are going to use VLANs, it is generally a good idea to use switches capable of tagging throughout your topology and not "dumb" switches. This also helps with other protocols such as spanning tree - right now, if someone were to create a broadcast storm on one of those TP-Link switches, it may bring down your entire VLAN. If you had STP enabled all the way down, the switch facing the offending party could block the offending port on the "bottom" of your topology rather than having the Cisco switch at the "top" blocking the port attached to an entire TP-Link switch along with all of the users connected to that switch
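The tagging question from the first post ("Do I need tagging?") and the VLAN1 advice above come down to what an 802.1Q tag is and what a trunk does with it. The following is an added walk-through, not code from this thread or from any switch vendor: it builds frames by hand, models an access port and a trunk port, and shows (a) that one trunk wire to the router carries every suite's VLAN with distinct tags, (b) where the PCP bits that voice QoS keys on live, and (c) the classic reason the trunk's native VLAN should be a VLAN no access port uses. The VLAN numbers (20/30 data, 120/130 voice, 999 as an unused native VLAN), MAC addresses and payloads are constructed for illustration.

```python
"""
802.1Q tagging walk-through for the tenant-VLAN design discussed above.
Added example, not code from the thread or any vendor. VLAN numbers
(20/30 data, 120/130 voice, 999 as an unused trunk native VLAN), MACs and
payloads are constructed for illustration. Frame layout follows IEEE 802.1Q:
a 4-byte tag (TPID 0x8100, then 3-bit PCP, 1-bit DEI, 12-bit VID) sits
between the source MAC and the EtherType.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_untagged(dst_mac, src_mac, ethertype, payload):
    """Plain Ethernet II frame, as a PC on an access port sends it."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the MAC addresses."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VID must be 1..4094 and PCP 0..7")
    tci = (pcp << 13) | vid            # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (vid, pcp, ethertype, payload); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def strip_tag(frame):
    """Remove the outermost tag, if present."""
    return frame if parse_frame(frame)[0] is None else frame[:12] + frame[16:]


# Minimal model of the ports in the design: access ports for the suites and one
# 802.1Q trunk to the router. Whatever follows the MACs is treated as payload on
# access ingress, which is exactly how the classic native-VLAN double-tag hop works.

def access_ingress(frame, pvid, pcp=0):
    return tag_frame(frame, pvid, pcp)


def trunk_egress(frame, allowed, native):
    """Forward tagged; the native VLAN goes out untagged; everything else drops."""
    vid = parse_frame(frame)[0]
    if vid is None or vid not in allowed:
        return b""
    return strip_tag(frame) if vid == native else frame


def trunk_ingress(frame, allowed, native):
    """Untagged frames arriving on a trunk are assigned to the native VLAN."""
    vid = parse_frame(frame)[0]
    if vid is None:
        return tag_frame(frame, native)
    return frame if vid in allowed else b""


def vlan_at_router(frame, pvid, allowed, native):
    """VLAN the router-side device files this frame under, or None if dropped."""
    wire = trunk_egress(access_ingress(frame, pvid), allowed, native)
    if not wire:
        return None
    arrived = trunk_ingress(wire, allowed, native)
    return parse_frame(arrived)[0] if arrived else None


# Constructed sample traffic
PC_A, PHONE_A, ROUTER = (bytes.fromhex(m) for m in
                         ("020000000001", "020000000002", "020000000099"))
ALLOWED = {20, 30, 120, 130, 999}


def demo():
    data = build_untagged(ROUTER, PC_A, ETHERTYPE_IPV4, b"tenant-A http")
    voice = build_untagged(ROUTER, PHONE_A, ETHERTYPE_IPV4, b"tenant-A rtp")
    data_vid = vlan_at_router(data, 20, ALLOWED, 999)
    # Phone port: same trunk, tagged into the voice VLAN with PCP 5 so switches
    # and router can prioritise it (the QoS reason for a separate voice VLAN).
    voice_pcp = parse_frame(access_ingress(voice, 120, pcp=5))[1]
    # A suite-A host hands the switch a frame already tagged for suite B's VLAN.
    crafted = tag_frame(data, 30)
    hop_safe = vlan_at_router(crafted, 20, ALLOWED, 999)        # stays in 20
    hop_bad = vlan_at_router(crafted, 1, ALLOWED | {1}, 1)       # lands in 30
    return data_vid, voice_pcp, hop_safe, hop_bad


if __name__ == "__main__":
    print(demo())
```

Running it prints `(20, 5, 20, 30)`: with an unused native VLAN the crafted frame stays inside the sender's own VLAN, but with the default (native VLAN 1 on the trunk and a tenant port left on VLAN 1) the outer tag is stripped on the trunk and the inner tag puts the frame into the other suite's VLAN. The usual mitigations are a native VLAN that no access port uses and tagging the native VLAN on the trunk (on Cisco IOS, `vlan dot1q tag native`); real switches also typically drop or restrict pre-tagged frames on access ports, which the model deliberately does not do.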
 
72 Ethernet/VoIP ports on a 20/20 connection? God bless your support personnel when a few of them try using that data pipe at the same time.

You probably aren't from Southern California...that 20/20 is costing $800/month here.
 
Just some things off the top of my head -

-What does the ATT Fiber Router do? DHCP? NAT? Or does it simply pass through a public IP to whatever device is connected?

I don't know what it CAN do. They are only big on me using it to pass on public IPs. I do need a router. Still researching what to use. The Netgear router/firewall units I have used at the last few jobs have failed within months.


-You will need something to route those VLANs to ATT. Based on your diagram, this will be up to the switch (operating in Layer 3 mode) but I would not recommend this. It would be better to either get a pfSense box or small ASA5505 with a Security Plus license to handle all of this as well as DHCP + NAT

I will look into this.

-It's generally not a good idea to use VLAN1. Use a different tag

Ok

-Will devices on different internal VLANs need to be able to talk to each other? (Goes back to my point above)

No the whole point is not to let devices on VLAN 2 talk to devices on VLAN 3.

-The phones attached to the "dumb" switches - do they have data ports on them that users will attach their PCs to? If this is the case, this will not work unless you want to mix your data/voice broadcast domains

No they will not. I may not do anything with phones except punch them down for now since I have no way of knowing what people will do. Some may use analog phone systems.

-If you are going to use VLANs, it is generally a good idea to use switches capable of tagging throughout your topology and not "dumb" switches. This also helps with other protocols such as spanning tree - right now, if someone were to create a broadcast storm on one of those TP-Link switches, it may bring down your entire VLAN. If you had STP enabled all the way down, the switch facing the offending party could block the offending port on the "bottom" of your topology rather than having the Cisco switch at the "top" blocking the port attached to an entire TP-Link switch along with all of the users connected to that switch

I understand this but it also increases the cost of the project from hundreds to thousands.
 
AT&T Fiber 20 MEGABITS symmetrical in North San Diego County runs about $800, 50 about $1100, and 100 $1500-2000 at any business I've serviced.

I don't know if you are familiar with the area but there are many corridors in North San Diego County where 3 and 6mbps DSL are the only option available to industrial/manufacturing businesses without paying for fiber buildout.
 
You probably want to avoid using VLAN 1 as it's usually used for management by default; apart from that it looks good unless you want to do things overly complicated. Unless hardware is already purchased I would strongly advise you to get managed switches, which will save you a lot of headache when doing diagnostics (even remotely). That will however be more expensive; it doesn't need to be a super high-end switch, however. Given the diagram above I guess you're looking at the TL-SG1024 which runs for about $100? A Zyxel GS1910-24 will set you back $180, but those 80 bucks per switch are well spent in the end. The VoIP switches should also be managed, but if cost is an issue the Zyxel GS1100-16 is a pretty decent choice and still a jump from the TP-Link switches.

As far as the router goes, it's going to be a bit tricky depending on what you want to achieve.
 
You are going to have to do some QoS to get that to work.
If any of those companies are covered by PCI in the US then VLAN separation is not good enough; you have to use firewalls.
 
Just did a very similar scenario for a client. 12 offices in one building with a symmetrical 10x10 fiber connection. Used a SonicWall TZ300 connected to the main switch, then had each business provide its own router, each of which was fed a reserved DHCP address. This allowed us to throttle the traffic for each individual business. The other benefit is that if they ever got a different or faster internet connection, it would be very easy to change.

The cost of such a scenario was their main concern. They were told to just VLAN the suites, which is not a good solution as it didn't actually solve their issues of slowness. It only addressed some of their security concerns. They had the choice to either purchase the SonicWall outright, or do it as a service.
 
I would consider using a pfSense box with two 4-port Intel NICs and the onboard NIC for internet, with the AT&T router in pass-through mode if at all possible.
Give the phone networks higher QoS than the others.
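Several replies above say the same two things about the shared 20/20 pipe: give the phones priority, and throttle each business so one greedy tenant cannot soak up the link. The simulation below is an added example, not pfSense or SonicWall configuration, showing why plain FIFO fails the phones and how a strict-priority voice queue in front of per-tenant token buckets behaves. The 20 Mbps link, the 6 Mbps per-tenant cap, the 2 Mbps voice policer, the offered loads and the buffer size are constructed assumptions, and traffic is modelled as bytes per 1 ms tick rather than packets.

```python
"""
Sharing one 20/20 link between four suites and their phones, as the posts
above describe (voice given priority, each business throttled). Added example,
not pfSense or SonicWall configuration. The link rate, the 6 Mbps per-tenant
cap, the 2 Mbps voice policer, the offered loads and the buffer size are
constructed assumptions; traffic is modelled as bytes per 1 ms tick.
"""
LINK_MBPS = 20
TICKS_PER_SECOND = 1000


def mbps_to_bytes_per_tick(mbps):
    return int(mbps * 1_000_000) // 8 // TICKS_PER_SECOND


LINK_PER_TICK = mbps_to_bytes_per_tick(LINK_MBPS)      # 2500 bytes per ms

# Constructed offered load in Mbps: suite A is greedy, B modest, C and D idle.
OFFERED = {"voice": 1.0, "suite_a": 25.0, "suite_b": 3.0, "suite_c": 0.0, "suite_d": 0.0}


def fifo_sent(offered, ticks=TICKS_PER_SECOND):
    """No QoS: a single queue shares the pipe in proportion to offered load,
    so the phones lose the same share of their bytes as the greedy tenant."""
    per_tick = {k: mbps_to_bytes_per_tick(v) for k, v in offered.items()}
    total = sum(per_tick.values())
    if total <= LINK_PER_TICK:
        return {k: v * ticks for k, v in per_tick.items()}
    return {k: v * LINK_PER_TICK // total * ticks for k, v in per_tick.items()}


class ShapedQueue:
    """Token bucket (rate cap plus a short burst) in front of a finite buffer."""

    def __init__(self, cap_mbps, burst_ticks=10, buffer_bytes=50_000):
        self.rate = mbps_to_bytes_per_tick(cap_mbps)
        self.bucket = self.tokens = self.rate * burst_ticks
        self.buffer = buffer_bytes
        self.backlog = self.sent = self.dropped = 0

    def enqueue(self, nbytes):
        taken = min(nbytes, self.buffer - self.backlog)
        self.backlog += taken
        self.dropped += nbytes - taken          # tail drop when the buffer is full

    def refill(self):
        self.tokens = min(self.bucket, self.tokens + self.rate)

    def need(self):
        return min(self.backlog, self.tokens)

    def send(self, nbytes):
        self.backlog -= nbytes
        self.tokens -= nbytes
        self.sent += nbytes


def qos_sent(offered, voice_cap_mbps=2.0, tenant_cap_mbps=6.0, ticks=TICKS_PER_SECOND):
    """Strict-priority voice (policed so it cannot starve data) is served first,
    then the tenants share what is left max-min fairly, each inside its cap."""
    arrivals = {k: mbps_to_bytes_per_tick(v) for k, v in offered.items()}
    queues = {k: ShapedQueue(voice_cap_mbps if k == "voice" else tenant_cap_mbps)
              for k in offered}
    for _ in range(ticks):
        for name, q in queues.items():
            q.enqueue(arrivals[name])
            q.refill()
        budget = LINK_PER_TICK
        voice = queues["voice"]
        give = min(voice.need(), budget)
        voice.send(give)
        budget -= give
        active = [q for name, q in queues.items() if name != "voice" and q.need() > 0]
        while budget > 0 and active:                # integer water-filling
            share = budget // len(active)
            if share == 0:
                break
            for q in list(active):
                give = min(share, q.need())
                q.send(give)
                budget -= give
                if q.need() == 0:
                    active.remove(q)
    return {name: q.sent for name, q in queues.items()}


def delivered_fraction(sent, offered, ticks=TICKS_PER_SECOND):
    """Share of each class's offered bytes that made it onto the link."""
    return {k: (sent[k] / (mbps_to_bytes_per_tick(v) * ticks) if v else 1.0)
            for k, v in offered.items()}


if __name__ == "__main__":
    print("fifo", delivered_fraction(fifo_sent(OFFERED), OFFERED))
    print("qos ", delivered_fraction(qos_sent(OFFERED), OFFERED))
```

With these loads the FIFO case delivers under 70% of the voice bytes (the phones suffer exactly as much as the tenant causing the congestion), while the shaped case delivers all of the voice and holds suite A to its 6 Mbps cap plus one burst, leaving suite B's 3 Mbps untouched. The cap is what makes the 20/20 link predictable per business; the voice policer is what stops a tenant's phone VLAN from being used to starve everyone else's data.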
 
You are going to have to do some QoS to get that to work.
If any of those companies are covered by PCI in the US then VLAN separation is not good enough; you have to use firewalls.

This is a very good point. Something to go over with the tenants for sure.
 
Now also considering a pfSense box then a single Cisco 48-port switch with VLANs. I think I can keep everything to 48 data ports or less, and I could accomplish all of my data VLANs (4 of them) on this one switch. That would eliminate smart vs dumb switches in the topology, but also put a lot of processing load on that single switch (but I guess no different than having the 10-port upstream from the dumb switches).

Something like this - this example is just for Data

[diagram image: single 48-port switch with four data VLANs trunked to pfSense]


The old Dell 1U units I have only have a dual NIC, but I could get more NICs for them. I am only routing to a 20 Mbps connection; is it important to have a NIC port per VLAN in this scenario?

My understanding is the 4 VLANs I create on the Cisco switch would be 10-12 ports each untagged/access. Then I would have one port going to and from the pfSense box tagged for all four VLANs on each side.
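In the layout just described the switch only separates broadcast domains; the firewall on the other end of the tagged link is what actually decides whether suite A can reach suite B, which is also the point of the earlier PCI remark and of the "one DHCP server over a tagged link" answer. The following is an added model, not pfSense code or an export of its configuration: it keeps pfSense's rule semantics (rules evaluated per ingress interface in order, first match wins, unmatched traffic dropped) and evaluates a few constructed flows against the tempting "pass any" ruleset and against a ruleset that isolates the suites. Subnets, VLAN IDs, ports and sample addresses are all constructed.

```python
"""
Per-tenant firewall policy for the "pfSense plus one 48-port switch" layout
described above. Added example, not pfSense code or an export of its
configuration. The subnets, VLAN IDs, ports and sample flows are constructed.
The model keeps the rule semantics the design depends on: rules are evaluated
per ingress interface in order, the first match wins, and anything unmatched
is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One /24 per suite on its own 802.1Q VLAN, all routed by the firewall at .1.
# Because each VLAN is a separate interface on the firewall, one DHCP server
# (the firewall's own) can hand out a scope per VLAN over the single tagged link.
TENANTS = {
    "suite_a": ("10.10.20.0/24", 20),
    "suite_b": ("10.10.30.0/24", 30),
    "suite_c": ("10.10.40.0/24", 40),
    "suite_d": ("10.10.50.0/24", 50),
}


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "any", "tcp" or "udp"
    dst: str                 # "any", "rfc1918", "self" (this VLAN's gateway) or a CIDR
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def iface_for(ip):
    """Which firewall interface a source address arrives on."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _vid) in TENANTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "wan"


def gateway_of(iface):
    return ipaddress.ip_network(TENANTS[iface][0])[1]


def matches(rule, flow, iface):
    dst = ipaddress.ip_address(flow.dst)
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "rfc1918":
        return any(dst in net for net in RFC1918)
    if rule.dst == "self":
        return dst == gateway_of(iface)
    return dst in ipaddress.ip_network(rule.dst)


def evaluate(policy, flow):
    """First matching rule on the ingress interface decides; default deny."""
    iface = iface_for(flow.src)
    for rule in policy.get(iface, []):
        if matches(rule, flow, iface):
            return rule.action
    return "block"


def loose_policy():
    """The tempting 'pass any' per tenant interface. Tenants reach the internet,
    but the firewall also routes between its own VLAN interfaces, so suite A
    reaches suite B: the VLAN tags alone do not isolate anyone here."""
    return {t: [Rule("pass", "any", "any")] for t in TENANTS}


def isolated_policy():
    """Allow only this VLAN's gateway for DHCP renewals and DNS, block every
    other private destination (other suites, other gateways, the admin GUI),
    then let the remainder out to the internet. The isolation a PCI assessor
    asks about lives in this rule order, not in the switch."""
    base = [
        Rule("pass", "udp", "self", 67),
        Rule("pass", "udp", "self", 53),
        Rule("pass", "tcp", "self", 53),
        Rule("block", "any", "rfc1918"),
        Rule("pass", "any", "any"),
    ]
    return {t: list(base) for t in TENANTS}


# Constructed sample flows (203.0.113.10 is a documentation address)
SAMPLE_FLOWS = {
    "a_to_internet": Flow("10.10.20.15", "203.0.113.10", "tcp", 443),
    "a_to_b_smb": Flow("10.10.20.15", "10.10.30.7", "tcp", 445),
    "a_dns": Flow("10.10.20.15", "10.10.20.1", "udp", 53),
    "a_to_b_gateway_gui": Flow("10.10.20.15", "10.10.30.1", "tcp", 443),
    "c_dhcp_renew": Flow("10.10.40.9", "10.10.40.1", "udp", 67),
}


def report(policy):
    return {name: evaluate(policy, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, pol in (("loose", loose_policy()), ("isolated", isolated_policy())):
        print(label, report(pol))
```

The loose policy passes every sample flow, including SMB from suite A to suite B and a connection to suite B's gateway address; the isolated policy passes only the internet, DNS and DHCP-renewal flows. Two things the model leaves out on purpose: pfSense adds its own automatic rules (for the DHCP server's broadcast traffic and the anti-lockout rule), and the initial DHCP DISCOVER from 0.0.0.0 is not represented, only unicast renewals to the VLAN's gateway. Whatever router is chosen, the check to run is the same one `report()` does: a host in one suite must not be able to reach any address in another suite's subnet or any of the firewall's other interface addresses.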
 
So lets start at the Gateway and move in so this makes some sense.
Starting Questions:
1. How many drops per space are required (Total for Voice, and Total for Data)?
2. What is the total budget?

Just some thoughts, in all honesty if the users are going to be providing a lot of their own services then I would change the unmanaged switches to a smart switch where you can just give them 24-48 ports and have it split with two different uplinks for each VLAN. I do like the idea of the way you set it up but there might be a better way with less equipment. When I get home I can draw something up, just don't have the capability at work right now.
 
I think you need to plan for a scenario where multiple suites are rented by the same tenant, and are required to be on the same VLAN
 
I think you need to plan for a scenario where multiple suites are rented by the same tenant, and are required to be on the same VLAN

This also just made me think.

"Well what if a company opens a small regional office and has network requirements?"

I have an idea how I would do this whole setup, but now I am wondering if it just wouldn't be better for you to just create 4 patch panels and a demarc space and have the tenants be responsible for their own internet connection.

You could create 4 different patch panels for each space and make a whole nice area for mounting of gear and other equipment.
 
Also: If you are doing VoIP, are the switches that the phones are connecting to PoE?
 
20/20 isn't a bad connection, that's fiber with a nice SLA... that said, if I were you I may run dual WAN and supplement it with a biz-class cable connection

another 50 or so download for prob less than $150 would be nice to work with

definitely have any voip routing over your fiber though, if you're going off site with it
 