Advice for new office setup



  • So I have a small project coming up and I was wondering how you'd configure the network infrastructure...

    Here's the brief:

    5x individual businesses (approx 15-20 staff each) are set to move into a shared office space.

    We're providing a 1GB bearer managed pipe with a 100/100 failover (internet connectivity is a must here) to the office, and the objective is to keep each business segregated and invisible to each other on the LAN, yet share this same pipe.

    I was thinking of using a Draytek 2860n inside our LAN as our firewall/router to control and create VLANs using each one of the ports (there are 6) to each individual office.

    Each port will be connected to its own dedicated switch to then provide connectivity to the devices in each office.

    Is this at all best practice or the appropriate way you'd configure this network?

    Your thoughts and advice are appreciated



  • Why are you putting it inside your LAN? That is asking for trouble.

    I would use something like the Ubiquiti EdgeRouter (ER-8) and then just set each port for a different LAN. Put in a basic drop all rule for inter LAN traffic and you are done. One wire to each dedicated switch and no VLANs to deal with.




  • I am assuming you are legally allowed to sublet this service in the first place.



  • @JaredBusch yes of course



  • @JaredBusch nice, thanks - I'll take a look at this



  • @JaredBusch is spot on, an eight way Ubiquiti router is cheap and gives you full enterprise routing keeping each of these customers totally separate like they should be. It's not a big investment at all, but it means not skimping or fooling around. It's how an enterprise would handle it.



  • Thanks SAM...Is this also a firewall?



  • @Joel said in Advice for new office setup:

    Thanks SAM...Is this also a firewall?

    It is a fully functional Layer 3 switch, so yes.

    Will the businesses not have their own network deployment? Normally I'd think each company would want control over their own firewall.



  • @Joel said in Advice for new office setup:

    Thanks SAM...Is this also a firewall?

    Yes. You can basically always use the term router and firewall interchangeably. There are exceptions somewhere, but I'm not aware of any on the market. All available firewalls, both hardware and software, do so by being routers (at least optionally.) And all routers include firewall functionality.



  • @travisdh1 said in Advice for new office setup:

    @Joel said in Advice for new office setup:

    Thanks SAM...Is this also a firewall?

    It is a fully functional Layer 3 switch, so yes.

    Will the businesses not have their own network deployment? Normally I'd think each company would want control over their own firewall.

    Even if they did, you'd still use the Ubiquiti on his side and they would each attach their own router to it.



  • I love this forum - thanks guys.
    Always such wise advice and speedy responses. Much appreciated.



  • If the OP is the MSP for these 5 businesses, then a single router/firewall setup as Jared suggests is the easiest. Of course any services provided by a specific business, say an onsite OwnCloud (what's the new name for it?), then a rule would be added to pass that through.

    The other option is to have the ER-8 do no firewalling at all, and each customer would have their own ER-? that someone would manage and the ER-8 upfront just splits out the connections, assuming the pipes have a dedicated IP per customer (which personally I would demand).

    Also, how does failover work? Simple web surfing I can understand, but if the clients are hosting anything onsite, there could be issues.



  • @Dashrender said in Advice for new office setup:

    assuming the pipes have a dedicated IP per customer (which personally I would demand).

    There was no assumption of that. In fact with the second connection for a failover connection, there is an implied impossibility of that.



  • So there will be a single pipe that will come into the building which comes with a failover.
    Each office will share the pipe but be its own separate entity in the building. Each office will have its own LAN (on different subnets) and use their own resources (servers, access points, NAS etc). I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?



  • @Joel I know you can use traffic shaping with an ER-8 (I have one at home). I have never seen it done outside of VLANs though. I'm sure you can but wait for someone who has actually done it to reply.



  • @Joel said in Advice for new office setup:

    I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?

    Is that a good idea? That means that everyone gets poor performance. Do you really want the network to be split into eight slices and no one gets good performance? That means that an 80/80 pipe turns into eight 10/10 pipes. That just sucks. Letting everyone have access to everything is way better, 99% of the time, and why pretty much all ISPs handle things in that way.



  • @scottalanmiller said in Advice for new office setup:

    @Joel said in Advice for new office setup:

    I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?

    Is that a good idea? That means that everyone gets poor performance. Do you really want the network to be split into eight slices and no one gets good performance? That means that an 80/80 pipe turns into eight 10/10 pipes. That just sucks. Letting everyone have access to everything is way better, 99% of the time, and why pretty much all ISPs handle things in that way.

    I was wondering about this as well, but from the OP, not the more recent post.

    I'm assuming there is a way to ensure minimum bandwidth - right? I guess you would want to ensure that each line has a minimum of something available so you don't run into an issue where one company decides to suck up 95% of the bandwidth.



  • @Dashrender said in Advice for new office setup:

    @scottalanmiller said in Advice for new office setup:

    @Joel said in Advice for new office setup:

    I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?

    Is that a good idea? That means that everyone gets poor performance. Do you really want the network to be split into eight slices and no one gets good performance? That means that an 80/80 pipe turns into eight 10/10 pipes. That just sucks. Letting everyone have access to everything is way better, 99% of the time, and why pretty much all ISPs handle things in that way.

    I was wondering about this as well, but from the OP, not the more recent post.

    I'm assuming there is a way to ensure minimum bandwidth - right? I guess you would want to ensure that each line has a minimum of something available so you don't run into an issue where one company decides to suck up 95% of the bandwidth.

    Yeah, some basic QOS should cover that, and be easy to set up. I don't have a Ubiquiti router to try it with tho.



  • @travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?

    4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.

    Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?



  • @wirestyle22 said in Advice for new office setup:

    @travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?

    4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.

    Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?

    That's ideally how you want to do it, let everyone use 100% if no one else is using it. And have them all agree to prioritize RTP traffic no matter whose it is or why.



  • @scottalanmiller said in Advice for new office setup:

    @wirestyle22 said in Advice for new office setup:

    @travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?

    4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.

    Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?

    That's ideally how you want to do it, let everyone use 100% if no one else is using it. And have them all agree to prioritize RTP traffic no matter whose it is or why.

    So it's @Joel's responsibility to judge when bandwidth upgrades are needed? What if the bandwidth usage is way higher for one company but others are within their normal ranges? Are you going to charge them based on the percentage of bandwidth used @Joel? Seems hard to manage that.



  • @wirestyle22 said in Advice for new office setup:

    @scottalanmiller said in Advice for new office setup:

    @wirestyle22 said in Advice for new office setup:

    @travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?

    4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.

    Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?

    That's ideally how you want to do it, let everyone use 100% if no one else is using it. And have them all agree to prioritize RTP traffic no matter whose it is or why.

    So it's @Joel's responsibility to judge when bandwidth upgrades are needed? What if the bandwidth usage is way higher for one company but others are within their normal ranges? Are you going to charge them based on the percentage of bandwidth used @Joel? Seems hard to manage that.

    That's what IT does normally. Think about an ISP, how is it normally handled? @joel is the ISP in this situation.



  • @scottalanmiller said in Advice for new office setup:

    @wirestyle22 said in Advice for new office setup:

    @scottalanmiller said in Advice for new office setup:

    @wirestyle22 said in Advice for new office setup:

    @travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?

    4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.

    Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?

    That's ideally how you want to do it, let everyone use 100% if no one else is using it. And have them all agree to prioritize RTP traffic no matter whose it is or why.

    So it's @Joel's responsibility to judge when bandwidth upgrades are needed? What if the bandwidth usage is way higher for one company but others are within their normal ranges? Are you going to charge them based on the percentage of bandwidth used @Joel? Seems hard to manage that.

    That's what IT does normally. Think about an ISP, how is it normally handled? @joel is the ISP in this situation.

    It just sounds odd to me



  • @wirestyle22 said in Advice for new office setup:

    @scottalanmiller said in Advice for new office setup:

    @wirestyle22 said in Advice for new office setup:

    @scottalanmiller said in Advice for new office setup:

    @wirestyle22 said in Advice for new office setup:

    @travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?

    4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.

    Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?

    That's ideally how you want to do it, let everyone use 100% if no one else is using it. And have them all agree to prioritize RTP traffic no matter whose it is or why.

    So it's @Joel's responsibility to judge when bandwidth upgrades are needed? What if the bandwidth usage is way higher for one company but others are within their normal ranges? Are you going to charge them based on the percentage of bandwidth used @Joel? Seems hard to manage that.

    That's what IT does normally. Think about an ISP, how is it normally handled? @joel is the ISP in this situation.

    It just sounds odd to me

    ISPs do exactly this over a huge range of users. The only thing weird here is that there are only eight of them. This is a much more casual situation, I'm sure. But an ISP sells you a connection, say 100/100. They don't promise ANY level of overcommitting or even that they have 100/100 to provide to you. You get 100/100 to the ISP, nothing more. @joel's customers will get GigE between each other, and share what goes out on the WAN.

    He can limit each of them and charge more for more, but that would just screw everyone. Everyone would lose, a lot. Because they'd have to pay for SO much more than they could use, causing it to be totally wasted.



  • So, we're actually going for a 1GB bearer so each office will have a super super super amount of bandwidth to play with.
    I will probably let it all open as SAM suggested and apply some QOS to prioritise phone and data traffic (can this also be done on Ubiquiti ER8?).

    I will however limit the guest network in the building to only consume say 8mb for example as I don't want guests using much at all.

    The guys are VERY heavy internet users and need a super quick and reliable network to work from so need a reliable and secure base infrastructure



  • @Joel said in Advice for new office setup:

    So, we're actually going for a 1GB bearer so each office will have a super super super amount of bandwidth to play with.
    I will probably let it all open as SAM suggested and apply some QOS to prioritise phone and data traffic (can this also be done on Ubiquiti ER8?).

    Yes.

    I haven't heard of any switches failing in years now. Failed due to bad configuration/wiring/heat/cold yes. Anyone around here actually had a switch go bad on them?

    The cold thing, someone thought it would be a good idea to keep the window open in the middle of winter to attempt to cool the server room. He came home one day to 2 feet of snow sitting inside the room (melting), and a nice large pile on top of the main Cisco switch.



  • @travisdh1 Same here, haven't lost a switch in many years.



  • @Joel said in Advice for new office setup:

    So, we're actually going for a 1GB bearer so each office will have a super super super amount of bandwidth to play with.
    I will probably let it all open as SAM suggested and apply some QOS to prioritise phone and data traffic (can this also be done on Ubiquiti ER8?).

    Yes, by protocol for example. Prioritize RTP the most.



  • @Joel said in Advice for new office setup:

    I will however limit the guest network in the building to only consume say 8mb for example as I don't want guests using much at all.

    That makes sense, you don't want guests getting comfortable and using a lot even if no one else is using it.
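
An added example, not part of the original thread: a simplified Python model of the sharing behaviour discussed in the posts above (the 10/10/10/70 case with 25% guarantees, and a guest network with a hard cap). It is not EdgeOS's scheduler; the `allocate` function, the class names and the 100 and 1000 Mbit/s link sizes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class TrafficClass:
    name: str
    guarantee: float  # Mbit/s this class can always get under contention
    ceiling: float    # Mbit/s hard cap, enforced even on an idle link
    demand: float     # Mbit/s the class is trying to send right now

def allocate(link: float, classes: list[TrafficClass]) -> dict[str, float]:
    """Guarantee first, then lend spare capacity out in equal rounds."""
    if sum(c.guarantee for c in classes) > link:
        raise ValueError("guarantees oversubscribe the link")
    # Step 1: each class gets what it asks for, up to its guarantee.
    alloc = {c.name: min(c.demand, c.guarantee, c.ceiling) for c in classes}
    # Step 2: classes still wanting more borrow from the unused remainder.
    want = {c.name: min(c.demand, c.ceiling) - alloc[c.name] for c in classes}
    spare = link - sum(alloc.values())
    hungry = sorted(n for n, w in want.items() if w > 1e-9)
    while spare > 1e-9 and hungry:
        share = spare / len(hungry)
        for n in hungry:
            give = min(share, want[n])
            alloc[n] += give
            want[n] -= give
            spare -= give
        hungry = [n for n in hungry if want[n] > 1e-9]
    return {n: round(v, 3) for n, v in alloc.items()}

def four_tenants(demands):
    # Constructed scenario: 100 Mbit/s link, four tenants guaranteed 25 each.
    names = ["A", "B", "C", "D"]
    return allocate(100, [TrafficClass(n, 25, 100, d) for n, d in zip(names, demands)])

def with_guest():
    # Constructed scenario: 1000 Mbit/s link, guest class capped at 8 Mbit/s.
    classes = [TrafficClass(f"office{i}", 150, 1000, 0) for i in range(2, 6)]
    classes += [TrafficClass("office1", 150, 1000, 1000),
                TrafficClass("guest", 0, 8, 500)]
    return allocate(1000, classes)

if __name__ == "__main__":
    print(four_tenants([10, 10, 10, 100]))     # one busy tenant borrows idle capacity
    print(four_tenants([100, 100, 100, 100]))  # full contention: guarantees hold
    print(with_guest())                        # guest never exceeds its ceiling
```

With a guarantee the 25% figure acts as a floor under contention rather than a cap; only the `ceiling` value limits a class when the link is otherwise idle.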



  • @travisdh1 I haven't ever had a switch die on me.

