Advice for new office setup
-
So I have a small project coming up and I was wondering how you'd configure the network infrastructure...
Here's the brief:
5x individual businesses (approx 15-20 staff each) are set to move into a shared office space.
We're providing a 1GB bearer managed pipe with a 100/100 failover (internet connectivity is a must here) to the office, and the objective is to keep each business segregated and invisible to each other on the LAN, yet share this same pipe.
I was thinking of using a Draytek 2860n inside our LAN as our firewall/router to control and create VLANs using each one of the ports (there are 6) to each individual office.
Each port will be connected to its own dedicated switch to then provide connectivity to the devices in each office.
Is this at all best practice or the appropriate way you'd configure this network?
Your thoughts and advice are appreciated.
-
Why are you putting it inside your LAN? That is asking for trouble.
I would use something like the Ubiquiti EdgeRouter (ER-8) and then just set each port for a different LAN. Put in a basic drop all rule for inter-LAN traffic and you are done. One wire to each dedicated switch and no VLANs to deal with.
-
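A way to check the "drop all inter-LAN traffic" rule suggested above, as an added example that is not part of the original thread: a small first-match rule model that probes every office-to-office pair. The 10.0.x.0/24 subnets, office names and rule tuples are constructed for illustration and are not EdgeRouter syntax.

```python
import ipaddress
from itertools import permutations

# Constructed addressing plan (hypothetical): one routed /24 per office port.
TENANTS = {f"office{i}": ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(1, 6)}

def first_match(rules, dst, default="accept"):
    """Action of the first (action, network) rule whose network contains dst."""
    for action, network in rules:
        if dst in ipaddress.ip_network(network):
            return action
    return default  # anything not matched is internet-bound and allowed

def leaks(rules_by_tenant):
    """Ordered (src, dst) office pairs that the per-port rules would still forward."""
    found = []
    for src, dst in permutations(TENANTS, 2):
        probe = TENANTS[dst].network_address + 10  # a host in the other office
        if first_match(rules_by_tenant[src], probe) != "drop":
            found.append((src, dst))
    return found

def per_subnet_rules():
    """One drop rule per other office, enumerated by hand."""
    return {name: [("drop", str(net)) for other, net in TENANTS.items() if other != name]
            for name in TENANTS}

def stale_rules():
    """Same, but office5 moved in later and the older ports were never updated."""
    office5 = str(TENANTS["office5"])
    return {name: [r for r in rules if r[1] != office5]
            for name, rules in per_subnet_rules().items()}

def supernet_rules():
    """A single drop for the whole tenant range covers offices added later."""
    return {name: [("drop", "10.0.0.0/16")] for name in TENANTS}

if __name__ == "__main__":
    for label, rules in [("per-subnet", per_subnet_rules()), ("stale", stale_rules()),
                         ("supernet", supernet_rules())]:
        print(label, leaks(rules))
```

The stale variant shows why a drop rule keyed to the whole private range is safer than a hand-maintained list: the four older offices can still reach the newest one until someone remembers to update their ports.
-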
I am assuming you are legally allowed to sublet this service in the first place.
-
@JaredBusch yes of course
-
@JaredBusch nice, thanks - I'll take a look at this
-
@JaredBusch is spot on, an eight way Ubiquiti router is cheap and gives you full enterprise routing keeping each of these customers totally separate like they should be. It's not a big investment at all, but it means not skimping or fooling around. It's how an enterprise would handle it.
-
Thanks SAM...Is this also a firewall?
-
@Joel said in Advice for new office setup:
Thanks SAM...Is this also a firewall?
It is a fully functional Layer 3 switch, so yes.
Will the businesses not have their own network deployment? Normally I'd think each company would want control over their own firewall.
-
@Joel said in Advice for new office setup:
Thanks SAM...Is this also a firewall?
Yes. You can basically always use the term router and firewall interchangeably. There are exceptions somewhere, but I'm not aware of any on the market. All available firewalls, both hardware and software, do so by being routers (at least optionally.) And all routers include firewall functionality.
-
@travisdh1 said in Advice for new office setup:
@Joel said in Advice for new office setup:
Thanks SAM...Is this also a firewall?
It is a fully functional Layer 3 switch, so yes.
Will the businesses not have their own network deployment? Normally I'd think each company would want control over their own firewall.
Even if they did, you'd still use the Ubiquiti on his side and they would each attach their own router to it.
-
I love this forum - thanks guys.
Always such wise advice and speedy responses. Much appreciated.
-
If the OP is the MSP for these 5 businesses, then a single router/firewall setup as Jared suggests is the easiest. Of course any services provided by a specific business, say an onsite OwnCloud (what's the new name for it?), then a rule would be added to pass that through.
The other option is to have the ER-8 do no firewalling at all, and each customer would have their own ER-? that someone would manage and the ER-8 upfront just splits out the connections, assuming the pipes have a dedicated IP per customer (which personally I would demand).
Also, how does failover work? Simple web surfing I can understand, but if the clients are hosting anything onsite, there could be issues.
-
@Dashrender said in Advice for new office setup:
assuming the pipes have a dedicated IP per customer (which personally I would demand).
There was no assumption of that. In fact with the second connection for a failover connection, there is an implied impossibility of that.
-
So there will be a single pipe that will come into the building which comes with a failover.
Each office will share the pipe but be its own separate entity in the building. Each office will have its own LAN (on different subnets) and use their own resources (servers, access points, NAS, etc.). I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?
-
@Joel I know you can use traffic shaping with an ER-8 (I have one at home). I have never seen it done outside of vlans though. I'm sure you can but wait for someone who has actually done it to reply.
-
@Joel said in Advice for new office setup:
I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?
Is that a good idea? That means that everyone gets poor performance. Do you really want the network to be split into eight slices and no one gets good performance? That means that an 80/80 pipe turns into eight 10/10 pipes. That just sucks. Letting everyone have access to everything is way better, 99% of the time, and why pretty much all ISPs handle things in that way.
-
@scottalanmiller said in Advice for new office setup:
@Joel said in Advice for new office setup:
I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?
Is that a good idea? That means that everyone gets poor performance. Do you really want the network to be split into eight slices and no one gets good performance? That means that an 80/80 pipe turns into eight 10/10 pipes. That just sucks. Letting everyone have access to everything is way better, 99% of the time, and why pretty much all ISPs handle things in that way.
I was wondering about this as well, but from the OP, not the more recent post.
I'm assuming there is a way to ensure minimum bandwidth - right? I guess you would want to ensure that each line has a minimum of something available so you don't run into an issue where one company decides to suck up 95% of the bandwidth.
-
@Dashrender said in Advice for new office setup:
@scottalanmiller said in Advice for new office setup:
@Joel said in Advice for new office setup:
I was planning on using the Draytek router to apply specific bandwidth to each office but assume this can also be done on the ER-8?
Is that a good idea? That means that everyone gets poor performance. Do you really want the network to be split into eight slices and no one gets good performance? That means that an 80/80 pipe turns into eight 10/10 pipes. That just sucks. Letting everyone have access to everything is way better, 99% of the time, and why pretty much all ISPs handle things in that way.
I was wondering about this as well, but from the OP, not the more recent post.
I'm assuming there is a way to ensure minimum bandwidth - right? I guess you would want to ensure that each line has a minimum of something available so you don't run into an issue where one company decides to suck up 95% of the bandwidth.
Yeah, some basic QoS should cover that, and be easy to set up. I don't have a Ubiquiti router to try it with though.
-
@travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?
4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.
Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?
-
@wirestyle22 said in Advice for new office setup:
@travisdh1 How does this actually behave? It wouldn't be minimum, it would be a soft maximum, right?
4 companies have a soft cap of 25% of the bandwidth. If 3 companies use 10% the fourth would be able to use 70%. Right? Decreasing the more bandwidth is being used by the other companies.
Basically each company out prioritizes all others up to 25% but all resources are usable by everyone--or something?
That's ideally how you want to do it, let everyone use 100% if no one else is using it. And have them all agree to prioritize RTP traffic no matter whose it is or why.
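-
The guaranteed-share-plus-borrowing behaviour discussed in the last few posts, worked through as an added example that is not part of the original thread. It is a simplified model (an assumption, not the EdgeRouter's actual scheduler): each company first gets its guarantee, then unused capacity is split evenly among companies that still want more.

```python
def allocate(capacity, guarantee, demand):
    """Share `capacity` among tenants.

    Each tenant first receives min(demand, guarantee); leftover capacity is
    then handed out in equal shares to tenants with unmet demand until the
    link is full or everyone is satisfied. Units are whatever the caller
    uses (percent of the pipe here).
    """
    if sum(guarantee.values()) > capacity:
        raise ValueError("guarantees oversubscribe the link")
    alloc = {t: min(demand[t], guarantee[t]) for t in demand}
    spare = capacity - sum(alloc.values())
    hungry = {t for t in demand if demand[t] > alloc[t]}
    while spare > 1e-9 and hungry:
        share = spare / len(hungry)
        for t in sorted(hungry):
            extra = min(share, demand[t] - alloc[t])
            alloc[t] += extra
            spare -= extra
        hungry = {t for t in hungry if demand[t] - alloc[t] > 1e-9}
    return alloc

# Constructed scenarios: four companies, 25% guaranteed each (figures from the thread).
GUARANTEE = {"A": 25, "B": 25, "C": 25, "D": 25}

def quiet_neighbours():
    """Three companies use 10%; the fourth wants the whole pipe."""
    return allocate(100, GUARANTEE, {"A": 10, "B": 10, "C": 10, "D": 100})

def greedy_neighbour():
    """One company tries to take 95% while the others are also busy."""
    return allocate(100, GUARANTEE, {"A": 95, "B": 30, "C": 30, "D": 30})

def mixed_load():
    """Two busy companies share what two idle ones leave unused."""
    return allocate(100, GUARANTEE, {"A": 95, "B": 30, "C": 5, "D": 5})

if __name__ == "__main__":
    for fn in (quiet_neighbours, greedy_neighbour, mixed_load):
        print(fn.__name__, fn())
```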