Networking advice

Leonard Isham leonard.isham at gmail.com
Wed Jan 19 22:23:14 UTC 2005


On Wed, 19 Jan 2005 16:15:56 -0500 (EST), ranbir sandhu
<m3freak at rogers.com> wrote:
> Hi all,
> 
> I'm not a networking expert or even "the network guy",
> and thus I am running into a problem figuring out how
> to improve the network at my new office.
> 
> The business centre I'm in is sharing a DSL connection
> with one dynamic IP between 19 tenants (simple
> Linksys/Dlink type of router).  Besides the obvious
> security problems, this makes it very difficult for
> tenants to host their own servers, including me.
> 
> Along with changing the ISP to one that can provide
> static IPs, here's what I'm thinking of suggesting:
> 
> Internet --> DSL Modem --> Hub/Switch
>                            |        |
>                         Router1   Router2
>                           |          |
>                         Switch      Tenant
>                           |           That
>                         Tenants      Cares
>                          That
>                       Don't Care
> 
> Router1 would have a static IP.  Like it says, tenants
> that want a simple Internet connection would
> essentially receive the same service they have now.
> 
> Router2 would be assigned another static IP.
> Additional tenants could easily be accommodated with
> more static IPs and routers.  Firewalls etc. would be
> the responsibility of the tenant.
> 
> The obvious problem with this is that if a simple
> switch or even a hub is used after the DSL modem, the
> business centre won't be able to control the traffic
> (i.e. prioritize and/or control bandwidth use).  One
> tenant could use up the entire pipe, for example.
> 
> I've considered dropping in a machine running m0n0wall
> to help solve the traffic shaping issue. Also, I've
> read that m0n0wall can transparently firewall/bridge:
> this would make it very easy to assign static IPs to
> those that want them. But, I don't know how many
> routes it can accommodate.
> 
> Is the above approach a good one? How else would
> something like this be handled?
> 
> Incidentally, I've spent quite a bit of time reading
> up on layer 2/3 switches, VLANs etc., but I still
> haven't figured out if plugging the modem directly
> into a switch is the right thing to do.
> 

Here is what I'd do (I have a proposal submitted to do this for a
medical complex).

Internet
  |
DSL Modem or Internet Router
  |
Firewall----Tenant-2
  |
Tenant-1

Firewall each tenant from the other tenants.  Give each tenant a
different RFC 1918 address range.  Use a switch capable of trunking,
and an Ethernet card capable of trunking in the firewall to allow
multiple VLANs on one physical connection.

-- 
Leonard Isham, CISSP 
Ostendo non ostento.
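The layout in Leonard's reply (one firewall, an 802.1Q trunk to the tenant switch, one RFC 1918 range per tenant, tenants isolated from each other) can be expressed as a small config generator for a Linux firewall. The script below is an added example, not code from the post or from m0n0wall; the interface names eth0/eth1, the VLAN IDs, the 10.0.x.0/24 ranges, the 203.0.113.x public addresses (documentation range standing in for the static IPs) and the ".2" host used for 1:1 NAT are all assumptions. It prints the `ip` commands and the nftables ruleset rather than applying them, so the result can be reviewed before `nft -f`.

```shell
#!/bin/sh
# Added example: per-tenant VLAN isolation on a Linux firewall that trunks
# to the tenant switch. All names, VLAN IDs and addresses below are assumed.

TRUNK=eth1                   # 802.1Q trunk toward the tenant switch (assumed)
WAN=eth0                     # uplink to the DSL modem/Internet router (assumed)
PUBLIC_SHARED=203.0.113.10   # shared static IP for "tenants that don't care"

# Tenant table: "vlan subnet public_ip". One RFC 1918 /24 per tenant.
# A tenant listed with its own public IP is a "tenant that cares": it is
# SNATed to that IP and gets 1:1 NAT inbound so it can host a server.
TENANTS="
10 10.0.10.0/24 $PUBLIC_SHARED
20 10.0.20.0/24 $PUBLIC_SHARED
30 10.0.30.0/24 203.0.113.11
"

# ip(8) commands creating one VLAN subinterface per tenant; the firewall
# holds .1 of each range as that tenant's default gateway.
vlan_links() {
    echo "$TENANTS" | while read -r vid subnet pub; do
        [ -n "$vid" ] || continue
        gw=$(echo "$subnet" | sed 's/\.0\/24$/.1/')
        echo "ip link add link $TRUNK name $TRUNK.$vid type vlan id $vid"
        echo "ip addr add $gw/24 dev $TRUNK.$vid"
        echo "ip link set $TRUNK.$vid up"
    done
}

# nftables ruleset: forward chain defaults to drop, so the only paths that
# exist are tenant VLAN -> WAN and (for tenants with a public IP) WAN -> the
# tenant's NATed host. No rule ever permits one tenant VLAN to reach another.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet tenants {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
EOF
    echo "$TENANTS" | while read -r vid subnet pub; do
        [ -n "$vid" ] || continue
        echo "    iifname \"$TRUNK.$vid\" oifname \"$WAN\" ip saddr $subnet accept"
        if [ "$pub" != "$PUBLIC_SHARED" ]; then
            # DNAT (below) has already rewritten daddr to the tenant host here.
            host=$(echo "$subnet" | sed 's/\.0\/24$/.2/')
            echo "    iifname \"$WAN\" oifname \"$TRUNK.$vid\" ip daddr $host accept"
        fi
    done
    cat <<EOF
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
EOF
    echo "$TENANTS" | while read -r vid subnet pub; do
        [ -n "$vid" ] || continue
        [ "$pub" != "$PUBLIC_SHARED" ] || continue
        # 1:1 NAT of the tenant's static IP to an assumed host .2 in its range;
        # anything finer-grained is the tenant's own firewall's job.
        host=$(echo "$subnet" | sed 's/\.0\/24$/.2/')
        echo "    iifname \"$WAN\" ip daddr $pub dnat to $host"
    done
    cat <<EOF
  }
  chain postrouting {
    type nat hook postrouting priority 100;
EOF
    echo "$TENANTS" | while read -r vid subnet pub; do
        [ -n "$vid" ] || continue
        echo "    oifname \"$WAN\" ip saddr $subnet snat to $pub"
    done
    cat <<EOF
  }
}
EOF
}

vlan_links
nft_ruleset
```

On the switch side the firewall's port is the tagged trunk carrying VLANs 10, 20 and 30, and each tenant's ports are untagged access ports in that tenant's VLAN; a tenant's own router or firewall then sits behind its access port, which matches the "firewalls are the tenant's responsibility" split in the original question. Adding a tenant is one more line in the table plus one more access VLAN on the switch.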

More information about the fedora-list mailing list