High Speed Internet -Router, Switch
Original Message
Name: Joe Wires
Date: September 26, 2002 at 08:37:43 Pacific
Subject: High Speed Internet -Router, Switch
OS: W2K
CPU/Ram: PIII 1 gig
Comment: I have a small office in a building with several other clients. Each suite wants high-speed internet access, but we are being held hostage by the local provider. Here is our solution, but we are not sure what it will take to implement and operate. Solution: 1 person buys the service with business grade bandwidth. Everyone chips in to purchase the switch (16 port), router and server. Each office suite will have a Cat 5 drop to their office from the switch. The question: Assuming the hardware is all compatible, what is the likelihood this scheme will work?? How will we address each computer in the building?? What questions am I not asking to complete this and get it up and running?? (DNS?? Workgroup??) We want to get past the tyrants who wish to fleece us. Thanks

Response Number 1
Name: Michael
Date: September 26, 2002 at 08:52:27 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Well, it sounds like you are setting up nothing more than a simple home network really, but with just more users. Your best bet is to get your Biz class internet, buy a router (for cheap but very good routers, go with an SMC) and your switch. You don't really need to have a server with this. The router will take the line from your ISP and disperse it where it needs to be and assign the proper IP to everyone (whatever you want it to be...defaults to a 192.168.0.0 address range) and the router should be able to handle 200+ connections, which it sounds like you don't have near that many. You could have a server anyway if you like so that your users could have a network drive that they store shared files/folders on, and make sure you use a tape backup or some other backup solution on it to ensure that nobody loses important data.

Response Number 2
Name: Curt R
Date: September 26, 2002 at 09:07:29 Pacific
Subject: High Speed Internet -Router, Switch
Reply: If the router you purchase has enough ports to supply all the client PCs, you don't need a switch either. You don't need a server either. If you're going to be sharing anything between the clients...just pick one computer with a fast processor and lots of hard drive space and create a share on it.

Response Number 3
Name: Brian
Date: September 26, 2002 at 09:08:25 Pacific
Subject: High Speed Internet -Router, Switch
Reply: First, here is the big problem: if everyone is going to be connected to this router/switch, there is the security issue you're forgetting. So to take care of that issue you will need to set up on the switch one VLAN for each client. So you would have 5 LANs connected to your one switch.

Response Number 4
Name: Brian
Date: September 26, 2002 at 09:21:11 Pacific
Subject: High Speed Internet -Router, Switch
Reply: I think he's saying that several clients in that building are diff companies, not one company, that want to pool together and buy one high speed connection. So I think using a switch would be better, so he can set up VLANs for each company?? Right? Joe?

Response Number 5
Name: Joe Wires
Date: September 26, 2002 at 10:13:48 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Yes, different companies all wanting to avoid $100 a month each. They insist that we pay for Cable TV as well. Who wants cable TV at work?? Enuff distractions already! Bottom line is to divide the cost of a high speed connection with everyone having their own E-Mail. The way I have this figured is after the cost of hardware, and the cost of different bandwidth options and a static IP address ... we could all get service for the cost of Dial-Up. Hell, we can put the TV service in the main entry and leave the stock market on it. Thanks guys ... Sounds pretty easy ... but that is always the case ... right?? And what about the security issue here?? I thought SOHO IP routers had a firewall. Am I overlooking something here??

Response Number 6
Name: John
Date: September 26, 2002 at 10:26:36 Pacific
Subject: High Speed Internet -Router, Switch
Reply: The problem is that with all companies connected to the same router you will all get an IP address from the same DHCP, therefore not limiting the other companies' access to your shared resources. The solution would be to have the 1st router, where the DSL/Cable comes in, connect to other routers in each office, and have a different IP spec for each office. How many offices are there? You can get a Linksys 4 or 8 port router for the main where the DSL/Cable comes in. Run a drop to each office. Each office purchases a router to their needs. Set them for DHCP from the WAN port (from the main router), and set up the DHCP for the internal to whatever specs you decide.

Response Number 7
Name: Brian
Date: September 26, 2002 at 12:03:23 Pacific
Subject: High Speed Internet -Router, Switch
Reply: You're missing the point: if you have them all on the same subnet, they would be able to see each other's computers. So to avoid all of that, you need to segment each company onto their own subnet, and you can do this by using VLANs.

Response Number 8
Name: John
Date: September 26, 2002 at 12:59:19 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Not if the IPs are off. Let's say:
WAN IP: whatever given by the ISP.
IP between routers: 192.168.1.? subnet 255.255.255.0
Internal IPs in each office, let's say 5 offices.
Office 1: external IP 192.168.1.? subnet 255.255.255.0, internal IP 192.168.2.? subnet 255.255.255.0
Office 2: external 192.168.1.? subnet - you know, internal IP 192.168.3.? subnet 255.255.255.0
And so on. How about that: each office has a diff IP for their DHCP, and each office has its own firewall from their routers. The subnet 255.255.255.0 with IP 192.168.2.? says only talk to 192.168.2.? so all is good.

Response Number 9
Name: Brian
Date: September 26, 2002 at 13:25:21 Pacific
Subject: High Speed Internet -Router, Switch
Reply: We will use 2 diff companies, okay, and they are sharing the same Internet connection and router. The WAN port will have a public address and the LAN would have priv addresses, let's say 192.168.0.0/24, keep it simple. If you have a DHCP server on the router giving out IP addresses to whoever boots up, well then both companies would be using the same subnet of 192.168.0.0/24, right? Say a computer on company 1 turns on his computer and gets 192.168.0.40, then a few moments later someone from company 2 turns on his computer and gets 192.168.0.41.. you see what I am getting at. You can't have both companies on the same subnet or someone might hack the other's networks, because both companies are on the same subnet.
By giving them their own subnet, say company 1 could be 192.168.0.0/24 and company 2 can be 192.168.1.0/24. For one to talk to another, you or someone would need to set up routing between the both of them.

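An added example, not part of any poster's reply: a Python check of the two addressing schemes quoted in Responses 8 and 9. The address ranges come from the thread; the office names, gateway addresses and function names are assumptions made for illustration.

```python
"""Addressing-plan check for a shared-building network (added illustration)."""
import ipaddress
from itertools import combinations

# Constructed plan using the thread's numbers: one transit network between
# the building router and the office routers, plus one /24 per office.
TRANSIT = ipaddress.ip_network("192.168.1.0/24")
OFFICES = {
    "office1": ipaddress.ip_network("192.168.2.0/24"),
    "office2": ipaddress.ip_network("192.168.3.0/24"),
    "office3": ipaddress.ip_network("192.168.4.0/24"),
}


def check_plan(transit, offices):
    """Return a list of problems: LANs that collide with transit or each other."""
    problems = []
    for name, net in offices.items():
        # An office router cannot NAT if its LAN and WAN sides share a range.
        if net.overlaps(transit):
            problems.append(f"{name}: {net} overlaps transit {transit}")
    for (a, net_a), (b, net_b) in combinations(offices.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b} overlap: {net_a} / {net_b}")
    return problems


def owner_of(address, offices):
    """Map an address (for example from a router log) to the owning office."""
    ip = ipaddress.ip_address(address)
    for name, net in offices.items():
        if ip in net:
            return name
    return None


def next_hop(src_interface, dst, gateway):
    """Decide how a host configured as src_interface ('ip/prefix') reaches dst.

    'direct' means the host treats dst as on-link and sends to it without
    passing through a router, so no router firewall sees that traffic.
    """
    iface = ipaddress.ip_interface(src_interface)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return f"via {gateway}"


if __name__ == "__main__":
    print("plan problems:", check_plan(TRANSIT, OFFICES))
    print("192.168.3.17 belongs to:", owner_of("192.168.3.17", OFFICES))
    # Single shared DHCP scope (Response 9): neighbours are on-link.
    print(next_hop("192.168.0.40/24", "192.168.0.41", "192.168.0.1"))
    # One /24 per office (Response 8): traffic must cross a gateway.
    print(next_hop("192.168.2.10/24", "192.168.3.10", "192.168.2.1"))
```

The "direct" result marks the case where two companies' machines exchange traffic without any router or firewall in the path. The arithmetic only describes how each host is configured, so the separation itself depends on the device that enforces it (a VLAN-capable switch or a router per office).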
Response Number 10
Name: John
Date: September 26, 2002 at 13:34:51 Pacific
Subject: High Speed Internet -Router, Switch
Reply: If you go back and look, the clients would be getting an IP from different routers with different scopes set. Not from the same router. Each office would have its own router with its own DHCP and scope set up.

Response Number 12
Name: Brian
Date: September 26, 2002 at 13:39:05 Pacific
Subject: High Speed Internet -Router, Switch
Reply: So they have their own routers? Right... you are just providing the Telco services for them.

Response Number 13
Name: John
Date: September 26, 2002 at 15:44:52 Pacific
Subject: High Speed Internet -Router, Switch
Reply: OK, this should make it easy to see: http://home.attbi.com/~jrs36688/network.bmp

Response Number 14
Name: FredF
Date: September 26, 2002 at 19:21:05 Pacific
Subject: High Speed Internet -Router, Switch
Reply: No reason you have to use DHCP internally. If you use static, one class C per office, you could easily do the layer 3 VLAN. Someone would have to touch every PC though.

Response Number 15
Name: bryguy
Date: September 26, 2002 at 19:57:13 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Hi Joe (and Company), who will be the lead in configuring this network? That person will likely need to know how to work with VLANs. From what I've read (particularly Reply #3-Brian) creating VLANs will probably be your best, if not only, route to implement proper security for each company/user. Since the group will presumably be splitting the cost of setup, usage and maintenance, you might want to look into Cisco 1900 switches (unless somebody else knows of other vendors). I've read John's suggestion of doing double DHCP and purchasing multiple routers, one for each company. Using double DHCP sounds too complicated and expensive (all those extra routers). I'm also not sure if a second layer of DHCP service would work. Maybe someone can shed some light or confirm my doubts. Either way, good luck with the project.

Response Number 16
Name: Brian
Date: September 27, 2002 at 03:25:36 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Fred, you're now missing the point: you cannot have every company in that building on the same subnet, if they are all going to be plugged into the same switch and using the same priv subnet. You would have to NAT twice. I am sure that might work, but why would you do something like that to begin with? You would have this:

Building router -> Switch -> company1 router -> LAN

Is that what you're talking about? That's not going to work.

build router -> switch -> comp 1 (Vlan 1)
                  |
                  -------> comp 2 (Vlan 2)

Then each company can do their own DHCP if they want to..

Response Number 17
Name: bryguy
Date: September 27, 2002 at 05:42:39 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Fred, so you suggest using VLANs and implementing DHCP downstream (single layer) for each client?

Response Number 18
Name: John
Date: September 27, 2002 at 05:45:05 Pacific
Subject: High Speed Internet -Router, Switch
Reply: The cost of the routers is a lot less than the cost of the 3 layer switch. A Linksys 8 port router sells at your local store for about $120. The routers even have a built-in firewall to keep everyone else out. Very easy to set up and maintain. Why spend a ton of cash on a 3 layer router to supply networks and internet access? I am guessing he wants to set this up for a few small companies. How many PCs total are you looking at? Let's say 5 companies, average 5 PCs per company. There is no need for a huge switch to control 25 PCs when maybe 5 - 10 out of the 25 will be accessing the internet at one time. Why spend $1500 on a switch when you can spend 6-700 on the routers?

Response Number 19
Name: Brian
Date: September 27, 2002 at 06:57:48 Pacific
Subject: High Speed Internet -Router, Switch
Reply: There is the security issue again, everyone is now on the same subnet.. How are you going to firewall company 1 from company 2 on the same subnet??? If you put them on diff VLANs the security issue is not gone.

Response Number 20
Name: John
Date: September 27, 2002 at 07:36:56 Pacific
Subject: High Speed Internet -Router, Switch
Reply: They may be on the same subnet, but they have different IPs:
Office 1 192.168.2.?
Office 2 192.168.3.?
Office 3 192.168.4.?
with subnets of 255.255.255.0. The routers block WAN requests, so yes, they are all firewalled from each other. The subnet of 255.255.255.0 says only talk to PCs with the matching first 3. (I.e.: 192.168.2.1 with subnet of 255.255.255.0 will only talk to 192.168.2.?, and the routers will not let anyone else in to the WAN port.)

Response Number 21
Name: bryguy
Date: September 27, 2002 at 09:57:56 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Many options have been explored, which should they implement? It seems as though VLAN is too expensive (I based my pricing on quick eBay searches for the suggested equipment). I guess, according to John and Fred, each client gets their own private, static IP and can do DHCP/Firewall locally. Just for my own clarity, where (on which device(s)) would you configure the separate class C addresses?

Response Number 22
Name: John
Date: September 27, 2002 at 10:18:54 Pacific
Subject: High Speed Internet -Router, Switch
Reply: You would set up the addresses on the routers, and set up the DHCP on the routers. I just use the Class C's as an example. You can use any IP scope you want. For even higher end security use 10.?.?.? IPs. No matter what, the routers will not send a 10.? IP out through the WAN port, yet will still provide NAT for them.

Response Number 23
Name: Brian
Date: September 27, 2002 at 12:09:46 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Can you put a price on security? And if they get hacked by the other company, what then? Lawsuit? So a better switch does not sound bad now..

Response Number 24
Name: John
Date: September 27, 2002 at 12:19:52 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Please, let me set up my router here and give you my IP. You can't beat a hardware firewall that is set up to not allow any WAN request. In fact you can set up the Linksys router to not reply to pings too. Heck, you can't even try to DoS attack it.

Response Number 25
Name: bryguy
Date: September 27, 2002 at 14:02:29 Pacific
Subject: High Speed Internet -Router, Switch
Reply: I believe Brian is referring to internal hacking among only these particular clients, not from folks outside the DSL Router. I suppose that their level of sophistication (probably minimal) would allow for a password protected share(s) to exist and be sufficient security. The DSL Router can be the outside watchdog. Personally, I like the VLAN idea as the optimal solution. I see Catalyst 1900 switches for just around $150-$200 USD on eBay.

Response Number 26
Name: FredF
Date: September 27, 2002 at 23:34:07 Pacific
Subject: High Speed Internet -Router, Switch
Reply: You don't need DHCP anywhere inside the Internet router. If you give company A 192.168.1.x 255.255.255.0, company B 192.168.2.x 255.255.255.0 and so on, they won't be able to talk to each other (on the wire). The router would be subnetted as an A or B so it could hear all the IPs. The layer 3 VLANs would prevent the router from routing company A to company B (although it shouldn't even pick up the packet if the destination is on the class A/B subnet) and also stop someone from changing their IP or mask to listen on a different subnet. A subnet mask is only used for listening, not sending. A cheapie broadband router probably won't work though - at least my SMC wouldn't. It assumes a class C internally - there is no place to enter your subnet mask.

Response Number 27
Name: FredF
Date: September 27, 2002 at 23:53:40 Pacific
Subject: High Speed Internet -Router, Switch
Reply: A little more: the router LAN port would be addressed 192.168.1.1 255.255.0.0 so it could hear all the internal IPs. What I meant above was the router should not process a packet if the source and destination IPs are on the same internal subnet. The subnet as far as the router is concerned is 192.168.x.x. I'll give it a try Monday - I have a small test network at work so I don't crash the company LAN quite as often.

Response Number 28
Name: FredF
Date: September 28, 2002 at 00:50:49 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Actually, after I thought about it a bit, Brian's idea is actually really good (although mine was much more elegant;). With the price of broadband routers as cheap as they are, depending on how many companies there are, it may be less $$ than a new layer 3 switch. Your (cheap) Internet router would have a static internal IP and be connected to a (cheap) 10MB hub. The hub ports would go out to each company and be connected to the WAN port of their (cheap) router also configured with static IP. The LAN port would have DHCP enabled dishing out any IP block. I've never tried double NATing but I can't think of a reason it wouldn't work. Unless someone opened ports on their company's router or created a hole to a DMZ, company A would be blocked from company B no matter what their IPs were. This is just like your broadband at home - your external IP is part of a subnet but the guy next door on the same subnet can't get past your firewall. There are a couple limitations with most broadband routers though: no more than 254 IPs and only one (sometimes 10) VPN sessions at a time. If you are talking about 50 or less PCs on the Internet at a time the whole setup should be able to handle the load. Good thinking Brian - you were talking routers and I was thinking Cisco$.

Response Number 29
Name: FredF
Date: September 28, 2002 at 01:20:34 Pacific
Subject: High Speed Internet -Router, Switch
Reply: John - Sorry I slighted you - looks like you were the first one with the multiple router idea. Brian was the person pointing me down the VLAN path (still more elegant though).

Response Number 30
Name: Joe Wires
Date: September 28, 2002 at 09:16:31 Pacific
Subject: High Speed Internet -Router, Switch
Reply: There are 20 office suites in the building. If I am lucky, 8 will share the cost of the Broadband Service. So, if every office has their own SOHO router, this should keep everyone to themselves, right?? What about software firewalls instead of the router in each office?? I plan to use a switch as opposed to a hub to connect every office to the service. My understanding is that a switch can handle the traffic (if everyone is online) more efficiently than a hub. My concern was not lagging the service and providing the highest level of service. Switch YES/NO? Keep it coming guys, your brainstorming session is educational for a layman like myself. Joe

Response Number 31
Name: FredF
Date: September 28, 2002 at 12:54:26 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Well, software firewalls come in two flavors - individual host based (black ice) and server based (checkpoint). With individual packages you lose the NAT (company to company privacy) advantage of the hardware type and this is not considered non-commercial use so you would/should purchase a package for each PC. The UNIX/Linux/NT/2000 server based firewalls work great but as with the "toaster" type you would need one installed at each company. PCs are cheap unless you are buying a bunch of them. As for the hub/switch I guess switches are nearly as low in cost as hubs these days so why not? As far as performance though, you can't push 10/100/1000MB switch packets down a T-1 any faster than 10MB hub packets. The restriction will be the speed of your Internet connection - not your hub/switch. Also, all sub $100 routers have 10MB WAN ports so you would still connect to your high speed switch at that speed - the only advantage would be traffic aggregation on the switch backplane but with the 10MB and T-1 (or less) connections who really cares if the switch backplane is shuffling packets at quantum speeds? All that aside, a switch might be useful in the future if the companies decide they need to communicate with each other or this new-fangled Internet thing really takes off and you need to pull in a T-3 pipe.

Response Number 32
Name: Brian
Date: September 30, 2002 at 06:43:57 Pacific
Subject: High Speed Internet -Router, Switch
Reply: Just put one layer 3 switch. Cisco makes a mid size range one; you can route and switch from one device. You can set up all companies on diff VLANs, and if one company does not pay their bill, just block that VLAN from getting access to the NET. You can set up diff scopes on the layer 3 switch and it can support up to 1024 VLANs.