Hosting another companies servers and keeping them seperate

Solved
JRytter
Conversationalist

Hosting another companies servers and keeping them seperate

We are going to be hosting a sister companies servers in our racks in a data centre. They will be sharing our internet connection but we want to ensure the networks are 100% secure from each other. Currently we have a MX68 in the data centre that is used as a hub for 2 remote office 'spokes'.  This is connected directly to our core Cisco switches.  I've added a high level diagram.

 

My question is how would I get the 'Company B' servers connected to 'Company B remote office 1'?

 

If we were to buy another MX device for Company B servers to connect to, then create a point to point VPN tunnel would that separate the networks?  Basically, Company A and B need to be separate.

 

Any help would be very much appreciated!

High level pre-install.jpg

 

1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee

Put a new MX in the DC, in routed mode, with all of Company B's servers behind it, inside your existing firewall (you don't show this on your diagram, but I assume you have one?).
Put it in a different Organization from the existing Hub and existing Company A office Spokes (maybe configure a new Organization).   Put the the Company B MX65W as a Spoke of this new Hub, in the same Organization.   With the Company A and Company B MXs in different Organizations, the VPNs will be entirely separate.   If the MX65W is already in the existing (Company A) Organization, you can logically move the hardware between the Organizations yourself, but you'll need to call Support to get them to move licensing.

If you are mixing your Company A and B servers on the same switching, this gets more complex, but you imply that's not the plan.   If you keep it separate physically, it's harder to get wrong.

View solution in original post

3 Replies 3
GreenMan
Meraki Employee
Meraki Employee

Put a new MX in the DC, in routed mode, with all of Company B's servers behind it, inside your existing firewall (you don't show this on your diagram, but I assume you have one?).
Put it in a different Organization from the existing Hub and existing Company A office Spokes (maybe configure a new Organization).   Put the the Company B MX65W as a Spoke of this new Hub, in the same Organization.   With the Company A and Company B MXs in different Organizations, the VPNs will be entirely separate.   If the MX65W is already in the existing (Company A) Organization, you can logically move the hardware between the Organizations yourself, but you'll need to call Support to get them to move licensing.

If you are mixing your Company A and B servers on the same switching, this gets more complex, but you imply that's not the plan.   If you keep it separate physically, it's harder to get wrong.

JRytter
Conversationalist

Hi,

 

Thanks very much for your reply!

 

One more question regarding this setup, when in routed mode, will the users in the remote office still be able to get to the internet via the hub in the DC?  I'm not sure if the shared office Company B will be in would supply them with internet access but if they do can we direct the internet traffic directly out of their network rather than through the VPN tunnel to the DC and then out of our internet facing connection?

 

We need to get them internet access at either the remote office or via our breakout in the DC, are both of these possible with the solution you gave?

 

Thanks again,

 

James R

GreenMan
Meraki Employee
Meraki Employee

Why would you want them to access the Internet by hairpinning in and out of the other site?   Why not have their local MX split tunnel (don't tick the Default route box, when configuring the AutoVPN tunnel to the Hub).   make sure you have the Advanced Security license.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels