Network Design Sanity Check

Solved
scrapiron
Getting noticed

I have a client that owns a building with many tenants. The client also has an office in the building and uses Comcast with 1 static IP address. A new tenant ordered Comcast service but I have a problem.

Comcast installed both cable modems in their demarc (electrical closet). My client (building owner) and the tenant have their firewalls installed in their suites. Unfortunately, there is only 1 Ethernet cable connecting the electrical closet and a janitor closet, which is about 200'. My client uses this cable to connect from the janitor closet to their suite, which is only about 40'.

The new tenant is located next to my client's suite. They have had contractors try to get a new Ethernet cable from the electrical closet to their suite but it is extremely difficult due to thick concrete, overfilled conduit, yada yada.

The new tenants also want to use Comcast but Comcast will only install their modems in the electrical closet because they couldn't get coax to the other side of the building either.

So I'm proposing to use MS-120 switches in the electrical closet and janitor closet to create VLANs for each new tenant using the existing Ethernet. Easy, I thought.

After spending about 4 hours running back and forth with switches and MXs going offline, VLAN mismatches, public IPs on switches, all the while trying to stick a finger in dike holes with cloud-managed devices getting angry, I'm pulling my hair out and bailed, realizing I need a plan before I go back and implement.

I created a diagram in Google Docs here and kindly ask if anyone could review and let me know if this looks like a good design. Honestly, I think I could have pulled an Ethernet cable with the amount of time I have spent, but hey, this is fun, right?

 

Link to diagram

 

VLAN 10 - VLAN for my client's firewall, configured on switches only

VLAN 20 - VLAN for the tenant's router, configured on switches only

VLANs 100-102 - Native VLAN 100 is for my client's LAN, configured on switches and the MX67

Thanks

 

1 Accepted Solution
jdsilva
Kind of a big deal

Your concept is good, but there are some things in your diagram I would suggest alternatives to.

First off, I wouldn't use a Meraki switch between the modems and each tenant's router/firewall. Meraki switches, with their requirement to talk to the cloud and their very persistent nature to get an IP on any VLAN possible, make them, IMO, not ideal for WAN breakout duties.

Second, you can't trunk your inside VLANs off a WAN port of an MX (the MX67 in your diagram) like that. I suspect you were doing that for management of the switches, but that's just not an option on the MX. It's outside only.

You could maybe relocate the MX67 to the electrical closet and put all the switches behind it, then create a dedicated VLAN for the other tenant and run that VLAN out to their suite...

 

 

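The accepted answer boils down to three rules that can be checked before anyone touches a live switch: an MX WAN port is outside only and never trunks inside VLANs; a cloud-managed switch must not sit between a modem and a firewall's WAN port; and every switch needs a LAN-side path to the MX on its management VLAN. The script below is an added example, not from the thread and not Meraki tooling. It models a design as a list of cables between ports and runs those rules, plus the obvious tenant-isolation check (the port facing the tenant's router carries VLAN 20 and nothing else), over both the design as originally diagrammed and the relocated-MX design. Device names (sw-elec, sw-jan, mx67, tenant-rtr), port names, the choice of VLAN 100 as the switches' management VLAN, and the decision to leave the tenant's own modem unconnected (the thread does not say where it lands once the tenant rides a VLAN behind the MX) are all assumptions.

```python
"""VLAN design sanity check for the two-closet layout in the thread (added example)."""
from collections import deque
from dataclasses import dataclass

# VLAN numbers from the thread: 100-102 are the client's LAN (100 native), 20 the tenant.
CLIENT_VLANS = frozenset({100, 101, 102})
TENANT_VLAN = 20
MGMT_VLAN = 100   # assumption: switch management rides the native VLAN


@dataclass(frozen=True)
class Port:
    device: str
    name: str
    mode: str          # "access", "trunk" or "wan"
    vlans: frozenset   # access: the one VLAN; trunk: allowed set; wan: must be empty

    def __str__(self):
        return f"{self.device}:{self.name}"


def P(device, name, mode, *vlans):
    return Port(device, name, mode, frozenset(vlans))


def _reachable_on_vlan(device_types, links, vlan):
    """Devices reachable from any MX over links carrying `vlan` at both ends, never via a WAN port."""
    adj = {}
    for a, b in links:
        if a.mode == "wan" or b.mode == "wan":
            continue
        if vlan in a.vlans and vlan in b.vlans:
            adj.setdefault(a.device, set()).add(b.device)
            adj.setdefault(b.device, set()).add(a.device)
    queue = deque(d for d, kind in device_types.items() if kind == "mx")
    seen = set(queue)
    while queue:
        dev = queue.popleft()
        for nxt in adj.get(dev, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def check_design(device_types, links):
    """Return the list of rule violations; an empty list means the design passes.

    device_types maps device name -> "modem" | "mx" | "switch" | "tenant_router" | "host".
    links is a list of (Port, Port) pairs, one per cable.
    """
    problems = []
    for a, b in links:
        for local, peer in ((a, b), (b, a)):
            ltype, ptype = device_types[local.device], device_types[peer.device]
            # Rule 1: an MX WAN port is outside only; it cannot trunk inside VLANs.
            if ltype == "mx" and local.mode == "wan" and local.vlans:
                problems.append(f"{local} is a WAN port but carries inside VLANs {sorted(local.vlans)}")
            # Rule 2: a cloud-managed switch must not sit on the WAN side of a firewall.
            if ltype == "switch" and (ptype == "modem" or (ptype == "mx" and peer.mode == "wan")):
                problems.append(f"{local} faces {peer} on the WAN side; switch is doing WAN breakout")
            # Rule 3: the port facing the tenant's router carries the tenant VLAN and nothing else.
            if ptype == "tenant_router" and local.vlans != frozenset({TENANT_VLAN}):
                problems.append(f"{local} faces the tenant router with VLANs {sorted(local.vlans)}, expected only {TENANT_VLAN}")
    # Rule 4: every switch must reach the MX on MGMT_VLAN using LAN-side ports only.
    reached = _reachable_on_vlan(device_types, links, MGMT_VLAN)
    for dev, kind in device_types.items():
        if kind == "switch" and dev not in reached:
            problems.append(f"{dev} has no LAN-side path to the MX on management VLAN {MGMT_VLAN}")
    return problems


# Hypothetical device names for the topology described in the thread.
DEVICES = {
    "modem-client": "modem", "modem-tenant": "modem", "mx67": "mx",
    "sw-elec": "switch", "sw-jan": "switch",
    "tenant-rtr": "tenant_router", "client-suite": "host",
}

# Design as originally diagrammed: switches in front of both firewalls, VLAN 10 carrying the
# client's modem and VLAN 20 the tenant's modem over the one cable, and the MX67 WAN port
# trunked with the inside VLANs so the switches could be managed.
ORIGINAL = [
    (P("modem-client", "eth", "access", 10),             P("sw-elec", "1", "access", 10)),
    (P("modem-tenant", "eth", "access", 20),             P("sw-elec", "2", "access", 20)),
    (P("sw-elec", "24", "trunk", 10, 20, 100, 101, 102), P("sw-jan", "24", "trunk", 10, 20, 100, 101, 102)),
    (P("sw-jan", "1", "trunk", 10, 100, 101, 102),       P("mx67", "wan1", "wan", 10, 100, 101, 102)),
    (P("sw-jan", "2", "access", 20),                     P("tenant-rtr", "wan", "access", 20)),
    (P("sw-jan", "3", "access", 100),                    P("client-suite", "eth", "access", 100)),
]

# Design per the accepted answer: MX67 moved to the electrical closet, modem straight into its
# WAN port, both switches behind its LAN trunk, tenant on a dedicated VLAN out to their suite.
RECOMMENDED = [
    (P("modem-client", "eth", "wan"),                    P("mx67", "wan1", "wan")),
    (P("mx67", "lan1", "trunk", 20, 100, 101, 102),      P("sw-elec", "1", "trunk", 20, 100, 101, 102)),
    (P("sw-elec", "24", "trunk", 20, 100, 101, 102),     P("sw-jan", "24", "trunk", 20, 100, 101, 102)),
    (P("sw-jan", "2", "access", 20),                     P("tenant-rtr", "wan", "access", 20)),
    (P("sw-jan", "3", "access", 100),                    P("client-suite", "eth", "access", 100)),
]

if __name__ == "__main__":
    for label, design in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        print(f"== {label} ==")
        for problem in check_design(DEVICES, design) or ["no violations"]:
            print(" -", problem)
```

Run it and the original design reports the WAN-port trunk, three switch ports on the WAN side of a modem or MX WAN port, and both switches unreachable on the management VLAN; the relocated-MX design reports nothing. Adding a tenant-facing port that also carries VLAN 100 is the quickest way to see the isolation rule fire.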

3 Replies

kYutobi
Kind of a big deal

@jdsilva wrote:

You could maybe relocate the MX67 to the electrical closet and put all the switches behind it, then create a dedicated VLAN for the other tenant and run that VLAN out to their suite...

Agreed with @jdsilva, putting the switches behind the MX would be the better option.

scrapiron
Getting noticed

This makes sense. I will move the MX to the electrical closet and route the tenant's WAN traffic through a private VLAN.

Thank you so much!
