Today I got put on a project to solve a networking project for a friend who rents out multiple office suites. Internet is provided to all suites in the rent cost. The guy who originally set everything up took a single fiber connection and put it into a BSD server.
So essentially what is happening is that the BSD server acts as a NAT & firewall to all of the office suites. It has a single static private IP assigned to each suite; the tenants then use a standard router to serve all of their machines.
This works, but it's a double NAT and some tenants have issues with some services because of it.
I want to reduce it to a single NAT system and have each suite on its own subnet of IPs that they use directly (no additional router). The problem is that if anyone got smart they could simply change IPs and invade into another suite's network.
The primary issue is that I cannot have a DHCP server, as it will serve the whole complex, not just one subnet. I need to have a DHCP server (or a single server that can serve multiple subnets) on each subnet.
What is the best way to achieve what I need? I am going to assume that VLANs are the way to go, but I don't know much about them. Although I have always wanted to learn how to build a VLAN. I know I will need a managed switch, but I don't know if VLANs are segregated on layer 2 or layer 3.
I ended up picking up a few Cisco Catalyst 3500 XLs on the cheap and giving each suite its own VLAN. Then I made a trunk port with 802.1q encapsulation and fed it to a BSD server with NICs that could decode 802.1q.
It works like a charm, each VLAN gets its own subnet and the firewall rules prevent inter-VLAN routing to keep everyone segregated.
I'm going to keep a close eye on traffic to make sure that 100mbps is enough at the server end, I may have to pick up a 3550 and do link aggregation.
Thanks for the help!
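As an added example (not from the original poster), here is roughly what the finished BSD side of that setup looks like on FreeBSD with pf and isc-dhcpd: one tagged VLAN interface per suite on the trunk NIC, a single NAT on the uplink, a pf ruleset that lets each suite reach its own gateway for DHCP but nothing else inside the tenant address space, and one dhcpd pool per VLAN. Interface names (em0 toward the trunk, em1 toward the fiber), the 10.x.0.0/24 numbering and the 10.0.0.0/8 summary are assumptions; the switch-side VLAN and trunk configuration is not shown.

```conf
# /etc/rc.conf  (assumed: em0 faces the 802.1q trunk, em1 faces the fiber uplink)
vlans_em0="10 20 30"                          # one tagged VLAN per suite
ifconfig_em0="up"
ifconfig_em0_10="inet 10.10.0.1/24"           # suite A gateway (em0.10)
ifconfig_em0_20="inet 10.20.0.1/24"           # suite B gateway (em0.20)
ifconfig_em0_30="inet 10.30.0.1/24"           # suite C gateway (em0.30)
gateway_enable="YES"
pf_enable="YES"
dhcpd_enable="YES"                            # isc-dhcp server from ports
dhcpd_ifaces="em0.10 em0.20 em0.30"           # listen on tenant VLANs only

# /etc/pf.conf
ext_if  = "em1"
tenants = "{ em0.10 em0.20 em0.30 }"
suites  = "10.0.0.0/8"                        # assumed summary of all suite subnets

set skip on lo0
# Single NAT for every suite, so tenants no longer need their own routers.
nat on $ext_if inet from $suites to any -> ($ext_if)

block log all
# A host that changes its address to another suite's range is dropped at its own VLAN.
antispoof log quick for $tenants
# Tenants may talk DHCP to the gateway on their own VLAN ...
pass in quick on $tenants inet proto udp from any port 68 to any port 67
# ... but nothing else inside the tenant address space, so no suite reaches another.
block in log quick on $tenants inet from $suites to $suites
# Everything else from a suite is allowed out; pf keeps state for the replies.
pass in on $tenants inet from $suites to any
pass out on $ext_if inet all

# /usr/local/etc/dhcpd.conf  (dhcpd picks the pool by the VLAN the request arrived on)
# Add "option domain-name-servers" with the resolver the tenants are allowed to reach.
subnet 10.10.0.0 netmask 255.255.255.0 {
  range 10.10.0.100 10.10.0.200;
  option routers 10.10.0.1;
}
subnet 10.20.0.0 netmask 255.255.255.0 {
  range 10.20.0.100 10.20.0.200;
  option routers 10.20.0.1;
}
subnet 10.30.0.0 netmask 255.255.255.0 {
  range 10.30.0.100 10.30.0.200;
  option routers 10.30.0.1;
}
```

Check the result with `pfctl -vnf /etc/pf.conf` before loading it, and watch `pflog0` for the logged antispoof and inter-suite blocks to confirm the segregation is actually being hit.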