Sharing wide area network connections in shared buildings
Reduce costs, improve network efficiency and maintain control by sharing wide area network connections.
Read this guidance from Common Technology Services if you provide network infrastructure to government organisations (either as a lead department or service provider) to understand how to:
- reduce costs by sharing 2 internet and 2 Public Services Network (PSN) connections per building or building cluster
- improve efficiency by spreading traffic peaks amongst a larger number of users with different activity patterns
- allow end user devices with ‘always-on’ virtual private networks (VPNs) to connect to their home gateway
- provide access to the enterprise network to devices not using a client VPN
- maintain visibility and control of your end user devices on a shared network
Each organisation has their own IT team and can deliver their own independent solutions to meet their users’ needs. They normally have a contract with a single provider for a private national network. This works well but can be wasteful when sharing office buildings between multiple organisations. A tenfold increase in bandwidth is usually available for 2 to 3 times the cost, so 10 organisations with similar requirements could save 70 to 80% by sharing connectivity.
This guidance explains how to share connections across different organisations with:
- minimal change to network infrastructure
- full control of IP addressing and traffic routing
- clear demarcation of responsibilities
Follow this technical solution
The shared workplace network uses certificates to grant network access to end user devices. Each organisation’s user group is allocated their own virtual local area network (VLAN) to which a pair of VPN devices managed by their home organisation are connected. This means that each organisation controls their own IP address allocation to clients and IP routing.
Alternatively, the organisation can opt not to install devices and implement ‘always-on’ VPN clients on their end user devices.
The internet gateway provides direct internet access to ‘always-on’ VPN users and visitors only. All managed devices use their existing organisation’s internet gateway service. Content filtering is on a best effort basis using a filtered domain name system (DNS) provider. However, the gateway should enforce the use of this service by blocking any other (unfiltered) DNS servers.
The internet gateway provides firewalled connectivity for the individual departments’ VPN routers.
A central print solution is accessed via a VPN terminated on the internet gateway. This will be covered in separate shared printing guidance.
Each organisation can decide which of the following 3 connectivity options is best suited to their requirements.
1. ‘Always-on’ VPN
An organisation using an ‘always-on’ VPN for their end user devices does not need to install any additional infrastructure. The building’s shared RADIUS server recognises the device certificate and connects the user to an ‘always-on’ VPN VLAN which only allows VPN traffic.
The diagram below shows different end user devices connected to a single shared infrastructure wirelessly. They connect back to their home departments either via client VPN over the internet or a VPN gateway.
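The certificate-to-VLAN step described above (the shared RADIUS server recognising a device certificate and placing the device on its organisation's VLAN, or on the 'always-on' VPN VLAN) is shown here as an added, constructed example; it is not code from the guidance or from any building's RADIUS service. The organisation names, issuing CA names and VLAN ids are assumptions, and the revocation check is assumed to have been done before this function is called. The Tunnel-Type and Tunnel-Medium-Type values are the standard RADIUS attribute values for VLAN assignment (RFC 3580).

```python
"""Constructed example: mapping a device certificate to a tenant VLAN on a
shared workplace network.  Not the guidance's own code; names and ids are
assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed registry of issuing CAs -> VLAN.  VLAN 200 is the shared
# 'always-on' VPN VLAN that only permits VPN traffic to the home gateway.
ORG_VLANS = {
    "CN=Dept A Device CA,O=Department A": (101, "Department A tenant VLAN"),
    "CN=Dept B Device CA,O=Department B": (102, "Department B tenant VLAN"),
    "CN=Dept C Device CA,O=Department C": (200, "always-on VPN VLAN"),
}

# Standard RADIUS tunnel attribute values used for VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass
class DeviceCert:
    subject: str
    issuer: str
    not_after: datetime
    revoked: bool = False  # assumed result of an upstream CRL/OCSP check


def access_decision(cert: DeviceCert, now: datetime):
    """Return ('Access-Accept', attributes) or ('Access-Reject', reason).

    Only certificates from a registered issuer get a VLAN; anything else is
    rejected rather than dropped onto a default network."""
    if cert.revoked:
        return "Access-Reject", "certificate revoked"
    if cert.not_after <= now:
        return "Access-Reject", "certificate expired"
    entry = ORG_VLANS.get(cert.issuer)
    if entry is None:
        return "Access-Reject", "issuer not registered for this building"
    vlan_id, _description = entry
    attributes = {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }
    return "Access-Accept", attributes


def run_samples():
    """Evaluate a few constructed certificates and return the decisions."""
    now = datetime(2016, 8, 8, 9, 0, tzinfo=timezone.utc)
    valid_until = datetime(2017, 8, 8, tzinfo=timezone.utc)
    expired_at = datetime(2016, 1, 1, tzinfo=timezone.utc)
    certs = {
        "dept_a_laptop": DeviceCert("CN=laptop-0421", "CN=Dept A Device CA,O=Department A", valid_until),
        "dept_c_phone": DeviceCert("CN=phone-0099", "CN=Dept C Device CA,O=Department C", valid_until),
        "expired": DeviceCert("CN=laptop-0001", "CN=Dept A Device CA,O=Department A", expired_at),
        "unknown_issuer": DeviceCert("CN=visitor-laptop", "CN=Some Other CA,O=Elsewhere", valid_until),
        "revoked": DeviceCert("CN=laptop-0777", "CN=Dept B Device CA,O=Department B", valid_until, revoked=True),
    }
    return {name: access_decision(cert, now) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, (decision, detail) in run_samples().items():
        print(f"{name:15} {decision:14} {detail}")
```

The decision function is deliberately fail-closed: a certificate the building does not recognise gets no VLAN at all, so a tenant's IP allocation and routing stay under the control of that tenant's own VPN devices.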
2. One pair of VPN routers per organisation
The individual organisation’s VLAN is routed back to a shared cabinet in the main comms room for the building and delivered to their own managed VPN termination device, which may be a router or a firewall. This should be a pair of VPN routers located separately for resilience.
The organisation can then decide to connect back via the internet or via the PSN, depending on their requirements. Organisations with their main applications in a public cloud will probably choose to use a VPN over the internet. Those with existing PSN connectivity to their datacentres will probably prefer to use a VPN over the PSN as it delivers an assured path.
Local break out to a cloud-based web filtering service or cloud application can be used to avoid the added latency of internet traffic traversing the datacentre. Adoption of this depends on the organisation’s user and security requirements.
The connectivity from the end user’s device to their organisation’s VPN device is at layer 2, giving their IT team full control over IP allocation and addressing.
The organisation decides how many users will be the threshold for installing the VPN endpoint, below which they use the remote access solution via the internet.
3. Private virtual routing and forwarding (VRF) over a PSN connection
The organisation can make arrangements with their WAN service provider to extend their network to any PSN network vendor connected to a site. The organisation must install a firewall or router to allocate IP addresses to their users and protect their WAN from threats.
Speak to your PSN service provider to find out whether this is available to you.
Consider your technical requirements
Shared internet gateways
Solution providers must install a single internet gateway service per building cluster to be used by everyone in those buildings. Although described as a single gateway, it must include multiple devices to provide high availability.
The internet gateway must:
- support the bandwidth required for the site
- be able to establish a VPN to any central services as required, supporting Internet Key Exchange version 2 (IKEv2) and next generation encryption
- export firewall and web request logs, including the full address of unencrypted requests and the destination address of encrypted connections, to a central service via the VPN
- export logs of IP addresses allocated to clients via the VPN
- continue to function if any single component fails
- provide accurate timestamps using Network Time Protocol (NTP)
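Two of the gateway requirements above, enforcing the filtered DNS provider by blocking other DNS servers and exporting firewall logs to a central service, are shown together in this added, constructed example. It is not code from the guidance or from any gateway product: the resolver addresses, client VLAN ranges, and the key=value log format are assumptions, and the log lines are constructed. The first function is the decision a gateway rule would make for a DNS flow; the second reads exported log lines the way a central log service might, counting blocked DNS attempts per client and confirming the recorded actions match the policy.

```python
"""Constructed example: filtered-DNS enforcement on a shared internet gateway
and a review of its exported firewall logs.  Addresses, ranges and the log
format are assumptions, not the guidance's own."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed addresses of the filtered DNS provider (documentation range).
FILTERED_RESOLVERS = {ip_address("203.0.113.53"), ip_address("203.0.113.54")}
# Assumed client ranges behind the gateway: visitor and 'always-on' VPN VLANs.
CLIENT_NETS = [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/16")]
# Plain DNS and DNS over TLS.  DNS inside HTTPS is not distinguishable by
# port, which is why the guidance calls content filtering "best effort".
DNS_PORTS = {53, 853}


def dns_decision(src, dst, proto, dport):
    """Return 'allow' or 'block' for a DNS flow from a client VLAN, or None
    if the flow is not a DNS flow covered by this rule."""
    if proto not in ("udp", "tcp") or dport not in DNS_PORTS:
        return None
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if not any(src_ip in net for net in CLIENT_NETS):
        return None  # tenant VPN routers in the DMZ use their own DNS via VPN
    return "allow" if dst_ip in FILTERED_RESOLVERS else "block"


# Constructed exported log lines (timestamp host subsystem key=value ...).
SAMPLE_LOG = """\
2016-08-08T09:01:02Z gw1 fw action=block src=10.20.4.17 dst=198.51.100.1 proto=udp dport=53
2016-08-08T09:01:05Z gw1 fw action=allow src=10.20.4.17 dst=203.0.113.53 proto=udp dport=53
2016-08-08T09:02:11Z gw1 fw action=block src=10.20.4.17 dst=198.51.100.1 proto=tcp dport=853
2016-08-08T09:03:40Z gw1 fw action=block src=10.21.7.3 dst=192.0.2.8 proto=udp dport=53
2016-08-08T09:04:00Z gw1 fw action=allow src=10.21.7.3 dst=198.51.100.20 proto=tcp dport=443
"""


def parse_log_line(line):
    """Parse one exported line into a dict; dport becomes an int."""
    timestamp, host, subsystem, *fields = line.split()
    record = {"timestamp": timestamp, "host": host, "subsystem": subsystem}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = int(value) if key == "dport" else value
    return record


def blocked_dns_by_client(log_text):
    """Count blocked DNS attempts per source address (a signal that a
    device is trying to bypass the filtered resolver)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec["action"] == "block" and rec["dport"] in DNS_PORTS:
            counts[rec["src"]] += 1
    return dict(counts)


def policy_mismatches(log_text):
    """Return log records whose recorded action differs from dns_decision;
    a non-empty result means the deployed ruleset drifted from policy."""
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        expected = dns_decision(rec["src"], rec["dst"], rec["proto"], rec["dport"])
        if expected is not None and expected != rec["action"]:
            mismatches.append(rec)
    return mismatches


if __name__ == "__main__":
    print("blocked DNS per client:", blocked_dns_by_client(SAMPLE_LOG))
    print("policy mismatches:", policy_mismatches(SAMPLE_LOG))
```

Running the review against the constructed log reports two blocked attempts from 10.20.4.17 and one from 10.21.7.3, and no mismatches between the recorded actions and the policy.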
Shared WAN connectivity
Solution providers must provide resilient connectivity to both the internet and the PSN so government organisations can connect to their resources in the most appropriate way.
The WAN connectivity must deliver:
- a resilient pair of internet connections
- a resilient pair of PSN connections - supporting private VRF where available
- public IP address range for the internet VPN endpoint DMZ
- PSN IP address range for the PSN VPN endpoint DMZ
The resilient connections can be split across 2 buildings in a building cluster where appropriate. This provides extra diversity and easier load sharing between the 2 connections as the users in each building can use their local connection but fail over to the other building if the connection goes down. For a single building infrastructure, the 2 cabinets and connection termination equipment should be as far apart as practical. Consider using different comms rooms to avoid total sustained outage from a single fire or flooding event.
For a pair of connections to be considered resilient, as a minimum they must use different building entry points and be diversely routed, never sharing the same duct. Consider using 2 different network providers for these connections where possible, taking care to ensure the providers are not using common underlying components.
Consider an active-active approach, so in normal circumstances both connections are around 50% average utilisation or less. This will give a better service by reducing contention during spikes at peak times while still allowing fail over.
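The sizing point above has an edge case worth checking explicitly: two links can each sit under 50% average utilisation while their combined peak still exceeds what one link can carry alone, so a failure at peak time would cause contention. This added, constructed example (not from the guidance; the link capacity and the utilisation samples are assumptions) reports both checks from a series of per-link throughput samples.

```python
"""Constructed example: checking an active-active pair of WAN links for
both the average-utilisation target and single-link failover headroom.
Capacity and samples are assumptions, not figures from the guidance."""

# Assumed capacity of each of the two links, in Mbps.
LINK_CAPACITY_MBPS = 1000.0

# Constructed 5-minute throughput samples as (link A Mbps, link B Mbps).
SAMPLES_MBPS = [
    (300, 280),
    (450, 470),
    (520, 500),
    (380, 360),
    (600, 640),   # busiest interval: combined load exceeds one link
    (250, 240),
]


def utilisation_report(samples, capacity=LINK_CAPACITY_MBPS, target=0.5):
    """Return average utilisation per link, the combined peak, and whether
    the pair meets the active-active target and still fails over cleanly."""
    count = len(samples)
    avg_a = sum(a for a, _ in samples) / count / capacity
    avg_b = sum(b for _, b in samples) / count / capacity
    peak_combined = max(a + b for a, b in samples)
    return {
        "avg_util_a": avg_a,
        "avg_util_b": avg_b,
        "peak_combined_mbps": peak_combined,
        # both links around the target or lower in normal operation
        "active_active_ok": avg_a <= target and avg_b <= target,
        # the surviving link must carry the combined peak if the other fails
        "failover_ok": peak_combined <= capacity,
    }


if __name__ == "__main__":
    report = utilisation_report(SAMPLES_MBPS)
    for key, value in report.items():
        print(f"{key:20} {value}")
```

With the constructed samples both links average under 42% utilisation, so the active-active target is met, but the combined peak of 1240 Mbps would not fit on a single 1000 Mbps link; the pair needs more headroom, or traffic shaping at peak, before a single-link failure is safe.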
VPN device colocation
Solution providers must help government organisations install firewalls or other VPN termination equipment. Ideally, each organisation should have their own secured section of a cabinet so that they can maintain it themselves. Where this isn’t possible, the solution provider should install the equipment on the organisation’s behalf. All cabinets should be located in suitably secured and controlled comms rooms.
Solution providers must deliver:
- 2 shared cabinets as far apart as possible, preferably in different buildings in each building cluster for installing the WAN connection termination equipment, and other shared infrastructure devices
- separate individually lockable cabinet sections to tenant organisations or install one pair of VPN routers per organisation in the shared cabinets
- top of rack switch ports giving connectivity to the internet, PSN or private VRF as requested by each organisation - ports can be preallocated to reduce management overhead
- a top of rack switch port giving access to each organisation’s internal VLAN on the shared infrastructure
- patching to the organisation’s switches if they have implemented their own
Organisations wishing to use buildings that follow this pattern must:
- comply with the requirements in the shared workplace network guidance
- provide either a pair of VPN routers or enough client VPN capacity for the number of users at a given site
- inform the service provider of their chosen pattern of connectivity
- provide different physical interfaces on their VPN routers for their own LAN switches (if installed) and the shared infrastructure switches
Read more about networks
Read about sharing workplace wireless networks if you are involved in deploying new or upgrading existing government networks.
Find out how to set up user.wifi service in your organisation.
Email firstname.lastname@example.org to:
- join the CTS review group
- provide feedback on CTS guidance
- submit ideas for solutions
- discuss how this guidance will help you use technology more efficiently and effectively
Return to the Common Technology Services page.
Published: 8 August 2016