From a network perspective, we cater for two types of Clients. Those who have their own firewall or router and would like to have public, unfiltered and untranslated IPs, and those who would like us to provide this service for them.
For Clients that want to bring in their own Router/Switch/Firewall/Telephones...
Generally we will require a customer to install their own router or firewall under the following circumstances:
They wish to operate their own DHCP Scope (Private IP Address range)
They wish to host services that require an inbound IP translation, such as email or remote access
They wish to set up a permanent IPSec/VPN tunnel
They have complex/bespoke security policies
They have their own Voice system
Customers who install their own router/firewall device will be issued a Public IP (either from a /30 or a /29), and their traffic will be carried as layer-2 past our shared firewall. There is no need for ACLs at this level, as the IPs are public.
If they require larger than a /29, they will need to justify their requirements to us and we will issue larger if the situation merits it.
For Clients that will only bring in their own PC's/Laptops...
Our shared firewall offering allows any traffic outbound, and no traffic inbound. We do not set up port or static NAT translations, as this will compromise the overall security of the offering, and greatly increase the difficulty in managing the service.
We will issue a customer with a /24 network from the 172.16.0.0/12 RFC1918 block, and set up a DHCP scope for them. The DHCP scope will follow a standard structure, with .1 being the router, and .2-.20 being excluded from the scope for use on servers/printers/etc. The Private IP details will be available for the client via the Service Guide which you can obtain from your centre team.
ACLs will prevent routing between 172.16 networks aside from into this utilities network, to isolate customer networks. The firewall will NAT the 172.16 addresses to its external IP, which is then routed out to the Internet.
How this will be set up...
Once the relevant services are added, the switchports need to be allocated and patched correctly.
On majority of our sites we utilise 802.1X authentication which involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols.
The WiFi Network is setup the same way as the above managed and unmanaged network but with the extension of customer network being broadcasted over the WiFi. As the customer login details and accounts are setup against their VLANs therefore devices only connect and stay within their respective network.