Solved

Configuration suggestions (CISCO)

Posted on 2004-10-04
377 Views
Last Modified: 2008-02-07
I need to provide Internet access to 14 rooms, each with 1 to 8 PC hosts. Internet access will be provided by ONE ADSL router. I need no communication to flow between rooms, but all of them will go to the Internet through the same ADSL router.
I have two ideas: a) VLANS b) Firewalls

a) Using VLANs would separate traffic from each room (1 VLAN per room), but I think that I need a multilayer switch in order to make every VLAN connect to the same ADSL router (is that correct?). If I'm correct, I would like to know the lowest (cheapest) Cisco Catalyst able to perform inter-VLAN routing (which is what I think is necessary for this case, right?).

b) One firewall per room. I'm thinking of one PIX 501 per room. Yes, I know, 14 PIXs, maybe that's too many little green boxes to deal with, but I'm sure this solution would work; I'm just not quite sure it's the best one.

Please, I would like opinions on these two options; also, which one do you think is the best? Is there any other?

Thanks
0
Question by:llandajuela
7 Comments
 
LVL 3

Expert Comment

by:cagri
Actually you have already given the answers, but let me go over them:

The PIX solution is not a good one; what you would like to do is exactly separating subnets (or VLANs in your case), and a firewall per user is not a very good solution for this.

By mentioning "multilayer switch" you are considering performing routing and access-listing on the switch (please correct me if I am wrong), but what you need exactly is (unfortunately) a switch with at least 14 ports (generally this converges to 24) and a hub/micro switch for each room (or a bigger switch with a total port density of 14x8 ports). But you still need a router with access-listing features.

Well, another, Cisco-specific option would be PVLANs, Private VLANs (someone correct me if I am wrong); PVLANs do exactly what you are looking for. So that offers an option to complete the whole scenario within a single switch.

2900/2950 series probably support this feature but please check. I am unable to check features at the moment, but please consider PVLANs.

Regards,
0
 
LVL 1

Expert Comment

by:jrskeen
A 2950 will allow this feature to take place, and the 3500 series switches will do this but just a little bit faster and will allow you to scale up.
0
 
LVL 12

Expert Comment

by:Mazaraat
In addition you could set a non-managed switch in each classroom (save $$) and have each classroom connect to either the Cisco switch or 3Com switch, which connects to your ADSL router. The classroom switches don't have to be anything special, just a basic unmanaged switch.

The 3Com 3300XM version can separate VLANs like this, as can the above-mentioned Cisco switches. I have used both Cisco and 3Com; they work the same, so look for the best price.
0
 
LVL 79

Expert Comment

by:lrmoore
A layer 3 switch with VLANS is certainly an option.
A PIX firewall everywhere is also certainly an option, but 14x PIX = several 3550 switches.
How much interaction between/amongst the rooms? Firewalls make this difficult at best.

Why not use a low-end broadband router like a Linksys (owned by Cisco) or something in place of the PIXs? Same concept, just a lot less money.

0
 

Accepted Solution

by:
dashburn earned 250 total points
You need 1 Cisco 3550 and 14 cheap $100 switches (Linksys, 3Com, etc.). Each port on the 3550 is set to a different VLAN (one for each room) and a cheap switch is put into each room and uplinked to its respective port. The 3550 does all the inter-VLAN routing and the routing to the ADSL router.

Set the default gateway on the 3550 to the ADSL router (ip default-gateway x.x.x.x).

Do NOT set speed and duplexing (leave the default at auto) on the ports. I have found that hardcoding it on a 3550 and then plugging in a cheap 3Com makes the duplex not work right.

Start with VLAN 10 (or, at any rate, don't use VLAN 1). Starting with 10 just makes counting up easier.

If you are doing DHCP, make sure to set a help address on each VLAN interface:
interface Vlan10
 description Room 1
 ip address 192.168.1.10 255.255.255.0
 ip helper-address 192.168.1.2

The only tricky part (and this isn't really that big a deal) is that you mentioned there should be no access between any of the VLANs. You will need to create an access-list that allows only communication to the gateway and not inter-VLAN.

Hope this helps,

0
 

Author Comment

by:llandajuela
Great job, guys! Your opinions really helped. I think that you all agree that the switch option is the best one, discarding the PIX one.

I feel that every answer helped and deserves recognition, but the one that goes right to the point, being extremely clear and specific, is dashburn's. That's why I accepted it as the valid answer, but please tell me if I should award the rest of the experts and how to do it.

To dashburn, I need some clarifications:
- What is a help address?

- I see that I have 2 prerequisites: A) no inter-VLAN communication, B) every VLAN communicates with the gateway. Because of A) I would think that I don't really need inter-VLAN routing (right?). So, what I want to ask you is: do I really need VLANs and inter-VLAN routing? If you say "You will need to create an access-list that allows only communication to the gateway and not inter-vlan", isn't there a switch just able to filter traffic with access-lists? And maybe it is cheaper because there is no need to configure inter-VLAN routing. (Please, if you feel this is a stupid question, don't waste too much time with it, and go on.)

- I checked the prices for the 3550, and to my surprise, I found that due to a special offer, a 48-port 3550 is only $50 more expensive than a 24-port 3550!! Now, considering that I will probably be using only 14 ports of the switch, which one would you choose?


That's all; as I said, thank you everybody for your truly expert opinions!!

0
 

Expert Comment

by:dashburn
Sorry for the slow response.

The "help" address is a typo. It should be "helper" address. DHCP works via broadcast and the point of the switch is to block broadcasts. So the helper address allows DHCP requests to get through. Without this you will need a different DHCP server on each VLAN.

As far as the 3550 goes, you may be able to find a cheaper Cisco model than the 3550. This has just become such a standard for us that I used the model name really without thinking. If you do go the 3550 route, pay the extra $50. I think there is a 3xxx model that has 12 ports that works at layer 3 (routing), but I don't remember for sure.

You don't need inter-VLAN routing really, but you do need to route the end users' packets to the DSL modem. So you will have to have an access-list to allow this.


Daniel
0
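The accepted solution above (one VLAN per room on a 3550, a helper address on each VLAN interface, and an access-list that allows only gateway-bound traffic) and dashburn's follow-up (route the users' packets to the DSL modem while blocking inter-VLAN traffic) written out as one complete IOS configuration. This is an added example, not dashburn's configuration or anything from the thread: the VLAN numbers, interface names, ACL names, the 192.168.x.x addresses, and the placement of the DHCP server on the uplink VLAN are all assumptions. Because `ip routing` is enabled here, the path to the ADSL router is a static default route rather than the `ip default-gateway` command mentioned above (which only applies when routing is disabled).

```cisco
! Added example (constructed, not from the thread): Catalyst 3550 with one
! VLAN per room, all rooms reaching one ADSL router, no room-to-room traffic.
! All addresses, VLAN numbers and names below are assumptions.
ip routing
!
! VLAN 2 holds the ADSL router (192.168.0.1) and the DHCP server (192.168.0.10).
! Rooms 1-14 use VLANs 10-23 with subnets 192.168.10.0/24 .. 192.168.23.0/24.
vlan 2
 name UPLINK
vlan 10
 name ROOM1
vlan 11
 name ROOM2
! vlan 12-23 for rooms 3-14 follow the same pattern
!
interface FastEthernet0/1
 description ADSL router
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/2
 description Room 1 unmanaged switch (speed/duplex left at auto)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 description Room 2 unmanaged switch
 switchport mode access
 switchport access vlan 11
!
! One ACL per room, applied inbound on that room's VLAN interface:
!  1. DHCP broadcasts must reach the relay (helper) before anything is denied
!  2. hosts may ping their own gateway for troubleshooting
!  3. every other 192.168.x.x subnet (other rooms, uplink VLAN) is blocked
!  4. everything else is Internet traffic and is routed to the ADSL router
ip access-list extended ROOM1-ISOLATION
 remark allow DHCP client -> server broadcasts to be relayed
 permit udp any eq bootpc any eq bootps
 remark allow ping to this room's own gateway
 permit icmp any host 192.168.10.1
 remark block all other rooms and the uplink/management subnet
 deny ip any 192.168.0.0 0.0.255.255
 remark remaining traffic is Internet-bound
 permit ip any any
!
ip access-list extended ROOM2-ISOLATION
 permit udp any eq bootpc any eq bootps
 permit icmp any host 192.168.11.1
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan2
 description Uplink to ADSL router
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan10
 description Room 1
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.0.10
 ip access-group ROOM1-ISOLATION in
!
interface Vlan11
 description Room 2
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 192.168.0.10
 ip access-group ROOM2-ISOLATION in
!
! With ip routing enabled, use a static default route to the ADSL router
ip route 0.0.0.0 0.0.0.0 192.168.0.1
```

Rooms 3 to 14 repeat the same three pieces (access port, ACL, VLAN interface) with their own VLAN number and subnet. Two things are easy to miss: the ADSL router must have a return route for each room subnet (or a summary covering them) pointing at 192.168.0.2, or replies from the Internet never reach the rooms; and the `deny` line also keeps hosts away from the ADSL router's own address, which is normally what you want. An ACL on a VLAN interface only filters routed traffic, so PCs inside one room still see each other through their unmanaged switch, which matches the question. To check the isolation, ping a host in another room from room 1 and watch the hit counter on the `deny` line grow in `show access-lists ROOM1-ISOLATION`.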