

Configuration suggestions (CISCO)

Posted on 2004-10-04
Last Modified: 2008-02-07
I need to provide Internet access to 14 rooms, each with 1 to 8 PC hosts. Internet access will be provided by ONE ADSL router. I need no communication to flow between rooms, but all of them will reach the Internet through the same ADSL router.
I have two ideas: a) VLANs b) Firewalls

a) Using VLANs would separate traffic from each room (1 VLAN per room), but I think that I need a multilayer switch in order to make every VLAN connect to the same ADSL router (is that correct?). If I'm correct, I would like to know the lowest (cheapest) Cisco Catalyst able to perform inter-VLAN routing (which is what I think is necessary for this case, right?).

b) One firewall per room. I'm thinking of one PIX 501 per room. Yes, I know, 14 PIXes, maybe that's too many little green boxes to deal with, but I'm sure this solution would work; I'm just not sure it's the best one.

Please, I would like opinions on these two options too. Which one do you think is the best? Is there any other?

Question by:llandajuela
Expert Comment

ID: 12220884
Actually you have already given the answers but let me go over them;

The PIX solution is not a good one. What you would like to do is exactly separating subnets (or VLANs in your case); a firewall per user is not a very good solution for this.

By mentioning "multilayer switch" you are considering performing routing and access-listing on the switch (please correct me if I am wrong), but what you need exactly is (unfortunately) a switch with at least 14 ports (generally this converges to 24) and a hub/micro switch for each room (or a bigger switch with a total port density of 14x8 ports). But you still need a router with access-listing features.

Well, another, Cisco-specific option would be PVLANs, Private VLANs (someone correct me if I am wrong). PVLANs do exactly what you are looking for, so they offer an option to complete the whole scenario within a single switch.

The 2900/2950 series probably support this feature, but please check. I am unable to check features at the moment, but please consider PVLANs.
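What the single-switch idea in the comment above looks like in practice, as an added example that is not part of the original thread. A Catalyst 2950 does not implement full private VLANs (isolated/community secondary VLANs), but it does have `switchport protected` (Cisco documents it as "PVLAN edge"), which is enough for this scenario: protected ports on the same switch never forward traffic to each other, only to unprotected ports. Port numbers are assumptions; all 14 rooms share one VLAN and one subnet here, so the ADSL router needs no extra routes:

```cisco
! Constructed example: one layer-2 switch, no routing, one access port per room.
! Fa0/1-14 go to the 14 unmanaged room switches; Fa0/24 goes to the ADSL router.
! Port numbers and the use of VLAN 1 are assumptions for the example.
hostname ROOMS-2950
!
! Every room port is protected: frames received on a protected port are never
! forwarded out another protected port, regardless of unicast/broadcast/multicast.
interface range FastEthernet0/1 - 14
 description Room ports (one unmanaged switch per room)
 switchport mode access
 switchport access vlan 1
 switchport protected
!
! The router port is deliberately NOT protected, so every room can reach it
! and the router's replies can reach every room.
interface FastEthernet0/24
 description ADSL router LAN port (unprotected)
 switchport mode access
 switchport access vlan 1
```

Two caveats a practitioner would want before choosing this over a routed design. First, the isolation holds only within this one switch: the per-room unmanaged switches still let hosts inside a room talk freely, which matches the requirement, but if a second protected-port switch is ever chained in, protected ports on different switches can reach each other. Second, because all rooms sit in one subnet, a host that deliberately sends frames for a neighbour's IP to the router's MAC address is relying on the ADSL router to refuse to forward them back out the same interface; some routers do forward (and send an ICMP redirect), so if that matters, the routed per-room-subnet design with an ACL is the stronger choice.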


Expert Comment

ID: 12221039
A 2950 will allow this feature to take place, and the 3500 series switches will do this but just a little bit faster and will allow you to scale up.

Expert Comment

ID: 12222191
In addition, you could put a non-managed switch in each classroom (save $$) and have each classroom connect to either the Cisco switch or a 3Com switch which connects to your ADSL router.  The classroom switches don't have to be anything special, just a basic unmanaged switch.

The 3Com 3300XM version can separate VLANs like this, as can the above-mentioned Cisco switches.  I have used both Cisco and 3Com; they work the same, look for the best price.

Expert Comment

ID: 12222605
A layer 3 switch with VLANs is certainly an option.
A PIX firewall everywhere is also certainly an option, but 14x PIX = several 3550 switches.
How much interaction is there between/amongst the rooms? Firewalls make this difficult at best.

Why not use a low-end broadband router like a Linksys (owned by Cisco) or something in place of the PIXs? Same concept, just a lot less money..


Accepted Solution

dashburn earned 1000 total points
ID: 12229391
You need 1 Cisco 3550 and 14 cheap $100 switches (Linksys, 3Com, etc.).  Each port on the 3550 is set to a different VLAN (one for each room) and a cheap switch is put into each room and uplinked to its respective port.  The 3550 does all the inter-VLAN routing and the routing to the ADSL router.

Set the default gateway on the 3550 to the adsl router (ip default-gateway x.x.x.x)

Do NOT set speed and duplex (leave the default of auto) on the ports.  I have found that hardcoding it on a 3550 and then plugging in a cheap 3Com makes the duplex not work right.

Start with VLAN 10 (or at least don't use VLAN 1). Starting with 10 just makes counting up easier.

If you are doing dhcp make sure to set a help address on each vlan interface
interface Vlan10
 description Room 1
 ip address
 ip helper-address

The only tricky part (and this isn't really that big a deal) is that you mentioned no access between any of the VLANs.  You will need to create an access-list that allows only communication to the gateway and not inter-VLAN.

Hope this helps,


Author Comment

ID: 12230440
Great job, guys! Your opinions really helped. I think that you all agree that the switch option is the best one, discarding the PIX one.

I feel that every answer helped and deserves recognition, but the one that goes right to the point, being extremely clear and specific, is dashburn's. That's why I accepted it as the valid answer, but please, tell me if I should award the rest of the experts and how to do it.

To dashburn, I need some clarifications:
- What is a help address?

- I see that I have 2 prerequisites: A) no inter-VLAN communication, B) every VLAN communicates with the gateway. Because of A) I would think that I don't really need inter-VLAN routing (right?). So, what I want to ask you is: do I really need VLANs and inter-VLAN routing? If you say "You will need to create an access-list that allows only communication to the gateway and not inter-vlan", isn't there a switch just able to filter traffic with access-lists? Maybe it is cheaper because there is no need to configure inter-VLAN routing. (Please, if you feel this is a stupid question, don't waste too much time with it, and go on.)

- I checked the prices for the 3550, and to my surprise, I found that due to a special offer, a 48-port 3550 is only $50 more expensive than a 24-port 3550!! Now, considering that I will probably be using only 14 ports of the switch, which one would you choose?

That's all. As I said, thank you everybody for your truly expert opinions!!


Expert Comment

ID: 12262237
Sorry for the slow response.

The "help" address is a typo.  It should be "helper" address.  DHCP works via broadcast and the point of the switch is to block broadcasts.  So the helper address allows DHCP requests to get through.  Without this you will need a different DHCP server on each VLAN.

As far as the 3550 goes, you may be able to find a cheaper Cisco model than the 3550.  This has just become such a standard for us that I used the model name really without thinking.  If you do go the 3550 route, pay the extra $50.   I think there is a 3xxx model that has 12 ports that works at layer 3 (routing), but I don't remember for sure.

You don't need inter-VLAN routing really, but you do need to route the end users' packets to the DSL modem.  So you will have to have an access-list to allow this.
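The accepted solution and the follow-up above describe the design but only sketch the configuration. Here is the complete 3550 configuration that design implies, as an added example that is not part of the original thread or dashburn's own config. Addresses, VLAN numbers, port assignments and the existence of a DHCP/DNS server in a separate VLAN 200 are assumptions; the thread gives none of them. Only two rooms are written out, the remaining twelve follow the same pattern. One detail worth knowing: once `ip routing` is enabled (and it must be, or the SVIs will not forward), the switch forwards by its routing table, so the path to the ADSL router is a static default route rather than `ip default-gateway`, which only governs the switch's own management traffic when routing is off:

```cisco
! Constructed example for the design in the accepted solution: one Catalyst 3550,
! one access port and one SVI per room, one shared ACL that blocks room-to-room
! traffic while still allowing DHCP relay and Internet-bound traffic.
! Addresses, VLAN numbers and port assignments are assumptions, not from the thread.
hostname ROOMS-3550
!
ip routing                                  ! required: SVIs do not route without it
!
vlan 10
 name Room-1
vlan 11
 name Room-2
! ... vlan 12 through 23 for Rooms 3 to 14, same pattern
vlan 100
 name Uplink-ADSL
vlan 200
 name Servers
!
! One room per access port. No trunks: the room switches are unmanaged.
! Speed/duplex are left at auto, as the accepted solution recommends.
interface FastEthernet0/1
 description Room 1 (unmanaged switch)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description Room 2 (unmanaged switch)
 switchport mode access
 switchport access vlan 11
! ... Fa0/3 through Fa0/14 in VLANs 12 through 23
!
interface FastEthernet0/23
 description DHCP/DNS server (assumed, 192.168.200.10)
 switchport mode access
 switchport access vlan 200
!
interface FastEthernet0/24
 description ADSL router LAN port (assumed 192.168.100.1)
 switchport mode access
 switchport access vlan 100
!
! The isolation filter. It is applied inbound on every room SVI, so it is written
! in terms of destinations rather than per-room sources and is reused unchanged.
ip access-list extended ROOM-ISOLATION
 remark DHCP discover/request arrives as a broadcast; permit it so ip helper-address can relay it
 permit udp any eq bootpc any eq bootps
 remark shared services (DHCP renewals, DNS) live in VLAN 200
 permit ip any 192.168.200.0 0.0.0.255
 remark anything else in the private range is another room or a switch SVI: drop it
 deny   ip any 192.168.0.0 0.0.255.255
 remark what remains is Internet-bound and follows the default route to the ADSL router
 permit ip any any
!
interface Vlan10
 description Room 1
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.200.10         ! relays the DHCP broadcast to the server
 ip access-group ROOM-ISOLATION in
!
interface Vlan11
 description Room 2
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 192.168.200.10
 ip access-group ROOM-ISOLATION in
! ... Vlan12 through Vlan23, same pattern, third octet = VLAN number
!
interface Vlan200
 description Servers
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan100
 description Uplink to ADSL router
 ip address 192.168.100.2 255.255.255.252
!
! With ip routing on, the Internet path is a static default route.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

Two checks before declaring this done. The ADSL router must know the way back: return traffic for 192.168.10.0/24 through 192.168.23.0/24 arrives at the router from the Internet, and it needs a static route for that range (a summary such as 192.168.0.0/16 via 192.168.100.2 is simplest) or the rooms get no replies; a consumer ADSL router that cannot take static routes is the one thing that breaks this design. And the ACL as written also denies a host from pinging its own gateway SVI, which is consistent with "communicate only to the gateway" in the routing sense but surprises people during testing; add a `permit ip any host 192.168.10.1` style line per room, or test from a room host against an Internet address instead. The deny-before-permit order is what makes the isolation real: the final `permit ip any any` must stay last, and the 3550 applies the ACL in hardware, so there is no throughput penalty for the rule count.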

