Solved

Configuration suggestions (CISCO)

Posted on 2004-10-04
7
388 Views
Last Modified: 2008-02-07
I need to provide internet access to 14 rooms, each with 1 to 8 PC hosts. Internet access will be provided by ONE ADSL router. I need that no communication flows between rooms, but all of them will go to the Internet through the same ADSL router.
I have two ideas: a) VLANs b) Firewalls

a) Using VLANs would separate traffic from each room (1 VLAN per room), but I think that I need a multilayer switch in order to make every VLAN connect to the same ADSL router (is that correct?). If I'm correct, I would like to know the lowest (cheapest) Cisco Catalyst able to perform inter-VLAN routing (which is what I think is necessary for this case, right?).

b) One firewall per room. I'm thinking of one PIX 501 per room. Yes, I know, 14 PIXes, maybe that's too many little green boxes to deal with, but this solution I'm sure would work, though I'm not quite sure it's the best one.

Please, I would like opinions on these two options. Also, which one do you think is the best? Is there any other?

Thanks
0
Question by:llandajuela
7 Comments
 
LVL 3

Expert Comment

by:cagri
ID: 12220884
Actually you have already given the answers, but let me go over them:

The PIX solution is not a good one. What you would like to do is exactly separating subnets (or VLANs in your case); a firewall per user is not a very good solution for this.

By mentioning "multi layer switch" you are considering performing routing and access-listing on the switch (please correct me if I am wrong), but what you need exactly is (unfortunately) a switch with at least 14 ports (generally this converges to 24) and a hub/micro switch for each room (or a bigger switch with a total port density of 14x8 ports). But you still need a router with access-listing features.

Well, another, Cisco-specific option would be PVLANs, Private VLANs (someone correct me if I am wrong). PVLANs do exactly what you are looking for, so they offer an option to complete the whole scenario within a single switch.

The 2900/2950 series probably support this feature, but please check. I am unable to check features at the moment, but please consider PVLANs.

Regards,
0
 
LVL 1

Expert Comment

by:jrskeen
ID: 12221039
A 2950 will allow this feature to take place, and the 3500 series switches will do this but just a little bit faster and will allow you to scale up.
0
 
LVL 12

Expert Comment

by:Mazaraat
ID: 12222191
In addition you could set a non-managed switch in each classroom (save $$) and have each classroom connect to either the Cisco switch or 3Com switch which connects to your ADSL router.  The classroom switches don't have to be anything special, just a basic unmanaged switch.

The 3Com 3300XM version can separate VLANs like this, as can the above-mentioned Cisco switches.  I have used both Cisco and 3Com; they work the same, so look for the best price.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12222605
A layer 3 switch with VLANS is certainly an option.
A PIX firewall everywhere is also certainly an option, but 14x PIX = several 3550 switches.
How much interaction between/amongst the rooms? Firewalls make this difficult at best.

Why not use a low-end broadband router like a Linksys (owned by Cisco) or something in place of the PIXes? Same concept, just a lot less money.

0
 

Accepted Solution

by: dashburn (earned 250 total points)
ID: 12229391
You need 1 Cisco 3550 and 14 cheap $100 switches (Linksys, 3Com, etc.).  Each port on the 3550 is set to a different VLAN (one for each room) and a cheap switch is put into each room and uplinked to its respective port.  The 3550 does all the inter-VLAN routing and the routing to the ADSL router.

Set the default gateway on the 3550 to the ADSL router (ip default-gateway x.x.x.x).

Do NOT set speed and duplexing (leave the default to auto) on the ports.  I have found that hardcoding it on a 3550 and then plugging in a cheap 3Com makes the duplex not work right.

Start with VLAN 10 (or at any rate, don't use VLAN 1). Starting with 10 just makes counting up easier.

If you are doing DHCP, make sure to set a help address on each VLAN interface:
interface Vlan10
 description Room 1
 ip address 192.168.1.10 255.255.255.0
 ip helper-address 192.168.1.2

The only tricky part (and this isn't really that big a deal) is that you mentioned there should be no access between any of the VLANs.  You will need to create an access-list that allows only communication to the gateway and not inter-VLAN.

Hope this helps,

0
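The design in the accepted answer (one SVI per room, a DHCP helper on each, and an access-list that stops room-to-room traffic while still letting every room reach the ADSL router) and dashburn's follow-up about routing the users' packets to the DSL modem can be written out as one IOS configuration. The following is an added example, not the poster's configuration: the addressing (10.10.N.0/24 per room, 10.0.0.0/24 for the uplink segment), the VLAN numbers above 10, the ACL name ROOM-ISOLATION and the port assignments are all constructed placeholders. Only two rooms are shown; rooms 3 to 14 repeat the same pattern with the next VLAN and subnet.

```cisco
! Added example for a Catalyst 3550 acting as the per-room VLAN router.
! All addresses and VLAN numbers below are constructed placeholders.
ip routing
!
vlan 10
 name Room-1
vlan 11
 name Room-2
vlan 100
 name Uplink-ADSL
!
! One routed interface (SVI) per room. The helper address relays the
! room's DHCP broadcasts to a single DHCP server on the uplink segment,
! so one server can serve all 14 rooms. The same ACL is applied inbound
! on every room SVI.
interface Vlan10
 description Room 1
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip access-group ROOM-ISOLATION in
!
interface Vlan11
 description Room 2
 ip address 10.10.11.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip access-group ROOM-ISOLATION in
!
! Segment shared by the ADSL router (10.0.0.254) and the DHCP server (10.0.0.2).
interface Vlan100
 description Uplink to ADSL router and DHCP server
 ip address 10.0.0.1 255.255.255.0
!
! Access ports: one per room, each feeding that room's unmanaged switch.
! Speed/duplex deliberately left at auto, as the answer recommends.
interface FastEthernet0/1
 description Room 1 unmanaged switch
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/2
 description Room 2 unmanaged switch
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
!
interface FastEthernet0/24
 description ADSL router
 switchport mode access
 switchport access vlan 100
!
! With "ip routing" enabled the switch forwards by its routing table, so
! the path to the Internet is a default route, not "ip default-gateway".
ip route 0.0.0.0 0.0.0.0 10.0.0.254
!
! Evaluated top-down on traffic entering each room SVI:
!  1. let DHCP discover/request broadcasts reach the helper
!  2. drop anything from a room subnet to any other room subnet
!  3. allow everything else (the ADSL router and the Internet beyond it)
ip access-list extended ROOM-ISOLATION
 remark allow DHCP client broadcasts so the helper-address can relay them
 permit udp any eq bootpc any eq bootps
 remark block every room from every other room (all rooms live in 10.10.0.0/16)
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark everything else goes to the ADSL router
 permit ip 10.10.0.0 0.0.255.255 any
```

Two points worth checking when deploying something like this. First, the ADSL router sees source addresses from fourteen different /24s behind 10.0.0.1, so it must either have a static route for 10.10.0.0/16 pointing back at the 3550 or be configured to NAT that whole range; otherwise replies never return. Second, the deny line also stops a host from pinging its own gateway SVI (10.10.10.1 is inside 10.10.0.0/16); that is harmless for forwarding, but if you want gateway pings for troubleshooting, add a `permit icmp any host <svi-address>` line before the deny on each room's copy of the ACL. `show access-lists ROOM-ISOLATION` shows per-line hit counters, which is the quickest way to confirm the deny is actually catching room-to-room attempts.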
 

Author Comment

by:llandajuela
ID: 12230440
Great job, guys! Your opinions really helped. I think that you all agree that the switch option is the best one, discarding the PIX one.

I feel that every answer helped and deserves recognition, but the one that goes right to the point, being extremely clear and specific, is dashburn's. That's why I accepted it as the valid answer, but please, tell me if I should award the rest of the experts and how to do it.

To dashburn, I need some clarifications:
- What is a help address?

- I see that I have 2 prerequisites: A) no inter-VLAN communication B) every VLAN communicates to the gateway. Because of A) I would think that I don't really need inter-VLAN routing (right?). So, what I want to ask you is: do I really need VLANs and inter-VLAN routing? If you say "You will need to create an access-list that allows only communication to the gateway and not inter-vlan", isn't there a switch just able to filter traffic with access-lists? And maybe it is cheaper because there is no need to configure inter-VLAN routing. (Please, if you feel this is a stupid question, don't waste too much time with it, and go on.)

- I checked the prices for the 3550, and to my surprise, I found that due to a special offer, a 48-port 3550 is only $50 more expensive than a 24-port 3550!! Now, considering that I will probably be using only 14 ports of the switch, which one would you choose?


That's all. As I said, thank you everybody for your truly expert opinions!!

0
 

Expert Comment

by:dashburn
ID: 12262237
Sorry for the slow response.

The "help" address is a typo.  It should be "helper" address.  DHCP works via broadcast and the point of the switch is to block broadcasts.  So the helper address allows DHCP requests to get through.  Without this you will need a different DHCP server on each VLAN.

As far as the 3550 goes, you may be able to find a cheaper Cisco model than the 3550.  This has just become such a standard for us that I used the model name really without thinking.  If you do go the 3550 route, pay the extra $50.   I think there is a 3xxx model that has 12 ports that works at layer 3 (routing), but I don't remember for sure.

You don't need inter-VLAN routing really, but you do need to route the end users' packets to the DSL modem.  So you will have to have an access-list to allow this.


Daniel
0
