Configuration suggestions (CISCO)

I need to provide internet access to 14 rooms, each with 1 to 8 PC hosts. Internet access will be provided by ONE ADSL router. I need that no communication flows between rooms, but all of them will go to the Internet through the same ADSL router.
I have two ideas: a) VLANS b) Firewalls

a) Using VLANs would separate traffic from each room (1 VLAN per room), but I think that I need a multilayer switch in order to make every VLAN connect to the same ADSL router (is that correct?). If I'm correct, I would like to know the lowest (cheapest) Cisco Catalyst able to perform inter-VLAN routing (which is what I think is necessary for this case, right?).

b) One firewall per room. I'm thinking of one PIX 501 per room. Yes, I know, 14 PIXs, maybe that's too many little green boxes to deal with, but I'm sure this solution would work, though I'm not quite sure it's the best one.

Please, I would like opinions on these two options. Also, which one do you think is the best? Is there any other?

dashburn Commented:
You need 1 Cisco 3550 and 14 cheap $100 switches (Linksys, 3Com, etc.).  Each port on the 3550 is set to a different vlan (one for each room) and a cheap switch is put into each room and uplinked to its respective port.  The 3550 does all the inter vlan routing and the routing to the adsl router.

Set the default gateway on the 3550 to the adsl router (ip default-gateway x.x.x.x)

Do NOT set speed and duplexing (leave the default to auto) on the ports.  I have found that hardcoding it on a 3550 and then plugging in a cheap 3Com makes the duplex not work right.

Start with vlan 10 (or at least don't use vlan1). Starting with 10 just makes counting up easier.

If you are doing dhcp make sure to set a help address on each vlan interface
interface Vlan10
 description Room 1
 ip address
 ip helper-address

The only tricky part (and this isn't really that big a deal) is you mentioned that there should be no access between any of the vlans.  You will need to create an access-list that allows only communication to the gateway and not inter-vlan.

Hope this helps,

Actually you have already given the answers but let me go over them;

The PIX solution is not a good one; what you would like to do is exactly separating subnets (or VLANs in your case), and a firewall per user is not a very good solution for this.

By mentioning "multi layer switch" you are considering performing routing and access-listing on the switch (please correct me if I am wrong), but what you need exactly is (unfortunately) a switch with at least 14 ports (generally this converges to 24) and a hub/micro switch for each room (or a bigger switch with a total port density of 14x8 ports). But you still need a router with access listing features.

Well, another, Cisco specific option would be PVLANs, Private-VLANs (someone correct me if I am wrong). PVLANs do exactly what you are looking for, so they offer an option to complete the whole scenario within a single switch.

2900/2950 series probably support this feature but please check. I am unable to check features at the moment, but please consider PVLANs.

A 2950 will allow this feature to take place, and the 3500 series switches will do this but just a little bit faster and will allow you to scale up.

In addition you could set a non-managed switch in each classroom (save $$) and have each classroom connect to either the Cisco switch or 3Com switch which connects to your ADSL router.  The classroom switches don't have to be anything special, just a basic unmanaged switch.

The 3Com 3300XM version can separate VLANs like this, as can the above mentioned Cisco switches.  I have used both Cisco and 3Com; they work the same, look for the best price.
A layer 3 switch with VLANs is certainly an option.
A PIX firewall everywhere is also certainly an option, but 14x PIX = several 3550 switches.
How much interaction between/amongst the rooms? Firewalls make this difficult at best.

Why not use a low-end broadband router like a Linksys (owned by Cisco) or something in place of the PIXs? Same concept, just a lot less money.

llandajuela (Author) Commented:
Great job, guys! Your opinions really helped. I think that you all agree that the switch option is the best one, discarding the PIX one.

I feel that every answer helped and deserves recognition, but the one that goes right to the point, being extremely clear and specific, is dashburn's. That's why I accepted it as the valid answer, but please, tell me if I should award the rest of the experts and how to do it.

To dashburn, I need some clarifications:
- What is a help address?

- I see that I have 2 prerequisites: A) no inter-VLAN communication, B) every VLAN communicates with the gateway. Because of A) I would think that I don't really need inter-VLAN routing (right?). So, what I want to ask you is: do I really need VLANs and inter-VLAN routing? If you say "You will need to create an access-list that allows only communication to the gateway and not inter-vlan", isn't there a switch just able to filter traffic with access-lists? Maybe it is cheaper because there is no need to configure inter-VLAN routing. (Please, if you feel this is a stupid question, don't waste too much time with it, and go on.)

- I checked the prices for the 3550, and to my surprise, I found that due to a special offer, a 48-port 3550 is only $50 more expensive than a 24-port 3550!! Now, considering that I will probably be using only 14 ports of the switch, which one would you choose?

That's all. As I said, thank you everybody for your truly expert opinions!!

Sorry for the slow response.

The "help" address is a typo.  It should be "helper" address.  DHCP works via broadcast and the point of the switch is to block broadcasts.  So the helper address allows dhcp requests to get through.  Without this you will need a different dhcp server on each vlan.

As far as the 3550 goes you may be able to find a cheaper Cisco model than the 3550.  This has just become such a standard for us, I used the model name really without thinking.  If you do go the 3550 route, pay the extra $50.   I think there is a 3xxx model that has 12 ports that works at layer 3 (routing) but I don't remember for sure.

You don't need inter-vlan routing really, but you do need to route the end users' packets to the dsl modem.  So you will have to have an access-list to allow this.
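Putting dashburn's two answers together (VLAN per room, helper address on each SVI, an access-list that lets rooms reach the gateway but not each other), here is an added example of what the 3550 configuration looks like; it is not taken from the thread, and all VLAN numbers, addresses, port numbers and the ACL name are assumptions.

```cisco
! Catalyst 3550 configuration for the VLAN-per-room design in this
! thread (added example, not from the original posts). All VLAN
! numbers, addresses and the ACL name are assumptions; the Vlan and
! access-port pattern repeats for all 14 rooms.
ip routing
!
vlan 10
 name Room1
vlan 100
 name ADSL-Uplink
!
! One ACL for every room SVI, applied to traffic entering the switch
! from that room. Rooms may reach the DHCP server (192.168.100.10,
! assumed to hold one scope per room subnet), the ADSL router and the
! Internet; anything else in 192.168.0.0/16 (the other rooms) is dropped.
ip access-list extended ROOM-ISOLATION
 permit udp any eq bootpc any eq bootps
 permit ip any host 192.168.100.10
 permit ip any host 192.168.100.1
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 description Room 1
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.100.10
 ip access-group ROOM-ISOLATION in
!
interface Vlan100
 description Link to ADSL router
 ip address 192.168.100.2 255.255.255.0
!
! Room port to the unmanaged switch; speed/duplex stay at auto.
interface FastEthernet0/1
 description Room 1 uplink
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/24
 description ADSL router
 switchport mode access
 switchport access vlan 100
!
! With "ip routing" on, the switch uses a static default route rather
! than ip default-gateway. The ADSL router and DHCP server must have a
! route for 192.168.0.0/16 via 192.168.100.2 or replies never reach the rooms.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

After applying it, verify isolation from a room host: the ADSL router and the Internet answer, while a host in another room's subnet does not.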
