RV042 and Network Design

We have a kind of spoke-and-hub setup with a main site and several smaller sites, some only 1 or 2 people small. We do not have a network guru here of any kind. We have a couple of programmers and a couple of guys that take care of everything from Exchange, to toner, to VMware.

For the larger sites we have VPN lines from TW of T-1 or greater. For the smaller sites (12) we have cable or DSL connections. As of now we have RV042s at the smaller sites, and various Cisco routers at the larger sites (some are ours, some are TW's; it isn't consistent). We are wanting to get our network to a more manageable level, and add in VLANs with QoS for our IP phones. We're looking at putting 1 Layer 3 switch at each location, in order to handle the QoS. Edit: on the VLANs we're planning data, voice, servers, network hardware, wireless guest separate, possibly credit card machines, which are on our network and need to be moved off or VLAN'd off.

My question then would be, will those RV042s, which are VPN'd in to a Cisco router at our hub, pass the VLAN data to the hub OK? If not, what would you recommend as a replacement? To take that a step further, if you offer a replacement, does it make sense to not get L3 switches at the smaller sites and just do the QoS at the router level (or is that even possible)? Also, feel free to point out any flaws or ask any questions.
Asked by CoffeeBlack
2 Solutions
 
ddiazp commented:
L3 switches would be a waste for offices with so few people. The whole point of QoS is to prioritize voice traffic when there's enough traffic to actually require it to be classified. In addition, for the users with DSL, keep in mind their upload speed is very low - are you deploying your own call server on the main site? If so, you'd want to focus on compression more.

VLAN data does not get passed across VPNs. For easy manageability, you'd create the same VLANs on all sites but they still would not know about each other. They just get routed as usual.

What we do where I work is:

VLAN 500 on all sites for data (10.1.5.0/24 site A, 10.2.5.0 site B, 10.3.5.0 site C, etc.).
VLAN 600 on all sites for servers (10.1.6.0/24 site A, 10.2.6.0 site B, 10.3.6.0 site C, etc.).
VLAN 700 on all sites for voice (10.1.7.0/24 site A, 10.2.7.0 site B, 10.3.7.0 site C, etc.).

and so on. We have a couple of L3 switches stacked on the main site, and regular Layer 2 switches everywhere else (our smallest offices have 5-10 people).
 
CoffeeBlack (Author) commented:
How do/would you deal with PCI compliance (running credit cards) in places without VLANs which are still going to be required to run over the same network?
 
ddiazp commented:
Our database servers that contain credit card information, which are PCI compliant, are on their own VLAN on our main site, and we have strict access-list rules on what can talk to these databases on the access switches they connect to, but we don't send this information to our other sites via VPN.

In your case, because you do need to transmit this information via a VPN that runs traffic over public/external private networks, you need to make sure the encryption is strong enough (PCI compliance doesn't specifically say how strong); AES256 would be the minimum I think, and you should use an established protocol like IPsec or SSL/TLS.

On your remote office you could indeed have 2 or more VLANs, place your credit card devices/servers on a VLAN, and restrict VPN traffic based on that VLAN. When traffic gets to your head office, your firewall will not see any VLAN tag, but based on the destination IP it will send it off to the credit card VLAN.
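The segmentation ddiazp describes, as an added example that is not from the thread: a small Python model of the per-site addressing plan (10.&lt;site&gt;.&lt;VLAN/100&gt;.0/24, with a card VLAN 800 assumed here) that builds the extended ACL guarding the hub card VLAN (assumed Cisco IOS syntax on the hub router; the RV042 side would be configured in its own GUI), evaluates address pairs against it, and maps an untagged packet arriving over the VPN to a hub VLAN by destination address.

```python
import ipaddress

# Addressing plan from the answer: VLAN 500/600/700 on every site, numbered
# 10.<site>.<VLAN/100>.0/24. The card VLAN 800 is an assumption added here.
VLANS = {"data": 500, "servers": 600, "voice": 700, "cards": 800}


def site_subnet(site, role):
    """Return the /24 for a site number and VLAN role, e.g. site 2 cards -> 10.2.8.0/24."""
    return ipaddress.ip_network(f"10.{site}.{VLANS[role] // 100}.0/24")


def card_acl(remote_site, hub_site=1):
    """Lines guarding the hub card VLAN (assumed IOS form 'permit ip SRC WILDCARD
    DST WILDCARD'): only the remote card VLAN may reach it; the remote
    data/servers/voice VLANs are explicitly denied, everything else hits the
    implicit deny."""
    dst = site_subnet(hub_site, "cards")

    def entry(action, src):
        return (f"{action} ip {src.network_address} {src.hostmask} "
                f"{dst.network_address} {dst.hostmask}")

    lines = [entry("permit", site_subnet(remote_site, "cards"))]
    lines += [entry("deny", site_subnet(remote_site, r)) for r in VLANS if r != "cards"]
    return lines


def allowed(src_ip, dst_ip, acl_lines):
    """Evaluate one address pair: first matching line wins; an unmatched pair
    falls through to the implicit deny that ends every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, _, sa, sw, da, dw = line.split()
        # ipaddress accepts 'address/hostmask', which is exactly the IOS wildcard form
        if s in ipaddress.ip_network(f"{sa}/{sw}") and d in ipaddress.ip_network(f"{da}/{dw}"):
            return action == "permit"
    return False


def hub_vlan_for(dst_ip, hub_site=1):
    """The hub sees no VLAN tag on VPN traffic; it picks the VLAN by destination subnet."""
    d = ipaddress.ip_address(dst_ip)
    for role, vid in VLANS.items():
        if d in site_subnet(hub_site, role):
            return vid
    return None  # not a hub VLAN, e.g. traffic destined for another spoke


if __name__ == "__main__":
    acl = card_acl(remote_site=2)
    print("\n".join(acl))
    print(allowed("10.2.8.10", "10.1.8.20", acl), allowed("10.2.5.10", "10.1.8.20", acl))
    print(hub_vlan_for("10.1.8.20"))
```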
 
CoffeeBlack (Author) commented:
Thank you, that's exactly what I was looking for.