Network design for 24 users

Answered Question
Aug 24th, 2010

Hi everyone,

I was planning on changing one of my clients' network switches and routers from D-Link to Cisco. The office has around 22 users, and all of them share printers and access the Internet to send mail. They also have POP3 & SMTP clients.

I've set up the Cisco ADSL Router 877 and an old 2950 Catalyst switch. I've created a VLAN to block YouTube and Facebook for specific users using extended access lists on the router.

I'll post the config of both the router and the switch later when I get to the client's place.

Questions:

1. Is there anything more that I should do to enhance security and protect the users from any virus or spyware entering the network?

2. What more should I add to create more VLANs, as the present router lets me add only two VLANs?

Thank you in advance.

Correct Answer by Leo Laohoo about 6 years 6 months ago

2. What more should I add to create more VLANs, as the present router lets me add only two VLANs?

Choose another router. The 870 supports up to 2 VLANs, and one of them is VLAN 1.

The 890 supports up to 14 VLANs.

The 880 supports up to 8 VLANs.

The 860 supports up to 2 VLANs.

And yes, the VLAN support also includes the default VLAN 1.

Don't forget to rate useful posts.  Thanks.


anishkgthomas Wed, 08/25/2010 - 02:49

Thank you Leo for the info.

Following are the configs of the router and the switch.

Router

Building configuration...

Current configuration : 5404 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R877
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
enable secret *********
enable password *************
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.252
ip dhcp excluded-address 192.168.2.253
ip dhcp excluded-address 192.168.3.254
ip dhcp excluded-address 192.168.2.254
!
ip dhcp pool Galileo
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 212.77.192.59 212.77.192.60
   domain-name AlQayedTravel
!
ip dhcp pool Galileovlan2
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server 212.77.192.59 212.77.192.60
   domain-name AlQayedTravel(vlan2)
!
!
ip host switch 192.168.1.252
ip host sw1 192.168.1.252
ip host r877 192.168.1.254
ip name-server 212.77.192.59
ip name-server 212.77.192.60
!
!
!
vtp domain AlQayedTravel
vtp mode transparent
username cisco password ***********
!
!
archive
 log config
  hidekeys
!
!
vlan 2
 name Restricted_Agents
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 description To F0/24 of Cisco Switch
 switchport mode trunk
!
interface FastEthernet1
 description Connected to Linksys Wireless device in vlan2
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description Default VLAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group vlan1-block in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description 2blockFaceBook-specificUsers
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname s4368777
 ppp chap password 7 13544541
 ppp pap sent-username s4368777 password 7 08701E1D
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
ip access-list extended vlan1-block
 deny   ip any host 82.148.98.144
 deny   ip any host 82.148.98.147
 deny   ip any host 82.148.98.148
 deny   ip any host 82.148.98.150
 deny   ip any host 82.148.98.151
 deny   ip any host 82.148.98.153
 permit tcp any any eq www
 permit ip any host 97.74.67.139
 permit tcp any any eq 5938
 permit ip any host 208.255.223.98
 permit ip any host 70.159.31.98
 permit ip any host 70.159.31.115
 permit ip any host 75.112.138.115
 permit tcp any host 195.27.162.15 eq 9876
 permit tcp any host 195.27.162.31 eq 9876
 permit tcp any 192.168.2.0 0.0.0.255
 permit tcp any 192.168.2.0 0.0.0.255 eq 445
 permit tcp any host 192.168.1.254 eq telnet
 permit tcp any eq telnet host 192.168.1.254
 permit tcp any host 192.168.1.252 eq telnet
 permit tcp any eq telnet host 192.168.1.252
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit udp any 192.168.2.0 0.0.0.255 eq netbios-dgm
 permit udp any 192.168.2.0 0.0.0.255 eq netbios-ns
 permit udp any 192.168.2.0 0.0.0.255 eq netbios-ss
 permit udp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 deny   ip any any
ip access-list extended vlan2-block
 deny   ip any host 82.148.98.144
 deny   ip any host 82.148.98.147
 deny   ip any host 82.148.98.148
 deny   ip any host 82.148.98.150
 deny   ip any host 82.148.98.151
 deny   ip any host 82.148.98.153
 deny   ip any host 82.148.98.154
 deny   ip any host 82.148.98.156
 deny   ip any host 66.220.153.11
 deny   ip any host 66.220.146.18
 deny   ip any host 66.220.146.32
 deny   ip any host 66.220.147.44
 deny   ip any host 66.220.153.19
 deny   ip any host 69.63.189.16
 deny   ip any host 69.63.189.31
 deny   ip any host 69.63.189.26
 deny   ip any host 66.220.147.22
 deny   ip any host 212.77.199.217
 deny   ip any host 212.77.199.211
 deny   ip any host 212.77.199.224
 permit tcp any any eq www
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit udp any any
 permit tcp any 192.168.1.0 0.0.0.255 eq 445
 permit tcp any 192.168.1.0 0.0.0.255
 permit udp any 192.168.1.0 0.0.0.255 eq netbios-dgm
 permit udp any 192.168.1.0 0.0.0.255 eq netbios-ns
 permit udp any 192.168.1.0 0.0.0.255 eq netbios-ss
 permit ip any host 97.74.67.139
 permit tcp any any eq 5938
 permit tcp any host 195.27.162.15 eq 9876
 permit tcp any host 195.27.162.31 eq 9876
 permit tcp any host 192.168.1.254 eq telnet
 permit tcp any eq telnet host 192.168.1.254
 permit tcp any host 192.168.1.252 eq telnet
 permit tcp any eq telnet host 192.168.1.252
 deny   ip any any
!
access-list 10 permit any
!
!
!
control-plane
!
banner motd ^C
******* AL QAYED TRAVEL ADSL ROUTER *******
               DOHA QATAR
      UNAUTHORISED ACCESS PROHIBITED ^C
!
line con 0
 password 7 050C070328404B064A5342
 login
 no modem enable
line aux 0
 password 7 060506324F41
 login
line vty 0 4
 password 7 060506324F41
 login
!
scheduler max-task-time 5000
end

Switch

Building configuration...

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname S2924
!
no logging console
enable secret 5 **********
enable password 7 ************
!
!
!
!
!
clock timezone Qatar 4
!
ip subnet-zero
ip host sw1 192.168.1.252
ip host r877 192.168.1.254
ip name-server 212.77.192.59
ip name-server 212.77.192.60
!
!
controller LongReachEthernet 0
!
controller LongReachEthernet 1
!
controller LongReachEthernet 2
!
controller LongReachEthernet 3
!
controller LongReachEthernet 4
!
controller LongReachEthernet 5
!
controller LongReachEthernet 6
!
controller LongReachEthernet 7
!
controller LongReachEthernet 8
!
controller LongReachEthernet 9
!
controller LongReachEthernet 10
!
controller LongReachEthernet 11
!
controller LongReachEthernet 12
!
controller LongReachEthernet 13
!
controller LongReachEthernet 14
!
controller LongReachEthernet 15
!
controller LongReachEthernet 16
!
controller LongReachEthernet 17
!
controller LongReachEthernet 18
!
controller LongReachEthernet 19
!
controller LongReachEthernet 20
!
controller LongReachEthernet 21
!
controller LongReachEthernet 22
!
controller LongReachEthernet 23
!
!
interface FastEthernet0/1
 switchport access vlan 2
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport access vlan 2
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
 switchport access vlan 2
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport access vlan 2
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface VLAN1
 ip address 192.168.1.252 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN2
 ip address 192.168.2.252 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
!
line con 0
 password 7 **********
 login
 transport input none
 stopbits 1
line vty 0 4
 password 7 ********
 login
line vty 5 15
 login
!
end

The users on VLAN 2 say that browsing through Internet Explorer is very slow, and I've experienced it myself. Is there anything that I can do to resolve the browsing issue?

Thank you in advance
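Before trusting an extended ACL like the two posted above, it is worth checking what it actually permits and whether it is bound to an interface at all. The script below is an added example written for this thread; it is not the poster's or Cisco's code. It parses a constructed excerpt that copies the Vlan1/Vlan2 interface stanzas and a subset of the ACL entries from the router config above, evaluates sample flows with IOS first-match semantics (implicit deny at the end), and lists ACLs that are defined but never referenced by an ip access-group line. The function names, the excerpt and the sample flows are this example's own assumptions.

```python
import re
import ipaddress

# Constructed excerpt: the interface and ACL lines are copied (trimmed) from the
# router configuration posted in this thread; it is sample input only.
ACL_SAMPLE = """\
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip access-group vlan1-block in
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
!
ip access-list extended vlan1-block
 deny   ip any host 82.148.98.144
 deny   ip any host 82.148.98.147
 permit tcp any any eq www
 permit tcp any 192.168.2.0 0.0.0.255 eq 445
 permit tcp any host 192.168.1.254 eq telnet
 permit tcp any eq telnet host 192.168.1.254
 permit tcp any any eq 443
 permit udp any any
 permit icmp any any echo
 deny   ip any any
ip access-list extended vlan2-block
 deny   ip any host 66.220.153.11
 permit tcp any any eq www
 deny   ip any any
"""

# IOS port keywords that appear in the posted ACLs, mapped to port numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host A', or 'A WILDCARD'."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is an inverted netmask; this assumes a contiguous mask.
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    base = int(ipaddress.IPv4Address(t[i])) & int(netmask)
    return ipaddress.IPv4Network((base, str(netmask))), i + 2


def parse_acl(config, name):
    """Return the entries of the named extended ACL as dicts, in config order."""
    rules, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if not inside or not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] not in ("permit", "deny"):
            inside = False          # any other statement ends the ACL block
            continue
        src, i = _parse_addr(t, 2)
        sport = None
        if i < len(t) and t[i] == "eq":         # optional source port
            sport, i = _port(t[i + 1]), i + 2
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":         # optional destination port
            dport = _port(t[i + 1])
        rules.append({"action": t[0], "proto": t[1], "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "text": line})
    return rules


def first_match(rules, proto, src, dst, dport=None, sport=None):
    """Return the first entry matching the flow (IOS first-match), or None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r
    return None


def evaluate(rules, proto, src, dst, dport=None, sport=None):
    """'permit' or 'deny'; falling off the end is the implicit deny."""
    r = first_match(rules, proto, src, dst, dport, sport)
    return r["action"] if r else "deny"


def unapplied_acls(config):
    """Names of extended ACLs that no 'ip access-group' line references."""
    defined = set(re.findall(r"^ip access-list extended (\S+)", config, re.M))
    applied = set(re.findall(r"^\s*ip access-group (\S+)", config, re.M))
    return sorted(defined - applied)


if __name__ == "__main__":
    rules = parse_acl(ACL_SAMPLE, "vlan1-block")
    for flow in [("tcp", "192.168.1.10", "82.148.98.144", 80),   # constructed flows
                 ("tcp", "192.168.1.10", "93.184.216.34", 80),
                 ("tcp", "192.168.1.10", "93.184.216.34", 22)]:
        hit = first_match(rules, *flow[:3], dport=flow[3])
        print(flow, "->", evaluate(rules, *flow[:3], dport=flow[3]),
              "via", hit["text"] if hit else "implicit deny")
    print("defined but never applied:", unapplied_acls(ACL_SAMPLE))
```

The evaluator does not model keywords such as established or log, and the wildcard parser assumes contiguous masks (true of every mask in the posted ACLs). Run against the excerpt it reports vlan2-block as defined but never applied, which is also what the full config above shows: interface Vlan2 carries no ip access-group line, so that ACL has no effect until it is bound.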

mfurnival Wed, 08/25/2010 - 08:37

One thing you could do to protect your users and enhance your security is to not post your type 7 encrypted password in a public forum.
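To act on that point before a config is pasted anywhere, here is an added example (not from this thread or from Cisco) of a small Python routine that masks credentials in an IOS config and reports what it found, treating type 7 strings as reversible rather than as protection. The sample lines are constructed in the style of the posted router config with made-up values; the function names are this example's own assumptions.

```python
import re

# Constructed lines in the style of the router config posted above; every
# value is made up for this example and none belongs to the poster.
CONFIG_SAMPLE = """\
hostname R877
enable secret 5 $1$xxxx$PLACEHOLDERHASHVALUExxxx
enable password 7 00DEADBEEF00
username cisco password 7 0123456789ABCDEF
interface Dialer1
 ppp chap hostname s0000000
 ppp chap password 7 0011223344
 ppp pap sent-username s0000000 password 7 0000CAFE0000
line vty 0 4
 password 7 0102030405
 login
"""

# (regex, label): group 1 is kept, group 2 is the credential that gets masked.
# Order matters: the reversible type 7 form is tested before the generic one.
SECRET_PATTERNS = [
    (re.compile(r"^(.*\bpassword 7 )([0-9A-Fa-f]+)\s*$"), "type 7 (reversible)"),
    (re.compile(r"^(.*\bsecret \d )(\S+)\s*$"), "hashed secret"),
    (re.compile(r"^(.*\bpassword(?: 0)? )(\S+)\s*$"), "cleartext"),
]


def redact_config(text):
    """Return (redacted text, findings); findings are (line number, label)."""
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        for pat, label in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                out.append(m.group(1) + "<REDACTED>")
                findings.append((n, label))
                break
        else:
            out.append(line)          # nothing sensitive on this line
    return "\n".join(out) + "\n", findings


def reversible_credentials(text):
    """Line numbers of type 7 entries: anyone can decode them, so treat as plaintext."""
    return [n for n, label in redact_config(text)[1] if label.startswith("type 7")]


if __name__ == "__main__":
    redacted, found = redact_config(CONFIG_SAMPLE)
    print(redacted)
    for n, label in found:
        print(f"line {n}: {label}")
    print("reversible credentials on lines:", reversible_credentials(CONFIG_SAMPLE))
```

The labels are the point: an enable secret is a one-way hash and is masked only as good practice, while everything tagged type 7 (line passwords, the PPP CHAP/PAP credentials, username passwords) is recoverable by anyone who sees the config, so those lines should be redacted and the credentials changed once they have been exposed.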
