Equipment Selection/Setup Help

Answered Question
Jul 26th, 2013

I'm helping someone set up a network in their new office and want to see if my equipment selection is correct. The products of the Small Business suite seemed to meet our needs as best I could tell. There is a dizzying array of products to choose from. I did my best.


Here are the requirements:

1. Need a Wireless AP to handle a Guest connection to Internet only and an employee connection to corp network services and Internet.

2. They have two buildings with a multimode fiber link between them.

3. Each building will have security cameras using PoE.

4. Remote access to all VLANs in the buildings (except Guest)

   a. PCAnywhere to Security PC on VLAN30

   b. File services on VLAN20

5. All VLANs need internet access. I guess the Mgmt VLAN40 wouldn't need it.


I planned on purchasing the following:

WAP561 for Wireless - Wanted both 2.4GHz and 5GHz frequencies

SF300-24P switch - 1 for each building w/ a 1000Base-SX module MGBSX1 for fiber link

RV320 Router/VPN


My first design attempt was to create the following VLANs on all devices:

1 - Default VLAN, Native VLAN - Nothing will use this

10 - Guest, WAP Only, NO hardwired connections

20 - Corp, WAP and Wired

30 - Security, Wired Only at this point

40 - Mgmt, WAP and Wired


Trunks carrying all VLANs will be used for the AP<->Switch1, Router<->Switch1 and Switch1<->Switch2 connections.


I'm most concerned with the Router/VPN setup.


Before we decided on adding VPN to the project I was thinking this would not be difficult to do. Turn off inter-VLAN routing, set up a DHCP pool for each VLAN and everyone stays out of each other's way. But then I opened my big mouth and asked if they wanted remote access.


So, what VPN setup would allow us to get to all the VLANs? Would PPTP work best? Is inter-VLAN routing required? If I turn on inter-VLAN routing, would that mean that guests could get to the other VLANs? Will an access list allow me to prevent guests from crossing over?


Any glaring issues anyone sees?



Thanks.

Mark

Correct Answer
Tom Watts Fri, 07/26/2013 - 11:59

Hi Mark, admittedly I'm not familiar with the new RV320 router or the new WAPs. However, I can affirm that the basic setup should work as expected, and you correctly identified that remote access is the hitch.


On the previous RV routers PPTP would be the easiest way to get on to the network. The real question is: what resource does the remote connection need access to? Surely not a guest network. In the past, if you wanted PPTP to communicate inter-VLAN, you would need the PPTP to connect in to one of the defined subnets and have inter-VLAN routing enabled.


This presents a different scenario, meaning this would require access lists on the switch ports so the ingress traffic is blocked from accessing undesired resources. I'm not sure if the RV320 supports inter-VLAN ACLs; I know it was introduced on the RV220W, but that can be another idea to combat this concept.


So I think the consideration for now is, who needs access to what as a remote connection?



-Tom
Please mark answered for helpful posts

mzeilenga Fri, 07/26/2013 - 12:27

Tom, you are correct the remote users do not need access to the GUEST VLAN.


Remote users would need access to VLAN30 so they can use PCAnywhere to control the security camera PC in case they need to watch video of an event.  They also need access to VLAN20 to get at the file server.  I would like access to VLAN40 because that is the router/switch/AP mgmt LAN.


The RV320 does have inter-VLAN routing capability, so I assume that will need to be turned ON. It also has Firewall Access Rules. I'm guessing I would just need to deny all IPs from crossing to any other VLAN EXCEPT for the IPs I designate for remote access, which would be allowed onto VLANs 20, 30 and 40. Does that sound right?

Correct Answer
Tom Watts Fri, 07/26/2013 - 12:59

Yes, sounds right. It would be easier to restrict what can't go where than to try to tell everything where it can go.



-Tom
Please mark answered for helpful posts
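The policy Mark sketches and Tom confirms above (allow only the designated remote-access addresses into VLANs 20, 30 and 40, deny every other cross-VLAN path, and leave Internet access alone) can be checked before it is typed into the router. The Python model below is an added example, not code from this thread or from Cisco: the subnets, the VPN client pool, the sample addresses and the rule table are all constructed, since the thread names VLAN IDs but no addressing, and the table mirrors a first-match access-rule list in spirit rather than the RV320's exact syntax. It also includes an audit that walks every VLAN pair and reports any path still open to an ordinary LAN host, which is the quick way to catch a mis-ordered rule.

```python
"""Model of the default-deny inter-VLAN policy discussed in the thread.

Added example: the subnets, VPN pool and rule table are assumptions; the
thread only names VLAN IDs 10/20/30/40 and a remote-access requirement.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed addressing plan (assumed; not stated in the thread).
VLANS = {
    10: Net("192.168.10.0/24"),   # Guest: WAP only, Internet only
    20: Net("192.168.20.0/24"),   # Corp: file services
    30: Net("192.168.30.0/24"),   # Security: camera PC reached via PCAnywhere
    40: Net("192.168.40.0/24"),   # Mgmt: router/switch/AP management
}
VPN_POOL = Net("192.168.100.0/24")  # assumed pool handed to remote-access clients
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: Net
    dst: Net
    note: str


def zone_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """'vlanNN' for a LAN host, 'vpn' for a remote client, None for the Internet."""
    for vid, net in VLANS.items():
        if ip in net:
            return f"vlan{vid}"
    if ip in VPN_POOL:
        return "vpn"
    return None


# First-match rule table in the order it would be entered on the router:
# the few explicit allows come first, then the blanket denies that make
# "restrict what can't go where" the default, then the catch-all that lets
# Internet-bound traffic through.
RULES = [
    Rule("allow", VPN_POOL, VLANS[20], "remote users -> Corp file server"),
    Rule("allow", VPN_POOL, VLANS[30], "remote users -> Security PC (PCAnywhere)"),
    Rule("allow", VPN_POOL, VLANS[40], "remote users -> Mgmt"),
    Rule("deny", VLANS[40], ANY, "Mgmt VLAN needs no Internet"),
] + [
    Rule("deny", ANY, net, f"default: nothing else may enter VLAN{vid}")
    for vid, net in VLANS.items()
] + [
    Rule("deny", ANY, VPN_POOL, "LAN hosts never initiate toward VPN clients"),
    Rule("allow", ANY, ANY, "remaining traffic is Internet-bound"),
]


def evaluate(src: str, dst: str, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Decide a flow the way a first-match rule list would; returns (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zs, zd = zone_of(s), zone_of(d)
    # Hosts in the same VLAN are switched locally and never reach the router.
    if zs is not None and zs == zd:
        return "allow", "same VLAN, switched locally"
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.note
    return "deny", "implicit deny"


def audit_isolation(rules: list[Rule] = RULES) -> list[str]:
    """List every VLAN-to-VLAN path an ordinary LAN host could still cross."""
    leaks = []
    for a, anet in VLANS.items():
        for b, bnet in VLANS.items():
            if a == b:
                continue
            src = str(anet.network_address + 10)   # a sample host in VLAN a
            dst = str(bnet.network_address + 10)   # a sample host in VLAN b
            if evaluate(src, dst, rules)[0] == "allow":
                leaks.append(f"VLAN{a} -> VLAN{b}")
    return leaks


if __name__ == "__main__":
    for flow in [("192.168.10.5", "192.168.20.5"),     # guest -> corp
                 ("192.168.10.5", "203.0.113.7"),      # guest -> Internet
                 ("192.168.100.7", "192.168.30.9"),    # VPN client -> security PC
                 ("192.168.100.7", "192.168.10.9"),    # VPN client -> guest
                 ("192.168.40.5", "203.0.113.7")]:     # mgmt -> Internet
        print(flow, evaluate(*flow))
    print("cross-VLAN leaks:", audit_isolation() or "none")
```

The deny rules are written against destination VLANs rather than against each source/destination pair, so a remote client or a guest that is not itself a VLAN member is still caught; the separate deny toward the VPN pool closes the one path the per-VLAN denies would miss. Running `audit_isolation` against a table that starts with an allow-any rule returns all twelve VLAN pairs, which is the mistake the "restrict what can't go where" ordering prevents. Whichever tunnel type lands clients in the pool, the access rules are the same; PPTP's MS-CHAPv2 authentication is known to be breakable, so an IPsec-based client VPN is the safer way to land users in that pool. Tom's alternative, port ACLs on the SF300 switches, enforces the same matrix one hop earlier and is worth pairing with the router rules if the RV320 cannot filter between VLANs on its own.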

mzeilenga Fri, 07/26/2013 - 13:04

Thanks for your help Tom. My confidence level on the project went up knowing I'm on the right track.