Equipment Selection/Setup Help

mzeilenga
Level 1

I'm helping someone set up a network in their new office and want to see if my equipment selection is correct. The products of the Small Business suite seemed to meet our needs as best I could tell. There is a dizzying array of products to choose from. I did my best.

Here are the requirements:

1. Need a Wireless AP to handle a Guest connection to Internet only and an employee connection to corp network services and Internet.

2. They have two buildings with a multimode fiber link between them.

3. Each building will have security cameras using PoE.

4. Remote Access to all VLANS in the buildings (except Guest)

   a. PCAnywhere to Security PC on VLAN30

   b. File services on VLAN20

5. All VLANS need internet access. I guess the Mgmt VLAN40 wouldn't need it.

I planned on purchasing the following:

WAP561 for Wireless - Wanted both 2.4GHz and 5GHz frequencies

SF300-24P switch - 1 for each building w/ a 1000Base-SX module MGBSX1 for fiber link

RV320 Router/VPN

My first design attempt was to create the following VLANS on all devices

1 - Default VLAN, Native VLAN - Nothing will use this

10 - Guest, WAP Only, NO hardwired connections

20 - Corp, WAP and Wired

30 - Security, Wired Only at this point

40 - Mgmt, WAP and Wired

Trunks carrying all VLANs will be used for the AP<->Switch1, Router<->Switch1 and Switch1<->Switch2 connections.

I'm most concerned with the Router/VPN setup.

Before we decided on adding VPN to the project I was thinking this would not be difficult to do. Turn off Inter-VLAN routing, set up a DHCP pool for each VLAN and everyone stays out of each other's way. But then I opened my big mouth and asked if they wanted remote access.

So, what VPN setup would allow us to get to all the VLANS? Would PPTP work best? Is Inter-VLAN routing required? If I turn on Inter-VLAN routing would that mean that Guests could get to the other VLANS? Will an access list allow me to prevent Guests from crossing over?

Any glaring issues anyone sees?

Thanks.

Mark


4 Replies

Tom Watts
VIP Alumni

Hi Mark, admittedly I'm not familiar with the new RV320 router or the new WAPs. However, I can affirm that the basic setup should work as expected, and you correctly identified that the remote access is the hitch.

On the previous RV routers PPTP would be the easiest to get onto the network. The real question is: what resource does the remote connection need access to? Surely not a guest network. In the past, if you wanted PPTP to communicate inter-VLAN you would need the PPTP to connect in to one of the defined subnets and have the inter-VLAN routing enabled.

This presents a different scenario, meaning this would require access lists on the switch ports for the ingress traffic to be blocked from accessing undesired resources. I'm not sure if the RV320 supports inter-VLAN ACLs; I know it was introduced on the RV220W, but that can be another idea to combat this concept.

So I think the consideration for now is, who needs access to what as a remote connection?

-Tom
Please mark answered for helpful posts

Tom, you are correct, the remote users do not need access to the GUEST VLAN.

Remote users would need access to VLAN30 so they can use PCAnywhere to control the security camera PC in case they need to watch video of an event. They also need access to VLAN20 to get at the file server. I would like access to VLAN40 because that is the router/switch/AP mgmt LAN.

The RV320 does have inter-VLAN routing capability, so I assume that will need to be turned ON. It also has Firewall Access Rules. I'm guessing I would just need to deny all IPs from crossing to any other VLAN EXCEPT for the IPs I designate for remote access, which would be allowed onto VLANs 20, 30 and 40. Does that sound right?

Yes, sounds right. It would be easier to restrict what can't go where than to try to tell everything where it can go.

-Tom
Please mark answered for helpful posts
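As an added example, not code from the thread and not Cisco's rule syntax: a small Python model of the rule order Mark describes in his second post and Tom confirms above (deny VLAN-to-VLAN crossing by default, permit only the designated remote-access addresses into VLANs 20, 30 and 40, Guest gets Internet only, Mgmt gets no Internet). The subnets, the remote-access pool 192.168.100.0/24, the stand-in Internet host 203.0.113.9 and the sample flows are all constructed; only the first-match logic a practitioner would check before typing the rules into the router is modelled.

```python
"""
Model of the firewall policy the thread converges on: inter-VLAN routing ON
at the router, a blanket deny between VLANs, explicit exceptions so that a
designated remote-access range reaches VLANs 20, 30 and 40, and Internet-only
access for Guest.  All subnets and the remote-access pool are constructed
sample values; the thread itself gives no addressing.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: one /24 per VLAN ID (assumption, not from the thread).
VLANS = {
    10: ip_network("192.168.10.0/24"),  # Guest    - WAP only, Internet only
    20: ip_network("192.168.20.0/24"),  # Corp     - WAP + wired, file server
    30: ip_network("192.168.30.0/24"),  # Security - camera PC (PCAnywhere)
    40: ip_network("192.168.40.0/24"),  # Mgmt     - router/switch/AP management
}
# Assumed pool handed to remote (VPN) users: Mark's "IPs I designate for remote access".
REMOTE_POOL = ip_network("192.168.100.0/24")

# Ordered, first-match rules: (action, source, destination, comment).
# "internal" means any VLAN subnet or the remote pool; "any" matches everything.
RULES = [
    ("permit", REMOTE_POOL, VLANS[20],  "remote users -> file services (VLAN20)"),
    ("permit", REMOTE_POOL, VLANS[30],  "remote users -> security PC (VLAN30)"),
    ("permit", REMOTE_POOL, VLANS[40],  "remote admin -> mgmt LAN (VLAN40)"),
    ("deny",   "internal",  "internal", "no other VLAN-to-VLAN crossing"),
    ("deny",   VLANS[40],   "any",      "mgmt LAN has no need for Internet"),
    ("permit", "any",       "any",      "everything left is Internet-bound"),
]


def zone_of(addr):
    """Return the VLAN ID, 'remote', or None (Internet) for an address."""
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    if addr in REMOTE_POOL:
        return "remote"
    return None


def _matches(addr, spec):
    """Match one address against a rule field ('any', 'internal' or a network)."""
    if isinstance(spec, str):
        return True if spec == "any" else zone_of(addr) is not None
    return addr in spec


def evaluate(src, dst):
    """Decide a flow.  Same-VLAN traffic is switched and never reaches the router."""
    src, dst = ip_address(src), ip_address(dst)
    if zone_of(src) is not None and zone_of(src) == zone_of(dst):
        return "switched"
    for action, s, d, _comment in RULES:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"  # implicit deny when nothing matched


def catch_all_is_last(rules=RULES):
    """Ordering check: a permit any/any anywhere but last shadows every rule after it."""
    for i, (action, s, d, _comment) in enumerate(rules):
        if action == "permit" and isinstance(s, str) and isinstance(d, str) \
                and s == "any" and d == "any":
            return i == len(rules) - 1
    return True


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.9 (TEST-NET-3) stands in for an Internet host.
    flows = [
        ("192.168.10.5",  "203.0.113.9",   "guest -> Internet"),
        ("192.168.10.5",  "192.168.20.7",  "guest -> corp file server"),
        ("192.168.100.3", "192.168.30.10", "remote user -> security PC"),
        ("192.168.100.3", "192.168.10.9",  "remote user -> guest"),
        ("192.168.40.2",  "203.0.113.9",   "mgmt -> Internet"),
        ("192.168.20.5",  "192.168.20.9",  "corp -> corp (same VLAN)"),
    ]
    for src, dst, label in flows:
        print(f"{label:32} {evaluate(src, dst)}")
    print("catch-all permit is last:", catch_all_is_last())
```

Running it prints one decision per sample flow. The `catch_all_is_last` check is the substance of Tom's advice: the rules are written as "what can't go where" with the permit any/any at the bottom, and if that permit were entered first every deny after it would be dead and Guest would reach Corp. The model says nothing about the tunnel itself; PPTP's MS-CHAPv2 authentication has been publicly broken since 2012, so for the remote-access leg a practitioner today would choose IPsec where the router supports it.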

Thanks for your help Tom. My confidence level on the project went up knowing I'm on the right track.
