cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1633
Views
10
Helpful
5
Replies

Proposed Network SetUp

Sihanu N
Level 1
Level 1

Hi Experts,

We are planning to re-arrange our network setup as it is not well structured and to meet some new requirements. Below is my proposed network setup for everyone's kind reference. (Expecting everyone's valuable suggestions and support about my proposed diagram).

Proposed Network design.png

Following are our key requirements

1) How can we configure intervlan communication and internet access for the both the vlans

2) Secure access to the Servers from outside using the public ips (like static nat in the 1811 router to routers)

3) Need to implement unauthorized access/attacks from outside since in my plan the public is assigned in the 1811 router interface (like enabling firewall/IDS in router)

4) Need to configure wireless access to both VLANs in future since the wireless access point is integrated in the 1811W ISR

Kindly give your valuable suggessions and advice for meeting the above mentioned requirements, queries.

Thanks and Regards,

Sihanu N

5 Replies 5

viswamin
Cisco Employee
Cisco Employee

1. Since ur set up has a 3550 switch, the Inter vlan communication can be done creating SVI's and the internet access for both the vlans can be done by creating a static route from the router to the Internet.

(or)

We can use the router as well to perform inter-vlan routing and use the switch as a pure L2 Switch

2 and 3: Can be done with the help of Access Control Lists.

4. could not completely understand the requirement. can you please eloborate a little more on this.

-Vijay

Thanks a lot for your quick reply .

1.But how can we enable communication between 3550 Switch and 1811 Router . The link needs to be made trunk , right ?

Even if SVI s are created on the 3550 Switch how can the communication between 3550 Switch and the router be possible ? Would configuring a default gateway work ? Is it possible that we can create SVIs on router 1811 (considering the future wireless requirement) ?

2 and 3 )Since the router is open to the internet what all should I block to restrict unauthorized traffic and provide safe public access to Servers . Like in ASA we have predefined security levels blocking traffic from outside to inside .Can you also please provide the standard blocking guidelines for Routers open to the internet ?

4. May be in future I will need to provide wireless access to the two VLANs without re arranging the current setup . So I just want to make sure the current setup holds good when trying to configure Wireless in future

Many Thanks and Regards

Sihanu

1. yes.. if you are performing inter-vlan routing at Router, then the link between the switch and the router should be a trunk to carry the traffic of the required Vlan's.

if the intervlan routing is performed at the cisco 3550, you have to enable routing on the switch , the port leading towards the router should be a routed port, configure either a default route or run a routing protocol between the switch and the router.

SVI is only on L3 switch and not in Router.

2 and 3) MAy be this link  on access list might help. Look for Extended access list which can be tweeked according to the requirement.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

4) should not be a problem

-Vijay

Hi Vijay,

Thanks for all the support provided by giving exact answers to my queries.

I have started the configuration, but stucks at a point.

Current configurations setup and ip assigment is as follows

ISP modem/router(192.168.3.254)-->(192.168.3.1)1811W Router(192.168.2.254)-->(192.168.2.1)3550(interface vlan 10 - 10.0.1.254, interface vlan 192 - 192.168.1.254)--trunk-->2950

1)Configured 3550 as layer 3 switch and create a default route to  192.168.2.254

2) Configured 2 static routes(for 2 vlan range traffic) and one default route to 192.168.3.254

3) ip pass through is not configured yet, still the public ip is configured at the isp router

1811 static route configs

------------------------------------

Ip route 0.0.0.0 0.0.0.0 192.168.3.254

Ip route 192.168.1.0 255.255.255.0 192.168.2.1

Ip route 10.0.1.0 255.255.255.0 192.168.2.1

3550 static route config

--------------------------------------

Ip route 0.0.0.0 0.0.0.0 192.168.2.254

Testing results

1)All lan communications are working fine(inter vlan also), ping to all servers from router is getting and ping to outside public ips are getting from router,but not getting ping from switch to 192.168.3.254 and outside ips.

Kindly advice what is the problem in the current configs.

Thanks and Regards,

Sihanu N

hobbe
Level 7
Level 7

Hi

I do not know what your requirement for speed is

So this might be totally wrong from your point of view.

The router only has a throughput of 70Kpps in total, this might (will) be a bottleneck for the traffic if you set it up for vpn traffic, firewalling, IDS and Wireless.

I would setup a Firewall between the Internet and  the inside and by that take care of the vpn traffic that you will have inbound from the internet.

I would set the 1811w on one of the dmz of the firewall.

and if possible ie no traffic needed between the phones and the network with the computers, I would set the ip phones in their own dmz in the firewall.

now to your questions,

1) In my scenario most of that will be handled by the firewall

2) the firewall takes care of that.

3) the firewall can take care of that or you can add a separate ips/IDS inside the firewall. ( fx snort) if you need a free one its not the best but its free.

4) the wireless will be taken care of by the 1811w router. if you feel that you need better security you can add vpn to the wireless before you let them in through the firewall dmz.

good luck

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco