  1. Senior Member nethacker
    Join Date
    Jun 2011
    Location
    Houston
    Posts
    179

    Certifications
    UMUC - BS Computer Networks & Security. CCIE, JNCIE-SEC, JNCIE-ENT
    #1

    Post Design recommendations for Network of 75 hosts

    Hi all,
    I am no professional in the area of design so I want to ask for a recommendation as regards the above subject. A friend of mine who is a newbie in the Cisco world was made the network admin of a small hotel with 50 employees and approximately 75 hosts on the existing network. From what he explained to me, there are 7 different departments and all hosts in that building reside on the same subnet (a bad design IMO). The existing infrastructure includes 3 x 24-port 3Com switches (which have no password), a modem connecting to the ISP and a Linksys router. The management are not willing to spend much on IT infrastructure. He wants to migrate to Cisco equipment so he asked for my advice and invited me to come assist him in the design and implementation aspect. From my little knowledge and experience, these are my recommendations.
    Hardware:
    1) 1 x 1800 series router with FW capabilities
    2) 3 x 24-port Catalyst 2960 series switches

    Design:

    1) Configure 7 VLANs excluding VLAN 1, and inter-VLAN routing
    2) Configure basic firewall commands on the router to prevent DDoS and IP snooping.
    3) Trunk link between the router & a switch, then I will enable VTP on the switches.

    I'd like experts in the house to guide me if I am not making the right choice of equipment and/or configurations.

  3. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #2
    I think the problem here is you're looking at an enterprise approach to a small business solution. It's totally impractical to create a subnet for each department, especially with the relatively low security requirements of the hospitality industry. As long as the end-user nodes and the servers are locked down properly, there are neither traffic nor security concerns for having 75 hosts on one subnet.

    A larger concern would be if guest wireless or wired connections are on the same subnet as the employee nodes. So you might end up with two or three VLANs separating employee devices and guest devices. The 2960-24TC-L would not be a bad switch choice.
    However, it might be practical to only have one or two, and to use un-managed, layer 2 switches in conjunction. Keep in mind you're asking a small business owner to replace something that works fine and will continue to work fine the way it is.

    A more typical approach on the router/firewall side would be to replace the Linksys with something that's easy to manage but more sophisticated than Linksys, e.g. SonicWall, Astaro, WatchGuard. Cisco does not see a lot of use in small business networks, though Cisco's shown more competition in the last couple of years. In any case, there is nothing wrong with the 1800 series and if your friend is comfortable with that, then more power to him. The solution you designed will work and the budget is not unreasonable. It's just a bit more complicated than such a small (in terms of IT needs) organization would typically need.

  4. Senior Member nethacker
    Join Date
    Jun 2011
    Location
    Houston
    Posts
    179

    Certifications
    UMUC - BS Computer Networks & Security. CCIE, JNCIE-SEC, JNCIE-ENT
    #3
    Quote Originally Posted by ptilsen:
    I think the problem here is you're looking at an enterprise approach to a small business solution. It's totally impractical to create a subnet for each department, especially with the relatively low security requirements of the hospitality industry. As long as the end-user nodes and the servers are locked down properly, there are neither traffic nor security concerns for having 75 hosts on one subnet.

    A larger concern would be if guest wireless or wired connections are on the same subnet as the employee nodes. So you might end up with two or three VLANs separating employee devices and guest devices. The 2960-24TC-L would not be a bad switch choice.
    However, it might be practical to only have one or two, and to use un-managed, layer 2 switches in conjunction. Keep in mind you're asking a small business owner to replace something that works fine and will continue to work fine the way it is.

    A more typical approach on the router/firewall side would be to replace the Linksys with something that's easy to manage but more sophisticated than Linksys, e.g. SonicWall, Astaro, WatchGuard. Cisco does not see a lot of use in small business networks, though Cisco's shown more competition in the last couple of years. In any case, there is nothing wrong with the 1800 series and if your friend is comfortable with that, then more power to him. The solution you designed will work and the budget is not unreasonable. It's just a bit more complicated than such a small (in terms of IT needs) organization would typically need.
    I thought about it too, but he sounded like he wants to use that to get himself working on Cisco gear daily. I already explained to him that since the existing infrastructure works fine at present, it's going to be hard to convince the decision makers to approve the budget.
    I know wireless doesn't exist on the network, but yes, guest connections are on the same subnet as employee nodes. In that case, one 2960 would be suitable combined with the existing 3Com unmanaged switches. Will check out SonicWall and let him review it himself. Thanks

  5. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #4
    How low is the budget? You could "get by" with an open-source firewall package on good hardware (and support if they want it). At my last place, I was able to switch out some very old Cisco gear for a pfSense router/firewall and it worked excellently. It is GUI based and has tons of packages you can install and deploy. If you want to go the dedicated firewall route, why not look at an ASA 5505 (staying with the Cisco theme) or 5510 (rack mount, faster) with an IPS module (or go open source on the modules). I don't know how important the internet is to the company but you may want to stack your firewalls and switches for failover/DR purposes (especially if you want something to "just run"). The 2960s can do power stacking (I think) and the ASAs can do stateful failover.


    IMO you probably only need a few VLANs: servers (maybe), a desktop VLAN (maybe), an untrusted machine/patching VLAN and a VLAN for wireless guest access (which I know you don't have, but they will ask you for it eventually). Some (small) businesses like having a different VLAN for the financial folks (I do), so you may want to do that. ROAS should be painfully easy to set up. It might seem stupid to set up different VLANs/subnets for every department now, but if they grow in a few years you are going to want to have security built in. Just watch your VACLs.

    You may want to look at some Cisco "verified" designs to get some ideas:

    http://www.cisco.com/en/US/netsol/ns...gram_home.html
    Last edited by Bl8ckr0uter; 12-07-2011 at 09:56 PM.

  6. Netlurker cisco_trooper
    Join Date
    Aug 2007
    Posts
    1,420

    Certifications
    CCNP Security, ASA Specialist, Firewall Security Specialist, IOS Security Specialist, IPS Specialist, VPN Security Specialist
    #5
    Also, why not use 2 or 3 48-port switches? You've got 3 x 24-port, which brings you to 72 access ports. There is no room for growth without more equipment. 2 x 48 might be cheaper than 3 x 24.

  7. Senior Member nethacker
    Join Date
    Jun 2011
    Location
    Houston
    Posts
    179

    Certifications
    UMUC - BS Computer Networks & Security. CCIE, JNCIE-SEC, JNCIE-ENT
    #6
    Quote Originally Posted by cisco_trooper:
    Also, why not use 2 or 3 48-port switches? You've got 3 x 24-port, which brings you to 72 access ports. There is no room for growth without more equipment. 2 x 48 might be cheaper than 3 x 24.
    I am also thinking about the link between the switch and the router. I am thinking of configuring EtherChannel (layer 2) between the switch and the router, but I don't know if the ESW module supports EtherChannel.

  8. Senior Member
    Join Date
    Jul 2011
    Location
    Sydney,Australia
    Posts
    753
    #7
    Maybe have any POS equipment on a separate VLAN to the rest of the network, same with servers and the building management system.

    How many floors in the building?

    For ease of wiring it may make sense to have a switch on each floor (assuming multistorey).

    A better way to sell it to management is to get them to put an IT infrastructure item in the budget for each year for network maintenance and improvement. Keep the existing network but gradually upgrade it floor by floor or building area by area.

    Start with a firewall, then a main switch and onwards from there.

    Sell it to them on security and keeping guests happy (need to support higher bandwidth and better services).

    Your friend may also need to look at the telephone system and also entertainment/video, as these are usually the IT guy's responsibility as well (or dealing with the external providers).

    He may want to do an audit on the existing systems first to show the owners where there are problems and also where it seems to be working well. Then do a three to five year maintenance plan. The hospitality industry is used to budgeting for maintenance but is usually rather tight on other spending.

  9. Senior Member nethacker
    Join Date
    Jun 2011
    Location
    Houston
    Posts
    179

    Certifications
    UMUC - BS Computer Networks & Security. CCIE, JNCIE-SEC, JNCIE-ENT
    #8
    Quote Originally Posted by alxx:
    Maybe have any POS equipment on a separate VLAN to the rest of the network, same with servers and the building management system.

    How many floors in the building?

    For ease of wiring it may make sense to have a switch on each floor (assuming multistorey).

    A better way to sell it to management is to get them to put an IT infrastructure item in the budget for each year for network maintenance and improvement. Keep the existing network but gradually upgrade it floor by floor or building area by area.

    Start with a firewall, then a main switch and onwards from there.

    Sell it to them on security and keeping guests happy (need to support higher bandwidth and better services).

    Your friend may also need to look at the telephone system and also entertainment/video, as these are usually the IT guy's responsibility as well (or dealing with the external providers).

    He may want to do an audit on the existing systems first to show the owners where there are problems and also where it seems to be working well. Then do a three to five year maintenance plan. The hospitality industry is used to budgeting for maintenance but is usually rather tight on other spending.
    Thanks, I appreciate it. We already did all you suggested and it seems like they are not interested, but now that PCI is on the verge of auditing them, they are running helter-skelter.
