Advice on Cisco 870 Series Router Purchase
JAMiE132
in CCNA & CCENT
Hi all,
I currently have a small business client that would like to move the company's IT systems in house. This is a small company that will have a Small Business Server for all services; however, they will also have a web server hosting IIS, and this server will need to connect to the SBS SQL instance.
I have looked online at some routers that are available and have come across the 870 series. I know that if the advanced version of the IOS is installed this will allow VLANs to be created.
I plan on using the firewall features this router comes equipped with to protect against external attacks; is this a good idea? Also I would like to keep the SBS as secure as possible, therefore I was thinking I would create 2 VLANs on the router. Hopefully this router will support a router-on-a-stick configuration; then I could create an access list that will only allow the web server access to the SQL instance and create another access list going the opposite way to allow the clients full access to the web server.
So the question is, does the 870 series allow for the router-on-a-stick configuration, which would enable me to create access lists across the VLANs?
I look forward to some feedback.
Kind regards,
Jamie
There is only 10 types of people in this world: Those who understand binary and those who don't
CompTIA A+
MCP
Comments
ilcram19-2:
Buy it. I like the 871; I have 8 of those at the remote offices and they work really well.
ColbyG:
You don't need router-on-a-stick with an 871. You just configure SVIs for the VLANs and route between them. I use one at home.
JAMiE132:
Hi Guys,
Thank you for your replies!
I hadn't heard of SVIs until now; in fact I have not used an integrated router before. Would you be able to provide me with a sample config for configuring SVIs on the VLANs? And what about the extended ACLs, would I configure them as I would on a non-integrated router?
Regards,
Jamie
There is only 10 types of people in this world: Those who understand binary and those who don't
CompTIA A+
MCP
ColbyG:
SVI is just a fancy way of saying VLAN interface. Here's some stuff from my 871:
interface Vlan10
 description LAN
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 crypto map VPN_MAP
!
interface Vlan15
 description WIRELESS
 ip address 192.168.15.1 255.255.255.0
 ip access-group VLAN15_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
VLAN 10 is the wired LAN, and VLAN 15 is my wireless. I have some static DHCP bindings (IPs bound to MAC addresses) for trusted computers on the wireless subnet. I then applied ACL VLAN15_IN to the interface, which basically only allows the trusted computers to access the LAN and allows only internet access to the untrusted IPs (anyone who comes over and wants to use the wireless, or someone who broke in). Here's the ACL:
ip access-list extended VLAN15_IN
 permit ip host 192.168.15.20 any
 permit ip host 192.168.15.22 any
 permit ip host 192.168.15.21 any
 permit ip host 192.168.15.23 any
 permit ip host 192.168.15.24 any
 permit ip host 192.168.15.2 any
 deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.15.0 0.0.0.255 any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
That should give you an idea of how to segment everything. Let me know if you have any questions.
JAMiE132:
Hi ColbyNA,
Thank you for the sample. So just to get it right, routing between the VLANs on this router is the default behavior?
I have created a quick ACL based on my overall plan.
webserver 172.16.0.2
SBS 192.168.0.2
interface Vlan10
 description Webserver_Internet_Accessible
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
!
interface Vlan20
 description Local area network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group VLAN20 in
ACL
ip access-list extended VLAN20
 remark Allow Webserver LAN Access via port 1433
 permit tcp host 172.16.0.2 host 192.168.0.2 eq 1433
 permit tcp host 172.16.0.2 host 192.168.0.2 established
 deny ip 172.16.0.0 0.0.255.255 any
 permit ip any any
My goal is to permit the web server access to the SQL service and nothing else; however, I want users to have access to the web server from their workstations to carry out administrator tasks on the web server, therefore I have added the established ACE before the deny. What do you think?
Regards,
Jamie
There is only 10 types of people in this world: Those who understand binary and those who don't
CompTIA A+
MCP
ColbyG:
Yeah, routing should be enabled by default, but to double check just go into global config (the (config)# prompt) and type "ip routing".
I'm right in the middle of something, so I just skimmed your ACL, but it looks good to me.
JAMiE132:
OK, I will test the ACL later just to make sure.
Thanks for your time buddy, it was much appreciated.
Regards,
Jamie
There is only 10 types of people in this world: Those who understand binary and those who don't
CompTIA A+
MCP
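An added example, not part of this thread: a small Python evaluator for the subset of IOS extended-ACL syntax used above (permit/deny, ip/tcp/udp, any / host / wildcard masks, eq, established), run against sample packets the way the router would evaluate them (first match wins, implicit deny at the end). The ACL text it ships with is a constructed, corrected version of Jamie's ACL: host keywords instead of 255.255.255.255 masks, established on a tcp entry (IOS rejects it on ip), a LAN destination on the deny so the web server keeps its Internet access, and applied inbound on the web-server VLAN's SVI, because packets sourced from 172.16.0.2 only ever enter the router there, never inbound on Vlan20. The addresses, ACL name WEB_IN and sample packets are all assumptions made for the illustration.

```python
"""Evaluate Cisco IOS extended-ACL entries (a small subset) against sample packets.

Supports permit/deny, protocols ip/tcp/udp, 'any' / 'host A' / 'A wildcard',
'eq <port|name>' on the destination, and 'established'. Remarks, '!' comment
lines and the 'ip access-list' header are skipped. Matching is first-match with
an implicit deny at the end, which is how IOS applies an ACL.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80, "https": 443}

# Constructed for this example (assumed addresses and ACL name): intended for
# 'ip access-group WEB_IN in' on the SVI of the web-server VLAN.
WEB_IN = """
ip access-list extended WEB_IN
 remark Web server may open only SQL sessions to the SBS
 permit tcp host 172.16.0.2 host 192.168.0.2 eq 1433
 remark Replies to sessions the LAN opened toward the web server
 permit tcp host 172.16.0.2 192.168.0.0 0.0.0.255 established
 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any
"""


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # True when the TCP ACK or RST flag is set


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple          # (base address as int, wildcard mask as int)
    dst: tuple
    dport: Optional[int]
    established: bool


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Return ((base, wildcard), next index) for 'any', 'host A' or 'A W'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _addr_match(spec, addr):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care": force them to 1 on both sides.
    return (_ip(addr) | wildcard) == (base | wildcard)


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport, established = None, False
        while i < len(tokens):
            if tokens[i] == "eq":
                dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
                i += 2
            elif tokens[i] == "established":
                established = True
                i += 1
            else:
                raise ValueError(f"unsupported keyword {tokens[i]!r} in: {line}")
        aces.append(Ace(action, proto, src, dst, dport, established))
    return aces


def evaluate(aces, pkt):
    """Return (action, 1-based index of the matching ACE), or ('deny', None)."""
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action, n
    return "deny", None   # implicit deny at the end of every IOS ACL


ACES = parse_acl(WEB_IN)

if __name__ == "__main__":
    samples = [  # constructed traffic as seen inbound on the web-server VLAN
        ("SQL from web server to SBS", Packet("tcp", "172.16.0.2", "192.168.0.2", 1433)),
        ("SMB from web server to SBS", Packet("tcp", "172.16.0.2", "192.168.0.2", 445)),
        ("RDP reply to a workstation", Packet("tcp", "172.16.0.2", "192.168.0.50", 51000, ack=True)),
        ("ACK-flag probe at a workstation", Packet("tcp", "172.16.0.2", "192.168.0.50", 445, ack=True)),
        ("DNS from web server to SBS", Packet("udp", "172.16.0.2", "192.168.0.2", 53)),
        ("Web server to the Internet", Packet("tcp", "172.16.0.2", "203.0.113.10", 80)),
    ]
    for label, pkt in samples:
        print(f"{label:34} -> {evaluate(ACES, pkt)}")
```

The fourth sample is the caveat worth knowing before relying on this design: established matches on TCP flag bits only (ACK or RST set), not on any session state, so a compromised web server can push ACK-flagged segments at any LAN host and the ACL will pass them. The IOS Firewall feature set on the 870 (ip inspect) tracks sessions statefully and is the better tool for the return path; on the router itself, show ip access-lists WEB_IN shows per-ACE match counters, which is the quickest way to confirm that traffic is hitting the entry you expect.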