
Advice on Cisco 870 Series Router Purchase

JAMiE132 Member Posts: 7
Hi all,

I currently have a small business client that would like to move the company's IT systems in house. This is a small company that will have a Small Business Server for all services; however, they will also have a web server hosting IIS, and this server will need to connect to the SBS SQL instance.

I have looked online at some routers that are available and have come across the 870 series. I know that if the advanced version of the IOS is installed, this will allow VLANs to be created.

I plan on using the firewall features this router comes equipped with to protect against external attacks; is this a good idea? Also, I would like to keep the SBS as secure as possible, therefore I was thinking I would create two VLANs on the router. Hopefully this router will support a router-on-a-stick configuration; then I could create an access list that will only allow the web server access to the SQL instance, and create another access list going the opposite way to allow the clients full access to the web server.

So the question is: does the 870 series allow for the router-on-a-stick configuration, which would enable me to create access lists across the VLANs?

I look forward to some feedback.


Kind regards,

Jamie
There are only 10 types of people in this world: Those who understand binary and those who don't

CompTIA A+
MCP

Comments

  • ilcram19-2 Banned Posts: 436
    Buy it. I like the 871; I have 8 of those at the remote offices and they work really well.
  • ColbyG Member Posts: 1,264
    You don't need router-on-a-stick with an 871. You just configure SVIs for the VLANs and route between them. I use one at home.
  • JAMiE132 Member Posts: 7
    Hi Guys,

    Thank you for your replies!

    I hadn't heard of SVIs until now; in fact, I have not used an integrated router before. Would you be able to provide me with a sample config for configuring SVIs on the VLANs? And what about the extended ACLs: would I configure them as I would on a non-integrated router?

    Regards,

    Jamie
  • ColbyG Member Posts: 1,264
    SVI is just a fancy way of saying vlan interface. Here's some stuff from my 871:
    interface Vlan10
     description LAN
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     crypto map VPN_MAP
    !
    interface Vlan15
     description WIRELESS
     ip address 192.168.15.1 255.255.255.0
     ip access-group VLAN15_IN in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
    

    VLAN 10 is the wired LAN, and VLAN 15 is my wireless. I have some static DHCP bindings (IPs bound to MAC addresses) for trusted computers on the wireless subnet. I then applied ACL VLAN15 to the interface, which basically only allows the trusted computers to access the LAN and allows only internet access to the untrusted IPs (anyone who comes over and wants to use the wireless, or someone who broke in). Here's the ACL:
    ip access-list extended VLAN15_IN
     permit ip host 192.168.15.20 any
     permit ip host 192.168.15.22 any
     permit ip host 192.168.15.21 any
     permit ip host 192.168.15.23 any
     permit ip host 192.168.15.24 any
     permit ip host 192.168.15.2 any
     deny   ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.255.255
     permit ip 192.168.15.0 0.0.0.255 any
     permit udp any any eq bootpc
     permit udp any any eq bootps
     permit udp any any eq domain
     deny   ip any any
    

    That should give you an idea of how to segment everything. Let me know if you have any questions.
  • JAMiE132 Member Posts: 7
    Hi ColbyG,

    Thank you for the sample. So just to get it right, routing between the vlans on this router is the default behavior?

    I have created a quick ACL according to my overall plan.



    webserver 172.16.0.2
    SBS 192.168.0.2


    interface vlan10
     description Webserver_Internet_Accessible
     ip address 172.16.0.1 255.255.0.0
     ip nat inside
    !
    interface vlan20
     description Local area network
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip access-group VLAN20 in


    ACL


    ip access-list extended VLAN20
     remark Allow Webserver LAN Access via port 1433
     permit tcp host 172.16.0.2 host 192.168.0.2 eq 1433
     permit tcp host 172.16.0.2 host 192.168.0.2 established
     deny ip 172.16.0.0 0.0.255.255 any
     permit ip any any


    My goal is to permit the web server access to the SQL service and nothing else; however, I want users to have access to the web server from their workstations to carry out administrator tasks on the web server, therefore I have added the established ACE before the deny. What do you think?


    Regards,

    Jamie
  • ColbyG Member Posts: 1,264
    Yeah, routing should be enabled by default, but to double check just go into global config ( #(config) ) and type "ip routing".

    I'm right in the middle of something, so I just skimmed your ACL, but it looks good to me.
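An added example, not from the thread: a small Python evaluator for IOS-style extended ACLs, run over the VLAN20 list posted above with constructed packets. It shows which inbound SVI actually sees web-server traffic (bound `in` on Vlan20 the list never evaluates packets sourced from 172.16.0.2, bound `in` on Vlan10 it does) and that the `established` ACE then covers only replies to the SBS host, not replies to workstations. It assumes the thread's addressing (web server 172.16.0.2 on Vlan10, SBS 192.168.0.2 on Vlan20) and models `established` simply as the ACK/RST bit, with no stateful inspection.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Constructed packet model: just the fields an extended ACL looks at."""
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    ack: bool = False   # TCP ACK/RST set, i.e. what 'established' matches

# Constructed ACEs from the thread's VLAN20 list: (action, proto, src, dst, dport or None, established)
ACL_VLAN20 = [
    ("permit", "tcp", "172.16.0.2/32", "192.168.0.2/32", 1433, False),
    ("permit", "tcp", "172.16.0.2/32", "192.168.0.2/32", None, True),
    ("deny",   "ip",  "172.16.0.0/16", "0.0.0.0/0",      None, False),
    ("permit", "ip",  "0.0.0.0/0",     "0.0.0.0/0",      None, False),
]

# Assumed SVI subnets from the thread; the ingress SVI decides which inbound ACL sees a packet.
VLAN_SUBNETS = {"Vlan10": "172.16.0.0/16", "Vlan20": "192.168.0.0/24"}

def ace_matches(ace, p):
    action, proto, src, dst, dport, est = ace
    if proto != "ip" and proto != p.proto:
        return False
    in_src = ipaddress.ip_address(p.src) in ipaddress.ip_network(src)
    in_dst = ipaddress.ip_address(p.dst) in ipaddress.ip_network(dst)
    if not (in_src and in_dst) or (dport is not None and p.dport != dport):
        return False
    return p.ack or not est   # 'established' only matches ACK/RST segments

def evaluate(acl, p):
    """First-match semantics; the implicit 'deny ip any any' ends every IOS ACL."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, p):
            return ace[0], i
    return "deny", len(acl)

def ingress_vlan(p):
    """SVI that receives the packet: the one whose subnet contains the source."""
    src = ipaddress.ip_address(p.src)
    return next((name for name, net in VLAN_SUBNETS.items()
                 if src in ipaddress.ip_network(net)), None)

def decision(inbound_acls, p):
    """Apply the ACL bound 'in' on the ingress SVI; an SVI without one permits everything."""
    acl = inbound_acls.get(ingress_vlan(p))
    return "permit" if acl is None else evaluate(acl, p)[0]
```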
  • JAMiE132 Member Posts: 7
    OK, I will test the ACL later just to make sure.


    Thanks for your time buddy, it was much appreciated


    Regards,

    Jamie