Design recommendations for Network of 75 hosts

Hi all,
I am no professional in the area of design so i want to ask for a recommendation as regards the above subject. A friend of mine who is a newbie in cisco world was made the network admin of a small hotel with 50 employees and approximately 75 hosts on the existing network.From what he explained to me,there are 7 different departments and all hosts in that building reside on the same subnet(A bad design IMO).The existing infrastructure include 3x24ports 3Comm switches(which has no password to),a modem connecting to the ISP and a linksys router.The management are not willing to spend much on IT infrastructure. He wants to migrate to cisco equipments so he asked for my advice and invited me to come assist him in the design and implementation aspect. From my little knowledge and experience, these are my recommendations.
Hardware:
1) 1 x 1800 series router with FW capabilities
2) 3 x 24ports catalyst 2960 series switches

Design:

1) Configure 7 vlans excluding VLAN 1 and inter vlan routing
2) configure basic firewall commands on the router to prevent DDoS and IP snooping.
3) trunk link between the router & a switch then i will enable VTP on the switches.

I'll like experts in the house to guide me if I am not making the right choice of equipments and/or configurations.

Find more posts tagged with

Comments

ptilsen

I think the problem here is you're looking at an enterprise approach to a small business solution. It's totally impractical to create a subnet for each department, especially with the relatively low security requirements of the hospitality industry. As long as the end-user nodes and the servers are locked down properly, there are neither traffic nor security concerns for having 75 hosts on one subnet.

A larger concern would be if guest wireless or wired connections are on the same subnet as the employee nodes. So you might end up with two or three VLANs separating employee devices and guest devices 2960-24TC-L would not be a bad switch choice.
However, it might be practical to only have one or two, and to use un-managed, layer 2 switches in conjunction. Keep in mind you're asking a small business owner to replace something that works fine and will continue to work fine the way it is.

A more typical approach on the router/firewall side would be to replace the Linksys with something that's easy to manage but more sophisticated than Linksys, eg Sonicwall, Astaro, Watchguard. Cisco does not see a lot of use in small business networks, though Cisco's shown more competition in the last couple of years. In any case, there is nothing wrong with the 1800 series and if your friend is comfortable with that, then more power to him. The solution you designed will work and the budget is not unreasonable. It's just a bit more complicated than such a small (in terms of IT needs) organization would typically need.

nethacker

ptilsen wrote: »

I think the problem here is you're looking at an enterprise approach to a small business solution. It's totally impractical to create a subnet for each department, especially with the relatively low security requirements of the hospitality industry. As long as the end-user nodes and the servers are locked down properly, there are neither traffic nor security concerns for having 75 hosts on one subnet.

A larger concern would be if guest wireless or wired connections are on the same subnet as the employee nodes. So you might end up with two or three VLANs separating employee devices and guest devices 2960-24TC-L would not be a bad switch choice.
However, it might be practical to only have one or two, and to use un-managed, layer 2 switches in conjunction. Keep in mind you're asking a small business owner to replace something that works fine and will continue to work fine the way it is.

A more typical approach on the router/firewall side would be to replace the Linksys with something that's easy to manage but more sophisticated than Linksys, eg Sonicwall, Astaro, Watchguard. Cisco does not see a lot of use in small business networks, though Cisco's shown more competition in the last couple of years. In any case, there is nothing wrong with the 1800 series and if your friend is comfortable with that, then more power to him. The solution you designed will work and the budget is not unreasonable. It's just a bit more complicated than such a small (in terms of IT needs) organization would typically need.

i thought about it too but he sounded like he wants to use that to get himself working on cisco gears daily. I already explained to him that since the existing infrastructure works fine at present, it's going to be hard to convince the decision makers to approve of the budget.
I know wireless doesn't exist on the network but yes guest connections are on the same subnet as employee nodes. in that case, one 2960 would be suitable combined with the existing 3comm unmanaged switches. Will check out sonicwall and let him review it himself. Thanks

Bl8ckr0uter

how low is the budget? You could "get by" with an opensource firewall package on good hardware (and support if they want it). At my last place, I was able to switch our some very old cisco gear for a Pfsense router/firewall and it worked excellently. It is gui based and has tons of packages you can install and deploy. If you want to go the dedicated firewall route, why not look at an ASA 5505 (staying with the cisco theme) or 5510 (rack mount, faster) with an IPS module (or go open source on the modules). I don't know how important the internet is to the company but you may want to stack your firewalls and switches for failover/dr purposes (especially if you want something to "just run"). The 2960s can do power stacking (I think) and the ASAs can do stateful failover.

IMO you probably only need a few vlans. Servers (maybe) and desktop vlan (maybe) an untrusted machine/patching vlan and a vlan for wireless guest access (which I know you don't have, but they will ask you for it eventually). Some (small) businesses like having a different vlan for the financial folks (I do) so you may want to do that. ROAS should be painfully easy to set up . it might seem stupid to set up different vlans/subnets for every department now, but if they grow in a few years you are going to want to have security built in. Just watch your VACLs.

You may want to look at some cisco "verified" designs to get some ideas:

http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html

cisco_trooper

Also, Why not use 2 or 3 48 port switches. You've got 3 x 24 port which brings you to 72 access ports. There is no room for growth without more equipment. 2 x 48 might be cheaper than 3 x 24.

nethacker

cisco_trooper wrote: »

Also, Why not use 2 or 3 48 port switches. You've got 3 x 24 port which brings you to 72 access ports. There is no room for growth without more equipment. 2 x 48 might be cheaper than 3 x 24.

i am also thinking about the link between the switch and the router. I am thinking of configuring etherchannel (layer2) between the switch and the router but i don't know if the ESW module support etherchannel

alxx

Maybe have any pos equipment on a separate vlan to the rest of the network ,same with servers and building management system.

How many floors in the building?

For ease of wiring it may make sense to have a switch on each floor( assuming multistorey).

A better way to sell it to management is get them to put an IT infrastructure item in the budget for each year for network maintenance and improvement. Keep the existing network but gradually upgrade it floor by floor or building area by area.

Start with a firewall , then a main switch and onwards from there.

Sell it to them on security and keeping guests happy( need to support higher bandwidth and better services).

Your friend may also need to look at the telephone system and also entertainment/ video as these are usually the IT guys responsibility as well( or dealing with the external providers).

He may want to do an audit on the existing systems first to show the owners where there are problems and also where it seems to be working well. Then do a three to five year maintenance plan.Hospitality industry is used to budgeting for maintenance but is usually rather tight on other spending.

nethacker

alxx wrote: »

Maybe have any pos equipment on a separate vlan to the rest of the network ,same with servers and building management system.

How many floors in the building?

For ease of wiring it may make sense to have a switch on each floor( assuming multistorey).

A better way to sell it to management is get them to put an IT infrastructure item in the budget for each year for network maintenance and improvement. Keep the existing network but gradually upgrade it floor by floor or building area by area.

Start with a firewall , then a main switch and onwards from there.

Sell it to them on security and keeping guests happy( need to support higher bandwidth and better services).

Your friend may also need to look at the telephone system and also entertainment/ video as these are usually the IT guys responsibility as well( or dealing with the external providers).

He may want to do an audit on the existing systems first to show the owners where there are problems and also where it seems to be working well. Then do a three to five year maintenance plan.Hospitality industry is used to budgeting for maintenance but is usually rather tight on other spending.

Thanks i appreciate. we already did all you suggested and it seems like they are not interested but now that PCI is on the verge of auditing them, they are running helter skelter