This article is part 2 of a 2 part series: Part 1 is at Why Is Cisco Equipment a Smart Investment for Small Businesses?
Moving from the broad over view covered in Part 1 lets now move into demonstrating some of the direct benefits of the more commonly implemented features of Cisco router and switches by using a simple, small office scenario as a case study.
Typical of a small organization is there are departments for financial matters, marketing and sales and one or more managers. The personnel in each of these areas has specific computer functions and data needs with some being in common such as Internet access and others being necessarily limited to certain workers such as access to financial data.
Let’s assume we’re a consulting firm that’s been hired to design this network and as the the first step we have met with the key managers to develop a list of criteria for each department in regards to computer resources, security and performance. In our meeting we agreed to the following goals.
Network Design Goals and Numbers
A reasonable level of network security. This particular business isn’t subject to any set of specific regulations such as HIPAA but management well understands that good security practices are both a sound investment in protecting the company’s IT assets, the company image and as a deterrent against legal proceedings. It was agreed that the following basic security procedures are to be implemented.
– Centralized anti-virus on a server that can “push-out” anti-virus software to all client machines on the network and can monitor and update those clients as needed.
– Only those services that are required in general will be permitted to pass through the various router interfaces and all others will be blocked. Core external (Internet/WAN side) services were identified as HTTP and HTTPS (web/secure web), SMTP and POP3 (email services), DNS (domain name lookup) and FTP (file transfers).
- Internet access for web services, email and file transfers.
- Each employee will have an area on the server for storage of personal files that is accessible only by them, managers and IT staff.
Managers: Subnet 22.214.171.124/24
- Unlimited access to all computer resources and data.
Sales and Marketing: Subnet 126.96.36.199/24
- Access to the server based CRM (Customer Relationship Management) software.
Accounting and Finance: Subnet 188.8.131.52/24
- Access to the server based accounting software and financial records. All other personnel restricted with no access.
Hardware and Software
To implement our case scenario the following equipment and software is ordered, placed and wired with Category 5E cable. Our equipment list includes:
- One server running a server operating system such as Microsoft 2003 Server or an appropriate Linux distribution such as Red Hat or SUSE for use as a file server at address 184.108.40.206/24
- One server running a server operating system such as Microsoft 2003 Server or an appropriate Linux distribution such as Red Hat or SUSE for use as an application server running the accounting package at address 220.127.116.11/24.
- One Cisco 2621XM router using the two Fast Ethernet interfaces with no other modules/cards installed.
- One Cisco Catalyst 2950 – 48 port switch.
Given that the focus of this article is in how we utilize the Cisco router and switch to achieve our goals I’m won’t go into any detail as to server configuration. Suffice to say both Microsoft and Linux servers can be configured to provide appropriate access control through the use of user and group level permissions.
As the first step in implementing our network design we’ll look at the configuration of the Cisco 2621XM router. This router has two Fast Ethernet interfaces, referred to as FA0/0 and FA0/1, built in which are what we’ll be using for our network.
On the WAN (Wide area network) side we’ll connect the cable from the Internet Service Provider’s hardware (DSL, cable modem etc) Ethernet interface into FA0/0 of our router and run a cat 5e cable from router interface FA0/1 to port FA0/1 on our Cisco Catalyst 2950 switch.
We now have a setup where the insecure side of the WAN (Internet) enters into the router on interface FA0/0, the secure trusted network (LAN) connects to router interface FA0/1 and any traffic between them passes through the router. It’s on these interfaces we can at the simplest level implement ACLs (Access Control Lists) to meet one of our basic security goals.
(As an aside if the router is running IOS 12.4(6)T and later we can take advantage of the newer Cisco zone based firewall features which offer an even richer and more granular way to control traffic.)
Starting with the WAN side interface (FA0/0) we would build an ACL only allowing the HTTP, HTTPS, SMTP, POP3, DNS and FTP protocols while restricting all others. With this in place we have significantly improved our security profile by vastly limiting the “attack surface” which in this case is the number of ports open to the insecure/WAN side of the network. Also given it’s likely we only have a single public IP but have numerous devices on the trusted LAN that wish to connect to Internet based resources we would implement Port Address Translation (PAT) to provide the mapping of the multiple internal addresses to the single public address.
Before moving to the configuration of FA0/1 interface of the router we need to outline the basics of the LAN design. To implement our desired internal security/access control goals we will use a combination of VLans (virtual LANs) on the switch and access control lists (ACLs) on the LAN side router interface (FA0/1).
For those not familiar a VLan is a software level method that allows a switch to be configured such that it can have groups of ports divided such that each group can be assigned to a different subnet (network level address) yielding a number of benefits. Our primary interest here is that by having the various groups of users on different subnets we can add an additional level of control over access to server resources and files. Specifically we will create the following VLans and correlate them with the following subnets.
VLan 8 : 18.104.22.168/24 – Managers
VLan 9 : 22.214.171.124/24 – Sales & Marketing
VLan 10 : 126.96.36.199/24 – Accounting and Finance
Because a Catalyst 2950 is only a layer 2 switch (doesn’t have layer 3 routing capabilities) we have to use the LAN side router interface (FA0/1) to provide routing between the VLans via a configuration somewhat humorously known as a “router on a stick!” In sum the router interface is configured with three sub-interfaces with one each assigned an address within one of the network address ranges and corresponding VLan number. To clarify using an example we could configure a sub-interface for VLan 8 using the following commands. (Router configuration commands are enclosed in quotes)
“interface fa0/1.08” : This creates the sub-interface
“encapsulation dot1q 8” : Set encapsulation to 802.1q and assign this interface to VLan 8
“ip address 188.8.131.52 255.255.255.0” : Set the IP address for the interface to network 172.10.8 and for host address 1.
We would then create two more sub-interfaces for the remaining two VLans/subnets in a similar fashion.
Note: 802.1q or VLan tagging is a method that allows correlation of packets to a specific VLan.
Now with the router configured we need to do a bit of magic (configuration) on the switch by making the Fast Ethernet port of the switch connecting to the LAN side interface of the router into what’s referred to as a trunking port. In sum a trunking port recognizes packets from all VLans and allows then to pass over the cable to the router and back. This configuration allows packets to move between the several VLans/subnets unless otherwise restricted as we illustrate in the following.
Meeting Design Goals
Let’s return to our design specification above where we wanted to restrict traffic to the accounting package server at address 184.108.40.206 to only the members of the Accounting and Finance group. Notice we assigned this group to VLan 10 with the subnet of 220.127.116.11/24 thus appropriately placing the users and server on the same network. This provides a faster response for the users and removes unnecessary traffic from having to traverse the LAN side router interface of FA0/1.
Moreover we can easily met our design goal by using an appropriate ACL to prevent traffic from the Sales and Marketing subnet from entering the Accounting and Finance VLan (10). Other design goals for restricting traffic would be implemented in a similar fashion.
The above scenario may seem overly complex but in fact is a configuration that an experienced Cisco technician could implement in less than an hour or two. Although we have only “scratched the surface” of the capabilities for controlling traffic, improving performance and implementing security we have accomplished a fair amount in building a solidly performing network that can easily be expanded to accommodate growth.
Moreover this need not be vastly more expensive as the Cisco hardware described above can currently be bought in used but excellent condition on eBay from a reputable dealer for under $300 USD. Considering that a low-end “router” and switch would run about $100 or so the differential of $200 is rather insignificant for the benefits obtained from having real professional level equipment.
Hopefully, by my case example above, you as the owner and/or manger of a small business or similar sized organization will begin to see using real professional networking equipment such as that produced by Cisco in a new, and very favorable light.
As an IT professional I can vouch there’s a lot more cost to a network then the purchase price and those bargain basement routers and switches are in fact a very expensive choice!
To your networking and business success!