NETWORK SET UP FOR CISCO 2811 ROUTER?

Status
Not open for further replies.

SYQUEST
I am trying to figure out if the 2811 could be used in this network configuration:

My client has a 1720 w/ DS1 WIC, the 1720 connects to a small Gigafast switch, which in turn feeds three routers (SMC, Linksys & D-Link) for 3 LANs and a DVR server. My client needs NAT, wants to add virus protection and URL blocking on at least two of the LANs. Two of the three LANs are DHCP. Besides the DS1, they have a DSL that they want to reactivate and maybe share or put the DVR server on it with one of the LANs. They would like to get rid of the separate routers and have one box w/ security.

Would the 2811 work for this configuration?

What modules/interfaces and software would be needed to make it work?

Thanks in advance for your input!

....JIM....
 
I would keep the 1720 and leave it as an edge router to terminate the DS1 and then deliver it to the 2811. Add a 4 or 9 port switch into the 2811 and use VLANs to separate the networks. You should then have a Cisco managed switch on the management VLAN and set it up for port mirroring and monitor all traffic on the port to and from the router and the destination being the web filter device. I do not believe the 2811 will do URL filtering. Think you would need an ASA device for that. You could purchase a program such as SurfControl and use that. If they have other unmanaged switches would also recommend getting Cisco managed equipment if the budget allows. This would allow another layer of security as you could then apply port security and also shut down any unused ports so that anyone can't just plug in and be on the network.

My Two Cents......cost 3 cents to make it....
 
Actually with a managed switch environment you would not need the router switch card.......
 
I thought the 2811 w/ a WIC can be configured as an Access Router. There are no servers available to run a separate security application like SurfControl or Websense, that is why we want to try to do this in one or two boxes if possible.

There are a mix of switches (Cisco 2950 & 3Com) on the LANs. So VLAN I don't think is an option at this time.

If we kept the 1720, what other boxes would you suggest might work for this set up? Also the other reason I thought the 2811 would be better than the 1720 is adding a DSL interface card in addition to the WIC for the DS1 to the ISPs. In this area the 1720 only has one Ethernet jack! So that won't work for multiple LAN connections that have different requirements.

There are some cost limits also. What do you think of the SonicWall boxes?

....JIM....
 
I hear they are good but have no experience with them. We use SurfControl which works well for us. I don't think the 2811 will do web filtering but maybe there is a feature set that will allow that. Might want to check with Cisco.
 
Yes, it is actually possible to do URL filtering with a 2811 router. This is the version I currently use which allows you to set up URL filtering either locally (on the router itself), or using a server: Version 12.4(2)T3. I'm sure there are other versions of IOS that will allow you to do this.
 
Thanks for your input, chadnick18.

For the application I am currently putting together (see previous posts) the router would have to do URL filtering, but would that work for two LAN subnets?

Any idea how flexible the filtering is?

I haven't tried calling Cisco yet. Wondering how helpful their sales engineers might be?

....JIM....

 
Yes, this will work with the 2811. If you plan to move to one router, all you need to do with the 2811 is set FA0/0 as your WAN port, and then on FA0/1, you would create sub-interfaces (1 for each separate network). So if you have 3 local networks, you would have 3 subinterfaces: fa 0/1.1, fa 0/1.2, and fa 0/1.3. As for the URL filtering, you create a list of websites and apply it to whichever interfaces/subinterfaces you want. It also gives you the option of applying it to incoming or outgoing traffic, and whether to permit or deny it. I've never dealt with the Cisco sales people so I don't know how helpful they would be, but I know the Cisco support will not help you unless you have bought a service contract for your equipment. Hope that helps.
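
A sketch of the layout described in the post above, as an added example that is not part of the original thread or any poster's configuration: Fa0/0 as WAN, three 802.1Q subinterfaces on Fa0/1, NAT overload, and a local URL filter list applied to two of the three LANs. All addresses, VLAN IDs, the inspection name WEBFILTER and the blocked domains are constructed placeholders, and the switch port facing Fa0/1 is assumed to be an 802.1Q trunk.

```cisco
! Added example: addresses, VLAN IDs, names and domains are constructed.
! Local URL filter list; URL filtering hooks into HTTP inspection.
ip inspect name WEBFILTER http urlfilter
ip urlfilter exclusive-domain deny .blocked.example
ip urlfilter exclusive-domain deny www.games.example
! No vendor filter server is used here, so pass requests that the
! local list does not match instead of dropping them.
ip urlfilter allow-mode on
! Log URL filter decisions to syslog for review.
ip urlfilter audit-trail
!
interface FastEthernet0/0
 description WAN
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Parent port carries no address; each subinterface takes one VLAN tag.
interface FastEthernet0/1
 no ip address
 no shutdown
!
interface FastEthernet0/1.1
 description LAN1 filtered
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip inspect WEBFILTER in
!
interface FastEthernet0/1.2
 description LAN2 filtered
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip inspect WEBFILTER in
!
interface FastEthernet0/1.3
 description LAN3 unfiltered
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
!
! NAT overload (PAT) for all three inside subnets.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
```

Because the three subnets share one router, they can reach each other unless an access list on the subinterfaces says otherwise, which the separate consumer routers previously prevented by default.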
 