Hello,
I'm in the process of setting up a new network and want to maximize security mostly from Internal threats. I have already ordered an ASA5510 with security bundle, 2 ESW540-24p-k9 switches and an Aironet 1141N with multiple SSIDs (public and private). An outside vendor will be setting up the VLAN/QOS for the IP phones once the model is decided. This question involves a multitude of configuration from different equipment.
How would I setup the following security on my network or is it even possible:
The IP phones will be located on a subnet 192.168.10.x and will get their IP from the Windows 2008 server. If an internal employee connects their PC or laptop (company owned or authorized personal laptop) to either the wired network or the private SSID Access Point, they get an IP from the 192.168.2.x range and have full network access. If a guest connects their laptop to the wired network or public SSID Access Point, they will get an IP from a different range (10.10.10.x) and will only have access to the Internet. Those guests shouldn't be able to connect to the private Access Point unless an employee gives them the pass key. When the guests connect to either the wired or wireless network, they should be getting their IP from the DHCP server, ideally on the ASA; however, if that is not possible, the internal server (Windows 2008) can serve them IPs but using the ISP DNS IP. Now to make matters even more complicated, could I allow a guest to access a printer that is located on the 192.168.2.x network? Many years ago, I had played around with MAC address filtering on the old Cisco switches, but only to lock out guest access completely or only allow specific NICs to connect to specific ports on the switch. Now we need to allow the guest to access the Internet through our network. I know the solution will involve at least 3 VLANs (1 for the IP phones, 1 for employee access and 1 for guest access) and some MAC filtering (MACs of all authorized devices). Dedicating specific wall jacks just for guests is not possible. We want to make the process as easy as possible because onsite IT is not always available. Am I asking for too much?
Thanks,
FS483
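For reference, here is a sketch of what the ASA side of the guest segment described in the post could look like. This is an added example, not configuration from the original post, from Cisco, or from the vendor doing the phone setup. It assumes the three VLANs are trunked to the ASA on Ethernet0/1 with VLAN IDs 10 (phones), 20 (employees) and 30 (guests), that the shared printer sits at 192.168.2.50, and uses 203.0.113.53 as a placeholder for the ISP DNS address; NAT from the guest and employee segments to the outside interface is assumed to be configured separately, as its syntax depends on the ASA software version.

```cisco
! --- Added example, not the poster's or vendor's config ---
! Sub-interfaces for the three VLANs (VLAN IDs and IPs are assumptions)
interface Ethernet0/1.10
 vlan 10
 nameif voice
 security-level 80
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.30
 vlan 30
 nameif guest
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
! Guest DHCP served by the ASA itself, handing out the ISP resolver
! (203.0.113.53 is a placeholder for the real ISP DNS address)
dhcpd address 10.10.10.50-10.10.10.200 guest
dhcpd dns 203.0.113.53 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! Guest policy: reach the one printer on the employee VLAN (assumed
! 192.168.2.50, raw-socket printing on TCP 9100), block every other
! private range, then allow anything else, i.e. the Internet.
access-list guest_in extended permit tcp any host 192.168.2.50 eq 9100
access-list guest_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_in extended deny ip any 172.16.0.0 255.240.0.0
access-list guest_in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
!
! Keep the phone VLAN from initiating anything toward the PCs;
! the voice vendor will refine this once the phone model is known.
access-list voice_in extended deny ip any 192.168.2.0 255.255.255.0
access-list voice_in extended permit ip any any
access-group voice_in in interface voice
```

The ordering of the guest ACL matters: the printer permit must precede the deny for 192.168.0.0/16, because the ASA stops at the first matching line. The explicit denies for all three RFC 1918 ranges are what turn "guest" into "Internet only" regardless of what other subnets are added later. This fragment covers only the firewall; placing a wired guest laptop into VLAN 30 on an arbitrary wall jack is a switch-side decision (for example a port-based authentication scheme with an unauthenticated fallback VLAN) and is not shown here.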