Advice for L3 device with CCNA in mind

amrogers3
Level 1

Afternoon all,

http://i145.photobucket.com/albums/r213/amrogers3/networkdiagram7.jpg

I am attempting to implement a device on a home network which can provide the following functionality:

  1. 4+ VLANs
  2. ability to apply ACLs to VLANs
  3. RADIUS capability
  4. port mirroring (for SNORT box)
  5. >= 12 ports

Was initially going to implement an ASA 5505 as an additional stateful firewall in my network, but I would have to purchase a Security+ license to have more than 2 VLANs.

Been researching and believe two boxes may be able to provide the functionality I need:

SFE1000 (only 8 ports but has VLANs, fanless, port mirroring, RADIUS, and believe it does ACLs if I am reading correctly)
Cisco 3560 (12 ports, fanless, VLANs, RADIUS, VLAN ACLs and even IP ACLs and MAC ACLs, not sure about port mirroring)

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5528/product_data_sheet09186a00801f3d7d.html

or the Cisco ASA 5505 (8 port, fanless, RADIUS, VLAN ACLs, not sure about port mirroring)

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Good with computers but a beginner at routers. Looking to learn and at the same time better secure my home network. Any feedback would be appreciated.

13 Replies

AJ Cruz
Level 3

Two of the greatest things on Earth: 1. Virtual Machines (I use VirtualBox on Ubuntu)    2. GNS3

When you put those two working together on a linux host with a few NICs that connect to a Cisco router with a few interfaces, you can do all kinds of amazing things woot!

I have one nic in my linux box that is my home connection, another nic goes to my cisco router for lab connections, my 3rd nic connects to a span port on my cisco router (I run snort/nessus/nmap/etc/etc on my linux box for probing and testing my lab).

My lab connection runs to a virtual router on GNS3 where I can build any topology my heart desires and connect as many virtual machines as my CPU can handle to the GNS3 lab which has connectivity to the outside world (if I want) through the Cisco router (2nd nic)

Thanks for reply. I agree virtual is great but I am actually trying to find a hardware device to implement into my home network.

Ganesh Hariharan
VIP Alumni

Hi,

If you want to secure your network then you should go with a firewall, but with a layer 3 switch such as the 3560 you can achieve this by applying ACLs on VLANs to restrict the traffic, and port mirroring is supported on the 3560; check out the link below for SPAN configuration on the 3560.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
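As an added, constructed example (not from this thread or from any Cisco document), the following Catalyst 3560 configuration shows the two things recommended above working together: VLANs with a router ACL on the SVI to keep an untrusted segment away from the trusted LAN, and a SPAN session that copies one VLAN to the port where the Snort box listens. VLAN numbers, addresses, and the interface names FastEthernet0/5 and FastEthernet0/12 are assumptions and depend on the model.

```cisco
! Constructed example for a Catalyst 3560; VLAN numbers, addresses and port names are assumptions.
ip routing
!
vlan 10
 name TRUSTED
vlan 20
 name IOT
vlan 30
 name LAB
!
! Router ACL applied to the IoT SVI. Entries are evaluated top-down and the list
! ends with an implicit "deny ip any any", so order matters.
ip access-list extended IOT-IN
 remark allow DNS to the local resolver, then block the rest of the trusted and lab subnets
 permit udp 192.168.20.0 0.0.0.255 host 192.168.10.53 eq domain
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip  192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 log
 remark anything else (Internet via the default route) is allowed
 permit ip  192.168.20.0 0.0.0.255 any
!
interface Vlan10
 description Trusted LAN gateway
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description IoT gateway; "in" filters packets entering the switch from VLAN 20 hosts
 ip address 192.168.20.1 255.255.255.0
 ip access-group IOT-IN in
!
interface Vlan30
 description Lab gateway
 ip address 192.168.30.1 255.255.255.0
!
! Access port for one IoT device
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Port mirroring (VLAN-based SPAN): copy all traffic seen on VLAN 20 to the sensor port.
! A SPAN destination port carries no normal traffic, so the Snort box needs a second
! NIC in a regular VLAN for management and alert delivery.
monitor session 1 source vlan 20 both
monitor session 1 destination interface FastEthernet0/12
```

The "log" keyword on the deny entries makes blocked cross-VLAN attempts visible in the switch log, which is a useful early check that the segmentation is actually being hit.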

Thanks for reply.

Would it be better to use the 3560 or an ASA with a Security+ license? They will be approx the same cost wise.
Hi,

It all depends on your requirement. If an L3 switch suffices then go with the L3 switch, but as it is a small network you can control traffic by deploying ACLs on L3 interfaces or on VLAN interfaces, which a firewall can also do. If the cost is the same for both devices and your requirement is fulfilled with the ASA, then I would suggest that for securing a network a firewall is better than a normal L3 switch.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi Ganesh, thanks for reply.

Does it matter if the device will be on the internal network behind a pre-existing firewall?

Looking for a fanless device that supports Zone-Based Policy. Can you recommend a device?

If the network is well secured behind the firewall then there is no requirement for having another firewall inside the network; generally two factor security is used in high-security networks like a data centre where you design for two layers of firewall, but with a small network it is not required and we can use an L3 switch for your requirement.

But for zone-based firewall, check out the link below for the supported platforms.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.html

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi Ganesh, you've been very helpful. Thanks for the reply.

I would like to implement two factor security in my network. I know it is probably not necessary but I want to do it anyway using an L3 device with a zone-based firewall router.

I have been looking at the 871 and 891.

I checked the link and it looks like the 871 is a Zone-Based Firewall supported device but it appears the 891 is not. Is it correct that the 891 does not support Zone-Based Firewall policy?

Thanks again Ganesh.

Hi,

I think you can use the Cisco 891 with IOS c890-universalk9-mz.151-2.T1; check out the link below for more information.

https://supportforums.cisco.com/thread/2040241

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
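As an added, constructed example (not from this thread or from Cisco), here is a minimal IOS Zone-Based Policy Firewall configuration of the kind the 891 is being considered for: a trusted zone and a lab zone, a stateful policy that lets the trusted LAN open a few services toward the lab, and nothing initiated from the lab side. The zone names, addresses, and the interface names Vlan1 and FastEthernet8 are assumptions and should be matched to the actual router.

```cisco
! Constructed example of IOS Zone-Based Policy Firewall; names and interfaces are assumptions.
zone security INSIDE
 description Trusted home LAN
zone security LAB
 description Lab / second-layer segment
!
! Traffic INSIDE hosts may initiate toward the lab: SSH, HTTP, HTTPS and ICMP.
class-map type inspect match-any INSIDE-TO-LAB-CM
 match protocol ssh
 match protocol http
 match protocol https
 match protocol icmp
!
! "inspect" creates a stateful session, so replies are allowed back without a
! separate LAB->INSIDE policy; anything unmatched hits class-default and is dropped and logged.
policy-map type inspect INSIDE-TO-LAB-PM
 class type inspect INSIDE-TO-LAB-CM
  inspect
 class class-default
  drop log
!
! Only this direction gets a zone-pair. With no LAB->INSIDE zone-pair, the lab
! cannot initiate connections into the trusted LAN (inter-zone default is deny).
zone-pair security INSIDE-LAB source INSIDE destination LAB
 service-policy type inspect INSIDE-TO-LAB-PM
!
interface Vlan1
 description Trusted LAN on the built-in switch ports
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet8
 description Routed port toward the lab segment
 ip address 192.168.30.1 255.255.255.0
 zone-member security LAB
```

Once an interface is placed in a zone, traffic between it and any interface not in a zone is dropped, so every data interface on the router should be assigned to a zone before the policy is relied on.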

Hi Ganesh. Thanks for all your help. Would you recommend the 891 as something to learn on? I would also like to implement it into my home network for a 2nd layer of security. I understand it has a lot of functionality I could use in the future to learn and expand my home network.

Hi Aaron,

See, every device has something to learn; the thing is how you use it. As the Cisco 891 or 871 have support for zone-based firewall, which is also a good feature to learn and to work with.

And yes, no doubt it has other functionality also which will be useful if you try it in future and which will be helpful to you also.

Hope to Help !!

Ganesh.H

Thanks Ganesh, appreciate all your help

Hi Aaron,

I am glad that the posts are really helpful for you to design and make decisions for your home network. It will be helpful if you can mark this thread as answered so that others can benefit.

Ganesh.H