Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1584
Views
29
Helpful
13
Replies

Advice for L3 device with CCNA in mind

Go to solution
amrogers3
Level 1
Level 1

‎12-16-2010 12:58 PM - edited ‎03-06-2019 02:34 PM

Afternoon all,

http://i145.photobucket.com/albums/r213/amrogers3/networkdiagram7.jpg

I am attempting to implement a device on a home network which can provide the following functionality:

  1. 4+ VLANs
  2. ability to apply ACLs to VLANs
  3. RADIUS capability
  4. port mirroring (for SNORT box)
  5. >= 12 ports

Was initially going to implement a ASA 5505 for an additional stateful firewall into my network but I would have to purchase a Security + license to have more than 2 VLANs.

Been researching and believe two boxes may be able to provide the functionality I need:

SFE1000 (only 8 ports but has VLANs, fanless, port mirroring, RADIUS, and believe it does ACLs if I am reading correctly)
Cisco 3560 (12 ports, fanless, VLANs, RADIUS, VLAN ACLs and even IP ACLs and MAC ACLs, not sure about port mirroring)

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5528/product_data_sheet09186a00801f3d7d.html

or the Cisco ASA 5505 (8 port, fanless, RADIUS, VLAN ACLs, not sure about port mirroring)

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Good with computers but begineer at routers. Looking to learn and at same time better secure my home network. Any feedback would be appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to amrogers3

‎12-25-2010 10:43 AM 

Thanks Ganesh, appreciate all you help

Hi Aaron,

I am glad that post are really helpful for you to design and make decision for home network,It will be helpful if you can mark this thread as answered so that other can be beniffited.

Ganesh.H

View solution in original post

0 Helpful
13 Replies 13

Go to solution
AJ Cruz
Level 3
Level 3

‎12-16-2010 01:36 PM

Two of the greatest things on Earth: 1. Virtual Machines (I use VirtualBox on Ubuntu)    2. GNS3

When you put those two working together on a linux host with a few NICs that connect to a Cisco router with a few interfaces, you can do all kinds of amazing things woot!

I have one nic in my linux box that is my home connection, another nic goes to my cisco router for lab connections, my 3rd nic connects to a span port on my cisco router (I run snort/nessus/nmap/etc/etc on my linux box for probing and testing my lab).

My lab connection runs to a virtual router on GNS3 where I can build any topology my heart desires and connect as many virtual machines as my CPU can handle to the GNS3 lab which has connectivity to the outside world (if I want) through the Cisco router (2nd nic)

0 Helpful

Go to solution
amrogers3
Level 1
Level 1
In response to AJ Cruz

‎12-16-2010 05:00 PM

Thanks for reply. I agree virtual is great but I am actually trying to find a hardware device to implement into my home network.

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎12-16-2010 08:19 PM 

Advice for L3 device with CCNA in mind
                    
                    
                        
Afternoon all,
http://i145.photobucket.com/albums/r213/amrogers3/networkdiagram7.jpg
I am attempting to implement a device on a home network which can provide the following functionality:
  1. 4+ VLANs
  2. ability to apply ACLs to VLANs
  3. RADIUS capability
  4. port mirroring (for SNORT box)
  5. >= 12 ports
Was
initially going to implement a ASA 5505 for an additional stateful
firewall into my network but I would have to purchase a Security +
license to have more than 2 VLANs.
Been researching and believe two boxes may be able to provide the functionality I need:
SFE1000 (only 8 ports but has VLANs, fanless, port mirroring, RADIUS, and believe it does ACLs if I am reading correctly)
 
 
Cisco 3560 (12 ports, fanless, VLANs, RADIUS, VLAN ACLs and even IP ACLs and MAC ACLs, not sure about port mirroring)
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5528/product_data_sheet09186a00801f3d7d.html
or the Cisco ASA 5505 (8 port, fanless, RADIUS, VLAN ACLs, not sure about port mirroring)
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
Good
with computers but begineer at routers. Looking to learn and at same
time better secure my home network. Any feedback would be appreciated.

Hi ,

If you want to secure your network then you should go with firewall but with layer 3 switch 3560 ou can achive by applying acl on vlans to restrict the traffic and port mirroring is supported in 3560,check out the below link for span configuration in 3560.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Go to solution
amrogers3
Level 1
Level 1
In response to Ganesh Hariharan

‎12-17-2010 06:24 PM

Thanks for reply.

Would it better to use the 3560 or an ASA with security + license? They will be approx the same cost wise.

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to amrogers3

‎12-18-2010 01:08 AM 

Thanks for reply.
Would it better to use the 3560 or an ASA with security + license? They will be approx the same cost wise.

Hi,

All depends on your requirement if it suffucie with L3 switch then go with l3 switch,but as it a small network where you can controll traffic with deploying ACL's on l3 interface or on vlan interface which a firewall can do also.If your cost is same for both the device and requirement is getting full filled with ASA then i would suggest for securing a network firewall is better than a normal l3 switch.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

0 Helpful

Go to solution
amrogers3
Level 1
Level 1
In response to Ganesh Hariharan

‎12-18-2010 01:18 AM

Hi Ganesh, thanks for reply.

Does it matter if the device will be on the internal network behind a pre-existing firewall?

Looking for a fanless device that supports Zone-Based Policy.  Can you recommend a device?

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to amrogers3

‎12-18-2010 09:38 PM 

Hi Ganesh, thanks for reply.
Does it matter if the device will be on the internal network behind a pre-existing firewall?
Looking for a fanless device that supports Zone-Based Policy.  Can you recommend a device?

If the network is well secure behind the firewall then there is no requirement for having another firewall inside the network, genrally two factor security is being used high network like Data centre where you desiging for two layer firewall but with small network no require we can have l3 switch for your requirement.

But for zone based firewall check out the below link for supported paltform

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.html

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Go to solution
amrogers3
Level 1
Level 1
In response to Ganesh Hariharan

‎12-19-2010 02:58 PM

Hi Ganesh, you've been very helpful. Thanks for the reply.

I would like to implement two factor security in my network. I know it is probably not necessary but I want to do it anyway using a L3 device with zone based firewall router.

I have been looking at the 871 and 891.

I checked the link and it looks like the 871 is a Zone-Based Firewall supported device but it appears the 891 is not. Is it correct that the 891 does not support Zone-Based Firewall policy?

Thanks again Ganesh.

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to amrogers3

‎12-20-2010 11:15 AM 

Hi Ganesh, you've been very helpful. Thanks for the reply.
I
would like to implement two factor security in my network. I know it is
probably not necessary but I want to do it anyway using a L3 device
with zone based firewall router.
I have been looking at the 871 and 891.
I
checked the link and it looks like the 871 is a Zone-Based Firewall
supported device but it appears the 891 is not. Is it correct that the
891 does not support Zone-Based Firewall policy?
Thanks again Ganesh.

Hi,

I think you can use it cisco 891 with ios c890-universalk9-mz.151-2.T1, check out the below link for more information.

https://supportforums.cisco.com/thread/2040241

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Go to solution
amrogers3
Level 1
Level 1
In response to Ganesh Hariharan

‎12-23-2010 11:13 AM

Hi Ganesh. Thanks for all your help. Would you recommend the 891 as something to learn on? I would also like to implement it into my home network for a 2nd layer of security. I understand it has a lot of functionality I could use in the future to learn and expand my home network.

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to amrogers3

‎12-23-2010 10:15 PM 

Hi Ganesh. Thanks for all your help. Would you recommend the 891 as
something to learn on? I would also like to implement it into my home
network for a 2nd layer of security. I understand it has a lot of
functionality I could use in the future to learn and expand my home
network.

Hi Aaron,

See every device has something to learn the thing is how you use it..As cisco 891 or 871 are having of support of zone based firewall which is also a good feature to learn and to work.

And yes no doubt it has other functionality also which will be useful if you will try in future which will be helpful to you also.

Hope to Help !!

Ganesh.H

Go to solution
amrogers3
Level 1
Level 1
In response to Ganesh Hariharan

‎12-24-2010 09:41 AM

Thanks Ganesh, appreciate all you help

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to amrogers3

‎12-25-2010 10:43 AM 

Thanks Ganesh, appreciate all you help

Hi Aaron,

I am glad that post are really helpful for you to design and make decision for home network,It will be helpful if you can mark this thread as answered so that other can be beniffited.

Ganesh.H

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card