Hello Shawn

I feel good now that atleast someone is willing to help me out. 

I will give you full details.

Current infrastructure of college:

( Sorry if I sound not so technical, I am just a CCNA who has only worked on GNS3   )

There are around 500 students but at anytime there are not more than 250 users accessing the internet.(In next 3 years there may be growth of 200 students so we can say concurrent users may become 350)

There is one campus building and 2 hostel buildings.

The main aim is to provide internet to students

In the main building they have one leased line internet connection of 8 MBPS that goes to a modem (Anda Telecom G.SHDSL )and then to a Unified Security Gateway(ZyWALL 300 USG).

There is no dedicated router and this USG has 7 ports which can form 7 networks.

As far as the switched network is concerned, thet have few managable switches and few unmanaged switches (both of  D'link brand) but the managable ones also not managed(not created vlans, nothing).

The students in the campus always complain that the internet is slow. Althought I believe 8 Mbps connection should be ok for browsing(not torrent etc).

Because of USG they have been able to create different networks for different user groups (like students/teachers/admins etc) by using the 7 ports.

For them the security requirements are very simple:

They need to allow/block websites during certain times of the day and for other groups there may be different websites and a different time to block/allow.

They are using AntiVirus on all machines.

What I have planned:

I have asked them to buy 1941 router(you can better suggest if its ok for them) and then create different VLANs for different user groups. The problem is that not all switches are managed.

I told them that in order to have port level group selection(VLAN) all switches (access,core and distribution) need to be managable switches. But it will be too much of investment to do this. S0 here is my plan:

I will use all unmanaged switches as access level switches and use managed switches for distrubution and core layer.

This way I will be able to provide switch level control(This access layer switch will belong to students etc) and they are OK with it.

Intervlan routing = router on a stick.

TO resolve local host names I will use a local DNS server with DNS of ISP as forwarder.

Hostel buildings connect to the main building and provide WIFI connection to students there.

Windows domain: they dont have one but we can set that in place if required.

Their budget is low because their requirements are low. The only things is that the router should have the possility to create VPN connection to other 3 colleges in future.

I have already mentioned other details in my original question.

Tell me if you need any other info.

Sorry for my bad english.

I'm not really sure if Cisco IOS is the right solution for this.

ISA570 should fit most of your needs, but also a fast appliance with IPFire (no license costs) would be ok.

If Cisco IOS is a must you could install a Linux proxy and to WCCP for http/s access control.

Michael

Please rate all helpful posts

Akshay,

Some initial thoughts and recommendations.

1. I don't believe you're going to get the desired result you're looking for out of a 1941 or an ISA570.  I'm not sure if you're planning to replace the ZyWall.  If so, the 1941, even with the security feature set, isn't going to truly be an effective enough firewall.  If you're not replacing the ZyWall and instead planning to use the 1941 to control VLANs and manage Inter-VLAN routing, then I believe you'll quickly run into some issues with configuration challenges meshing the ZyWall and 1941 together.  It's not that it isn't feasible, but may cause unnecessary challenges.  As for the ISA570, I believe it will be significantly underpowered for that many users, especially for a school as they tend to have many instances of multiple users selecting the exact same things at the exact same time, which isn't typical of a network.
   
2. I would replace the ZyWall with a Cisco ASA 5512-X or 5515-X.  I think anything higher than that would be overkill.  As well ASDM, which is the web GUI, doesn't require you to know CLI for the firewall and, in my opinion, is very user friendly.  I would manage all firewall and NAT/PAT functionality on the ASA.
   
   • http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
     
3. Next I would put in a Barracuda Web Filter.  Sorry Cisco, I know you have yours, but I'm a fan of the functionality and price of the Barracuda Web Filter.  I'd recommend a model 410.  I would place the Web Filter in-line between the my firewall and my collapsed core (core/distribution).  That web filter will allow you to do time-based control by groups with policies as well as a host of other features including application control.  Doing it in-line would eliminate the possibility of getting around it and simplify deployment.
   
4. Attached to the Barracuda, I would install something like a Cisco 3560-X Layer 3 (IP Services) switch as your collapsed core.  Utilizing the existing switches as access switches is definitely a way to extend the budget and circle back around to replacing them later.  Let the L3 switch manage VLAN's and Inter-VLAN routing.  My concern with not putting in a capable collapsed core switch is that it will become the choke point for the rest of the network.
   
5. Windows AD is not necessary if not needed for any other purposes.  That said, it is a way to get more control over network access and have the ability to leverage things like LDAP and RADIUS at a later date.  A windows server running DNS forwarding to the ISP DNS should be sufficient.
   
6. For the other colleges, I'm going to strongly recommend getting away from the idea of VPNs.  Primary reasons are the number of users and decentralized security.  If you use VPNs, then you will have to turn off split-tunnelling to force all the users to go over the central connection, to maintain security.  Doing so will make manageable web filtering, among other things, far more difficult.  Alternatively you could turn on split-tunnelling and now you would have to duplicate all aspects of security and web filtering at each location.  My recommendation would be to being preparing them for something like MPLS.  With MPLS, all internet traffic will pass through the primary site and the web filter, with no other option, maintaining manageable centralized security.  As an FYI, cable providers that we work with are providing MPLS circuits of 2, 3, and 5MBPS so you may not have to go to the usual carriers and pay the higher price of typical circuits.  As well if they ever want to do anything that requires QoS (i.e. VoIP, Video, etc.) in the future, then something like MPLS, that supports QoS/CoS tagging, will be necessary.
   

To be perfectly candid, I would consider this type of design a bare minimum for that size environment.  I would generally add far more redundancy and implement some other components to improve security and functionality.  But that design would meet the minimum requirements and put in a structure that is ready to scale when they are.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Links to the devices I referenced.

https://www.barracuda.com/products/webfilter/features

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/data_sheet_c78-584733_ps10744_Products_Data_Sheet.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.