I have a computer service shop and recently upgraded our network. Since then I've been having issues when other computers are updating: the whole network slows down to a crawl. If any one Mac is updating, the whole network drops and I can barely open a website. I've also had issues with client PCs getting my email server blacklisted, since they are all tied together and using the same static IP. Below is a list of how I would like it to work. I had a friend helping me set it up, but at this point I just need to get it done.
Overview of what I have:
- 2.0Mb Connection Telepacific
- 4 Line Phone System w/ PRI
- ASA 5505
- 3550 Switch
- D-Link 655 Wireless Router
- ZyXEL Gigabit Switch
- 4 Office PCs
- 3 Network Printers
- 1 Server (AD, File Server, Exchange, DNS)
- 5 Service PCs
- 12 Stations for Clients (Potential users accessing internet)
- 1 NAS Drive (Service Tools)
1. Separate the Server so it has its own Public IP that it uses and nothing else uses that IP, while still allowing the Office PCs to access the server via the LAN
2. Separate the Office PC network from everything else but the Server, Network Printers and NAS Drive
3. Separate the Service PC network from everything but the Network Printers and NAS Drive
4. Separate the Client PCs from everything but the NAS Drive
5. Limit the connection speed for the Client PCs so they don't bring down the network or allow any one computer to hog all the resources.
I'm not sure how to do 1, but I was told you can allow the outgoing traffic to use a certain public IP through NAT?
I know 2-4 are done using VLANs, but I'm confused on what I have to do after I put them in VLANs. I believe I have to create routes but I'm not sure how to word it.
5. has me clueless and it would be nice if I could have a pool of bandwidth it could use. I prefer any computers on that network not to be able to talk to each other, other than accessing the NAS drive where we store commonly used tools.
I want to say I may have issues with my connection from Telepacific, and my friend told me it would be easier to diagnose with my ASA. I used to have the D-Link connected to it. Now that I have all this hardware he's gone. Telepacific says the connection is good, and if they send a tech out they would charge me hourly to troubleshoot.
I've also attached a network diagram how it's all setup. Hope you guys can help me out and point me in the right direction on how I can get this thing tuned.
1.5 Mb is not exactly great speed anymore. Not that chopping up the network is a bad idea, but if your chief concern is slowness when one system is updating, perhaps you should look at a faster connection as your first option. You might find that chopping up the network isn't necessary.
Sent from Cisco Technical Support iPad App
I think the reason nobody has responded is because this is an awfully big kettle of worms.
I'll try to address a few of the concepts that might help.
First things first, I'd really kind of recommend you split your networks up, especially in terms of the public internet access. What I'd do if it were me is buy a 2nd internet connection for your customers to use. Get a cheapo DSL or cable internet. Doesn't have to be expensive or fancy. Just something that works and has a little bandwidth. Put your D-Link router on that network.
Then I'd put your business stuff behind the firewall with the tpac connection. If you bought an upgraded license for the ASA, you could run a DMZ. A DMZ is basically a place you put stuff that needs to be accessed by other people and is hence insecure, but in such a place if it is compromised, they can't take over your internal network.
One thing you should really look at is using your 3550 switch to implement VLANs. Make several subnets in your building, like vlan 100 customers, vlan 200 business, vlan 300 servers, vlan 400 wireless, whatever. Then lock it down with access lists, so that people on the business network can get to the customers network, customers can get only to your file server, wireless users can only get out to the internet, and so forth.
Use the 3550 with VLANs to segment your network; then you can attach a dumb gigabit switch to that or whatever if you want to copy files faster between your computers. The 3550 may bottleneck you to 100 Mb connections if the server is on one VLAN and the PC is on another. This also gets into issues of how to serve DHCP on the networks if needed, enabling layer 3 routing on the 3550, etc.
You might have better luck to focus on only one thing you want to accomplish, post a picture again, and get some advice that way. Once you work that part out, post again with the next enhancement and so forth.
In my opinion, the fastest way to get out of your mess, is 1) Move downloading users to another internet feed, 2) Implement vlans to segregate users and traffic.
You could combine both solutions, if the D-Link router would let you add routes. Basically, in my ideal world, you'd buy a DSL line, put the D-Link router on it and set up a customer access network. Put that on vlan 100, say, on the 3550 switch. Your D-Link router could be 192.168.1.1/24, and your 3550 switch can be 192.168.1.2/24. You put a route on the D-Link that says if someone wants to get to 192.168.2.0/24 (your server network) or 192.168.3.0 (your business network) then go to 192.168.1.2. Add similar routes to your ASA firewall pointing back to the 192.168.1.0/24 network via 192.168.1.1, and you could have a two-headed network. Most of your internal stuff could use Telepacific, while sending the other users out via the DSL.
Hope this helps you get started!
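As an added illustration of the layout described in this reply (example configuration written for this thread, not the reply author's own): the 3550 carries the customer, business and server VLANs with the addressing the reply uses, and a router ACL on the customer SVI lets customers reach only the NAS and the internet. The NAS address (192.168.2.50), the port range and the ACL name are assumptions.

```cisco
! Catalyst 3550: layer-3 switching between the customer, business and server VLANs
ip routing
!
vlan 100
 name CUSTOMERS
vlan 200
 name BUSINESS
vlan 300
 name SERVERS
vlan 500
 name ASA-UPLINK
!
! Customer VLAN: only the NAS (assumed 192.168.2.50) and the internet are reachable;
! every other private (RFC 1918) destination is blocked at the SVI
ip access-list extended CUSTOMERS-IN
 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.50
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan100
 description Customer PCs; D-Link DSL router is 192.168.1.1
 ip address 192.168.1.2 255.255.255.0
 ip access-group CUSTOMERS-IN in
interface Vlan200
 description Business PCs (192.168.3.0/24 per the reply)
 ip address 192.168.3.1 255.255.255.0
interface Vlan300
 description Server network (192.168.2.0/24 per the reply)
 ip address 192.168.2.1 255.255.255.0
interface Vlan500
 description Link to ASA inside interface 192.168.100.1
 ip address 192.168.100.2 255.255.255.0
!
! Business and server traffic leaves through the ASA / Telepacific side
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! Customer access ports: "protected" so customer PCs cannot talk to each other
! directly at layer 2, only to the uplink (D-Link) and the routed NAS path
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 100
 switchport protected
 spanning-tree portfast
```

Customer PCs keep the D-Link (192.168.1.1) as their default gateway, and the D-Link's static routes for 192.168.2.0/24 and 192.168.3.0/24 point at 192.168.1.2, so that traffic enters the 3550 through Vlan100 and is filtered by CUSTOMERS-IN.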
Erk, realized one thing in my last bit there.
You'd actually have to put an IP on the layer 3 switch as well, and then on the ASA firewall, your route would actually be 192.168.1.0/24 via 192.168.x.x, which is the IP of the 3550 switch on whatever VLAN the ASA firewall is plugged in to. For example, the ASA firewall might be 192.168.100.1 and the 3550 switch might be 192.168.100.2 on vlan 500. The route would be 192.168.1.0/24 via 192.168.100.2.
Basically all of the routing internally would go through the 3550.
Sounds kind of like your friend didn't help you out too much, just sold you a firewall you didn't really need.
One other thing I meant to mention: if Telepacific gave you some public IP addresses, you could use the firewall to perform a public NAT and give your server its own IP address you could access from the outside world.
I think bandwidth is your #1 issue, a single T-1 is about 200k/sec download speed, which isn't much these days, especially with several people using it, or downloading bulky updates. I'd try to offload some traffic by getting more bandwidth one way or the other.
Look into cable business class, 2nd connection or something....
Edit: fixed my crappy bandwidth estimate. T-1 = 1536kbits/sec divided by 8 bits per byte or roughly 192k/sec, not counting IP overhead and so forth...
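The ASA side of the corrected routing above, plus the per-server public NAT mentioned in this reply, as an added example (not the reply author's configuration, written in ASA 8.2-style syntax). The server address 192.168.2.10, the public addresses in 203.0.113.0/24 and the ACL name are placeholders.

```cisco
! ASA 5505: inside interface sits on the 3550's VLAN 500 (192.168.100.0/24)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! All internal networks live behind the 3550, so every internal route
! points at the switch's VLAN 500 address, not at the D-Link
route inside 192.168.1.0 255.255.255.0 192.168.100.2
route inside 192.168.2.0 255.255.255.0 192.168.100.2
route inside 192.168.3.0 255.255.255.0 192.168.100.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Business PCs and the rest of the server VLAN share the outside address (PAT)
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
!
! The mail server (assumed 192.168.2.10) gets a public address of its own
! (placeholder 203.0.113.10) in both directions; static NAT takes precedence
! over the dynamic PAT above, so outbound mail never shares the PCs' address
static (inside,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
!
! Only mail and web mail are allowed in from the internet to the server
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE-IN in interface outside
```

On ASA 8.3 and later the `global`/`nat`/`static` commands were replaced by object-based NAT, so the translation lines would need to be rewritten for that syntax.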