Design Request - Split Current Network in Two

You may wish to investigate the Cisco Solution Designer:

as well as the Cisco Product Advisor:


Brad Reese BradReese.Com Cisco Repair Service Experts

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA/Canada Toll Free: 877-549-2680 International: 828-277-7272 United Kingdom: 44-20-70784294


I am in the IT department for a retail chain that sells -- oh, let's say coffee. (Not really, but it will do for this example.)

Our core business is selling coffee and coffee-related products. The remote shops rely on internet connectivity to do this. Credit card transactions, inventory maintenance, technical support, e-mail, etc. They do a bunch of stuff over the internet, and any downtime is a big problem.

The marketing department has decided that it would be a really big selling point if we allowed customers to use the Internet while they are in our shop.

I have a problem with this. I don't want Joe Hacker coming in with his computer full of viruses getting on my network to download 500MB of .mpg files and sending out a spam blast.

I told the marketing department that the only way I will support this is to put a separate Internet line in the store -- totally different circuit, totally different subnet.

However, I have been asked to reconsider this position.

So my question is: is there any solution that would allow me to safely segregate my existing network into two subnets?

Right now at each location I have a T1 connection with a 1700 router doing VPN back to the corporate office.

I'm guessing that probably the best design would involve putting in some kind of PIX for the new network. Not sure what model or how I'd configure it. Would I need to upgrade the 1700? Maybe put in a router that can hold another card? (If there even is such a thing.)

Anyway, I'm hoping I can get some suggestions here. It's really a pretty straightforward objective -- I'm just not experienced enough with all the various firewalls and routers and IOSes to know what the safest, most cost effective solution is or how to implement it.



Email me at jschwefel at copesan dot com. I think I could give you a hand with this. (Work email, will be in on Monday.)

There are a variety of solutions that you can explore, depending on specifics such as your current carrier(s) and specifically how you have your VPN connection set up.


Recently went through a similar exercise for one of my clients (a retail chain with HIPAA requirements that needed to support third-party systems at their stores). We used a PIX 501 at each retail location to provide a second, physically independent LAN for the untrusted devices; a separate, physically independent LAN at the HQ for untrusted servers; and VPNs from the HQ PIX for remote access by third parties. To prevent a configuration nightmare, the individual store PIXes have a simple security policy: traffic coming from the untrusted store LAN to the trusted store LAN must have (1) a valid source address identifying the source as on that store's untrusted LAN, and (2) a destination address that is either on the untrusted core LAN or that would always be routed through a core firewall. That way, as third parties come and go, we only have to adjust the core router access lists (for the untrusted core LAN) and core PIX access lists (for VPNs and other Internet access).

To protect the store network from denial of service attacks, traffic shaping is used on all routers to limit the third-party aggregate to at most 50% of the T1 servicing each store. Further limits are placed on backup links so that high-profit, low-traffic third parties like ATM machines can continue operation even when a store is on dial backup, while high-bandwidth operations like photo processing are put on hold. Getting this part to work was a real bear, as every IOS release, every Cisco hardware platform, and every interface type seems to support different traffic shaping capabilities; non-trivial when working with point-to-point T1, MLPPP and single B channel ISDN, and analog (POTS or cellphone) using the AUX port. (Yes, Virginia, retail clients do not like to stop selling. When the World Trade Center came down, the only stores which lost communications were those that lost all power, and the only store which was not back in operation when the power came back on was the branch in the WTC.)

As you put together your solution, keep in mind how it will operate when failures occur, and how you will maintain it over time. If you need some serious help, feel free to contact me directly to arrange consulting help. If you just want to bounce your ideas off of someone who has "been there, done that" feel free to post them here. I (and many others) are always willing to provide free advice in the form of quick responses to public usenet postings.

Good luck and have fun!

Vincent C Jones
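As an added illustration (not code from this thread, and not a PIX or IOS configuration), the following Python models the two-part store-edge policy and the aggregate shaping described in Vincent's post: a packet from the untrusted store LAN is accepted only if its source really sits on that store's untrusted subnet and its destination is either the untrusted core LAN or something that will be routed through the core firewall anyway; accepted traffic is then capped at 50% of a T1 by a token bucket. The prefixes, the 10.0.0.0/8 corporate space, the packet sample and the assumption that all Internet-bound store traffic is backhauled through the core PIX are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Link budget: a T1 carries 1.544 Mbit/s; the untrusted segment may use at most half.
T1_BPS = 1_544_000
UNTRUSTED_CAP_BPS = T1_BPS // 2          # 772_000 bit/s

# Constructed addressing for one hypothetical store (the thread names no prefixes).
STORE_UNTRUSTED_LAN = ipaddress.ip_network("10.200.7.0/24")   # third-party devices in the store
CORPORATE_INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # all trusted company address space
UNTRUSTED_CORE_LAN = ipaddress.ip_network("10.250.0.0/24")    # untrusted server LAN at HQ


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds (used by the shaper)
    src: str
    dst: str
    size: int     # bytes


def store_policy(pkt: Packet) -> tuple[bool, str]:
    """The store PIX rule: (1) anti-spoofing on the source, (2) destination restriction."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Rule 1: the source must be a real address on this store's untrusted LAN.
    if src not in STORE_UNTRUSTED_LAN:
        return False, "source not on store untrusted LAN"
    # Rule 2a: the untrusted core LAN is reachable; the core router ACLs decide further.
    if dst in UNTRUSTED_CORE_LAN:
        return True, "to untrusted core LAN"
    # Rule 2b: anything else inside company space is trusted and is never reachable from here.
    if dst in CORPORATE_INTERNAL:
        return False, "destination on trusted network"
    # Rule 2c: remaining destinations leave via the core firewall, whose ACLs apply
    # (assumption: stores backhaul all Internet access through HQ).
    return True, "routed via core firewall"


class TokenBucket:
    """Aggregate shaper for the untrusted segment: tokens are bits, refilled at the cap rate."""

    def __init__(self, rate_bps: int, burst_bits: int) -> None:
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last = float(burst_bits), 0.0

    def allow(self, nbits: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbits:
            self.tokens -= nbits
            return True
        return False


def filter_and_shape(packets, cap_bps=UNTRUSTED_CAP_BPS, burst_bits=UNTRUSTED_CAP_BPS):
    """Apply the policy first, then shape only the traffic the policy permitted."""
    bucket = TokenBucket(cap_bps, burst_bits)
    results = []
    for pkt in sorted(packets, key=lambda p: p.t):   # stable sort keeps arrival order within a tick
        ok, why = store_policy(pkt)
        if ok and not bucket.allow(pkt.size * 8, pkt.t):
            ok, why = False, "dropped by shaper (over 50% of T1)"
        results.append((pkt, ok, why))
    return results


def summarize(results) -> dict:
    counts = {"permit": 0, "policy_deny": 0, "shaper_drop": 0}
    for _, ok, why in results:
        if ok:
            counts["permit"] += 1
        elif why.startswith("dropped"):
            counts["shaper_drop"] += 1
        else:
            counts["policy_deny"] += 1
    return counts


# Constructed sample: four policy cases, then a 70-packet burst from one host, then one
# packet a second later after the bucket has refilled.
SAMPLE = [
    Packet(0.0, "10.200.7.23", "10.250.0.5", 1500),    # ATM to untrusted core server: permit
    Packet(0.0, "10.200.7.23", "10.1.1.10", 1500),     # to a trusted POS server: deny
    Packet(0.0, "192.168.1.9", "10.250.0.5", 1500),    # source not on this store's LAN: deny
    Packet(0.0, "10.200.7.40", "192.0.2.10", 1500),    # Internet-bound via core PIX: permit
] + [Packet(0.0, "10.200.7.40", "192.0.2.10", 1500) for _ in range(70)] + [
    Packet(1.0, "10.200.7.40", "192.0.2.10", 1500),
]

if __name__ == "__main__":
    for pkt, ok, why in filter_and_shape(SAMPLE)[:4]:
        print(f"{pkt.src:>13} -> {pkt.dst:<13} {'PERMIT' if ok else 'DENY  '} {why}")
    print(summarize(filter_and_shape(SAMPLE)))
```

The point of ordering the checks this way is the one Vincent makes: the store box only enforces "who you are" and "which side of the core you are heading for", so adding or removing a third party never touches the store configuration; the per-party decisions live in the core router and core PIX access lists. The shaper sits after the policy so that denied packets do not consume the untrusted segment's budget.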

Americana. "Yes, Virginia, there is a Santa Claus" was the original phrase... to see the original context, any good search engine should be able to find it.

Walter Roberson

In article , says... [cut off]

[cut off]

Vincent, if it is not a secret, who is Virginia? You mentioned her here a few times....


Hm... I knew that American obsession with Santa Claus had to come up to the surface, sooner or later.


Thanks all for the info -- this gives me some good leads to investigate.


That's ridiculous. Just get a bandwidth manager, create a NAT for the customers, and shape their traffic to whatever you're comfortable giving them. It's about a $2500 solution; they'll pay you more than that to implement something else. You can also shape each IP, so one bozo in the store can't eat up all the bandwidth. It's a must for small operations.




In article , wrote:
:Thats ridiculous. Just get a bandwidth manager, create a NAT for the
:customers, and shape their traffic to whatever you're comfortable
:giving them.

Unfortunately you posted without indicating context. If you had indicated context, you would have seen that your proposed solution does not meet the design goals.

The OP's foremost concern is not *bandwidth*, but rather *security*. He doesn't want the additional hosts to be able to infect his internal hosts, so he does need some kind of filtering between the additional hosts and his network. That filtering can be done via a firewall or via the Firewall Feature Set on an IOS router (or "Advanced IP Security" or whatever they renamed Firewall Feature Set to.)

Walter Roberson