Routing Simulation/Lab

Discussion in 'Routing & Switching' started by Bonneville, Aug 26, 2007.

  1. Bonneville

    Bonneville Bit Poster

    30
    0
    12
    The school where I work has two distinct networks and I need to be able to connect (securely) to both networks. What model of router will I need? What other configurations will I need to make in order to pass traffic? I will also need to allow staff access to both networks and restrict pupils to only one (Network 2). What equipment will I need to do this?

    Network 1 has a network of 10.6.56.0 with a mask of 255.255.248.0 and dg of 10.6.56.2 (ISA 2000)
    Network 2 has a network of 172.16.0.0 with a mask of 255.255.0.0 and dg of 172.16.32.222 (ISA 2000)

    I initially want to trial this using Boson NetSim v6 and then possibly buy a router and/or other equipment to connect the two school networks.
    I will also need some form of domain trusts but that is the least of my problems at present.
     
    Certifications: MCSE, CCNA
    WIP: CCNA Security, CCNP
  2. MacAllan

    MacAllan Byte Poster

    249
    6
    30
    How big are the networks? There are all sorts of different ways of doing what you want, and what you are asking doesn't have a simple answer, as you'll find out as you get further into your CCNA, with different combinations of router / switches / vlan setups. You'll probably also be wanting to look at Access Lists.

    You can route via software, but I guess this is more a question of wanting to have a go at cisco...

    One way: using a vlan-capable switch; and a router, connected to the switch using a subinterface for each network:

    Staff in VLAN 901 - 10.6.56.0
    Pupils in VLAN 902 - 172.16.0.0
    In both cases the default gateway is now the ip address of the router subinterface.
    Router set up to route using EIGRP between vlans 901 and 902 with an access list to make sure it works from 901 to 902 but not vice versa.

    Given the network size you may need +1 switch, and of course I've no idea about the rest of your setup, so the above may be complete pants......
     
    Certifications: A+, N+, CCNA
    WIP: CCNP, Linux+
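The "one way" MacAllan sketches (VLAN-capable switch, a router with one dot1Q subinterface per network, EIGRP, and an access list that lets 901 reach 902 but not the reverse) looks roughly like the Cisco IOS configuration below. This is an added example, not MacAllan's or Bonneville's config: the interface name, the two gateway addresses, the EIGRP AS number and the ACL name are assumptions; the VLAN IDs and subnets are the ones from the thread.

```cisco
! Added example: router-on-a-stick for the two school networks in the thread.
! Assumed: router port FastEthernet0/0 is cabled to a switch trunk port
! carrying VLAN 901 (staff/admin, 10.6.56.0/21) and VLAN 902 (pupils, 172.16.0.0/16).
!
hostname SCHOOL-RTR
!
interface FastEthernet0/0
 description Trunk to VLAN-capable switch
 no ip address
 no shutdown
!
interface FastEthernet0/0.901
 description Staff / admin network (VLAN 901)
 encapsulation dot1Q 901
 ip address 10.6.56.1 255.255.248.0
 ! hosts on 10.6.56.0/21 now point their default gateway at 10.6.56.1 (assumed address)
!
interface FastEthernet0/0.902
 description Pupil network (VLAN 902)
 encapsulation dot1Q 902
 ip address 172.16.0.1 255.255.0.0
 ip access-group PUPILS-IN in
 ! hosts on 172.16.0.0/16 now point their default gateway at 172.16.0.1 (assumed address)
!
! Two subnets that are both directly connected already route without any
! routing protocol; EIGRP only starts to matter once a second router or an
! L3 switch joins. Included because the post names it. AS 100 is assumed.
router eigrp 100
 network 10.6.56.0 0.0.7.255
 network 172.16.0.0
 no auto-summary
!
! Stateless ACL checked on every packet arriving from the pupil VLAN.
! The router sees addresses, not who is logged on (MacAllan's later point).
! 'established' matches TCP segments with ACK or RST set, i.e. replies to
! sessions that staff opened towards the pupil network; it does nothing for
! UDP, so a DNS reply from 172.16.x to a staff PC would still be dropped
! unless a specific permit line is added above the deny.
ip access-list extended PUPILS-IN
 remark replies to staff-initiated TCP sessions
 permit tcp 172.16.0.0 0.0.255.255 10.6.56.0 0.0.7.255 established
 remark block and log every other pupil -> admin packet
 deny   ip 172.16.0.0 0.0.255.255 10.6.56.0 0.0.7.255 log
 remark everything else from pupils (their own ISA server, etc.) is unchanged
 permit ip any any
!
end
```

Two things to check after applying it: `show ip interface brief` should list both subinterfaces as up/up, and `show ip access-lists PUPILS-IN` shows hit counts per line, which is the quickest way to confirm that a pupil PC trying to open a connection to 10.6.56.x is hitting the deny while staff-initiated sessions still get their replies. Internet reachability is deliberately left out: once the hosts' default gateway moves to the router, the router itself needs a default route (or the existing ISA servers need routes back to the router), and which ISA box should carry which network's traffic is a decision the thread does not settle.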
  3. Bonneville

    Bonneville Bit Poster

    30
    0
    12
    We currently have about 100 staff and 1000+ pupils. The 10.6.56.0 network is dedicated to the admin staff and houses our school management system which, ideally, needs to be accessed from either network, but without any pupil access. We also have a number of shared folders which need to be only accessed by staff and these reside on both networks.
    Basically I need to allow any member of staff to log onto any computer and access data and applications on both networks whilst restricting pupil access.
    On the admin network there are around 50 computers and 500+ computers for teacher and pupil access.
     
    Certifications: MCSE, CCNA
    WIP: CCNA Security, CCNP
  4. MacAllan

    MacAllan Byte Poster

    249
    6
    30
    Well, others can pitch in here and say otherwise, but I don't think the solution for your problem is going to be resolved with cisco stuff: this is more about Network OS permissions. Cisco doesn't care about who is logged on at what PC, just the hardware such as IP address and MAC address which don't change with the user. Stick a router on a switch and tell it to route between the networks - the rest you'll have to do in software.

    You'd probably be better running a linux box as the router .....(ducking and running) .......
     
    Certifications: A+, N+, CCNA
    WIP: CCNP, Linux+
  5. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Bonneville,

    Questions:
    1. Is network 1 a domain?
    2. Is network 2 a domain?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  6. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Bonneville,

    Question:
    1. Why do you have two separate networks?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  7. Bonneville

    Bonneville Bit Poster

    30
    0
    12
    Yes both networks are on separate domains. This was agreed upon many years ago to keep both networks separate and so that pupils could not access private and confidential data. I believe this is not the way schools are being setup now.
    Yes I could place everything onto a single domain and use permissions etc to restrict access. This is something we may have to do eventually. As a temporary 'solution' I was thinking about routing across the networks and see how that works.
    I am also considering using the 172.16.0.0 network for both networks but this will not be as easy as it seems.
     
    Certifications: MCSE, CCNA
    WIP: CCNA Security, CCNP
  8. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    If you want to control traffic between two networks a router or L3 switch will do nicely. Traffic can be controlled based on a variety of factors, such as time of day, ip address, port, etc.

    You can also assign a dynamic vlan (network) to a computer based on things such as mac address, certificates or user login. You could, for example, set the computers and network such that the user login determines what network the computer is assigned to. When a teacher logs in, the computer is assigned to the teacher network; when a student logs in, the computer is assigned to the more restricted student network.

    802.1x covers all this but it is not trivial to implement. As well, OS support varies - OS X and Vista are quite good, XP less so, depending on what you want to implement.

    What I have used in the past are HP switches and freeRADIUS on the backend, with Cisco routers/ASA as needed.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER, MCP
    WIP: CCIE
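Spice_Weasel's suggestion, that the user login rather than the PC decides which VLAN a port lands in, is what 802.1X with RADIUS-assigned VLANs does. The configuration below is an added example and not Spice_Weasel's setup (he used HP switches, whose syntax differs); it shows the Cisco IOS access-switch side plus the FreeRADIUS reply attributes that trigger the VLAN change. The RADIUS server address, shared secret, port range and user names are assumptions; the VLAN numbers are MacAllan's 901 (staff) and 902 (pupils).

```cisco
! Added example: IEEE 802.1X on a Cisco IOS access switch, VLAN chosen by RADIUS per user.
! Assumed: FreeRADIUS at 10.6.56.10 on the admin network, secret is a placeholder.
!
aaa new-model
aaa authentication dot1x default group radius
! 'authorization network' is what lets the RADIUS reply override the port VLAN
aaa authorization network default group radius
!
radius-server host 10.6.56.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! both VLANs must exist locally or the dynamic assignment fails and the port stays unauthorised
vlan 901
 name STAFF
vlan 902
 name PUPILS
!
dot1x system-auth-control
!
interface range FastEthernet0/1 - 24
 description Classroom PCs: VLAN decided by who logs in
 switchport mode access
 switchport access vlan 902
 ! 902 is only the fallback; an authenticated user gets the VLAN RADIUS returns
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 902
 ! ^ a PC with no 802.1X supplicant (the XP caveat in the post) still lands in the pupil VLAN
!
! FreeRADIUS 'users' file entries that make the switch move the port (assumed
! entries, placeholder passwords). The three Tunnel-* attributes together are
! the standard way to hand a VLAN back to a switch:
!
!   teacher1   Cleartext-Password := "CHANGE-ME"
!              Tunnel-Type = VLAN,
!              Tunnel-Medium-Type = IEEE-802,
!              Tunnel-Private-Group-Id = 901
!
!   pupil1     Cleartext-Password := "CHANGE-ME"
!              Tunnel-Type = VLAN,
!              Tunnel-Medium-Type = IEEE-802,
!              Tunnel-Private-Group-Id = 902
!
end
```

To see it working, `show dot1x interface FastEthernet0/1 details` reports the port's authentication state, and `show vlan brief` shows which VLAN the port actually ended up in after a teacher or pupil logs on. This is the piece MacAllan said Cisco gear cannot do on its own: the router still only sees addresses, but the switch now places each PC on the staff or pupil subnet according to the authenticated user, so the inter-VLAN access list becomes meaningful per person rather than per machine.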
