Cisco Manual #1

This document provides a simple vision for a smart and secure business where everyday
communications are made easier, faster, and more efficient. Cisco partners and resellers
can use this guide to help small to medium size businesses (SMBs) leverage the full value
of their data networks by deploying reliable secure routers and switches from Cisco Systems,
which are easily provisioned and managed via the use of simple graphical user interface (GUI)
tools.

The validated implementation guidance provided in this document and the validated
design guidance contained in the Secure Network Foundation Design Guide for Single Site
Deployments provide verification that the individual components that make up the system
work together as designed.

Note The design described in this document is based on a simplified and cost-effective
approach to establishing a Secure Network Foundation as the initial phase of a network
evolution. Redundancy in LAN and WAN design is a mandatory attribute of a resilient
network, and a resilient network is recommended for any network that transports
mission-critical traffic.

This aspect of LAN and WAN design will be documented in a subsequent release of the validated design, targeted for Q1FY07. In the meantime, contact your Cisco representative if you have any questions.

Contents
Introduction
Solution Components
Secure Network Foundation
  Cisco 2851 Integrated Services Router
    Configuring Local Area Networking
    Configuring Wide Area Networking
    Configuring IP Routing
    Configuring Network Address Translation (NAT)
    Performing a Security Audit
    Configuring Firewall and Access Control Lists
    Configuring the Intrusion Prevention System
    Setting the Date and Time
  Catalyst Express 500 Switches
    Configuring Port Settings
    Configuring Virtual Local Area Networks
    Configuring Security
    Configuring Smartports
Connectivity Tests
  Testing the WAN
  Testing the LAN
2851 ISR Configuration
Bill of Materials

Secure Network Foundation Implementation Guide for Single Site Deployments

Introduction

This document describes how to deploy a secure network foundation that supports up to 96 users in a single location.

The system provides the following services:
• Wide Area Network (WAN) access
• Local Area Network (LAN) switching
• Integrated Security features
• Provisioning and Management tools

The system provides a great deal of enhanced functionality for small and medium businesses
(SMBs). However, this functionality is implemented in a very simple manner in order to lessen the overall complexity. Additionally, the system is implemented with components that can support other advanced technologies, such as unified communications and mobility, thereby preserving the customer's initial investment and enabling them to evolve their network as needs and new technologies warrant. Figure 1 provides a topology diagram of the secure network foundation system for single site deployments.

Figure 1 Secure Network Foundation System for Single Site Deployments

Solution Components

The validated system described in this document supports up to 96 users.

Table 1 lists the hardware platforms used to build this system and also lists the required components for other systems that support a smaller number of users.

Table 1 Hardware Platforms

Number of Users*   Router       Aggregation Switch            Access Switch
0-24               Cisco 2801   None                          Catalyst Express 500-24PC (1)
25-36              Cisco 2811   Catalyst Express 500G-12TC    Catalyst Express 500-24PC (2)
37-48              Cisco 2821   Catalyst Express 500G-12TC    Catalyst Express 500-24PC (2)
49-96              Cisco 2851   Catalyst Express 500G-12TC    Catalyst Express 500-24PC (3-4)

* The Maximum User figure is based on the number of IP phones that each router platform supports; this guideline helps partners, resellers and customers plan accordingly for the future.

It is important to note that these systems can be built with other hardware components. However, each option has specific considerations. For example, an integrated LAN switch module (which resides in the router) could be used in the 0-24 user deployment instead of a separate LAN access switch, but that might require a different 2800 series router.

As another example, an integrated LAN switch module (which resides in the router) could be used in the 25-36, 37-48, or 49-96 user deployments instead of a separate LAN aggregation switch, but that would require managing two different types of LAN switches.

Refer to the Bill of Materials section for the bill of materials used for the validated design described in this document.

Secure Network Foundation

This section describes the process used to implement the secure network foundation system for single site deployments. For a detailed explanation of the technologies and features deployed in the system, refer to the Secure Network Foundation Design Guide for Single Site Deployments.

Cisco 2851 Integrated Services Router

The Cisco 2851 Integrated Services Router (ISR) deployed in this system provides several services, including:
• WAN access
• LAN connectivity
• IP routing and addressing
• Integrated security

All of these services are configured using the Cisco Router and Security Device Manager (SDM) web interface tool. This tool reduces the need for extensive Cisco command line interface (CLI) knowledge and expedites the overall implementation process. The following sections provide the steps used to configure the Cisco 2851 ISR.

Note When configuring the router for the first time, it is important to connect to the router from the LAN interface and not the WAN interface, because the firewall configuration will block access on the WAN interface when complete.

Refer to the following documents for instructions on how to use the Cisco Router and Security Device Manager:

Downloading and Installing the Cisco Router and Security Device Manager, at the following URL:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps5318/prod_installation_guide09186a00803e4727.html

Cisco Router and Security Device Manager 2.3 User Guide, at the following URL:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps5318/products_user_guide_book09186a0080645da3.html


Note Quality of Service (QoS) is not explicitly configured on the router because no delay-sensitive traffic, such as voice or video, is sent over the WAN connection.

Figure 2 shows the Security Device Manager (SDM) web interface that you use to configure the router.

Figure 2 SDM Web Interface Window

Configuring Local Area Networking

Perform the following steps to configure Local Area Networking.

Step 1 From the Main menu, click Configure and choose Interfaces & Connections from the Task pane.

Step 2 Choose Ethernet LAN and click Create New Connection. The Layer 3 Ethernet Interface Configuration Wizard opens.
Step 3 Click Next.
Step 4 For an Ethernet configuration, choose Configure this interface for 802.1Q trunking. For an 802.1Q configuration, enter the VLAN ID for the Cisco-Data VLAN and place a check mark in the Native VLAN check box.
Step 5 Click Next.
Step 6 Enter the IP address and subnet mask designated for this interface.

For example, the LAN interface should be configured with a private, or reserved, IP address, such as 10.20.31.1/24. Click Next.
Step 7 For DHCP Server, choose Yes to enable the DHCP server on the LAN interface and click Next.

Configuring DHCP Options

Step 1 For DHCP options, enter the following:

a. DHCP pool name.
b. Starting and ending IP addresses for the DHCP pool and the subnet mask; the IP address range is part of the same network configured on the LAN interface (remember to exclude statically assigned IP addresses used for switches, servers, and so on, from the DHCP pool).
c. Default router IP address.
d. Items such as addresses for the DNS and WINS servers and the domain name are optional (this information may be assigned by the service provider).
Step 2 In the summary window, review the options and click Finish.
Step 3 After the configuration is delivered to the router, click OK.

Configuring Additional Logical Interfaces

Perform the following steps to add additional logical interfaces, such as the Cisco-Voice VLAN.

Step 1 Choose the LAN interface that you configured in the previous procedure and click Add.

Step 2 Choose New Logical Interface and choose Subinterface.
Step 3 For Connection, enter the VLAN ID, IP address, and subnet mask for the interface. For example, this subinterface should be configured with a private, or reserved, IP address, such as 10.20.41.1/24.
Step 4 Click OK.
Step 5 In the summary window, review the options and click Finish.

Step 6 After the configuration is delivered to the router, click OK.

Configuring a DHCP Server for the Additional Logical Interface

Perform the following steps to configure a DHCP server for this additional logical interface.

Step 1 Click Additional Tasks in the Tasks pane.

Step 2 Open the DHCP folder, choose the DHCP Pools option and click Add.
Step 3 Enter the following:
a. DHCP pool name.
b. Starting and ending IP addresses for the DHCP pool and the subnet mask; the IP address range is part of the same network configured on the LAN interface (remember to exclude statically assigned IP addresses used for switches, servers, and so on, from the DHCP pool).
c. Default router IP address.
d. Items such as addresses for the DNS and WINS servers and the domain name are optional (this information might be assigned by the service provider).
Step 4 After the configuration is delivered to the router, click OK.

Configuring Wide Area Networking

Perform the following steps to configure Wide Area Networking.

Step 1 From the Main menu, click Configure and choose Interfaces & Connections from the Task pane.
Step 2 Choose Ethernet (PPPoE or unencapsulated routing) and click Create New Connection. The Ethernet WAN Configuration Wizard opens. Click Next.

Step 3 For Encapsulation, click Next (if the connection is DSL instead of cable, choose to enable PPPoE).
Step 4 For the IP Address, choose the Dynamic option (choose Static if the service provider assigns a specific IP address). Click Next.

Step 5 For Advanced Options, do not place a check mark in the PAT check box at this time; this will be done later. Click Next.
Step 6 In the summary window, review the options and click Finish.

Step 7 After the configuration is delivered to the router, click OK.

Figure 3 shows the Interfaces and Connections configuration after you have configured the LAN and WAN interfaces.

Figure 3 Interfaces and Connections Configuration Window

Configuring IP Routing

Perform the following steps to configure IP routing.

Note This information needs to be configured only if the service provider assigns static IP information, including IP addresses, default router, and so on.

Step 1 From the Main menu, click Configure and choose Routing from the Task pane.
Step 2 In the Static Routing section, click Add.
Step 3 For the Destination Network, place a check mark in the Make this the default route check box.
Step 4 Under Forwarding (Next Hop), choose the IP Address option and enter the IP address of the default router on the WAN. (The service provider will provide this IP address.)

Step 5 Place a check mark in the Permanent Route option check box to ensure that the route stays in the routing table.
Step 6 Click OK.
Step 7 After the configuration is delivered to the router, click OK.

Configuring Network Address Translation (NAT)

Perform the following steps to configure NAT.

Step 1 From the Main menu, click Configure and choose NAT from the Task pane.

Step 2 Choose Basic NAT and click Launch Selected Task.
Step 3 In the Welcome to the Basic NAT Wizard window, click Next.
Step 4 For Sharing the Internet Connection, choose the interface that connects to the Internet (the interface configured as the WAN interface) from the drop-down list.
Step 5 Choose the internal network that will share the Internet connection (the network configured as the Cisco-Data VLAN). The Cisco-Voice VLAN should not be selected, because its traffic never exits the LAN to the Internet. Click Next.

Step 6 In the summary window, review the options and click Finish.
Step 7 After the configuration is delivered to the router, click OK.

Figure 4 displays the NAT configuration that you created in the previous procedure.

Figure 4 Network Address Translation Configuration Window

Performing a Security Audit

Perform the following steps to run the security audit, which configures infrastructure protection services on the router.

Note Before running the security audit, use the CLI to configure a password that is more than six characters in length, to prevent users from being locked out when the router is reloaded.

Step 1 From the Main menu, click Configure and choose Security Audit from the Task pane.
Step 2 Click Perform Security Audit and then click Next.
Step 3 Choose the outside (untrusted) and inside (trusted) interfaces and click Next. After the security audit is complete, a list of passed and failed items is displayed. Click Close.
Step 4 Leave the default setting of Select an option: Fix the security problems.
Step 5 Click the Fix all button to fix all of the security issues that have been identified, and then clear the Cisco Discovery Protocol (CDP) check box. CDP is needed on the LAN but not on the WAN, so it must be disabled manually on the WAN interface using the no cdp enable command.

Click Next.

Note Figure 5 displays the output of the security audit and the items that must be fixed.

Step 6 Follow the instructions, as prompted, to repair all of the security issues. When prompted to configure the Advanced Firewall, click Cancel and then click Yes. (The basic firewall option will be configured in a separate step.)
Step 7 In the summary window, review the options and click Finish.

Step 8 After the configuration is delivered to the router, click OK.

Note We recommend consulting with legal counsel on the wording of the banner so that all local laws are represented appropriately.

Figure 5 Security Audit Window

Configuring Firewall and Access Control Lists

Perform the following steps to configure the firewall and the Access Control Lists (ACLs).

Step 1 From the Main menu, click Configure and choose Firewall and ACL from the Task pane.
Step 2 From the Create Firewall tab, choose the Basic Firewall option.

Click Launch the selected task.
Step 3 From the Basic Firewall Configuration Wizard window, click Next.
Step 4 For the Basic Firewall Interface Configuration, choose the outside (untrusted) interface, which is the WAN interface, and clear the Allow secure SDM access from outside interfaces check box unless such access is absolutely needed. Choose the inside (trusted) interface, which includes only the Cisco-Data VLAN (devices on the Cisco-Voice VLAN never have access to the Internet).
Step 5 Click Next.
Step 6 In the summary window, review the options and click Finish.
Step 7 After the configuration is delivered to the router, click OK.
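Every wizard above ends by delivering IOS CLI commands to the router. The block below is a constructed example, added here and not taken from the guide (the guide's own 2851 ISR Configuration section is not reproduced on this page), of what the LAN, DHCP, WAN, default-route, NAT and CDP steps produce when read back from the running configuration. The addresses 10.20.31.1/24 and 10.20.41.1/24 and the pool names Cisco-Data and Cisco-Voice follow the text; the interface names, the VLAN IDs 31 and 41, the excluded address ranges, the enable secret and the provider gateway are assumptions or placeholders. The rules generated by the Basic Firewall and IPS wizards are not shown.

```text
! Constructed example, not the guide's own configuration. Interface names,
! VLAN IDs, excluded ranges and placeholders in <angle brackets> are assumptions.
!
! Set before running the Security Audit (see its Note): a password shorter
! than the audit's minimum can lock users out after the router reloads.
enable secret <STRONG-ENABLE-SECRET-PLACEHOLDER>
!
! Keep statically assigned hosts (switches, servers) out of both DHCP pools.
! The excluded ranges are an assumed choice within each /24 from the guide.
ip dhcp excluded-address 10.20.31.1 10.20.31.50
ip dhcp excluded-address 10.20.41.1 10.20.41.50
!
ip dhcp pool Cisco-Data
 network 10.20.31.0 255.255.255.0
 default-router 10.20.31.1
! dns-server and domain-name are optional; the provider may supply them.
!
ip dhcp pool Cisco-Voice
 network 10.20.41.0 255.255.255.0
 default-router 10.20.41.1
!
! WAN: address learned from the cable provider (Dynamic in the wizard).
! CDP is disabled here by hand, as the Security Audit note requires;
! Fix all only clears it on the LAN side.
interface GigabitEthernet0/0
 description WAN to service provider (assumed interface)
 ip address dhcp
 ip nat outside
 no cdp enable
!
! LAN: the physical interface is an 802.1Q trunk; Cisco-Data is the native VLAN.
interface GigabitEthernet0/1
 description 802.1Q trunk to Catalyst Express 500 (assumed interface)
 no ip address
!
interface GigabitEthernet0/1.31
 description Cisco-Data VLAN (assumed VLAN ID 31, native)
 encapsulation dot1Q 31 native
 ip address 10.20.31.1 255.255.255.0
 ip nat inside
!
! No "ip nat inside" here: the voice VLAN never reaches the Internet.
interface GigabitEthernet0/1.41
 description Cisco-Voice VLAN (assumed VLAN ID 41)
 encapsulation dot1Q 41
 ip address 10.20.41.1 255.255.255.0
!
! Basic NAT (PAT): only the Cisco-Data subnet is translated out the WAN interface.
access-list 1 remark Cisco-Data VLAN only; Cisco-Voice is intentionally absent
access-list 1 permit 10.20.31.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Only when the provider assigns static addressing (Configuring IP Routing):
! ip route 0.0.0.0 0.0.0.0 <PROVIDER-GATEWAY-PLACEHOLDER> permanent
```

Three quick checks confirm the intent of the procedures once SDM has delivered them: show cdp interface should not list the WAN interface, show ip dhcp binding should show leases only from the non-excluded part of each pool, and show ip nat translations should contain only 10.20.31.x inside local addresses; a 10.20.41.x entry there means the voice VLAN was selected as an inside network in the NAT wizard and should be removed.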

Figure 6 displays the firewall configuration that you created in the previous procedure.

Figure 6 Firewall and ACL Configuration Window

Configuring the Intrusion Prevention System

Perform the following steps to configure the Intrusion Prevention System.

Step 1 From the Main menu, click Configure and choose IPS from the Task pane.
Step 2 From the Create IPS window, click Launch IPS Rule Wizard and then click OK in the SDEE notification window.

Step 3 Click OK in the SDM subscription window, then click Next in the Welcome to the IPS Policies Wizard window.
Step 4 Choose both the inbound and outbound inspection rules for the WAN and LAN interfaces in the Select interfaces window and click Next.
Step 5 Click Add for the SDF Location, using the default setting of Specify SDF on flash, and choose the signature file from the drop-down list (the 256MB.sdf file is the default for the 2851). Click OK and then click Next.

Note If an information box regarding the order of SDF file locations is displayed, click OK.

Step 6 In the summary window, review the options and click Finish.
Step 7 After the configuration is delivered to the router, click OK.

Note Actions such as reset, deny, and alarm are pre-configured based on the type of signature in the SDF file loaded on the router.

Figure 7 displays the IPS configuration that you created in the previous procedure.

Figure 7 IPS Configuration Window

Setting the Date and Time

Perform the following steps to configure the date and time on the router.

Step 1 From the Main menu, click Configure and choose Additional Tasks from the Task pane.
Step 2 Open Router Properties and choose Date/Time.
Step 3 Click the Change Settings button.
Step 4 In the Date and Time Properties window, edit the date and time.
Step 5 Click Apply.
Step 6 In the Router clock configured window, click OK.
Step 7 In the Date and Time Properties window, click Close.

Catalyst Express 500 Switches

The Catalyst Express 500 LAN switches deployed within this system provide several services, including:

• Layer 2 LAN access connectivity
• Layer 2 LAN aggregation connectivity
• Power over Ethernet for IP phones, wireless access points and other devices
• Integrated security and quality of service via Smartports macros

All of these services are configured using the Cisco Network Assistant (CNA) graphical user interface (GUI) tool. This tool centralizes the administration of all the switches within the system and speeds the overall implementation process.

The following sections outline the simple steps used to configure the Catalyst Express 500 access and aggregation LAN switches. When installing and configuring the switches for the first time, it is important to follow the steps outlined in the document Getting Started Guide for the Catalyst Express 500 Switches at the following URL:
http://www.cisco.com/en/US/partner/products/ps6545/products_getting_started_guide09186a0080524310.html

When installing Cisco Network Assistant for the first time, it is important to follow the steps provided in Getting Started with CNA 3.1 at the following URL:
http://www.cisco.com/en/US/partner/products/ps5931/products_installation_guide_book09186a008051a512.html

Figure 8 shows the CNA GUI interface that you use to configure the switches.

Figure 8 CNA GUI Interface

Configuring Port Settings

Perform the following steps to configure port settings on the access and aggregation switches.

Step 1 Highlight the appropriate switch in the Topology View window.
Step 2 In the left pane, click Configure
