decepticon_eazy_e
Everything posted by decepticon_eazy_e

  1. VMware Fusion for Mac, not free, but worth it.
  2. I think you could get a 2600 for cheap or even a 1710 or 172x. I have a 2612 (token!!) and a 1721 that I got for maybe $40 total, WIC cards included. Then I got some switches that have a bad port. 1 bad port on a 24- or 48-port switch means it's garbage to a reseller. It's gold to people like us! You need to find a used reseller and see what they can get you. You would be surprised what goes out on the scrap pile. 3640s, 1721s, WS-C3524s, etc. The 2500 series stuff is worthless, so it will go out at pennies. I won't name names (shameless plugs), but there are tons of places like this with this equipment being tossed in the garbage.
  3. I just like to jab at people, no harm meant! :) It's good to see people willing to learn no matter the circumstances. I've worked with and gone to school with too many people who just want to pass the test and get the paycheck. They're never in it to learn anything. My job gives me access to network resources that most people probably can't get. I'll be more than happy to share what I can with everybody here. We had a really good bunch of teachers at my school; if you run into any roadblocks, let us know! Peace.
  4. There are some tidbits to think about when buying the equipment. In the switches, don't buy the 1900 line, they're too old. They don't do dot1q trunking, only ISL. Get the best switch you can, the higher models support more features. The 3550 line is the lowest layer 3 switch you can get, learn layer 3 switching! Get a router with a "fastethernet" port, the regular ethernet ports don't do trunking either. Fastethernet = 10/100, ethernet = 10. Find a source for IOS files. Get the enterprise version for whatever router you get. You'll need to do BGP and crypto stuff in your labs, base IOS won't have all the features. Use the WIC-1T cards for your serial connections, they're a fraction of the WIC-2T cards, cables are also cheaper. Make an account on Cisco's site, it's free and you can download more stuff. There is a WAN sim live distro on there that makes a PC with 2 NICs act like the internet. You set the latency and packet loss and then can simulate networks. Try everything with the CLI first, they are pushing their SDM and web GUI now, but you should know how to do it all on the CLI first. The CCNA test will be on the CLI, not web GUI wizards that walk you through everything.
  5. This is for a class project? Read your text books and the sources your instructor gave you! I hope you mention in your presentation that everyone in this thread just did all the work for you. Great way to learn, hope the rest of school is going well for you. Who's doing your math homework for you? </sarcasm>
  6. I work for a hardware reseller and do the Cisco gear here. If you want to post what you are looking at, I'll give you my opinions. By 2000 series, I assume you mean 2600 series. If you want to get really cheap routers, look at the 2500 series. They are pretty much only useful for labs. 2600s are end of life, so most businesses are dumping them, you could find good deals on those. You'll have better luck if you know the model numbers. You want a 2621, part num CISCO2621
  7. You got it now! :) Have a look at the network configurations on the VMware server. There are so many cool things you can do with it. You can put a DMZ inside the box, there's a router virtual appliance that you can add and put servers behind it. There are some commercial firewalls available for the same purpose. If you have a switch that you can do VLANs and trunking on, you can make some complex networks. VMware has done some really cool things with that area. It's worth reading up on.
  8. Network security is like ogres. It should have many layers. Have a firewall running one definition, your spam filter running another. Your servers being inspected by a third, and your desktops a fourth. That would be the most ideal way. Granted, nobody is going to sign off on that budget. Four anti-virus subscriptions a year is very wasteful to the outside observer. The more layers you can get the better off you'll be.
  9. The single box is on multiple physical LANs. You get a 2 for 1 hack here, compromise the box from one LAN and you get the second LAN for free. Don't put the box in multiple LANs, virtual or physical. The VLANs are useful because it was mentioned that the firewall had a limited amount of NICs. The server, being VMware, also had a limited amount of NICs. Make those trunks and assign your virtual machines to one VLAN only. The box has a management IP, which will reside in your most trusted network. At no point do these networks touch each other... UNTIL you plop a server down with 2 or more NICs in 2 or more networks. DMZ is to be treated as a hostile network, similar to the outside world. Granted, this is not as hostile a network, but still not to be trusted. This is the DMZ's purpose. If any box in the DMZ is compromised it will have limited, if any, access to the internal network. The firewall rules will look like this: internal hosts get port 80 to server A in DMZ, and port 110+25 to server B in DMZ. The rules will mimic those to the outside world, but you add port 3389 or something like that for administration. The point of the DMZ is that all traffic passes through the firewall and thus can be inspected or blocked. If a server in the DMZ has another NIC in the internal network, you have installed a backdoor into your network and bypassed the firewall completely.
  10. Default settings for the XP firewall are to not respond to pings. Default settings in a group policy are to turn on XP firewalls with default settings. Edit group policy or make yourself a Domain Admin and turn it off manually.
  11. Adding a NIC and putting half of the server in the DMZ is not a secure solution. If security is the goal in this solution (which is where it originally headed), adding a NIC for another subnet is not ideal. If they compromise the box via the lower security of a DMZ, they can now have free rein in the INSIDE network. A server in 2 different security zones is not a solution, it's a fix. VLANs are how you accomplish this solution; if you don't understand them or have the equipment to implement them, you will not have the correct solution. VLANs are not that complicated, Wikipedia probably can explain it enough. Now I understand this is not a super-secure company with HIPAA or PCI-like requirements ("This is for a home setup."), but that was where the discussion was heading. I just want to put the 2 cents in that those recommendations are the answer to "how can I make this work" vs "what is the best way". DMZ implementation rule #1: If you have a rule that lets all hosts on the internal network get to all hosts on the DMZ, you don't need a DMZ. So do you really need to bother with all this?
  12. Can you do trunking on that firewall? You probably have the potential of 100+ VLANs then. In VMware, I can assure you that you can trunk that and have 1024 VLANs. Do you have managed switches that can do VLANs?
  13. You are comparing the speed results to 2 different locations. There's no reason they should be the same.
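As an added example that is not from any of these posts: a small Python audit of a constructed host inventory and firewall ruleset, flagging the two problems argued in posts 9 and 11 above (a server with NICs in both the DMZ and the internal LAN, and an internal-to-DMZ rule that allows all hosts on all ports). The `Host` and `Rule` classes, the zone names and the sample data are assumptions made for this example.

```python
"""Audit a DMZ design for the two mistakes described in the posts above:
1. A dual-homed host (NICs in two security zones) is a path around the firewall.
2. An internal -> DMZ rule of any host / any host / any port means the DMZ
   isolates nothing.
The inventory and ruleset below are constructed sample data, not a real network."""
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    zones: set          # security zones this host has a NIC in, e.g. {"dmz"}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: str      # "any" or a single host name
    dst_hosts: str      # "any" or a single host name
    ports: set          # set of port numbers, or {"any"}

def dual_homed(hosts):
    """Names of hosts with a NIC in more than one zone (each is a firewall bypass)."""
    return [h.name for h in hosts if len(h.zones) > 1]

def pointless_dmz_rules(rules):
    """Rules letting every internal host reach every DMZ host on any port."""
    return [r for r in rules
            if r.src_zone == "internal" and r.dst_zone == "dmz"
            and r.src_hosts == "any" and r.dst_hosts == "any"
            and r.ports == {"any"}]

def audit(hosts, rules):
    """Return one finding string per problem found; an empty list means clean."""
    findings = [f"{n}: NIC in more than one zone, traffic bypasses the firewall"
                for n in dual_homed(hosts)]
    findings += [f"rule {r.src_zone}->{r.dst_zone} any/any/any: DMZ gives no isolation"
                 for r in pointless_dmz_rules(rules)]
    return findings

# Constructed sample: the two rules from post 9 (80 to server A, 25+110 to server B),
# plus one over-broad rule and one server wrongly homed in both zones.
SAMPLE_HOSTS = [Host("server-a", {"dmz"}),
                Host("server-b", {"dmz", "internal"}),
                Host("pc1", {"internal"})]
SAMPLE_RULES = [Rule("internal", "dmz", "any", "server-a", {80}),
                Rule("internal", "dmz", "any", "server-b", {25, 110}),
                Rule("internal", "dmz", "any", "any", {"any"})]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, SAMPLE_RULES):
        print(finding)
```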