Cymphonix Network Composer and 802.1q VLAN Trunk Links

If you're not familiar with Cymphonix Network Composer, here's a brief overview of my experience with it.

First of all, it's an appliance-based gateway security device. It analyzes, monitors and filters network traffic in and out of your gateway router or firewall and is specifically designed for small to medium-sized businesses. Throughout the year I've had several clients approach me with the following concerns and questions regarding Internet connection troubleshooting and end-user web traffic monitoring:

  • Is there a way for me to monitor and log what my users are doing on the internet?
  • How can I prioritize and/or throttle certain types of web traffic?
  • I've got a 5mb internet connection but it always seems so slow, can you tell me why?
  • How can I block BitTorrent, LimeWire, YouTube, MySpace or FaceBook?

In most cases Cymphonix Network Composer has been my preferred solution for these reasons:

  • Appliance based
  • Deep packet inspection
  • Gateway traffic "total visibility"
  • Prioritize critical traffic
  • Throttle, or completely block non-critical traffic
  • Realtime application, URL and bandwidth monitoring
  • Spyware and Antivirus protection
  • Integrates with Active Directory
  • Filter by already established Active Directory groups
  • Identify users in realtime

A more thorough review and testimonials can be found at www.cymphonix.com or check out an actual Network Composer for yourself at http://demo.cymphonix.com using demo as the login and password.

A few months ago I had a request from a potential client who wanted to know if the Network Composer could be used on a trunk link. I wasn't sure and had to call Cymphonix tech support to find out. In most implementations the Network Composer is assigned a LAN-accessible IP and sits transparently inline between the gateway and the LAN-side switch. So what if the gateway is also providing inter-VLAN routing services? "As long as the Network Composer is assigned an ip from the untagged or native vlan it should be fine on a trunk link" was the response from Cymphonix tech support. Just to be sure, I set up a test network with a Network Composer DC10 model connected inline on a trunk link and configured it with an IP address (192.168.1.2) on the untagged (192.168.1.x) VLAN.

Here's the relevant router and switch configuration.

Cisco 2600 Router

ip dhcp pool Native
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 216.136.95.2
!
ip dhcp pool VLAN200
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   dns-server 216.136.95.2
!
ip dhcp pool VLAN150
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   dns-server 216.136.95.2
!
interface Ethernet0/1
 description Connected to 2950 Switch
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Ethernet0/1.150
 description Data10 VLAN 150
 encapsulation dot1Q 150
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1.200
 description Data VLAN 200
 encapsulation dot1Q 200
 ip address 172.16.10.1 255.255.255.0
 ip nat inside

Cisco 2950 Switch

interface FastEthernet0/9
 description Connected to 2600 Router
 switchport trunk allowed vlan 1,150,200,1002-1005
 switchport mode trunk
 speed 10
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
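
As an added illustration (not from the original post or from Cymphonix), the example below shows what lets an inline device on this trunk tell the VLANs apart: frames for VLANs 150 and 200 carry an 802.1Q tag, while native-VLAN frames do not. The function names, the constructed sample frames and the tag/subnet mismatch check are assumptions for illustration; the subnets come from the router configuration above.

```python
import ipaddress
import struct

# Assumption: VLAN-to-subnet map copied from the router config above; None = untagged/native.
VLAN_SUBNETS = {
    None: ipaddress.ip_network("192.168.1.0/24"),
    150: ipaddress.ip_network("10.1.1.0/24"),
    200: ipaddress.ip_network("172.16.10.0/24"),
}

def parse_frame(frame: bytes):
    """Return (vlan_id or None, source IPv4 address or None) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, = struct.unpack_from("!H", frame, 12)
    vlan, offset = None, 14
    if ethertype == 0x8100:                  # 802.1Q TPID: a 4-byte tag follows the MACs
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = (tci & 0x0FFF) or None        # low 12 bits = VLAN ID; 0 is a priority-only tag
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return vlan, None                    # not IPv4, or IPv4 header cut short
    return vlan, ipaddress.ip_address(frame[offset + 12:offset + 16])

def classify(frame: bytes):
    """Map a frame to a group name and flag a source IP outside that VLAN's subnet."""
    vlan, src = parse_frame(frame)
    group = "Native" if vlan is None else f"VLAN {vlan}"
    expected = VLAN_SUBNETS.get(vlan)        # None for a VLAN ID not in the map
    mismatch = src is not None and (expected is None or src not in expected)
    return group, (str(src) if src is not None else None), mismatch

def build_frame(src_ip: str, vlan=None) -> bytes:
    """Constructed test frame: dummy MACs, optional 802.1Q tag, bare IPv4 header."""
    macs = bytes.fromhex("020000000001" "020000000002")
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    ip = bytearray(20)
    ip[0] = 0x45                             # IPv4, 20-byte header
    ip[12:16] = ipaddress.ip_address(src_ip).packed
    return macs + tag + struct.pack("!H", 0x0800) + bytes(ip)
```

A frame whose tag and source subnet disagree (for example a 10.1.1.x source tagged as VLAN 200) comes back with the mismatch flag set, which usually points to a misconfigured access port or trunk.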

From within Network Composer I set up two groups, each configured with a VLAN ID, labeled VLAN 150 and VLAN 200.

[Image: groupmanager.jpg]

Separate laptops were plugged into ports 10 & 12 on the 2950 switch. Web traffic was generated from each laptop and almost immediately the Network Composer began to display the traffic correlated by the respective VLAN groups. I tested some of the Internet Usage Rules against the VLAN groups and they worked just fine. Here's a Group Details activity screenshot.

[Image: groupoverview.jpg]

As I mentioned earlier, Network Composer is my preferred choice for web activity monitoring and filtering. It's very flexible, not too difficult to implement and for the most part does what it claims to be able to do, and seems to do it well. Comments, questions, suggestions, personal Network Composer experiences or implementation stories are welcomed.

1 Comment

Perfect, I really appreciate your this effort towards Cymphonix Network Composer and 802.1q VLAN. As per my experience I am working from last 10 years in Networking field and have completed my Cisco CCNA 640-802 exam with really a good score. I am user of your blog from last 6 month and reading each and every post.
