[nsp] Protected Ports
Alexandre Snarskii
snar at paranoia.ru
Wed Apr 9 11:39:10 EDT 2003
On Tue, Apr 08, 2003 at 09:26:13PM -0400, Terry Baranski wrote:
> > It also said that between protected ports you need a layer 3 device.
> > So, will the pix work for that? and do I just put an ACL on the DMZ
> > interface as to what device can talk to which one? I'm also assuming
> > that they will all be in the same subnet, right?
>
> Right -- protected ports are used when you don't want traffic passing
> between a set of ports at layer 2. This either means that 1) you don't
> want any traffic at all flowing between them, or 2) you want all traffic
> flowing between them to go through a layer 3 device (such as a firewall)
> for security reasons. I've only used them in the former case, and have
> wondered how people who use them for the latter reason get the traffic to
> the layer 3 device in the first place being that the hosts are on the same
> subnet. (The usual case, of course, is that the hosts just ARP for each
> other and that's the end of it -- no layer 3 device involved.) Can
> anyone who has done this before shed some light? Does it work to
> put a static host route on a given host telling it to send traffic to
> the other "protected" hosts to the firewall? Does this override the
> default behavior?
Just mark all customer ports as 'protected', leave the port to the L3 device as
'unprotected', and enable 'ip local-proxy-arp' on the L3's interface.
With that layout, all ARP broadcasts go to the L3 device, and L3 answers
with its MAC address in the reply. So, the unicast traffic from customer1
goes to L3 and then to customer2.
I'm not sure that PIX has the 'ip local-proxy-arp' feature, but at
least cat6500 with 12.1E and 75xx with 12.2(S) have it.
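The layout described in the reply above, written out as an IOS configuration. This is an added example, not config from the original post or from any poster; the interface names, VLAN number, addresses and the ACL policy are constructed, and the ACL shows the "which device can talk to which" filtering the original question asked about.

```cisco
! --- Access switch: customer ports protected, uplink to the L3 device not
vlan 10
 name customers
!
interface range FastEthernet0/1 - 2
 description customer1 (192.0.2.10) / customer2 (192.0.2.20), constructed
 switchport mode access
 switchport access vlan 10
 ! protected ports never forward to each other at layer 2,
 ! including ARP broadcasts, so customer1 cannot learn customer2's MAC
 switchport protected
!
interface GigabitEthernet0/1
 description uplink to L3 device (must stay unprotected)
 switchport mode access
 switchport access vlan 10
 no switchport protected
!
! --- L3 device, SVI for VLAN 10 (a router or cat6500 SVI; addressing constructed)
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ! proxy-arp is on by default; local-proxy-arp depends on it
 ip proxy-arp
 ! answer ARP for hosts on this same subnet with the SVI's own MAC,
 ! so customer1 -> customer2 unicast is sent to the L3 device first
 ip local-proxy-arp
 ! do not tell hosts to reach each other directly; they could not anyway
 no ip redirects
 ! inbound policy between customers now takes effect because the traffic
 ! hairpins through this interface
 ip access-group CUSTOMER-IN in
!
ip access-list extended CUSTOMER-IN
 remark constructed policy: only customer1 -> customer2 HTTPS inside the subnet
 permit tcp host 192.0.2.10 host 192.0.2.20 eq 443
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
!
! Checks:
!   show interfaces FastEthernet0/1 switchport   -> "Protected: true"
!   show ip interface Vlan10                     -> "Local Proxy ARP is enabled"
!   show arp on customer1 after pinging customer2 -> customer2's IP mapped to
!   the SVI's MAC, which confirms the path goes via the L3 device
```

Return traffic from customer2 to customer1 hairpins through the same SVI, so the ACL sees both directions; a stateless ACL therefore needs the reply flow permitted explicitly (or `established`), which the constructed policy above does not yet do.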