[c-nsp] how to secure a vlan?

Peter Rathlev peter at rathlev.dk
Sat Mar 1 09:18:00 EST 2008


Just a few "corrections":

It sounds like OP wants to secure VLAN 250, so the direction should
either be outbound on VLAN 250 or inbound on VLAN 200 (and any other
client VLANs).

The logging might not be a terrific idea, since a lot of traffic could
lead to a DoS situation. You can look at ACL counters to see hits. AFAIK
they are updated also for hardware CEF-switched traffic on a 3560.

Configuring InterVLAN routing with Catalyst 3560 switches:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml
http://tinyurl.com/6hu9c

Configuring network security with ACLs:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swacl.html
http://tinyurl.com/3agutf

Regards,
Peter
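
To make the direction point concrete, here is a worked configuration for
Dan's case. This is an added example, not config posted by Peter, Aaron or
Dan; the subnets (10.200.0.0/24 for the VLAN 200 workstations, 10.250.0.0/24
for the VLAN 250 servers), SVI addresses and ACL names are all invented for
illustration. The reason Aaron's "ip access-group 101 in" on Vlan250 does
the wrong thing is that "in" on an SVI matches packets arriving from hosts
on that VLAN, i.e. traffic sourced by the servers, not traffic going to
them. Both of Peter's alternatives are shown.

```cisco
! Added example for the thread above; not the original poster's config.
! Assumptions (hypothetical): VLAN 200 workstations are 10.200.0.0/24,
! VLAN 250 servers are 10.250.0.0/24, and this 3560 is the OSPF router
! holding both SVIs. ACL names and addresses are invented for illustration.
!
! Option A (Peter's first suggestion): filter INBOUND on the client SVI.
! "in" on Vlan200 matches packets arriving from the workstations, so this
! ACL sees workstation -> server traffic and nothing else.
ip access-list extended CLIENTS-TO-SERVERS
 remark -- the two services Dan wants to allow --
 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 80
 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 21
 remark -- everything else toward the server farm is dropped --
 deny   ip  10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255
 remark -- leave traffic to all other destinations alone --
 permit ip  any any
!
interface Vlan200
 description workstations
 ip address 10.200.0.1 255.255.255.0
 ip access-group CLIENTS-TO-SERVERS in
!
! Option B (Peter's second suggestion): filter OUTBOUND on the server SVI.
! One ACL covers every client VLAN at once, but it also sees the reply
! half of connections the servers open to other VLANs, so those replies
! need a permit. "established" matches TCP packets with ACK or RST set;
! it is assumed here that your IOS release supports it on the 3560.
ip access-list extended TO-SERVER-FARM
 permit tcp any 10.250.0.0 0.0.0.255 eq 80
 permit tcp any 10.250.0.0 0.0.0.255 eq 21
 permit tcp any 10.250.0.0 0.0.0.255 established
 remark -- explicit deny so the drops show up in the counters --
 deny   ip  any any
!
interface Vlan250
 description server farm
 ip address 10.250.0.1 255.255.255.0
 ip access-group TO-SERVER-FARM out
!
! Verification: read the match counters rather than adding "log".
! show ip access-lists CLIENTS-TO-SERVERS
! show ip access-lists TO-SERVER-FARM
```

Two caveats a practitioner should keep in mind with either option. Router
ACLs on an SVI only see routed (inter-VLAN) traffic, so hosts inside VLAN
250 can still talk to each other freely; use VLAN maps or port ACLs if
that needs restricting too. And permitting port 21 only covers the FTP
control connection: a passive-mode data connection from a workstation goes
to an ephemeral server port and will be dropped by the deny line, so
either plan on active mode or add the server's passive port range.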


On Sat, 2008-03-01 at 20:11 +0900, Aaron R wrote:
> Just apply the necessary acl's to the relevant vlan interfaces. i.e. 
> 
> access-list 101 permit tcp source-network mask destination-network mask eq 80
> access-list 101 permit tcp source-network mask destination-network mask eq 21
> 
> int vlan 250
> ip access-group 101 in
> 
> if you are concerned about applying this in a production environment simply
> add a permit ip any any at the end of the ACL and log the other traffic to
> see if the ACL is being matched.
> 
> Cheers,
> 
> Aaron.
>  
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Saturday, March 01, 2008 8:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how to secure a vlan?
> 
> What would be the best way to go about securing networks on 3560 switches?
> 
> Currently I'm trunking multiple vlans between 3560's.  Each switch has
> multiple connected networks and ospf is the routing protocol.
> 
> What I would like to do is secure a vlan so you can't access that
> network from another vlan.  For example:  My server farm vlan is vlan
> 250, but I don't want the workstations from vlan 200 to access those
> servers except port 21 & port 80 traffic.
> 
> I understand that I would need to do this with ACLs, but I'm unsure
> where to start.  Any examples would be helpful.
> 
> Thanks,
> Dan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 