[c-nsp] how to secure a vlan?

Dan Letkeman danletkeman at gmail.com
Sat Mar 1 13:33:39 EST 2008


Well there are about 30 different VLANs that will need different
access to the server farm.  Would it be in my best interest to have
one ACL on VLAN 250 and secure things accordingly, or just have an ACL
per client VLAN and work with it that way?  I also understand that I
can only have one access group per VLAN or port.  I've done some
reading and I think the best way to manage the ACLs is to have two
identical ACLs, labeled 101 and 102, then make the changes needed to
the ACL that is not assigned to the port, then once the changes are
done and tested, apply the access group change to the port (change
it from 101 to 102 and vice versa).  Does that make sense?

Dan.
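The layout Dan describes (two identical numbered ACLs, edit the one that is not applied, then swap the access group in a single command) combined with Peter's point about direction, written out as an added IOS configuration example. This is not configuration from any message in the thread; the subnets 10.200.0.0/24 for VLAN 200, 10.201.0.0/24 for a second client VLAN and 10.250.0.0/24 for the server farm are assumptions, since the thread gives no addresses.

```cisco
! Constructed example; addressing is assumed, not taken from the thread.
! VLAN 200 clients: 10.200.0.0/24   VLAN 201 clients: 10.201.0.0/24
! Server farm, VLAN 250:            10.250.0.0/24
!
! Filtering is done once, outbound on the VLAN 250 SVI, so one ACL
! sees every client VLAN.  Router ACLs on the 3560 are stateless, so
! only the client -> server direction is filtered; the servers' replies
! enter inbound on Vlan250 and are never touched by this ACL.

! --- ACL 101: the copy that is currently applied ---
access-list 101 remark VLAN 200 workstations: FTP control and HTTP only
access-list 101 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 21
access-list 101 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 80
access-list 101 remark VLAN 201 gets a different profile
access-list 101 permit tcp 10.201.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 443
! Everything else routed toward the server farm is dropped.  Explicit
! rather than relying on the implicit deny, so its counter is visible.
access-list 101 deny   ip any any

! --- ACL 102: identical copy, edited while unapplied ---
access-list 102 remark VLAN 200 workstations: FTP control and HTTP only
access-list 102 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 21
access-list 102 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 80
! Staged change: VLAN 200 is also allowed HTTPS after the swap
access-list 102 permit tcp 10.200.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 443
access-list 102 remark VLAN 201 gets a different profile
access-list 102 permit tcp 10.201.0.0 0.0.0.255 10.250.0.0 0.0.0.255 eq 443
access-list 102 deny   ip any any

! Active copy on the server-farm SVI, outbound (toward the servers)
interface Vlan250
 ip access-group 101 out

! Cut-over: re-issuing ip access-group replaces 101 with 102 in one
! step; there is no window with no ACL applied.
interface Vlan250
 ip access-group 102 out

! Verification uses the per-ACE hit counters instead of the "log"
! keyword (logged ACEs are punted to software on these switches):
!   show access-lists 102
!   show ip interface Vlan250 | include access list
```

Two caveats a practitioner would want before applying this. First, the final `deny ip any any` on Vlan250 also blocks routed traffic from management or other server VLANs, so add explicit permits for those sources ahead of it. Second, `eq 21` only covers the FTP control channel; active- and passive-mode data connections use other ports, so HTTP will work through this ACL while FTP transfers may not, and that has to be accounted for separately.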

On Sat, Mar 1, 2008 at 8:18 AM, Peter Rathlev <peter at rathlev.dk> wrote:
> Just a few "corrections":
>
>  It sounds like OP wants to secure VLAN 250, so the direction should
>  either be outbound on VLAN 250 or inbound on VLAN 200 (and any other
>  client VLANs).
>
>  The logging might not be a terrific idea, since a lot of traffic could
>  lead to a DoS situation. You can look at ACL counters to see hits. AFAIK
>  they are updated also for hardware CEF-switched traffic on a 3560.
>
>  Configuring InterVLAN routing with Catalyst 3560 switches:
>  http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml
>  http://tinyurl.com/6hu9c
>
>  Configuring network security with ACLs:
>  http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swacl.html
>  http://tinyurl.com/3agutf
>
>  Regards,
>  Peter
>
>
>
>
>  On Sat, 2008-03-01 at 20:11 +0900, Aaron R wrote:
>  > Just apply the necessary ACLs to the relevant VLAN interfaces, i.e.
>  >
>  > access-list 101 permit tcp source-network mask destination-network mask eq 80
>  > access-list 101 permit tcp source-network mask destination-network mask eq 21
>  >
>  > int vlan 250
>  > ip access-group 101 in
>  >
>  > if you are concerned about applying this in a production environment simply
>  > add a permit ip any any at the end of the ACL and log the other traffic to
>  > see if the ACL is being matched.
>  >
>  > Cheers,
>  >
>  > Aaron.
>  >
>  >
>  > -----Original Message-----
>  > From: cisco-nsp-bounces at puck.nether.net
>  > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
>  > Sent: Saturday, March 01, 2008 8:08 AM
>  > To: cisco-nsp at puck.nether.net
>  > Subject: [c-nsp] how to secure a vlan?
>  >
>  > What would be the best way to go about securing networks on 3560 switches?
>  >
>  > Currently I'm trunking multiple VLANs between 3560's.  Each switch has
>  > multiple connected networks and OSPF is the routing protocol.
>  >
>  > What I would like to do is secure a VLAN so you can't access that
>  > network from another VLAN.  For example: my server farm VLAN is VLAN
>  > 250, but I don't want the workstations from VLAN 200 to access those
>  > servers except for port 21 and port 80 traffic.
>  >
>  > I understand that I would need to do this with ACLs, but I'm unsure
>  > where to start.  Any examples would be helpful.
>  >
>  > Thanks,
>  > Dan
>  > _______________________________________________
>  > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>  > https://puck.nether.net/mailman/listinfo/cisco-nsp
>  > archive at http://puck.nether.net/pipermail/cisco-nsp/
>  >
