[c-nsp] Network Security.

David Prall dcp at dcptech.com
Tue Mar 6 22:40:25 EST 2012


DHCP servers couldn't care less about who you are. They will give out an
address to just about anyone. Now MAB or 802.1x authentication can be used
to block this. With MAB or 802.1x you could place the authenticated users
into a different VLAN, where all of your domain related information resides.
Then you could use a web based auth mechanism on the router, that is linked
to credentials, in order to require a user id and password for external
access.

David

--
http://dcp.dcptech.com



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rich Trinkle
Sent: Tuesday, March 06, 2012 10:22 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Network Security.

I apologize if this seems like a "rookie" question.  A colleague and I have
a stance that neither of us wants to budge on. We have a Cisco 861W core router
for our internal network and a typical domain server/client access. All of our
internal PCs are part of this domain and our client PCs obtain a dynamic
IP from an internal DHCP server. The question is this: should I be able to
take a personal laptop that is not set up on our domain, plug into our
network, obtain an IP address dynamically through our Cisco router and
browse the internet?
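The design David describes above (MAB/802.1x putting authenticated hosts into the domain VLAN, unknown hosts into a restricted VLAN, and web authentication on the router before anything leaves that VLAN) looks roughly like this in IOS. This is an added example, not configuration from either poster. It uses Catalyst-style switchport syntax; whether the embedded switch of an 861W accepts every one of these commands is an assumption to check against that platform's feature set. VLAN numbers, addresses (documentation ranges), interface names and the RADIUS key are placeholders.

```ios
! Added example (not from the thread). Assumed layout:
!   VLAN 10 = domain VLAN (assigned by RADIUS after 802.1X/MAB success)
!   VLAN 20 = restricted VLAN (guest / auth-fail), DHCP only, no exit without web login
!   192.0.2.10 = RADIUS server (placeholder), key is a placeholder
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
!
vlan 10
 name DOMAIN
vlan 20
 name RESTRICTED
!
! Access port: try 802.1X first, fall back to MAB. RADIUS returns
! Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=10
! for known machines/users; everyone else stays in VLAN 20.
interface FastEthernet0/1
 description user port
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 ! no supplicant and MAC unknown to RADIUS -> guest VLAN 20
 authentication event no-response action authorize vlan 20
 ! credentials rejected -> auth-fail VLAN 20 as well
 authentication event fail action authorize vlan 20
 dot1x pae authenticator
 mab
!
! Web authentication (IOS authentication proxy) on the restricted VLAN's SVI.
! The inbound ACL blocks everything except DHCP, DNS and the router's own
! login page; the proxy adds per-host entries once a user id/password is
! accepted by RADIUS.
ip http server
ip http authentication aaa
ip admission name WEBAUTH proxy http
!
ip access-list extended RESTRICTED-IN
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 192.168.20.1 eq www
 deny   ip any any
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group RESTRICTED-IN in
 ip admission WEBAUTH
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
```

The useful check after deploying this is `show authentication sessions` on the switch (which VLAN each port actually landed in) and `show ip admission cache` on the router (which hosts in VLAN 20 have completed the web login). A laptop that is not on the domain then still gets a DHCP lease, which is what Rich observed, but it sits in VLAN 20 with no domain resources reachable and no internet until someone types valid credentials.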


-----Original message-----
From: Zach Williams <zwilliams360 at gmail.com>
To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Sent: Wed, Mar 7, 2012 03:02:08 GMT+00:00
Subject: [c-nsp] Question on the Use of Policy Based Routing

Hello.  I have a question regarding the use of policy based routing.  I've
always thought of it as a way to selectively change routing in exceptional
circumstances.

I've come across an implementation where it is being used to explicitly set
a next-hop IP for 99% of all traffic headed from an application behind a
pair of stacked 3750s.  The default route on these layer 3 switches is
set to a 192.168.x.x IP which is part of a management network.  The PBR is
in place to send the outbound application traffic towards a firewall and
out to the internet.

Part of the reasoning for doing this was because the application will
require only a few separate class Cs and the management network has many
more routes.  A route-map matching an access-list or prefix-list for the
basis of PBR on the outbound application traffic would contain fewer lines
of configuration and thus it was deemed more elegant to set up PBR for the
application traffic rather than the management traffic.

I'm having a tough time finding best-practices information on the use of
PBR and was wondering what cisco-nsp thought of this setup.
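For reference, the setup Zach describes (default route towards the management network, PBR steering only the application's few subnets at the firewall) reduces to the following IOS. This is an added example, not the configuration from the site in question; the prefixes (10.10.1.0/24 and 10.10.2.0/24 for the application, 10.0.0.1 for the firewall, 192.168.100.1 for the management next hop) and interface names are placeholders, and the next-hop tracking commands are standard IOS syntax whose availability on a given 3750 release is an assumption to verify.

```ios
! Added example (not from the thread). Placeholder addressing:
!   application subnets 10.10.1.0/24, 10.10.2.0/24 on Vlan100/Vlan101
!   firewall inside address 10.0.0.1, management next hop 192.168.100.1
!
! A 3750 stack needs the routing SDM template for PBR (reload after changing it).
sdm prefer routing
ip routing
!
! Routing-table default stays on the management network, as described.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! Track the firewall so policy-routed traffic falls back to the routing
! table instead of being black-holed if the firewall goes away.
ip sla 1
 icmp-echo 10.0.0.1 source-interface Vlan100
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Only application traffic bound for the outside is matched. A deny entry
! means "do not policy-route", so the management range is excluded first
! and keeps following the routing table; the permit list stays short.
ip access-list extended APP-TO-INTERNET
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.10.1.0 0.0.0.255 any
 permit ip 10.10.2.0 0.0.0.255 any
!
route-map APP-PBR permit 10
 match ip address APP-TO-INTERNET
 set ip next-hop verify-availability 10.0.0.1 10 track 1
!
! PBR is applied on the ingress interfaces, i.e. the SVIs the application sits behind.
interface Vlan100
 description application servers
 ip address 10.10.1.1 255.255.255.0
 ip policy route-map APP-PBR
!
interface Vlan101
 description application servers
 ip address 10.10.2.1 255.255.255.0
 ip policy route-map APP-PBR
```

Two things worth confirming on the box: `show route-map APP-PBR` should show the policy-routing counters climbing for application flows, and `show track 1` should report the firewall as up. The deny entry for the management range is the part most easily forgotten; without it, an application host talking to something on the management side would be pushed at the firewall as well, which is the kind of surprise that makes PBR feel riskier than it is.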
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/