Re: Need help controlling access between vlans
- From: 1crazyrican@xxxxxxxxx
- Date: Thu, 27 Sep 2007 09:25:09 -0700
On Sep 27, 10:17 am, Trendkill <jpma...@xxxxxxxxx> wrote:
On Sep 27, 7:10 am, 1crazyri...@xxxxxxxxx wrote:
The new IT manager wants to bring in a third party to check our Cisco
network for problems. I want to do whatever I can to get a good
report. I have students and teachers on the same vlans and I think this
is something the consultant may point out. Students and teachers
access some of the same servers, printers, etc. Also, teacher
workstations use software that allows them to view the screens of
students and any VLAN can get to anything on any other VLAN. We have
eight buildings with 3750's at each building and a 4507 at the core.
We have 3560G's at each IDF with older 3com's daisy chained to them.
All IDF's, including other schools are trunked to the core. Can anyone
recommend best practice in this situation? I think I'd like to start
with blocking traffic from some vlans to other vlans. What approach do
I take when there are shared resources? Do I put those things on a
special vlan? What happens to my DHCP scopes?
What are the commands to prevent some vlans from being routed?
thanks
Provided you must separate the networks, create a new network/vlan
with a new dhcp scope for faculty, and assign ports as needed. I
would hope that none of your servers are DHCP, and that hostnames are
being used instead of IPs. With that being said, move those to a
third vlan that you can control via access-lists. Truthfully, rather
than pegging down the server vlan, I would peg down the student vlan
since that is probably your biggest security risk. Use ACLs to allow
what you want and block anything else. Depending on how loose or
strict the ACLs are on the student vlan, you may also want some ACLs
on the server network to only allow specific connection types from the
student vlan. It just depends what all you are trying to prevent/lock
down and how to best do that with ACLs.
If you can't move the servers due to IP address usage, then create two
new vlans for your dhcp clients. Your users shouldn't care provided
you do it during a specific time, and at worst, they may require a
reboot if they don't have access to the command prompt and ipconfig.
If you want vlans that are completely non-routed, just don't put a
router interface in the network, just create it on layer 2. Or just
put an ACL on the VLAN to deny any any.
Thanks for responding. Your suggestion to work on the student vlan is
a good one.
Here is my plan:
1. move students to their own vlan. Each of our 8 schools has a
separate vlan, so I will need to create 8 student vlans. I will need
to keep them separate because of scripts that run based on Active
Directory sites which use subnets. **Will this create a lot of extra
work with ACLs?
2. create ACL on the student vlan to only allow traffic to specific
servers on the server vlan.
3. Allow staff vlans to connect to the student vlan (teachers run apps
to monitor student workstations)
4. Don't allow any vlan to talk to another vlan unless there is a
reason. In other words, currently no schools need to directly access
anything in any other school. They all access servers at our core.
Am I on the right track here?
Now all I need is some free open source software to monitor my
network.
thanks
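Written here as an added example, not configuration from the thread or its posters: a Cisco IOS fragment for one school's student VLAN that implements steps 1 through 4 of the plan above on the core switch doing the inter-VLAN routing. VLAN numbers, subnets and server addresses are constructed placeholders, and because the ports the monitoring software uses are not known, the ACL only lets replies to staff-initiated TCP sessions back out of the student VLAN.

```cisco
! Core switch doing inter-VLAN routing. All addresses are constructed placeholders:
!   VLAN 110 students  10.1.110.0/24  (one such VLAN per school in the real plan)
!   VLAN 120 staff     10.1.120.0/24
!   VLAN 200 servers   10.1.200.0/24  (DHCP/DNS 10.1.200.10, file 10.1.200.20, print 10.1.200.30)
vlan 110
 name STUDENTS-SCHOOL1
vlan 120
 name STAFF-SCHOOL1
vlan 200
 name SERVERS
!
! Applied INBOUND on the student SVI, so it sees everything a student host
! sends. Specific permits come first; the internal catch-all deny is last.
ip access-list extended STUDENT-VLAN-IN
 remark DHCP: client discovers come from 0.0.0.0, so the source must be "any"
 permit udp any eq bootpc any eq bootps
 remark DNS, file and print services students are allowed to reach
 permit udp 10.1.110.0 0.0.0.255 host 10.1.200.10 eq domain
 permit tcp 10.1.110.0 0.0.0.255 host 10.1.200.20 eq 445
 permit tcp 10.1.110.0 0.0.0.255 host 10.1.200.30 eq 9100
 remark Staff-initiated monitoring sessions: only the replies (ACK/RST set) go back
 permit tcp 10.1.110.0 0.0.0.255 10.1.120.0 0.0.0.255 established
 remark Every other internal destination (other schools, staff, servers) is dropped
 deny   ip 10.1.110.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark Whatever remains is Internet-bound; the edge firewall handles that
 permit ip 10.1.110.0 0.0.0.255 any
!
interface Vlan110
 description Student VLAN, school 1
 ip address 10.1.110.1 255.255.255.0
 ip helper-address 10.1.200.10
 ip access-group STUDENT-VLAN-IN in
!
interface Vlan120
 description Staff VLAN, school 1 (may initiate sessions toward students)
 ip address 10.1.120.1 255.255.255.0
 ip helper-address 10.1.200.10
!
interface Vlan200
 description Server VLAN
 ip address 10.1.200.1 255.255.255.0
```

On Catalyst hardware, ACL entries with `log` are processed in software, so keep the logging deny only while validating the rule set and watch the hit counts with `show ip access-lists STUDENT-VLAN-IN`. Each additional school gets its own copy of the VLAN, SVI and ACL with that school's subnet substituted.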