Protecting the LAN

Answered Question
Jan 3rd, 2008

Hello all,

This is my first post here and I hope this place turns out to be a good resource. Here's the situation: my ISP provides me with a modem. The modem allows for Ethernet connection and is run to my Cisco 3700 series router. The second port on the router runs to a Cisco 3524XL switch and then provides a connection to all my computers. One of these computers happens to be a server that I use for file hosting. I forwarded the port on my router to be able to access it from a remote location, no problem.

I have a few issues, but I think the answer to this one question can solve them. My fear is that if my server is compromised, then anyone can jump from there to any of my other computers. To make it even more complicated, I also have a Cisco 1130 Aironet wireless router hanging off this switch which allows for the same problem.

I thought about it and VLANs would be nice, but if my server is in a separate VLAN than the gateway, well then that's a no go. I also thought I could maybe trunk the connection from the router to the switch (w/ router on a stick); now my different VLANs can all talk to a gateway, but also to each other, so no go there. Sadly my switch does not support PVLANs, but it does support a port-protected mode. After reading the description of what it does, I am not sure if it will work. It states that ports are isolated as long as they're protected, but a layer-3 device is needed to forward traffic.

I will continue researching, but if anyone knows of a good way to help out comments will be much appreciated. Thanks in advance!

Juan Carlos Ari... Thu, 01/03/2008 - 17:02

Create a switchport trunk between router and switch, creating VLANs in switch and router to route them (router on a stick as you said), and if you don't want the different VLANs to talk to each other, create ACLs on the interface to control which traffic can access which VLAN.

Hope this helps.

Regards,

Juan Carlos Arias

rebrokenglass Thu, 01/03/2008 - 17:17

That is one option, but more specific and leaves room for errors and tedious configuration. Correct me if I am wrong, but I think this would work...

I would have my ROAS configuration going from fa0/0 on the router to fa0/1 on the switch. That will be a trunk line. I want to have 5 VLANs, all of which will have 5 sub-int gateways (192.168.X.1). Couldn't I put all the ports EXCEPT fa0/1 in "port-protected" mode? That way none of the ports will talk to each other, but will in fact forward information out the fa0/1 interface to the router and therefore still be able to reach the gateway.

Correct Answer
Juan Carlos Ari... Thu, 01/03/2008 - 17:24

That is another easy option; using port protected isolates Layer 2 unicast, multicast, and broadcast traffic from other protected ports on the same switch.

When enabled, communication between protected ports on the same switch is possible only through a Layer 3 device. To prevent communication between protected ports on different switches, you must configure the protected ports for unique VLANs on each switch and configure a trunk link between the switches.

Hope this helps.

AJAZ NAWAZ Wed, 04/22/2009 - 07:54

We have the following scenario:

host---65Kswitch---dot1qTrunk----65Kswitch---host

Which flavour of pvlan modes are required in this scenario?

The requirement is simply for hostA to communicate with hostB. No other communication should be allowed.

thank you in advance

Ajaz

The protection is layer 2 only. You still need the ACLs on the router for real protection. Example: Host A and host B on that switch, and in the same VLAN, can still talk to each other; all you have to do on A is route the B traffic to the router (e.g. a host route or a static ARP entry) and the router will hairpin the traffic back to B. Inter-VLAN traffic has the same issue and doesn't require any changes to the host. Basic routing allows the communication.
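An added example configuration (not from this thread or any of its posters) that puts the two halves of the thread together: protected ports on the 3524XL with the uplink to the router left unprotected, and inbound ACLs on the router's sub-interfaces so that hairpinned same-VLAN traffic and inter-VLAN traffic are dropped at layer 3. The port numbers, VLAN ids, subnets and the server address 192.168.20.10 are assumptions; the thread's 192.168.X.1 gateway convention is kept.

```cisco
! --- Catalyst 3524XL (assumed port roles, not the poster's real config) ---
! fa0/1 is the trunk toward the router and must NOT be protected, or no port
! can reach the gateway. Every other port is protected and sits in its own VLAN.
vlan database
 vlan 10 name TRUSTED
 vlan 20 name SERVER
 vlan 30 name WIRELESS
 exit
interface FastEthernet0/1
 description Trunk to router fa0/0 (router-on-a-stick)
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
interface FastEthernet0/2
 switchport access vlan 20
 port protected
!
interface FastEthernet0/3
 switchport access vlan 30
 port protected
!
! --- 3700-series router ---
! Inbound ACLs on each sub-interface do what "port protected" cannot: a host
! that hairpins through the gateway, or crosses VLANs, still hits these ACLs.
ip access-list extended FROM-SERVER
 ! ACLs are stateless: let the server's SSH replies back to TRUSTED through
 permit tcp host 192.168.20.10 eq 22 192.168.10.0 0.0.0.255 established
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended FROM-WIRELESS
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended FROM-TRUSTED
 ! trusted LAN may manage the server on TCP/22 only, nothing else internal
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 22
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group FROM-TRUSTED in
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group FROM-SERVER in
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group FROM-WIRELESS in
```

With this in place, a compromised server that adds a host route or static ARP entry to reach another internal address still has its packets arrive on Fa0/0.20 and be dropped by the `deny ip any 192.168.0.0 0.0.255.255` line, while its Internet-bound replies through the port forward are unaffected.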

rebrokenglass Fri, 01/04/2008 - 07:58

Alright, well let's say each host is separated by a separate VLAN. Port protected would be enabled and then all traffic would flow out fa0/1 and to the router where the VLANs would be identified. I am not sure if my NIC cards will support trunking, so that may not be an option.
