VLANs on Layer 3 Switch

moses12315 · ‎06-19-2008

I have a department in my network called D department. This D want to be isolated from the network but wants to use some facilities of the network such as email , ftp etc. But D does not want anyone else to be able to enter its PCs. So i put a layer 3 switch in D directly connected with the core Layer 3 switch. Both are 3550 Cisco .

So i configured a special Vlan for D , and i also configured an access-list on its switch and permit in only those facilities that D wants .

The problem is that i cannot configure an access-list out on the layer 3 switch. Also i do not know if that is enought or i have to do something else for increasing the security.

Thanks a lot for your time

Moses

hennigan · ‎06-19-2008

The best solution for this problem is a firewall such as a PIX or ASA. Alternatively you could use a router with IOS firewall feature set and two ethernet interfaces.

j.beckner · ‎06-19-2008

I have a similar situation with a client's Cat4506. Have you any experience trunking VLAN's from the Cat4500 to an IOS firewall router and then use the router's firewall to segment between the VLAN's, as well as connect to the internet. If so, does it work ok?

glen.grant · ‎06-19-2008

Have never heard that , you can not config an acl out on a interface on a 3550 ? Haven't heard of that restriction on any L3 switch. If thats true you learn something new everyday.

challc2008 · ‎06-19-2008

We did something like that but on a Catalyst 4006 switch. Created 3 VLAN's. One of them is for visitors and then created an ACL so that no traffic can get to the other 2 VLAN's from the visitors VLAN.

rsvensson · ‎06-19-2008

Why would you not use Private VLANs over ACLs to keep the traffic from one VLAN from getting into the others? You would just make the other two community VLANs, and the visitor an isolated VLAN. It would seem to be a lot easier and faster to setup and maintain. This could work for the main topic as well.

moses12315 · ‎06-20-2008

I do not know about isolated or community VLANs since i am new in networks. What i know is one of the reasons you create VLANs is security . Since i have the D department in a different VLAN , and i configure an ACL on its link with the core Switch i think that i did well enought. However , i will study those comments you have written and i will be back .

Thanks all of you for your time. You can not imagine how much help you give me everytime i have a problem.

Moses

hobbe · ‎06-23-2008

The simplest thing you can do is to take a firewall and do NAT on it, depending on size (but since you tell us you only need one switch it cant be that many users) i would choosa a asa5505 to do the job, this will fix most of your problems right away.

put the ASA inbetween the two now different networks and have the Inside go towards the D section and then the Outside faces towards the rest of the network.

this makes it that the D section can use all the things they want on the "normal network" and the "normal network" cannot without beeing contacted first reach the D section computers.

It is possible to do some acl stuff with the switches, but it is a true pain in the *** to maintain and have it working the way you want it to.

This is so much easier faster and secure for you to do than the switch thing and in the long run it will save money (time) compared to looking after the ACLs in the switches.

good luck

Armegeden · ‎06-23-2008

hobbe,

I'm not in this situation, but was just browsing over posts and came across this. Very interesting.

While the ASA is the easy solution, what if buying another piece of hardware is not an option? Would you mind taking the time to elaborate on how an ACL for VLANs on a switch would look like/work?

I'm curious because I've dealt with VLANs a bit but have never tried ACL's between them. I would love to learn how to do so.

If you have the time, thanks!