mikegrous Thu, 01/08/2009 - 10:01

What exactly do you mean by a quarantine VLAN? I.e. a VLAN that can talk to no other ports?

I am guessing you want either private VLANs or switchport protected. If you could explain in more detail exactly what you are looking for, that would be helpful.

vnirmal112 Thu, 01/08/2009 - 10:06
Hi,

Thanks for the immediate reply.

Whenever I identify a port with a virus, I would change it to this VLAN, and this VLAN should ideally access only Symantec portals.

Regards,

Nirmal

mikegrous Thu, 01/08/2009 - 10:20

Ah, well, switchport protected may give you the functionality you are looking for:

Depending on how much you want to filter, how big your network is, how many VLANs you have, etc., you may need additional ACLs to block all but a particular host or website, etc.


http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042446



http://www.ifm.net.nz/cookbooks/2950_virus.html
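As an added example (not from this thread or from Cisco's documentation), this is what the protected-port approach looks like on a Catalyst 2950 running the enhanced image, which is needed for IP ACLs on physical ports. The VLAN number, interface names and the Symantec server address are assumed for illustration.

```ios
! Constructed example: VLAN 666 is the quarantine VLAN
vlan 666
 name QUARANTINE
!
! Inbound ACL for a quarantined port: only the (assumed) Symantec
! portal/update server 10.1.1.50 is reachable, plus DHCP so the host
! keeps an address while it is cleaned. Everything else is dropped.
ip access-list extended QUARANTINE-IN
 remark 10.1.1.50 is an assumed address for the Symantec server
 permit ip any host 10.1.1.50
 permit udp any eq bootpc any eq bootps
 deny ip any any
!
! Moving an infected host: put its port in the quarantine VLAN, mark it
! protected (no Layer 2 traffic to other protected ports on this switch)
! and apply the ACL inbound on the physical port (the 2950 only filters
! inbound on physical interfaces, not on SVIs).
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 666
 switchport protected
 ip access-group QUARANTINE-IN in
 spanning-tree portfast
```

Two caveats worth checking with `show interfaces FastEthernet0/10 switchport` and `show access-lists`: `switchport protected` only blocks traffic between protected ports on the same switch, so an infected host can still reach a host in VLAN 666 on another switch over the trunk, and the uplink port is never protected. The ACL is therefore what actually confines the host; on a Layer 3 switch the same ACL would go on the quarantine VLAN's SVI instead of on each port.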


Roberto Salazar Thu, 01/08/2009 - 11:01

Maybe you can use the private VLAN concept? Private VLANs have isolated VLANs and community VLANs, and isolated ports and promiscuous ports. As the name suggests, an isolated VLAN is isolated and does not talk to any other port, even if the other ports are in the same VLAN. A community VLAN talks to other ports in the same community VLAN only, and to promiscuous ports. A promiscuous port talks to everyone. A private VLAN is an isolation between ports in the same VLAN; routed traffic is not affected by private VLANs. Having briefly explained that, you can put the Symantec ports on promiscuous ports and create an isolated VLAN for infected hosts.


Here is more info on private vlans and all the terms mentioned above:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/pvlans.html#wp1132305
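As an added example (not from the thread or from the Cisco guide linked above), here is the private VLAN layout just described on a Catalyst 6500/3560-class switch: the Symantec server on a promiscuous port, infected hosts on isolated host ports, and, because private VLANs do not restrict routed traffic, an ACL on the primary SVI. VLAN numbers, interface names and addresses are assumed.

```ios
! Constructed example. Assumed: primary VLAN 200, isolated secondary VLAN 201,
! Symantec server on Gi1/1, quarantined hosts on Gi1/10-20,
! gateway 10.200.0.1/24 on the primary SVI, Symantec portal at 10.1.1.50.
!
! Private VLANs require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
vlan 201
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Symantec server: promiscuous port, reaches every host in VLANs 200/201
interface GigabitEthernet1/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Infected hosts: isolated host ports, no Layer 2 traffic between them,
! only to the promiscuous port
interface range GigabitEthernet1/10 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Isolation is Layer 2 only. If this SVI is the default gateway the isolated
! hosts could still route anywhere, so map the secondary VLAN onto the SVI
! and filter routed traffic down to the (assumed) Symantec portal.
ip access-list extended QUARANTINE-ROUTED
 permit ip any host 10.1.1.50
 deny ip any any
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
 private-vlan mapping 201
 ip access-group QUARANTINE-ROUTED in
```

`show vlan private-vlan` should list 200 as primary with 201 as its isolated secondary and the ports above under the right type; an isolated host should be able to ping 10.1.1.50 via the promiscuous port but not another isolated host on the same switch.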

Giuseppe Larosa Thu, 01/08/2009 - 11:45

Hello Nirmal,

The concept of a quarantine VLAN used for verification of devices is provided under the NAC (Network Access Control) framework.


see


http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html


This requires deploying an appliance that will be the policy server, with switches acting as policy enforcement points.

To be noted: the current Cisco solution requires one appliance per VTP domain.

Hope this helps,

Giuseppe

