Configuring Quarantine VLAN in an enterprise

Unanswered Question
Jan 8th, 2009

Hi,

Can someone help me with sample configs on how we can implement a quarantine vlan across the enterprise?

Regards,

Nirmal

mikegrous Thu, 01/08/2009 - 10:01

What exactly do you mean by a quarantine vlan, i.e. a vlan that can talk to no other ports?

I am guessing you want either private vlans or switchport protected. If you could explain in more detail exactly what you are looking for, that would be helpful.

vnirmal112 Thu, 01/08/2009 - 10:06

Hi,

Thanks for the immediate reply.

Whenever I identify a port with a virus, I would be changing it to this vlan, and this vlan should ideally access only Symantec portals.

Regards,

Nirmal

mikegrous Thu, 01/08/2009 - 10:20

Ahh, well, switchport protected may give you the functionality you are looking for:

Depending on how much you want to filter, how big your network is, how many vlans, etc., you may need additional ACLs to block only a particular host or website, etc.

http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042446

http://www.ifm.net.nz/cookbooks/2950_virus.html

Roberto Salazar Thu, 01/08/2009 - 11:01

Maybe you can use the private vlan concept? Private vlans have isolated vlans and community vlans, and isolated ports and promiscuous ports. As the name suggests, an isolated vlan is isolated and does not talk to any other port, even if the other ports are in the same vlan. A community vlan talks to other ports in the same community vlan only, and to promiscuous ports. A promiscuous port talks to everyone. Private vlan is an isolation between ports in the same vlan; routed traffic is not affected by private vlan. Having briefly explained that, you can put the Symantec ports on a promiscuous port and create an isolated vlan for infected hosts.

Here is more info on private vlans and all the terms mentioned above:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/pvlans.html#wp1132305
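
A sample configuration of what Roberto describes, added here as an illustration and not part of the original thread: an isolated private VLAN for quarantined hosts, a promiscuous port for the Symantec server, and an ACL on the SVI to cover the routed traffic that private VLANs do not restrict. The platform (Catalyst 3560-class IOS), VLAN numbers, IP addresses and interface names are all assumptions.

```text
! Assumed platform: Catalyst 3560/3750-class IOS. VLAN ids, addresses and
! interface names are made-up values for this example.
!
! Private VLANs require VTP transparent mode (VTP version 1/2).
vtp mode transparent
!
! Primary VLAN 100 carries the quarantine subnet; isolated VLAN 101 holds
! infected hosts, which cannot talk to each other, only to promiscuous ports.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Symantec update server (10.0.100.5, same subnet) on a promiscuous port,
! reachable at layer 2 by every isolated host in VLAN 101.
interface GigabitEthernet0/1
 description Symantec server (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! An infected host is quarantined by applying this isolated-host config.
interface GigabitEthernet0/10
 description Quarantined host
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Private VLANs only isolate at layer 2. Anything routed out of the
! quarantine subnet passes the SVI, so an ACL there limits it to DHCP,
! DNS and an assumed Symantec portal in another subnet.
ip access-list extended QUARANTINE-IN
 remark DHCP relay and DNS so the host can still get an address and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.200.53 eq domain
 remark assumed Symantec portal reachable only over HTTPS
 permit tcp any host 10.0.200.20 eq 443
 remark everything else leaving quarantine is dropped and logged
 deny ip any any log
!
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 ip helper-address 10.0.200.10
 private-vlan mapping 101
 ip access-group QUARANTINE-IN in
```

Verify the result with `show vlan private-vlan` and `show ip access-lists QUARANTINE-IN`; the deny counter and log entries show what a quarantined host is still attempting to reach.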

Giuseppe Larosa Thu, 01/08/2009 - 11:45

Hello Nirmal,

the concept of a quarantine vlan to be used for verification of devices is provided under the NAC (Network Access Control) framework.

see

http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html

this requires deploying an appliance that will act as the policy server, with switches acting as policy enforcement points.

To be noted, the current Cisco solution requires one appliance per VTP domain.

Hope this helps

Giuseppe
