Configuring Quarantine VLAN in an enterprise

vnirmal112
Level 1

Hi,

Can someone help me with sample configs on how we can implement a quarantine VLAN across the enterprise?

Regards,

Nirmal

6 Replies

mikegrous
Level 3

What exactly do you mean by a quarantine VLAN? I.e. a VLAN that can talk to no other ports?

I am guessing you want either private VLANs or switchport protected. If you could explain in more detail exactly what you are looking for, that would be helpful.

Hi,

Thanks for the immediate reply.

Whenever I identify a port with a virus, I would be changing it to this VLAN, and this VLAN should ideally access only the Symantec portals.

Regards,

Nirmal

Ahh, well, switchport protected may give you the functionality you are looking for:

Depending on how much you want to filter, how big your network is, how many VLANs, etc., you may need additional ACLs to block all but a particular host or website, etc.

http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042446

http://www.ifm.net.nz/cookbooks/2950_virus.html
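The protected-port plus ACL approach described in the reply above, written out as an added example (this is not a config posted in the thread). VLAN 999, the interface names and the 10.0.0.x / 10.99.0.x addresses are assumptions; replace them with your own. The access switch is a layer-2 Catalyst such as the 2950, so the ACL lives on whatever router or layer-3 switch holds the SVI for the quarantine VLAN:

```cisco
! Added example, not from the thread. VLAN IDs, addresses and
! interface names are assumptions.
vlan 999
 name QUARANTINE
!
! Infected host: move the port into VLAN 999 and mark it protected so it
! cannot exchange unicast, broadcast or multicast frames with any other
! protected port on this switch.
interface FastEthernet0/7
 description Quarantined host
 switchport mode access
 switchport access vlan 999
 switchport protected
 spanning-tree portfast
!
! Uplink carries VLAN 999 to the switch that routes it.
! An uplink is never marked protected.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan add 999
!
! On the router / layer-3 switch holding the SVI: permit only DHCP, DNS
! and the Symantec server, deny and log everything else.
ip access-list extended QUARANTINE-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.53 eq domain
 permit tcp any host 10.0.0.80 eq 80
 permit tcp any host 10.0.0.80 eq 443
 deny   ip any any log
!
interface Vlan999
 description Quarantine VLAN - infected hosts
 ip address 10.99.0.1 255.255.255.0
 ip access-group QUARANTINE-IN in
```

Two caveats a practitioner will want to keep in mind. `switchport protected` only isolates protected ports on the same switch: two quarantined hosts in VLAN 999 on different access switches can still reach each other across the trunk, so intra-VLAN isolation across the enterprise needs private VLANs instead. And protected ports only affect layer-2 forwarding; without the ACL on the SVI, a quarantined host can still route to the rest of the network, which is exactly what the quarantine is meant to prevent. The `log` keyword on the final deny gives the security team a record of what the infected host tries to reach.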

Did you solve this issue? I am trying to do the same thing.

Maybe you can use the private VLAN concept? Private VLANs have isolated VLANs and community VLANs, and isolated ports and promiscuous ports. As the name suggests, an isolated VLAN is isolated and does not talk to any other port, even the other ports in the same VLAN. A community VLAN talks to other ports in the same community VLAN only, and to promiscuous ports. A promiscuous port talks to everyone. A private VLAN is an isolation between ports in the same VLAN; routed traffic is not affected by private VLANs. Having briefly explained that, you can put the Symantec ports in a promiscuous port and create an isolated VLAN for the infected hosts.

Here is more info on private vlans and all the terms mentioned above:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/pvlans.html#wp1132305
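The private VLAN layout suggested in the reply above, written out as an added example (it is not a config from the thread or from the linked Cisco guide). Primary VLAN 200, isolated secondary VLAN 201, the interface names and the addresses are all assumptions. The switch must be private-VLAN capable (Catalyst 6500, 4500, 3560/3750 and similar), and the same VLAN definitions must exist on every switch the quarantine spans:

```cisco
! Added example, not from the thread. VLAN IDs, addresses and
! interface names are assumptions.
!
! Private VLANs require VTP transparent mode; VTP v1/v2 does not
! propagate the private-VLAN attributes.
vtp mode transparent
!
vlan 201
 name QUARANTINE-ISOLATED
 private-vlan isolated
!
vlan 200
 name QUARANTINE-PRIMARY
 private-vlan primary
 private-vlan association 201
!
! Infected host: isolated host port. It can reach promiscuous ports only,
! never another isolated port, even one on a different switch.
interface GigabitEthernet1/0/7
 description Quarantined host
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! Symantec server: promiscuous port, reachable by every host in 201.
interface GigabitEthernet1/0/24
 description Symantec server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Trunks between switches carry 200 and 201 like ordinary VLANs; each
! switch enforces the isolation for 201 itself, so it holds end to end.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan add 200,201
!
! Private VLANs restrict layer-2 forwarding only. If the primary VLAN has
! an SVI, map the secondary VLAN to it and filter with an ACL, otherwise
! every isolated host can still route out to the rest of the network.
ip access-list extended QUARANTINE-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.53 eq domain
 permit tcp any host 10.0.0.80 eq 80
 permit tcp any host 10.0.0.80 eq 443
 deny   ip any any log
!
interface Vlan200
 description Quarantine primary VLAN SVI
 ip address 10.99.0.1 255.255.255.0
 private-vlan mapping 201
 ip access-group QUARANTINE-IN in
```

Unlike `switchport protected`, the isolation here is a property of VLAN 201 rather than of one switch, which is what makes it usable across an enterprise. The ACL on the SVI still matters, for the reason the reply gives: routed traffic is not affected by the private VLAN. If the Symantec server sits on a different subnet rather than on a promiscuous port, drop the promiscuous port and rely on the ACL alone to permit it.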

Hello Nirmal,

The concept of a quarantine VLAN used for verification of devices is provided under the NAC (Network Access Control) framework.

see

http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html

This requires deploying an appliance that acts as a policy server, with the switches acting as policy enforcement points.

To be noted: the current Cisco solution requires one appliance per VTP domain.

Hope to help

Giuseppe
