10-14-2014 11:37 AM - edited 03-11-2019 09:55 PM
I have a 3550 SMI IOS 12.2 switch. I want to set up HTTP, HTTPS and DNS services for the internet. I do not need to set up any mail or web server.
The connection as follows:
Internet ---------Modem----------3550-----------Computer
The modem has no security function; all the security settings will be on the 3550 switch. So what is the best approach?
Is it layer 2 or layer 3 security? And can I run a VPN for internet surfing? Please kindly advise.
Thanks,
Susan
10-14-2014 12:17 PM
Are you planning on using NAT? The 3550 is not able to do NAT, which may cause you some issues if you are planning to go from public to private IP. The 3550 won't be able to do an IPsec VPN either. Sounds like you should consider getting an ISR to terminate the internet connection.
10-14-2014 12:24 PM
Thanks for the reply. The modem will run PPPoE and NAT. In my case, which is best: layer 2 or layer 3 security?
10-14-2014 12:29 PM
I'd recommend the config guide http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swtrafc.html
Not sure how secure or what you are trying to secure so it is hard to make any recommendation. I'd recommend a firewall if you are looking for security features.
10-14-2014 12:43 PM
A 3550 is a switch, which is by definition the wrong device for your setup. You won't find any security functions in it that will be useful for this setup.
You need either a router (for example one of the 870s with Advanced Security Image) or a firewall (like the ASA 5505).
10-14-2014 01:10 PM
Thanks for the Reply.
When I configured the switch I found out some interesting things. I am not sure if the
configuration is correct or I missed something. Please help take a look.
----------------------------------------------------------------------------------
! Outbound traffic from the computer: drop private, loopback, unspecified and
! broadcast sources, drop routing-protocol traffic, allow only DNS, HTTP and
! HTTPS, and log everything else that is denied.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny tcp any any eq bgp
access-list 101 deny eigrp any any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq 443 log
access-list 101 deny ip any any log
!
! Port ACL: applied to the Layer 2 access port, so it is checked against all
! IP traffic entering fa0/1 from the computer.
interface FastEthernet0/1
 switchport
 switchport access vlan 10
 switchport mode access
 ip access-group 101 in
!
interface Vlan1
 no ip address
!
That works normally.
-----------------------------------------------------------------------------------------------------------------------------------
But when I put access-list 101 on VLAN interface 10, my computer can access the internet???
! Same source and routing-protocol filters as above, but with no permit lines:
! everything that reaches this list is denied and logged.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny tcp any any eq bgp
access-list 101 deny eigrp any any
access-list 101 deny ip any any log
!
! Router ACL: applied to the SVI, so it is checked only against traffic that
! is routed through interface Vlan10.
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/1
 switchport
 switchport access vlan 10
 switchport mode access
!
interface Vlan1
 no ip address
!
-----------------------------------
In both cases VLAN 1 is down; I connect nothing and assign nothing to VLAN 1.
So does the configuration have a problem? Or
is it something to do with VLAN 1?
Or something I missed?
Thanks
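The following is an added example, not code from the original post: a small Python model of the two access-list 101 variants above. It parses the posted lines with IOS first-match semantics (including the implicit deny at the end of every list), runs a few constructed packets from the computer through them, and models where a Catalyst 3550 consults a numbered ACL: a port ACL on a Layer 2 port is checked for all traffic entering that port, while a router ACL on an SVI is checked only for traffic routed through that SVI (see the ACL chapter of the 3550 configuration guide linked earlier in the thread). The sample addresses, the `Packet` and `Entry` types and the placement rule in `decide()` are assumptions made for this illustration; in particular it assumes the computer's default gateway is the NAT modem, so computer-to-modem traffic is bridged inside VLAN 10 and never crosses interface Vlan10.

```python
"""Added example, not code from the original post: IOS first-match evaluation of the two
access-list 101 variants above, plus a model of where a Catalyst 3550 consults them.
Addresses, packets and the placement rule in decide() are assumptions for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the post: the list applied to fa0/1 (port ACL).
ACL_PORT = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny tcp any any eq bgp
access-list 101 deny eigrp any any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq 443 log
access-list 101 deny ip any any log
"""
# The variant applied to interface Vlan10 is the same list without the permits.
ACL_SVI = "\n".join(l for l in ACL_PORT.splitlines() if " permit " not in l)
PORT_NAMES = {"bgp": 179, "domain": 53, "www": 80}   # IOS port keywords used above

@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "eigrp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str
    proto: str                    # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port
    text: str

def _addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tok.pop(0) + "/32")
    return ipaddress.IPv4Network((first, tok.pop(0)))  # ipaddress accepts a wildcard (host mask)

def _port(tok: List[str]) -> Optional[int]:
    """Consume an optional 'eq <number|keyword>' qualifier."""
    if not tok or tok[0] != "eq":
        return None
    name = tok[1]
    del tok[:2]
    return int(name) if name.isdigit() else PORT_NAMES[name]

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()        # access-list <number> <action> <proto> <src> [eq p] <dst> [eq p] [log]
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = _addr(rest)
        _port(rest)               # source-port qualifier (not used in this list)
        dst = _addr(rest)
        entries.append(Entry(action, proto, src, dst, _port(rest), line))
    return entries

def first_match(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """IOS semantics: first matching entry wins; leftovers hit the implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in acl:
        if e.proto in ("ip", pkt.proto) and s in e.src and d in e.dst \
                and (e.dport is None or e.dport == pkt.dport):
            return e.action, e.text
    return "deny", "implicit deny ip any any"

def decide(acl: List[Entry], placement: str, pkt: Packet, routed: bool) -> Tuple[str, str]:
    """Assumed model of where the 3550 consults the list: a port ACL ('port') is
    checked for all traffic entering the Layer 2 port; a router ACL on an SVI ('svi')
    only for traffic routed through that SVI, so traffic bridged inside VLAN 10 from
    the computer to the modem port never reaches the list on interface Vlan10."""
    if placement == "svi" and not routed:
        return "forward", "bridged within the VLAN; router ACL on the SVI not consulted"
    return first_match(acl, pkt)

# Constructed sample flows from the computer (192.168.1.10) entering fa0/1; the
# 198.51.100.0/24 and 203.0.113.0/24 destinations are documentation ranges, not real hosts.
SAMPLES = {
    "dns":   Packet("udp", "192.168.1.10", "198.51.100.53", 53),
    "https": Packet("tcp", "192.168.1.10", "203.0.113.10", 443),
    "ssh":   Packet("tcp", "192.168.1.10", "203.0.113.10", 22),
    "dhcp":  Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "spoof": Packet("tcp", "10.1.2.3", "203.0.113.10", 443),
}

if __name__ == "__main__":
    port_acl, svi_acl = parse_acl(ACL_PORT), parse_acl(ACL_SVI)
    for name, pkt in SAMPLES.items():
        print(name, "fa0/1:", decide(port_acl, "port", pkt, False), "Vlan10:", decide(svi_acl, "svi", pkt, False))
```

Running it prints one line per sample flow: with the list on fa0/1 only the DNS and HTTPS packets are permitted and the SSH, spoofed-source and DHCP packets are denied (DHCP DISCOVER is caught by the `host 0.0.0.0` line, which matters if the computer gets its address from the modem); with the permit-less list on interface Vlan10 every flow is reported as forwarded, because under this model the computer's bridged traffic to the modem is never routed through the SVI, so the list is not consulted at all.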