Cisco 3550 SMI switch for security setup ?

susanng90
Level 1

I have a 3550 SMI switch running IOS 12.2. I want to set up HTTP, HTTPS and DNS services for internet access. I do not need to set up any mail or web server.

The connection is as follows:

Internet ---------Modem----------3550-----------Computer

The modem has no security functions; all the security settings will be on the 3550 switch. So what is the best approach?

Is it Layer 2 or Layer 3 security? And can I run a VPN for internet surfing? Please kindly advise.

Thanks,

Susan


5 Replies

michael o'nan
Level 4

Are you planning on using NAT? The 3550 is not able to do NAT, which may cause you some issues if you are planning to go from public to private IP. The 3550 won't be able to do an IPsec VPN either. Sounds like you should consider getting an ISR to terminate the internet connection.

Thanks for the reply. The modem will run PPPoE and NAT. In my case, what is the best: Layer 2 or Layer 3 security?

I'd recommend the config guide http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swtrafc.html

Not sure how secure or what you are trying to secure, so it is hard to make any recommendation. I'd recommend a firewall if you are looking for security features.

A 3550 is a switch, which is by definition the wrong device for your setup. You won't find any security functions in it that will be useful for this setup.

You need either a router (for example one of the 870s with Advanced Security Image) or a firewall (like the ASA 5505).

Thanks for the reply.

When I configured the switch I found out some interesting things. I am not sure if the configuration is correct or if I missed something. Please help take a look.

----------------------------------------------------------------------------------

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   tcp any any eq bgp
access-list 101 deny   eigrp any any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq 443 log
access-list 101 deny   ip any any log
!
! Port ACL: applied inbound on the Layer 2 access port in VLAN 10
interface FastEthernet0/1
 switchport
 switchport access vlan 10
 switchport mode access
 ip access-group 101 in
!
interface Vlan1
 no ip address
!

That works normally.
----------------------------------------------------------------------------------
But when I put access-list 101 on VLAN interface 10, my computer can access the internet ???

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   tcp any any eq bgp
access-list 101 deny   eigrp any any
access-list 101 deny   ip any any log
!
! Router ACL: applied inbound on the VLAN 10 SVI
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/1
 switchport
 switchport access vlan 10
 switchport mode access
!
interface Vlan1
 no ip address
!
-----------------------------------
In both cases, VLAN 1 is down; I connect nothing and assign nothing to VLAN 1.

So does the configuration have a problem? Or is it something to do with VLAN 1?
Or something I missed?

Thanks
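To make the behaviour of the two pasted ACLs concrete, here is an added example, not code from the thread or from Cisco: a small Python evaluator for IOS extended access-list lines. It parses `any`, `host A` and `A WILDCARD` address specs, resolves the port keywords the thread uses (`domain`, `www`, `bgp`), and applies first-match semantics with the implicit deny at the end. The two ACLs are the ones pasted above; the sample packets are constructed. It models only the match logic, not where the ACL is attached. That attachment point is the other half of the picture: on a Catalyst switch a port ACL on a Layer 2 interface filters all traffic entering that port, whereas a router ACL on an SVI filters only traffic routed through that interface, so frames switched within VLAN 10 towards a gateway in the same VLAN never reach it.

```python
"""Evaluate Cisco IOS extended access-list lines against sample flows.

Added example; models first-match / implicit-deny ACL logic only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# IOS keyword names for the ports that appear in the thread's ACL lines.
PORT_NAMES = {"domain": 53, "www": 80, "bgp": 179}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "eigrp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class ACE:
    action: str
    proto: str
    src: Callable[[int], bool]
    dst: Callable[[int], bool]
    dport: Optional[int]
    log: bool
    text: str


def _addr_matcher(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        addr = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, a=addr: ip == a), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = ~wildcard & 0xFFFFFFFF      # wildcard 1-bits are "don't care"
    return (lambda ip, a=addr, c=care: (ip & c) == (a & c)), i + 2


def parse_ace(line):
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>] [log]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2], t[3]
    src, i = _addr_matcher(t, 4)
    dst, i = _addr_matcher(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    log = i < len(t) and t[i] == "log"
    return ACE(action, proto, src, dst, dport, log, " ".join(t))


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip().startswith("access-list")]


def evaluate(acl, pkt):
    """Return (action, matched entry). First match wins; implicit deny otherwise."""
    src = int(ipaddress.IPv4Address(pkt.src))
    dst = int(ipaddress.IPv4Address(pkt.dst))
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (ace.src(src) and ace.dst(dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# The ACL from the first (port ACL) configuration in the thread.
ACL_PORT = """
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   tcp any any eq bgp
access-list 101 deny   eigrp any any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq 443 log
access-list 101 deny   ip any any log
"""

# The ACL from the second (SVI) configuration: deny entries only.
ACL_SVI = "\n".join(ACL_PORT.strip().splitlines()[:7] + ["access-list 101 deny   ip any any log"])

# Constructed sample flows from a host in 192.168.1.0/24 plus two spoofed sources.
SAMPLE_PACKETS = [
    Packet("udp", "192.168.1.10", "8.8.8.8", 53),
    Packet("tcp", "192.168.1.10", "203.0.113.5", 443),
    Packet("tcp", "192.168.1.10", "203.0.113.5", 22),
    Packet("tcp", "10.1.2.3", "203.0.113.5", 80),
    Packet("tcp", "172.20.1.1", "203.0.113.5", 80),
]

if __name__ == "__main__":
    for name, text in (("port ACL", ACL_PORT), ("SVI ACL", ACL_SVI)):
        acl = parse_acl(text)
        print(f"--- {name}")
        for p in SAMPLE_PACKETS:
            action, why = evaluate(acl, p)
            print(f"{p.proto:5} {p.src:>14} -> {p.dst:<14} dport={p.dport!s:4} {action:6} ({why})")
```

Running it shows the first ACL letting DNS, HTTP and HTTPS through from 192.168.1.10 while SSH falls to the final logged deny and the RFC 1918-sourced packets hit the anti-spoofing entries; the second ACL denies every flow, and dropping its last line makes the implicit deny visible.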
