Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

New at this

When it comes to the Cisco world, I am new at this. At our business, we have a number of Cisco switches, mostly 2950's, 24 & 48 port. Up to now, we've basically been using them as hubs. Is it my understanding that we can configure them so that we can isolate ceratin ports for certain computers? Case in point. I would like to isolate our accounting department so that only their server and the five computers in their department only have access to their computers. But, I want these computers to be able to talk to the rest of the world. And I want to be able to get to them if I need to perform any updates of upgrades to them. Can I configure the 2950 switch to do so? And if so, where do I start?

4 REPLIES
Green

Re: New at this

Sounds more like a homework assignment ;-)

Yes, you can configure independent groups of ports that are isolated from each other, the more common term these days is VLAN (i.e., "Virtual LAN").

A VLAN is a broadcast domain, like an independent switch or hub ... only the ports all reside in the same box. Treat each VLAN like a free-standing, independent switchor hub.

The bad news is, they (VLANs in a 2950)*are* independent groups of ports and, as such, do not talk to each other without some sort of connecting device. Most common would be a router.

Other choices, depending on your desired level of security would be a firewall (could permit the accounting folks access to the Internet or Corporate network but restrict inbound traffic to the accounting dept).

Another choice would be multiple interfaces to a common server. Many / most server-class OS (MS, Linux, Unix) would permit youto talk to one VLAN from another in the same fashion as a firewall (MS would likely be something like IAS, unix/linux would be some flavor of firewall process).

Another choice would be to add a "Layer 3 switch" which is, by function, a very fast (usually) LAN-only router. Something like a 3550 or 3750 with L3 firmware would allow you to connect your VLANs, offer some access control (similar to a router), and you can do it on one physical link in an 802.1q trunk (all VLANs on one link) or one physical link / cable per VLAN (802.1q would be the preferred method).

So, short story, the 2950 can do VLANs, you need a router, a firewall (either appliance or host acting as a router / firewall), or an L3 switch to permit communication between VLANs.

Good Luck

Scott

Blue

Re: New at this

it sounds like what you're really needing is access control lists. (aka ACLs or VACLs in your case)

what you would do is define multiple VLANs.

one for accounting, one for all others; (or however many vlans you need)

then you will assign specific ports to the accounting vlan, and all others to the other vlan.

the accounting vlan will contain the accounting server(s) and accounting PCs.

then you will need to define ACLs/VACLs to allow or deny specific or all traffic to or from the accounting vlan.

please see the following link for more info on VLAN configuration on the 2950:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html

please see the following link for more info on ACL configuration for the 2950:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c8.html

New Member

Re: New at this

Let's slow it down a bit. First of all, ScottMac is dead on. Good response. There are a number of ways this can be done and a simple router or L3 switch would take care of most of your concerns. There are some steps to be taken to accomplish what you want.

Step 1 is the VLANs. This separates the departmental traffic into individual "broadcast domains." When this is done then the systems in each VLAN can no longer communicate with systems in any other VLAN without a layer 3 device such as a router or L3 switch.

Step 2 is the L3 device. There are a number of ways to connect this device, depending on what it is, and some things that should be considered when choosing the device. If your environment requires access to the outside world (Internet) and does not need any communication between the VLANs then a router will suffice because those communications will be throttled by the Internet bandwidth. If you foresee any need for systems in each VLAN to communicate with each other, even if it is restricted, you might consider using a L3 switch depending on the number of users. It basically comes down to a tradeoff. Routers are generally more versatile in terms of their L3/routing/security functionality but smaller routers especially can bog down if traffic gets excessive. L3 switches on the other hand use Applications Specific Integrated Circuits (ASICs) to make forwarding decisions in hardware so they can typically handle as much traffic as you can throw at them but may be missing some L3 features in terms of routing protocols and security abilities.

Step 3 is security. In the router and L3 switch world this takes the form of Access Control Lists (ACLs). You basically create rules that permit or deny traffic based on certain criteria and then apply those rules to an interface. For many platforms those rules can only be applied in one direction, inbound or outbound, on an interface. For some of the newer platforms and software you can apply one ACL to the inbound direction of an interface and, most commonly, a mirror-image ACL to the outbound direction of the interface. This is a nice feature that adds a little more security than the unidirectional ACLs. Some of the routers, depending on software, support an advanced concept called Context-Based ACLs and you are welcome to do some reading on that. VACLs were mentioned as well but they are also a more advanced concept and are really more designed to restrict and control traffic within a VLAN as opposed to between VLANs. As ScottMac mentioned, firewalls are an option as well. Technically the ACLs are a type of firewall but normally when people mention firewall they are really talking about a "stateful" firewall. A stateful firewall operates by using a set of rules that apply to traffic in both directions. The trick is that your rule will typically specify one direction. For example it might be configured to only allow HTTP from certain IP addresses within your network to all addresses on the Internet. It will then only allow return HTTP traffic from the Internet that matches legitimate sessions initiated from within your network.

Another design option you might consider that will scale well over time is to separate your departmental clients into VLANs but also put ALL of your server resources into one VLAN together. We can talk more about how that could work and the security implications associated with it.

There are a number of other things that should be discussed as you make this transition. I would be happy to answer as many questions as I can but in reality my time will not scale well. I strongly suggest engaging a certified local Cisco partner that is focused on small/medium business environments and can help you with your design and implementation efforts. If you will tag me via e-mail (tylwest@cisco.com) I will be glad to help you find one.

Best of luck!

New Member

Re: New at this

Sorry to barge in on this. Such an interesting reading.

I have much the same issue but in my case we have L3 switches with many VLANs separating off different departments and servers/services.

We actually want to secure the personnel dept VLAN so that no other user VLAN can access their VLAN but they in the personnel VLAN can access servers and also the Internet just like any other VLAN.

I have had a look at VACL but it really seems complicated but if that is the way I have to go then I will have to use it.

Will you be able to help?

I have attached a Visio diagram depicting how we have structured the VLAN at our site.

For now, the personnel server is the normal server vlan but if I have to move it to a separate vlan for the purpose of security then this I will do.

122
Views
0
Helpful
4
Replies
CreatePlease login to create content