When it comes to the Cisco world, I am new at this. At our business, we have a number of Cisco switches, mostly 2950's, 24 & 48 port. Up to now, we've basically been using them as hubs. Is my understanding correct that we can configure them so that we can isolate certain ports for certain computers? Case in point: I would like to isolate our accounting department so that only their server and the five computers in their department have access to their computers. But I want these computers to be able to talk to the rest of the world. And I want to be able to get to them if I need to perform any updates or upgrades to them. Can I configure the 2950 switch to do so? And if so, where do I start?
Yes, you can configure independent groups of ports that are isolated from each other, the more common term these days is VLAN (i.e., "Virtual LAN").
A VLAN is a broadcast domain, like an independent switch or hub ... only the ports all reside in the same box. Treat each VLAN like a free-standing, independent switch or hub.
The bad news is, they (VLANs in a 2950) *are* independent groups of ports and, as such, do not talk to each other without some sort of connecting device. Most common would be a router.
Other choices, depending on your desired level of security would be a firewall (could permit the accounting folks access to the Internet or Corporate network but restrict inbound traffic to the accounting dept).
Another choice would be multiple interfaces to a common server. Many / most server-class OS (MS, Linux, Unix) would permit you to talk to one VLAN from another in the same fashion as a firewall (MS would likely be something like IAS, unix/linux would be some flavor of firewall process).
Another choice would be to add a "Layer 3 switch" which is, by function, a very fast (usually) LAN-only router. Something like a 3550 or 3750 with L3 firmware would allow you to connect your VLANs, offer some access control (similar to a router), and you can do it on one physical link in an 802.1q trunk (all VLANs on one link) or one physical link / cable per VLAN (802.1q would be the preferred method).
So, short story, the 2950 can do VLANs, you need a router, a firewall (either appliance or host acting as a router / firewall), or an L3 switch to permit communication between VLANs.
Let's slow it down a bit. First of all, ScottMac is dead on. Good response. There are a number of ways this can be done and a simple router or L3 switch would take care of most of your concerns. There are some steps to be taken to accomplish what you want.
Step 1 is the VLANs. This separates the departmental traffic into individual "broadcast domains." When this is done then the systems in each VLAN can no longer communicate with systems in any other VLAN without a layer 3 device such as a router or L3 switch.
Step 2 is the L3 device. There are a number of ways to connect this device, depending on what it is, and some things that should be considered when choosing the device. If your environment requires access to the outside world (Internet) and does not need any communication between the VLANs then a router will suffice because those communications will be throttled by the Internet bandwidth. If you foresee any need for systems in each VLAN to communicate with each other, even if it is restricted, you might consider using a L3 switch depending on the number of users. It basically comes down to a tradeoff. Routers are generally more versatile in terms of their L3/routing/security functionality but smaller routers especially can bog down if traffic gets excessive. L3 switches on the other hand use Application Specific Integrated Circuits (ASICs) to make forwarding decisions in hardware so they can typically handle as much traffic as you can throw at them but may be missing some L3 features in terms of routing protocols and security abilities.
Step 3 is security. In the router and L3 switch world this takes the form of Access Control Lists (ACLs). You basically create rules that permit or deny traffic based on certain criteria and then apply those rules to an interface. For many platforms those rules can only be applied in one direction, inbound or outbound, on an interface. For some of the newer platforms and software you can apply one ACL to the inbound direction of an interface and, most commonly, a mirror-image ACL to the outbound direction of the interface. This is a nice feature that adds a little more security than the unidirectional ACLs. Some of the routers, depending on software, support an advanced concept called Context-Based ACLs and you are welcome to do some reading on that. VACLs were mentioned as well but they are also a more advanced concept and are really more designed to restrict and control traffic within a VLAN as opposed to between VLANs. As ScottMac mentioned, firewalls are an option as well. Technically the ACLs are a type of firewall but normally when people mention firewall they are really talking about a "stateful" firewall. A stateful firewall operates by using a set of rules that apply to traffic in both directions. The trick is that your rule will typically specify one direction. For example it might be configured to only allow HTTP from certain IP addresses within your network to all addresses on the Internet. It will then only allow return HTTP traffic from the Internet that matches legitimate sessions initiated from within your network.
Another design option you might consider that will scale well over time is to separate your departmental clients into VLANs but also put ALL of your server resources into one VLAN together. We can talk more about how that could work and the security implications associated with it.
There are a number of other things that should be discussed as you make this transition. I would be happy to answer as many questions as I can but in reality my time will not scale well. I strongly suggest engaging a certified local Cisco partner that is focused on small/medium business environments and can help you with your design and implementation efforts. If you will tag me via e-mail (firstname.lastname@example.org) I will be glad to help you find one.
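The three steps above (and ScottMac's suggestion of a 2950 trunked to an L3 switch such as a 3550) put together as one worked configuration. This is an added example, not configuration from either reply or from Cisco: the VLAN numbers (10 accounting, 20 office, 99 management), the 10.0.x.0/24 subnets, the port assignments, the admin workstation at 10.0.99.5, the internal DNS server at 10.0.20.53 and the default-route next hop are all constructed assumptions. The 2950 stays a pure layer-2 switch; the 3550 routes between the VLANs and carries the ACL that decides who may reach the accounting VLAN.

```cisco
! ===== 2950 access switch (layer 2 only) =====
! Constructed example: VLAN numbers, ports and addresses are assumptions.
vlan 10
 name ACCOUNTING
vlan 20
 name OFFICE
vlan 99
 name MGMT
!
! Accounting server and the five accounting workstations on ports 1-6
interface range FastEthernet0/1 - 6
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Everyone else
interface range FastEthernet0/7 - 23
 switchport mode access
 switchport access vlan 20
!
! 802.1q trunk carrying all three VLANs to the L3 switch
! (the 2950 only speaks dot1q, so no encapsulation command is needed here)
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! The switch's own management address sits in the MGMT VLAN
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
ip default-gateway 10.0.99.1

! ===== 3550 with L3 firmware: inter-VLAN routing plus the ACL =====
ip routing
vlan 10
vlan 20
vlan 99
!
! Applied OUTBOUND on Vlan10, i.e. to traffic leaving the switch toward
! the accounting hosts. It therefore controls who may reach accounting.
ip access-list extended TO-ACCOUNTING
 remark Admin workstation may open anything into accounting (updates/upgrades)
 permit ip host 10.0.99.5 10.0.10.0 0.0.0.255
 remark DNS answers from the internal resolver (assumed address)
 permit udp host 10.0.20.53 eq 53 10.0.10.0 0.0.0.255
 remark Replies to TCP sessions the accounting hosts opened themselves.
 remark 'established' only checks the ACK/RST flag bits; it is NOT stateful,
 remark which is the unidirectional-ACL limitation described in step 3.
 permit tcp any 10.0.10.0 0.0.0.255 established
 remark Nothing else from inside the company reaches accounting
 deny   ip 10.0.0.0 0.0.255.255 10.0.10.0 0.0.0.255
 remark Remaining (Internet return) traffic passes; unsolicited traffic from
 remark the Internet is the job of the edge firewall, not this ACL
 permit ip any 10.0.10.0 0.0.0.255
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group TO-ACCOUNTING out
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan99
 ip address 10.0.99.1 255.255.255.0
!
! Trunk back to the 2950 (3550 ports support ISL too, so encapsulation is set)
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Default route toward the Internet router / firewall (assumed next hop)
ip route 0.0.0.0 0.0.0.0 10.0.20.254
```

After applying this, `show vlan brief` on the 2950 confirms the port-to-VLAN mapping, `show interfaces trunk` on both boxes confirms the trunk and allowed VLANs, and `show ip access-lists TO-ACCOUNTING` on the 3550 shows per-entry hit counters, which is the quickest way to see whether a blocked connection is hitting the `deny` line or simply has no route. The `established` entry is exactly the compromise the reply warns about: it lets return traffic through by looking at TCP flags rather than tracking sessions, so a stateful firewall (or the CBAC `ip inspect` feature on a router that supports it) in front of the accounting VLAN is the stronger option if the department's data warrants it.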