Adding switch in to production network and seprate traffic on sw

svaishya20 · ‎11-15-2011

Hi all,

I have to add a switch in production network through VTP domain. I need to seprate the traffic from each clients.

So scenario is like this -

I have to connect two server on this switch and other ports on this switch is connected to client end.

So my concern is what we need to do when we are adding a new switch in network and second how can we seprate the traffic for each client so that they can not access each other traffic.

Thanks

Saurabh

Reza Sharifi · ‎11-15-2011

HI,

Before adding a VTP client switch to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain.

have a look at the config guide for example:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvtp.html

As how to separate traffic. You can put each customer in a separate vlan and use ACL to deny traffic between them. You can also put each customer in a different VRF (if your IOS support it).

HTH

svaishya20 · ‎11-15-2011

Hi Reza,

thanks for replying.

Suppose my server is on 10.200.x.x network and client end is 192.168.1.0/ 24.

So for each client i will assing the vlan and create a svi for each vlan on switch.

in order to not access each other traffic what will be format of ACL we need to use and on which interface e.g SVI.

and do we need to also take care of routing on switch ?

thanks
Saurabh

Leo Laohoo · ‎11-15-2011

Set up VLAN Trunking and only allow the VLANs you want to traverse the VLAN Trunk.

Set your VTP to Transparent Mode.

svaishya20 · ‎11-15-2011

Any one can shed light on it.

Thanks

Reza Sharifi · ‎11-15-2011

Hi,

Correct, for each vlan you need to create an SVI

in order to not access each other traffic what will be format of ACL we need to use and on which interface e.g SVI

Correct see example below

and do we need to also take care of routing on switch ?

If you are creating the SVIs on the same switch, then the SVIs will be routed. All you need is to make sure routing is enabled on your switch

have a look at this example:

In this scenario you are denying traffic between the server and client vlan,

vlan 200 is server vlan

vlan 210 is client vlan

vlan 200 = 192.168.200.0/24

vlan 210= 192.168.210.0/24

access-list 111 deny ip 192.168.200.0 0.0.0.255 192.168.210.0 0.0.0.255

access-list 111 permit ip 192.168.200.0 0.0.0.255 any

access-list 112 deny ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 112 permit ip 192.168.210.0 0.0.0.255 any

int vlan 200

ip access-group 111 in

int vlan 210

ip access-group 112 in

svaishya20 · ‎11-15-2011

Thanks Reza,

I want to deny traffic between each client not to server.

So each clients must have access to server but clients do not have access to each other.

Vlan seprate the traffic and can provide solution for this thing but I think we need to apply access list on each SVI for safer side.

vlan 210 is client 1 vlan

vlan 220 is client 2 vlan

For vlan 210

access-list 112 permit ip 192.168.210.0 0.0.0.255 192.168.200.0 0.0.0.255

deny ip any any

and for 220 is client 2

access-list 112 permit ip 192.168.220.0 0.0.0.255 192.168.200.0 0.0.0.255

deny ip any any

and apply on SVI.

So in this case we can access data from server and seprate each client from accessing traffic.

Please share your idea.

and second thing can we achieve by using private vlan ?

Thanks

Saurabh

CSCO11508096 · ‎11-15-2011

Hi,

While adding the switch in the live network takje care of the VTP revision no. It should be lower.

For securing the network at layer 2 the best way is to............

Configure the Switch interface connected to Server as a promiscous port.

And rest of the ports that are connected to client as a isolate port.

Promiscuous port communicates with all other PVLAN ports. The promiscuous port is the port that you typically use to communicate with external routers, LocalDirectors, network management devices, backup servers, administrative workstations, and other devices. On some switches, the port to the route module

An isolated port has complete Layer 2 separation from other ports within the same PVLAN. This separation includes broadcasts, and the only exception is the promiscuous port. A privacy grant at the Layer 2 level occurs with the block of outgoing traffic to all isolated ports. Traffic that comes from an isolated port forwards to all promiscuous ports only.

svaishya20 · ‎11-15-2011

Thanks for explaining the PVLAN.

If i am configuring by using PVLAN - Do i need to configure the ACL to seprate traffic between clients.

or Pvlan are able to do it ?

CSCO11508096 · ‎11-15-2011

Hi,

No need to configure ACL in your scenario....... If you want to seprate traffic flow based on the port no. than only you need to configure VACL.

Private VLAN will work fine in your case...

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.sh

svaishya20 · ‎11-16-2011

Hi,

I would like to ask how does it differentiate traffics flow from different clients because only one subnet will use as default gateway.

so all the client devices will point to that SVI ip address. do we need to ask client to configure static routes because at client end it can be switch, router or linux device.

thanks

Saurabh

Adding switch in to production network and seprate traffic on switch