Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How do I isolate one workstation on a LAN

The goal:

We have Windows XP workstation that we want to isolate from our entire LAN and our Internet gateway (outbound) with the exception of one server (inbound) This server simply needs to map a drive letter to a fileshare on the XP client, copy a flat file export from the XP client once a day, and close the fileshare back up when done.

The Environment

The Server side of the equation:

Cisco Catalyst 6509 in hybrid mode

CatOS v6.3(7)and

IOS 12.1(13)E on the MSFC2 (sup1a)

VTP v2 Server

802.1q is enabled on all trunks to our 2950's in edge closets.

HP Proliant G4 with HP nic teaming driver. This server has a static up of 10.10.5.35 and it's ports are members of our "VLAN 10" (10.10.x.x/16)

The Client Side of the equation:

Catalyst 2950C-24

running IOS 12.1(9)EA1

VTP v2 Client

Connected to the Catalyst 6509 above with one 100FX trunk 802.1q enabled

Intel P4 clone running Windows XP Pro SP2

Generic 10/100 NIC driver with no 802.1q support. It's connected to a switchport with static access to our "VLAN 70" (10.70.x.x/16)

What would be the best way to design this to meet the goal at the top?

14 REPLIES
Hall of Fame Super Blue

Re: How do I isolate one workstation on a LAN

Hi Paul

The simplest way to do this is just to create a new vlan purely for the XP client and then use L3 acls to lock down the traffic.

eg server address 192.168.5.1.

client address 192.168.10.1

access-list 101 permit ip host 192.168.5.1 host 192.168.10.1

access-list 101 deny ip any any

access-list 102 permit ip host 192.168.10.1 host 192.168.5.1

access-list 102 deny ip any any

int vlan 80 (new vlan fro XP client)

ip access-group 101 out

ip access-group 102 in

HTH

Jon

New Member

Re: How do I isolate one workstation on a LAN

Thanks for the reply Jon.

Unfortunately, I now seem to have a basic lack of understanding on how to route between those 2 vlans.

Keeping with my example, forgetting about ACL's for the moment since I can't seem to even establish basic IP connectivity between my 2 hosts, this is my setup so far.

2003 Server host

10.10.5.35 - host IP address

255.255.0.0 - subnet mask

10.10.4.1 - default gateway

Catalyst port(s) are members of VLAN 10 (10.10.0.0/16)

Server network ip routing environment:

Catalyst 6509 - CatOS side

core-switch> (enable) show ip route

Fragmentation Redirect Unreachable

------------- -------- -----------

enabled enabled enabled

The primary gateway: 10.30.1.1

Destination Gateway RouteMask Flags Use Interface

--------------- --------------- ---------- ----- -------- ---------

default 10.30.1.1 0x0 UG 122588 sc0

10.30.1.0 10.30.1.10 0xffffff00 U 160 sc0

default default 0xff000000 UH 0 sl0

Catalyst 6509 - IOS side

core-router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks

C 10.10.0.0/16 is directly connected, Vlan10

S 10.15.0.0/16 [1/0] via 192.168.1.1

C 10.30.7.0/24 is directly connected, Vlan7

C 10.30.1.0/24 is directly connected, Vlan1

C 10.30.9.0/24 is directly connected, Vlan9

C 10.70.0.0/16 is directly connected, Vlan70

S 209.53.119.0/24 [1/0] via 192.168.1.1

C 192.168.1.0/24 is directly connected, Vlan99

S* 0.0.0.0/0 [1/0] via 192.168.1.1

XP client host

10.70.1.101 - host IP address

255.255.0.0 - subnet mask

10.70.1.1 - default gateway

Switchport access VLAN 70 (10.70.0.0/16)

Client network ip environment

Catalyst 2509C

The trunk interface to our Catalyst 6509 above:

interface FastEthernet0/25

switchport trunk allowed vlan 1,10,70,1002-1005

switchport mode trunk

no ip address

The switchport the XP client is connected to

interface FastEthernet0/1

switchport access vlan 70

switchport mode access

no ip address

spanning-tree portfast

From the XP client I can ping the default gateway for VLAN 70 @ 10.70.1.1 but I can NOT ping the server @ 10.10.5.35.

From the Server I can also ping the default gateway at 10.70.1.1 but not the host at 10.70.1.101.

I'm assuming this is a basic routing problem between VLAN 70 and VLAN 10 or vice versa.

From the "core router" on the 6509 (telneted into 10.30.1.1) I can also ping 10.70.1.1 but neither of the hosts 10.10.5.35 nor 10.70.1.101.

What am I doing wrong? What am I missing here?

Hall of Fame Super Blue

Re: How do I isolate one workstation on a LAN

Paul

Are you pinging from the MSFC to the client and the server ?

Can you check if you have any firewalls running on the client and the server that could be blocking incoming icmp requests.

Jon

New Member

Re: How do I isolate one workstation on a LAN

What I did was ping from the MSFC router (in a telnet session from another workstation in VLAN 10) to both server and client which fails.

I just tried this from the switch console and I can ping the client and it's net gateway but not the server?

I did disable the XP firewall on the client while testing both times. I also verified that ICS service and the Windows firewall were disabled on the 2003 server. There are no other 3rd party firewalls installed on either server or client.

New Member

Re: How do I isolate one workstation on a LAN

Routing problem resolved. I had been messing about with the HP network config utility on the 2003 server and inadvertantly ended up setting it upto use DHCP instead of it's normal static IP address of 10.10.5.35.

I can now ping both server and client from either direction and from both the 6509 console or the msfc. :)

Hall of Fame Super Blue

Re: How do I isolate one workstation on a LAN

No problem Paul.

Did you try to setup with new vlan after all this ?

Jon

New Member

Re: How do I isolate one workstation on a LAN

Yes - I ended up using your example.

Everything works fine now

(with the Windows XP ICF disabled - lol)

New Member

Re: How do I isolate one workstation on a LAN

I think I spoke to soon about this being resolved. It is true that I can ping in all directions from either the server, client, or MSFC now, HOWEVER, I cannot map a file share?

Keep in mind I'm using peer-to-peer networking principles as I've put this XP client workstation into a workgroup named "PTFC". "PTFC" is also the name of our AD domain that this 2003 server is a member of.

I've tried this from a command prompt on the 2003 server in VLAN 10 and got this error:

C:\>net use k: \\10.70.1.101\fileoutput pw6394!z /user:forteshare

System error 53 has occurred.

The network path was not found.

Then I tried it from the gui, i.e. right-clicked on the 'My Computer' icon selecting 'map network drive' and I get this error pop-up:

"The network path \\10.70.1.101\fileoutput cannot be found."

My thinking is that this might be Microsoft NBT name resolution issue with either WINS, NetBIOS, or DNS. If so, do I need to enable an 'IP Helper' on each switch and/or setup browsers, WINS, or DNS servers in VLAN 70?

New Member

Re: How do I isolate one workstation on a LAN

The really puzzling thing now is that I CAN map file shares from the other direction.

From the XP workstation in VLAN 70 I can map any file share in VLAN 10 just fine from the GUI or the command line (net use command).

Why doesn't this work from the other direction starting at the 2003 server?

New Member

Re: How do I isolate one workstation on a LAN

If I disable the Windows XP firewall drive mapping from the 2003 server to this workstation works just fine. I do have 'File and Printer Sharing' in the XP firewall exception list but apparently that doesn't open up all the right ports.

(I'm just putting all this down in case it helps someone else even more challenged than I - lol)

New Member

Re: How do I isolate one workstation on a LAN

Hi Paul, my solution is as follows;

Within your already configured VLAN you can apply a VACL without having to introduce another subnet or VLAN for a host device only.

VLAN 10 IP: 192.168.1.0 255.255.255.0

Host IP: 192.168.1.10 255.255.255.0

Server IP: 192.168.1.15 255.255.255.0

First define the ip traffic you want to have control over on the switch:

Switch(config)#ip access-list extented acl1

-acl)#permit ip host 192.168.1.10 host 192.168.1.15

#exit

Switch(config)#ip access-list extented acl2

-acl)#permit ip host 192.168.1.10 192.168.1.0 0.0.0.255

#exit

Then define the VLAN on which you need to filter traffic:

Switch(config)#vlan access-map vacl1 10

access-map)#match ip address acl1

#action forward

Switch(config)#vlan access-map vacl1 20

access-map)#match ip address acl2

#action drop

To allow any different traffic:

Switch(config)#vlan access-map vacl1 30

#action forward

#exit

Switch(config)#vlan filter vacl1 vlan-list 10

Kind regards.

New Member

Re: How do I isolate one workstation on a LAN

What does this workstation do?

Since you are initiating a file-share on a Windows server and that is all you want, why not limit it to a set of ports, or better yet create an sftp, ftp, or even webdav site and lock you ACLs down a bit more. By saying allow all IP between client and server, you are allowing ALL IP traffic, that includes TCP, and UDP. While it might meet your requirement of file sharing it also allows access to all open ports on that server.

So a typical 2003 install with HP would look something like this.

TCP 80 - ISS installed cause of HP management suite

135 MS RPC

139 Netbios

445 SMB

1045 fpitp

1067 Installation Bootstrap Service Installation Bootstrap protocol server

2301 Insight Web agents

2381 HP Management HTTPS

3389 Terminal Server Port

Some of these ports have widely know exploits, that could be leveraged against the server. BTW, if you gain access to the server, it really does not matter what restrictions I have on the PC, the server will be the step off point to the rest of your network.

So I would do these two things.

Vlan the xp box out, into a restricted IP range, keep it as tight a you can with only a small number of extra IP addresses. And not your current /24 subnet.

An in and out access list, but limit the ACL only to the port assignments you need to do the function. Yes it is a little harder todo, but in the long run you will get more sleep.

Depending on who initiates the file transfers - I would recommend the server. You can really tighten down the ACL on the PC side and the server side could end up with a two line ACL. First line permit second line deny IP any any.

Hall of Fame Super Blue

Re: How do I isolate one workstation on a LAN

Hi

yes you are right in that the acl should be tied down but then once you open up the file sharing ports it's debatable as to how secure you can really make it with an acl. That's why it's best to put the XP machine on it's own subnet.

Ideally, both the client and the server should only be running services that are actually needed.

Jon

New Member

Re: How do I isolate one workstation on a LAN

This workstation collects data from serial devices that monitor our production line.

It monitors quality control and keeps inventory of units produced. All of this data gets exported into a flat text file that we want to copy once a day to a common file share point which is mapped for our office users to a drive letter with a login script.

Your point about tightening up the ACL to needed ports is well taken.

802
Views
0
Helpful
14
Replies
CreatePlease to create content