Isolate host connected to a switch

aptgetmoo
Level 1

Hi.

I am setting up a simulated network environment using gns3, with cisco 3640 router (with 16port switch module, so I can simulate a switch, as gns3 does not support switch emulation). I have 4 PCs and 2 servers connected to the switch:

PC1 192.168.1.1

PC2 192.168.1.2

PC3 192.168.1.3

PC4 192.168.1.4

SVR1 192.168.1.5

SVR2 192.168.1.6

Is there a way to set a gateway for specific PCs connected to a switch? eg:

SVR1 for PC1,PC2,PC3

SVR2 for PC4

I know a switch is not supposed to behave like this, but I want to isolate PC4 from any other hosts, and set its gateway to SVR2.

Can I do this?

What about VLAN, can I set a gateway for each VLAN?


Ganesh Hariharan
VIP Alumni

As you are trying this setup in GNS3 and have the switch module in a Cisco 3640 router, create separate VLANs and assign them IPs, which will act as gateways for the hosts residing in those VLANs.

Hope this helps out your query !!

Regards

Ganesh.H

Thanks for the reply. I had created 2 vlans to separate them, but how to assign a gateway to each vlan?

Can I run like "ip route" on each VLAN?

Jon Marshall
Hall of Fame

aptgetmoo wrote:

Hi.

I am setting up a simulated network environment using gns3, with cisco 3640 router (with 16port switch module, so I can simulate a switch, as gns3 does not support switch emulation). I have 4 PCs and 2 servers connected to the switch:

PC1 192.168.1.1

PC2 192.168.1.2

PC3 192.168.1.3

PC4 192.168.1.4

SVR1 192.168.1.5

SVR2 192.168.1.6

Is there a way to set a gateway for specific PCs connected to a switch? eg:

SVR1 for PC1,PC2,PC3

SVR2 for PC4

I know a switch is not supposed to behave like this, but I want to isolate PC4 from any other hosts, and set its gateway to SVR2.

Can I do this?

What about VLAN, can I set a gateway for each VLAN?

Setting the gateway for the PC has nothing to do with the switch; you do this either via DHCP or, if you are manually assigning the IP address, when you configure the client.

Jon

Yes, I know I can set the gateway on each host, but I want to isolate a host (say, it is infected with a virus) without configuring anything on the host itself. But I want that host to be able to communicate with SVR2, not any other hosts. Is there a way to do this with a switch?

Peter Paluch
Cisco Employee

Hello,

If you want to isolate a PC within a VLAN from other stations, changing its gateway will not help, as the station still remains in the same broadcast domain with other stations and is able to talk to them directly (and thereby possibly attack them).

On Catalyst 3560 and higher with recent IOSes, there is a feature called Private VLANs. Private VLANs allow you to partition an existing VLAN (also called the primary VLAN) into an arbitrary number of so-called secondary VLANs that have additional restrictions placed on them. There can be arbitrarily many community secondary VLANs under a particular primary VLAN whose stations may freely communicate among themselves within a single community VLAN, but they cannot talk to any other secondary VLAN members under the same primary VLAN. Additionally, there can be at most one isolated secondary VLAN for each primary VLAN whose members cannot talk to each other, nor can they talk to members of any other secondary VLAN under the same primary VLAN. All secondary VLANs are still allowed to access common shared resources like servers, gateways etc. that are placed on so-called promiscuous ports (this has nothing to do with the promiscuous mode of NICs).

From outside, the partitioning of the VLAN into secondary VLANs is not visible, and the entire system is visible as a single VLAN with a single, unpartitioned IP address space.

I think that this is what you are seeking: placing offending clients into an isolated secondary VLAN so that they cannot attack each other or any other stations in other secondary (community) VLANs. This feature is unfortunately not available under GNS3; a 3560 or higher switch is required.

You may want to read more here:

http://cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swpvlan.html

Best regards,

Peter

Thanks for your suggestion. But I don't think I would get access to such a switch. Using the regular VLAN, I can still separate infected hosts on its own LAN, with a server (for disinfecting purpose). But infected hosts may still attack one another. Can I add any policy to only allow them to access the server?

aptgetmoo wrote:

Thanks for your suggestion. But I don't think I would get access to such a switch. Using the regular VLAN, I can still separate infected hosts on its own LAN, with a server (for disinfecting purpose). But infected hosts may still attack one another. Can I add any policy to only allow them to access the server?

VLAN access-lists control traffic within the same VLAN, but I don't know whether your switch supports that. Alternatively you can try an ACL on the physical interface, although again I am not sure whether it will work on your switch:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_20_ea2/configuration/guide/swacl.html#wp1082939

Jon

Hi,

OK, as per your requirement, check out the document below on ACLs and try configuring a VACL in the same VLAN to permit and deny traffic.

Hope this helps out your query !!

Regards

Ganesh.H

Thanks.

I couldn't add a VACL; the 3640 doesn't seem to support that. I also couldn't apply the ACL to the interface. I have a problem using the "ip access-group" command to apply the ACL to the interface. It seems that I can only use that command on ports (NM-1FE-TX) other than those on the 16-port switch module (NM-16ESW). Is that because they have been configured as access ports?

Gentlemen,

Traffic filtering on switches is a cumbersome issue, as the individual support for traffic filtering differs considerably among various switch platforms. Advanced filtering tools like Private VLANs or VACLs are available only on 3560 and higher platforms. IP or MAC ACLs can be applied onto individual access ports since the 2950 series platforms (at least as far as I know), but only in the inbound direction, and also the style of evaluating the IP and MAC ACLs differs strongly, for example, between 2950 and 2960 switches. Thoroughly reading the documentation that pertains to the particular switching platform and IOS version is a must here.

Regarding the ACLs on NM/HWIC switching modules, their support may be even more limited than on standalone switches. Such a module may not support traffic filtering at all. For example, on the HWIC-4ESW, it appears that neither MAC nor IP access lists are supported on the individual switchports (confirmed using the HWIC-4ESW module in a 2801 router running the c2801-advipservicesk9-mz.124-4.XC2 IOS).

I am afraid that trying to simulate the situation using GNS3 and the 3640 series + NM-16ESW switching module will not be helpful here. As I indicated earlier, each switch differs in its support of traffic filtering, and its capabilities would determine the way the filtering would be done (if possible at all).

Best regards,

Peter

Thanks for that explanation, Peter. I think the best I can do for the time being is to just move them into another VLAN, although they may still communicate with each other.

Hello,

What you perhaps could do even with a switching module (and also with any recent switch) is this:

  1. Have a quarantine VLAN prepared. This VLAN would be very strongly restricted on its gateway, disallowing almost any communication with other VLANs or other networks except the communication with the absolutely necessary services. This can be done on the router by usual ACLs placed either on the physical interface/subinterface, or on the SVI if a switching module (or a multilayer switch) is used.
  2. Have all access ports that are currently placed into the quarantine VLAN configured with the switchport protected command. A port configured with this command is called a protected port. A protected port is prevented from communicating with any other protected port in the same VLAN. If all access ports placed into the quarantine VLAN are configured as protected ports, they will not be allowed to communicate mutually. A protected port can communicate only with an unprotected port, and vice versa - such an unprotected port would be an uplink from the switch towards the router.

This link contains further information:

http://cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_52_se/configuration/guide/swtrafc.html#wp1175133

Best regards,

Peter
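One way to check that a switch config actually implements the two steps above (an inbound ACL on the quarantine SVI that admits only the remediation server, and 'switchport protected' on every access port in that VLAN). This is an added example, not code from the thread or from Cisco: the VLAN id 99, the interface names, the ACL name and the config text are constructed; only SVR2's address 192.168.1.6 comes from the original post.

```python
import re

QUARANTINE_VLAN = 99                 # assumed quarantine VLAN id (not in the thread)
REMEDIATION_SERVER = "192.168.1.6"   # SVR2 from the original post
# Constructed running-config excerpt; Fa1/1 deliberately lacks 'switchport protected'.
SAMPLE_CONFIG = """\
ip access-list extended QUARANTINE-IN
 permit ip any host 192.168.1.6
!
interface FastEthernet1/0
 switchport access vlan 99
 switchport protected
!
interface FastEthernet1/1
 switchport access vlan 99
!
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
 ip access-group QUARANTINE-IN in
"""

def parse_blocks(cfg):
    """Return {block header: [indented sub-lines]} for a running-config excerpt."""
    blocks, cur = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw and raw != "!":
            cur = raw.strip()
            blocks[cur] = []
    return blocks

def audit(cfg, vlan, server):
    """Return findings as strings; an empty list means the pattern is complete."""
    blocks, findings = parse_blocks(cfg), []
    # Step 2: every access port in the quarantine VLAN must be a protected port.
    for hdr, lines in blocks.items():
        if hdr.startswith("interface ") and f"switchport access vlan {vlan}" in lines:
            if "switchport protected" not in lines:
                findings.append(f"{hdr}: in VLAN {vlan} but not 'switchport protected'")
    # Step 1: the quarantine SVI's inbound ACL may permit only the remediation server.
    svi = blocks.get(f"interface Vlan{vlan}", [])
    m = next(filter(None, (re.match(r"ip access-group (\S+) in$", l) for l in svi)), None)
    acl = blocks.get(f"ip access-list extended {m.group(1)}", []) if m else []
    if not m:
        findings.append(f"interface Vlan{vlan}: no inbound ACL applied")
    elif any(f"host {server}" not in l for l in acl if l.startswith("permit")):
        findings.append(f"ACL {m.group(1)}: permits traffic beyond host {server}")
    return findings
```

The ACL relies on IOS's implicit deny at the end of the list, so only the permit entries are inspected; the check does not cover what the uplink or the rest of the router lets through.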

Thanks a lot Peter. I'm very new to router/switch configuration. In fact, I never configured a real one, just trying in gns3 and packettracer.

The switch module in 3640 does not support that. I guess I'll have to get a real switch.

Hi,

Check out the Cisco 3725 router series for ACL implementation in GNS3; it will be helpful for switching commands also. Download the 3725 series IOS and try to implement it.

Regards

Ganesh.H
