Multi-Tenant security on Cisco 3750

ciscobigcat
Level 1

Hi guys,

I have a 3750 switch with IP routing enabled and have lots of VLANs configured on this switch.

What is the best way to prevent VLANs from talking to each other?

At the same time, hosts inside their respective VLANs should not be blocked from reaching any private networks as they could be doing some L2L with another site.

Blocking the VLANs from accessing/telnetting the switch was very simple, as I was able to do this in the VTY line section. However, blocking VLANs from accessing the other VLANs on the switch seems to be hard, and I think there has to be a recommended way of doing this. For example, if hosts in one of my VLANs, in this case VLAN-204 (10.10.10.0/24), want to hack or scan hosts on one of my other VLANs, in this case VLAN-330 (10.20.20.0/24), how can I accomplish this without blocking VLAN-204 hosts from accessing another network they have a site-to-site tunnel with, with the same destination address of 10.20.20.0?

thanks

bigcat                  

2 Replies

Hey bigcat,

I see an ACL, source routing, or VRF (but only possible in software on the 3750) to achieve your goals. At the moment I have no other idea; it would be very helpful to get a complete overview of the situation and which traffic should be allowed and which traffic has to be blocked.

regards,

Sebastian

Please rate if that helps.
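Added configuration example (not from the original thread or from Cisco's documentation) showing the two routed options raised above, the router ACL and VRF-lite, on the VLANs from the question. The ACL shows why a plain filter cannot separate the local VLAN 330 from the remote site that uses the same 10.20.20.0/24; the VRF-lite part puts VLAN 204 in its own routing table so the local 10.20.20.0/24 is simply not a route it can see. The VRF name `TENANT-204`, the route distinguisher, VLAN 900 and the gateway address 10.90.90.2 are assumptions; it also assumes an IOS image on the 3750 that supports `ip vrf`.

```cisco
! Constructed layout: VLAN 204 = 10.10.10.0/24, VLAN 330 = 10.20.20.0/24 (both local SVIs).
! The VPN gateway / firewall that builds the site-to-site tunnel is assumed to sit on
! VLAN 900 at 10.90.90.2 (assumption, not from the thread).
!
! --- Option 1: router ACL on the VLAN 204 SVI ---
! Stops VLAN 204 -> VLAN 330, but since the remote site is ALSO 10.20.20.0/24 the same
! deny line drops the tunnel traffic. A destination-based ACL cannot tell them apart.
ip access-list extended VLAN204-IN
 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
interface Vlan204
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN204-IN in
!
! --- Option 2: VRF-lite ---
! VLAN 204 gets its own routing table. VLAN 330 stays in the global table, so inside
! TENANT-204 there is no connected route to the local 10.20.20.0/24. The only path for
! that prefix is the default route toward the VPN gateway, i.e. the remote site.
ip vrf TENANT-204
 rd 65000:204
!
interface Vlan204
 no ip access-group VLAN204-IN in
 ! 'ip vrf forwarding' clears the interface address, so it is re-applied afterwards.
 ip vrf forwarding TENANT-204
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan900
 description tenant-204 side of the VPN gateway (assumed link)
 ip vrf forwarding TENANT-204
 ip address 10.90.90.1 255.255.255.0
!
ip route vrf TENANT-204 0.0.0.0 0.0.0.0 10.90.90.2
!
! Verification: the VRF table must show 10.10.10.0/24 (connected) and the default route,
! and must NOT contain 10.20.20.0/24 as a local/connected network.
!   show ip route vrf TENANT-204
!   show ip vrf interfaces
```

The check that matters after applying the VRF is `show ip route vrf TENANT-204`: if 10.20.20.0/24 appears there as a connected route, an SVI has been placed in the wrong VRF and the isolation is gone. Any other VLAN that must stay separate from VLAN 204 gets its own `ip vrf` in the same way, and only the VPN gateway link is shared by being given one interface per VRF.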

Amit Singh
Cisco Employee

Please use private VLANs. This will be your best bet in addition to what Seb has mentioned above.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swpvlan.html

Hope this helps.

Cheers,

-amit singh
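Added private VLAN example (written for this page, not taken from the thread or the linked guide) showing the layer-2 side of the isolation: host ports in an isolated secondary VLAN can reach only the promiscuous port (the uplink to the gateway) and not each other, while the SVI on the primary VLAN still provides routing. The VLAN numbers 500/501, the port numbers and the 10.30.30.0/24 address are assumptions. Private VLANs on this platform require VTP transparent mode, which is why the first line is there.

```cisco
! Private VLANs need the switch in VTP transparent mode.
vtp mode transparent
!
! Secondary (isolated) VLAN first: ports in it cannot talk to each other at layer 2.
vlan 501
 private-vlan isolated
!
! Primary VLAN carrying the isolated VLAN. Assumed numbers 500/501.
vlan 500
 private-vlan primary
 private-vlan association 501
!
! Host ports: each end host lands in the isolated VLAN; it only reaches the promiscuous port.
interface range GigabitEthernet1/0/1 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
!
! Promiscuous port toward the gateway/firewall (assumed to be Gi1/0/24): sees all
! secondary VLANs mapped to the primary.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 501
!
! SVI on the primary VLAN so the switch can still route for the isolated hosts;
! the mapping lets replies from the SVI reach hosts in the isolated VLAN.
interface Vlan500
 ip address 10.30.30.1 255.255.255.0
 private-vlan mapping 501
!
! Verification
!   show vlan private-vlan          <- 500 primary / 501 isolated, with the port list
!   show interfaces GigabitEthernet1/0/1 switchport
```

Note the scope: private VLANs decide which ports inside one primary VLAN may exchange frames at layer 2. Whether a host that reaches the SVI can then be routed into another VLAN is still decided by the routing table and any ACL or VRF on the SVIs, so for the multi-tenant goal in the question they complement those controls rather than replace them.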
