SECURING VLANS/NETWORKS

ppellettiere
Level 1

We have a hospital network consisting of one class C of IP addresses per floor. We are running layer 3 to the access switches (3750s and 6500s).

I recently cut up a separate class C network into /27 addresses and am using five of the /27 networks on different floors of the hospital. The problem now is that I found these networks, for security reasons, should not be able to see any other networks. They only need to see each other.

I am just looking for suggestions on the best and easiest way to do this...

PVLANs, access lists, or anything else?

1 Accepted Solution: Jon Marshall's second reply, below.
4 Replies

Jon Marshall
Hall of Fame

ppellettiere wrote:

We have a hospital network consisting of one class C of IP addresses per floor. We are running layer 3 to the access switches (3750s and 6500s).

I recently cut up a separate class C network into /27 addresses and am using five of the /27 networks on different floors of the hospital. The problem now is that I found these networks, for security reasons, should not be able to see any other networks. They only need to see each other.

I am just looking for suggestions on the best and easiest way to do this...

PVLANs, access lists, or anything else?

Not sure exactly what you mean.

If you mean the new /27 networks should only see themselves, i.e. a device in a /27 network should only be able to see other devices in the same /27 network, then simply don't create an L3 SVI for this VLAN on your switch. That way they cannot route to any other VLAN.

If you mean you want to restrict access between VLANs, then L3 ACLs applied to the VLAN interfaces is the way to go.

If you mean you want to restrict traffic within a VLAN, then VACLs (VLAN access-lists) are what you should use.

Could you clarify exactly what you want?

Jon

ppellettiere

All the devices on all 5 /27 networks need to be able to see each other. They cannot see any other networks.

ppellettiere wrote:

All the devices on all 5 /27 networks need to be able to see each other. They cannot see any other networks.

Okay, then using ACLs on the L3 VLAN interfaces would be the way to go, e.g.

vlan 10 = 192.168.5.0 255.255.255.224, i.e. /27

The other 4 VLANs go up from where vlan 10 left off, e.g. vlan 11 = 192.168.5.32/27, vlan 12 = 192.168.5.64/27

access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.32 0.0.0.31
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.64 0.0.0.31
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.96 0.0.0.31
access-list 101 permit ip 192.168.5.0 0.0.0.31 192.168.5.128 0.0.0.31

int vlan 10
 ip access-group 101 in

and then repeat for each subnet, e.g.

access-list 102 permit ip 192.168.5.32 0.0.0.31 192.168.5.0 0.0.0.31
access-list 102 permit ip 192.168.5.32 0.0.0.31 192.168.5.64 0.0.0.31
etc.

int vlan 11
 ip access-group 102 in

Also there is an implicit deny at the end of each access-list, so you don't need to add the line "access-list 101 deny ip 192.168.5.0 0.0.0.31 any". However you can if you want to see how many hits are being denied.

Jon
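As an added worked example (not Jon's config or any Cisco tooling), the script below generates the complete set of five ACLs and SVI bindings from the thread's /27 plan, including the optional explicit deny, and then evaluates the result the way IOS would: first matching entry wins, otherwise the implicit deny applies. VLANs 13 and 14 and their subnets are assumed; they continue the pattern Jon gives for VLANs 10 to 12.

```python
import ipaddress

# Constructed input: the five /27 subnets from the thread, keyed by VLAN.
# VLANs 13 and 14 are assumed; they continue the pattern Jon gives for 10-12.
SUBNETS = {10: "192.168.5.0/27", 11: "192.168.5.32/27", 12: "192.168.5.64/27",
           13: "192.168.5.96/27", 14: "192.168.5.128/27"}

def wildcard(cidr):
    """IOS ACLs use inverted masks: 192.168.5.0/27 -> ('192.168.5.0', '0.0.0.31')."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.hostmask)

def build_acl(vlan, subnets, acl_no, explicit_deny=False):
    """Inbound ACL for one SVI: permit this subnet to each of the other four;
    anything else (other floors, servers, Internet) falls to the implicit deny."""
    src, swc = wildcard(subnets[vlan])
    lines = []
    for other, cidr in sorted(subnets.items()):
        if other == vlan:
            continue  # traffic inside the VLAN never crosses the SVI
        dst, dwc = wildcard(cidr)
        lines.append(f"access-list {acl_no} permit ip {src} {swc} {dst} {dwc}")
    if explicit_deny:  # optional: a visible hit counter in 'show access-lists'
        lines.append(f"access-list {acl_no} deny ip {src} {swc} any")
    return lines + [f"interface Vlan{vlan}", f" ip access-group {acl_no} in"]

def build_config(subnets, explicit_deny=False):
    """ACL 101 for the lowest VLAN, 102 for the next, as in the thread."""
    out = []
    for i, vlan in enumerate(sorted(subnets), start=1):
        out += build_acl(vlan, subnets, 100 + i, explicit_deny)
    return out

def _match(ip, addr, wc):
    w = int(ipaddress.ip_address(wc))  # wildcard bits are "don't care"
    return int(ip) & ~w == int(ipaddress.ip_address(addr)) & ~w

def permitted(acl_lines, src_ip, dst_ip):
    """First-match evaluation of the generated entries, then the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        # 'any' is shorthand for 0.0.0.0 255.255.255.255
        tok = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
        if tok[:1] != ["access-list"]:
            continue  # skip the interface lines
        sa, sw, da, dw = tok[4:8]
        if _match(s, sa, sw) and _match(d, da, dw):
            return tok[2] == "permit"
    return False  # implicit deny
```

Printing `"\n".join(build_config(SUBNETS))` gives the config to paste; the `permitted` check is handy for confirming that a host on one floor reaches the other four /27s and nothing else before the ACLs go live.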

WOW, you went above and beyond... Thank you.
