I have a department in my network called D department. This D wants to be isolated from the network but wants to use some facilities of the network such as email, FTP, etc. But D does not want anyone else to be able to enter its PCs. So I put a Layer 3 switch in D directly connected to the core Layer 3 switch. Both are Cisco 3550s.
So I configured a special VLAN for D, and I also configured an access-list on its switch and permit in only those facilities that D wants.
The problem is that I cannot configure an access-list out on the Layer 3 switch. Also I do not know if that is enough or whether I have to do something else to increase the security.
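One way to build the ACL arrangement described in the post on the D-side 3550. This is an added example, not configuration from the original poster. The addressing is assumed: VLAN 20 (10.20.0.0/24) is department D with its SVI on the D switch, Gi0/1 is a routed uplink to the core, and the mail server (10.1.0.10), FTP server (10.1.0.20) and DNS resolver (10.1.0.5) are placeholder hosts. Both lists are applied inbound, one on each interface, so no outbound ACL is required: traffic arriving from the core is filtered on the uplink, and what D may start is filtered on the VLAN 20 SVI.

```cisco
! Added example (not from the original post). Assumed addressing:
!   Vlan20 = department D, 10.20.0.0/24, SVI on the D 3550
!   Gi0/1  = routed uplink to the core 3550, 10.0.0.2/30
!   10.1.0.10 = mail server, 10.1.0.20 = FTP server, 10.1.0.5 = DNS resolver
ip routing
!
ip access-list extended FROM-CORE-TO-D
 remark Replies to TCP sessions that D hosts started (ACK or RST bit set)
 permit tcp any 10.20.0.0 0.0.0.255 established
 remark Active-mode FTP: the server opens the data connection from port 20
 permit tcp host 10.1.0.20 eq 20 10.20.0.0 0.0.0.255 gt 1023
 remark DNS replies from the resolver D uses
 permit udp host 10.1.0.5 eq domain 10.20.0.0 0.0.0.255 gt 1023
 remark Ping into D only, for troubleshooting from the core side
 permit icmp any 10.20.0.0 0.0.0.255 echo
 permit icmp any 10.20.0.0 0.0.0.255 echo-reply
 remark Everything else from the rest of the network is dropped and logged
 deny ip any any log
!
ip access-list extended FROM-D-TO-CORE
 remark Only the services the department asked for may be initiated from D
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.0.10 eq smtp
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.0.10 eq pop3
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.0.10 eq 143
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.0.20 eq ftp
 remark Passive-mode FTP data connections go to a high port on the server
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.0.20 gt 1023
 permit udp 10.20.0.0 0.0.0.255 host 10.1.0.5 eq domain
 permit icmp 10.20.0.0 0.0.0.255 any echo
 deny ip any any log
!
interface GigabitEthernet0/1
 description Routed uplink to core 3550
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip access-group FROM-CORE-TO-D in
!
interface Vlan20
 description Department D
 ip address 10.20.0.1 255.255.255.0
 ip access-group FROM-D-TO-CORE in
```

Check it with `show ip access-lists` (hit counters on the `deny ... log` lines show what is being blocked) and `show ip interface GigabitEthernet0/1 | include access list`. The caveat a practitioner should keep in mind: `established` is not stateful. It matches any TCP segment with the ACK or RST bit set, so a host on the core side can still send ACK-flagged packets at D machines; it stops new connections, not crafted packets. That is the gap a stateful firewall closes.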
I have a similar situation with a client's Cat4506. Have you any experience trunking VLANs from the Cat4500 to an IOS firewall router and then using the router's firewall to segment between the VLANs, as well as connect to the internet? If so, does it work ok?
Why would you not use Private VLANs over ACLs to keep the traffic from one VLAN from getting into the others? You would just make the other two community VLANs, and the visitor an isolated VLAN. It would seem to be a lot easier and faster to set up and maintain. This could work for the main topic as well.
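The private-VLAN layout the reply above suggests, as an added example that is not part of the original replies. It assumes a platform that supports private VLANs, such as the Cat4506 mentioned earlier (the 3550 in the main topic does not; it only offers `switchport protected` on a per-switch basis). VLAN numbers, port ranges and the uplink are assumed: 100 is the primary VLAN, 101 and 102 are the two community VLANs, 103 is the isolated visitor VLAN, and the firewall router hangs off a promiscuous port so it is the only thing every host can reach.

```cisco
! Added example (not from the original replies). Assumed: Cat4500, primary VLAN 100,
! community VLANs 101/102, isolated VLAN 103, firewall router on Gi1/1.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 103
 private-vlan isolated
!
! Department A: hosts talk to each other and to the promiscuous port only
interface range GigabitEthernet2/1 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Department B: same, but cannot reach department A at Layer 2
interface range GigabitEthernet2/13 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Visitors: isolated, so they cannot even reach each other
interface range GigabitEthernet2/25 - 36
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
! The firewall router is the default gateway for everyone and sees all secondary VLANs
interface GigabitEthernet1/1
 description Promiscuous port to the IOS firewall router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
```

Verify with `show vlan private-vlan` and `show interfaces GigabitEthernet2/1 switchport`. Two points worth knowing before relying on this: the separation is Layer 2 only, so a host in 101 can still reach a host in 102 through the router unless the router's firewall denies it, and all three secondary VLANs share the primary VLAN's IP subnet, which is what lets one gateway serve them all.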
I do not know about isolated or community VLANs since I am new to networks. What I know is one of the reasons you create VLANs is security. Since I have the D department in a different VLAN, and I configure an ACL on its link with the core switch, I think that I did well enough. However, I will study those comments you have written and I will be back.
Thanks all of you for your time. You cannot imagine how much help you give me every time I have a problem.
The simplest thing you can do is to take a firewall and do NAT on it. Depending on size (but since you tell us you only need one switch it can't be that many users) I would choose an ASA 5505 to do the job; this will fix most of your problems right away.
Put the ASA in between the two now different networks and have the Inside go towards the D section and the Outside face towards the rest of the network.
This makes it so that the D section can use all the things they want on the "normal network" and the "normal network" cannot reach the D section computers without being contacted first.
It is possible to do some ACL stuff with the switches, but it is a true pain in the *** to maintain and have it working the way you want it to.
This is so much easier, faster and more secure for you to do than the switch thing, and in the long run it will save money (time) compared to looking after the ACLs in the switches.
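What the ASA 5505 arrangement above looks like in configuration. This is an added example, not the replier's configuration. It keeps the 5505's factory layout (Vlan1 = inside, Vlan2 = outside) and assumes the same placeholder addresses as before: department D on 10.20.0.0/24 behind the inside interface, the rest of the network reached through 10.0.0.1 on the outside, and mail, FTP and DNS servers at 10.1.0.10, 10.1.0.20 and 10.1.0.5. The pre-8.3 `nat`/`global` NAT syntax is used because that is what the 5505 shipped with.

```cisco
! Added example (not from the original reply). Assumed: ASA 5505, inside = department D
! 10.20.0.0/24, outside = rest of the network via 10.0.0.1, servers 10.1.0.10/.20/.5.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
! Hide D behind the ASA's outside address (8.2-style NAT)
global (outside) 1 interface
nat (inside) 1 10.20.0.0 255.255.255.0
!
! Without this list the higher security level may start anything; restrict it to what D asked for
access-list INSIDE-IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.0.10 eq smtp
access-list INSIDE-IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.0.10 eq pop3
access-list INSIDE-IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.0.10 eq imap4
access-list INSIDE-IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.0.20 eq ftp
access-list INSIDE-IN extended permit udp 10.20.0.0 255.255.255.0 host 10.1.0.5 eq domain
access-list INSIDE-IN extended permit icmp 10.20.0.0 255.255.255.0 any echo
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
!
! Nothing is applied to outside on purpose: the ASA denies connections from the
! lower-security side by default, and its stateful inspection (with "inspect ftp" in
! the default global_policy) lets replies and both active and passive FTP data back in.
route outside 0.0.0.0 0.0.0.0 10.0.0.1
```

On ASA 8.3 and later the NAT lines become `object network D-NET`, `subnet 10.20.0.0 255.255.255.0`, `nat (inside,outside) dynamic interface`; the rest is unchanged. Note that NAT is a convenience here, not the control: the stateful session table is what stops the rest of the network from reaching D, and `show conn` and `show access-list INSIDE-IN` are where to look when something D needs is not working.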