Here is what I am trying to accomplish (simplified):
Three VLANs: VLAN 1, VLAN 100, and VLAN 101
VLAN 100 and 101 have sensitive material on them, VLAN 1 is not sensitive
VLAN 100 and VLAN 101 communications are trusted
VLAN 1 to VLAN 100 and VLAN 1 to VLAN 101 communications are largely blocked via ACLs. We are looking to allow select hosts to communicate with any devices on VLAN 100 and 101.
We have a Cisco 4900M that is serving as a L3 switch, serving as the exclusive router between these VLANs.
Before installing the 4900M between these VLANs (for performance reasons), this was done using a SonicWall router, which would allow selective forwarding of packets to the protected VLANs based upon source MAC addresses.
The traffic we care about is IP traffic, so using a VLAN map with MAC access-lists won't work (because that is not supported by the platform, at least as far as I can tell) as the MAC ACLs are only relevant for non-IP ethertypes. Through some pain, I have found this to in fact be the case.
For the time being, we have changed to using source IP addresses as the means to identify authorized clients, but this is obviously not very secure.
Given the capabilities of the 4900M (or lack thereof in this case), what are some of our options to achieve this?
A couple of ideas:
1. Create a PACL that permits all inbound traffic from the whitelisted MAC addresses, and merge it with a router ACL that blocks all access from VLAN 1 to the private nets. I would imagine this would have the net effect of allowing whitelisted MACs anywhere on the network (which is OK), but would prevent other hosts on VLAN 1 from getting in. This assumes that the PACL is able to make the switch ignore the whitelisted host's IP address; is that possible?
2. Create a dedicated private VLAN that authorized hosts would be able to join. In this case, the MAC address auth would have to happen at the edge switches.
3. Similar to 2, but deploy 802.1x, which is not a simple task.
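For reference, this is what the interim source-IP arrangement the question describes looks like as an IOS router ACL on the VLAN 1 SVI. It is an added illustration, not the poster's configuration: the subnets (VLAN 1 = 10.1.0.0/24, VLAN 100 = 10.100.0.0/24, VLAN 101 = 10.101.0.0/24) and the single authorized host 10.1.0.50 are invented for the example.

```cisco
! Added example, not the poster's running config. Addresses are invented:
!   VLAN 1   10.1.0.0/24   (untrusted)
!   VLAN 100 10.100.0.0/24 (sensitive)
!   VLAN 101 10.101.0.0/24 (sensitive)
!   10.1.0.50 = the one VLAN 1 host allowed into both sensitive VLANs
ip access-list extended VLAN1-TO-PROTECTED
 remark Interim control: the client is identified by source IP only
 permit ip host 10.1.0.50 10.100.0.0 0.0.0.255
 permit ip host 10.1.0.50 10.101.0.0 0.0.0.255
 remark Every other VLAN 1 source is kept out of the sensitive VLANs;
 remark "log" records the denied hits so unexpected attempts are visible
 deny   ip any 10.100.0.0 0.0.0.255 log
 deny   ip any 10.101.0.0 0.0.0.255 log
 remark VLAN 1 traffic to anywhere else (e.g. the Internet) is unaffected
 permit ip any any
!
! Inbound on the SVI = packets arriving from VLAN 1 hosts before routing
interface Vlan1
 ip access-group VLAN1-TO-PROTECTED in
```

The ACL is evaluated top down, so the two host permits must precede the subnet denies, and the trailing `permit ip any any` keeps ordinary VLAN 1 traffic flowing. The weakness the question points out is visible here: the only thing distinguishing the authorized client is an address the client itself chooses, and the 4900M, as the sole router, has no way to tie that address back to the MAC that the SonicWall previously keyed on. The `log` keyword at least makes denied attempts show up in syslog, which is worth watching while this interim control is in place.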