Hi All,
This deals with placing both a secure and non-secure IP segment on a catalyst 6500 series switch.
From the backbone to the 6500 an IP address of 1.1.1.x (private space). Firewall from there to 10.10.10.y (public space). Firewall comes from 6500 back to same 6500.
Security requirements:
The management will only be on the 10.10.10.y network. Turn off layer 2 functionality on the switch to stop arp poisoning.
In order to meet these requirements and to understand if I can place both a secure and non-secure segment on the same 6500 Cat switch, the following configuration is needed:
1.) Connectivity from the internal backbone on the 1.1.1.x segment which is the private company space, to the management module card. If the switch can be compromised at the management level, security is an issue. Can I make the management module card only accessible on the 10.10.10.y segment, which is the public (non-routable) segment and behind the firewall on this same Cat 6500 series switch? And how?
2.) As all switches are vulnerable to ARP poisoning, layer 2 functionality would have to be turned off, so as not to be able to get to the secure segment of the switch (10.10.10.y) from the non-secure segment (1.1.1.x) without firewall pass-through. VLANs are not considered secure (www.securityfocus.com). Can I turn off this functionality for these reasons? And how?
Thank you up front for all of this help.
Wayne