6500 Series and Security--w/Secure & Non-secure segments

wfletcher
Level 1

Hi All,

This deals with placing both a secure and non-secure IP segment on a catalyst 6500 series switch.

From the backbone to the 6500 an IP address of 1.1.1.x (private space). Firewall from there to 10.10.10.y (public space). The firewall comes from the 6500 and returns to the same 6500.

Security requirements:

The management will only be on the 10.10.10.y network. Turn off layer 2 functionality on the switch to stop ARP poisoning.

In order to meet these requirements, and to understand whether I can place both a secure and a non-secure segment on the same 6500 Cat switch, the following configuration is needed:

1.) Connectivity from the internal backbone on the 1.1.1.x segment which is the private company space, to the management module card. If the switch can be compromised at the management level, security is an issue. Can I make the management module card only accessible on the 10.10.10.y segment, which is the public (non-routable) segment and behind the firewall on this same Cat 6500 series switch? And how?

2.) As all switches are vulnerable to ARP poisoning, layer 2 functionality would have to be turned off, so as not to be able to get to the secure segment of the switch (10.10.10.y) from the non-secure segment (1.1.1.x) without firewall pass-through. VLANs are not considered secure (www.securityfocus.com). Can I turn off this functionality for these reasons? And how?

Thank you up front for all of this help.

Wayne

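The layout the post describes, written out as an IOS-style Catalyst 6500 configuration. This is an added example, not configuration from the original post or from Cisco: it assumes a 6500 with an MSFC running native IOS, VLAN 10 as the secure 10.10.10.0/24 segment, VLAN 20 as the non-secure 1.1.1.0/24 segment, the firewall's inside address at 10.10.10.1, and the interface names shown. All of those values are assumptions. The idea is that the switch has an IP address only in the secure VLAN, has no SVI in the non-secure VLAN (so it neither routes between the two nor answers ARP on the non-secure side), and only accepts management sessions from 10.10.10.0/24.

```text
! Added example, not from the original post. Assumed values:
!   VLAN 10 = secure 10.10.10.0/24, VLAN 20 = non-secure 1.1.1.0/24
!   Gi1/1 = backbone uplink (non-secure), Gi1/3 = firewall outside leg
!   Gi1/2 = firewall inside leg (secure), firewall inside IP = 10.10.10.1

vlan 10
 name SECURE
vlan 20
 name NONSECURE

! The only IP interface on the switch is in the secure VLAN. No SVI is
! defined for VLAN 20, so the 6500 does not route 1.1.1.x <-> 10.10.10.y;
! the only path between the segments is through the firewall.
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 no ip proxy-arp

! Non-secure side: backbone uplink and firewall outside leg, both plain
! access ports in VLAN 20 (6500 native IOS ports default to routed mode,
! so "switchport" is required to make them layer 2 ports).
interface GigabitEthernet1/1
 description backbone 1.1.1.x (non-secure)
 switchport
 switchport mode access
 switchport access vlan 20
 no cdp enable
interface GigabitEthernet1/3
 description firewall outside leg (non-secure)
 switchport
 switchport mode access
 switchport access vlan 20

! Secure side: firewall inside leg in VLAN 10.
interface GigabitEthernet1/2
 description firewall inside leg (secure)
 switchport
 switchport mode access
 switchport access vlan 10

! Management traffic leaves via the firewall's inside address.
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! Management sessions are accepted only from the secure segment.
ip access-list standard MGMT-ONLY
 permit 10.10.10.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 exec-timeout 5 0
```

Two caveats on what this does and does not give you. The access-class and the missing VLAN 20 SVI address point 1 of the post: a host on 1.1.1.x has no IP path to the switch's management address except through the firewall, and even then the firewall would have to permit it. They do not change the layer 2 picture within a VLAN: ARP poisoning still works between hosts that share VLAN 10, so the secure VLAN must contain only the firewall's inside leg and trusted hosts. Whether a VLAN boundary is an acceptable separation between the two segments is exactly the question the post raises, and this configuration assumes it is. `transport input ssh` also assumes a crypto-capable IOS image.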
1 Reply

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
