Remote Sites w/VLANs and Security

hixardt
Level 1

Attached I have a high-level overview Visio of what I'm trying to accomplish. Basically, I need to set up VLANs for both company and public traffic at remote sites separated by PTP T1's. Company VLANs need to access other Company VLANs and the Internet, and Public VLANs only need to access the Internet out the CheckPoint firewall.

I'm assuming that ACL's would be needed to control what VLANs can see other VLANs, along with a routing protocol like EIGRP...but my main concern is ACL hell because I will be dealing with a lot of remote sites and a lot of company VLAN subnets.

Also, my boss is worried about security in regards to the public network, and he doesn't think that you can easily prevent the public network from accessing all the other company networks while still letting them get to the Internet without extending the VLANs across the T1's and all the way up to the CheckPoint firewall.

Any help and suggestions would be greatly appreciated.

Thanks in advance,

Scott

3 Replies

chrihussey
VIP Alumni

I would suggest taking another look at your subnetting scheme. Instead of using 192.168.x.x for both the public and corporate networks, why not 192.168.x.x for the public networks and 10.x.x.x or 172.16.x.x for the corporate, or vice versa? It would make the creation/administration of ACLs and access policies a lot simpler.

So essentially I could have one ACL that encompasses the entire public network like 10.0.0.0 0.255.255.255 on each router and do the same for the corporate network to minimize the configurations needed.

If I create ACLs denying anything with a source of the public network and destination of the corporate network, then allow all other traffic it should be sufficient correct? Also, I only need to put these ACLs on the interfaces closest to the source right? Not on every router on the network.

Thanks again for taking the time to respond.

Scott

Yes, that is the general idea and yes you need to put the ACLs on the interfaces at the source and probably at key points on the network as a safeguard. You may need to consider how DNS and DHCP services will work also, and may want to consider only allowing http traffic on the public segments.

I have to add that your boss' concerns about security are not unfounded. This could work if properly administered, however it is not an optimum design. A missed ACL would indeed expose the network.
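As an added illustration of the design discussed above (not code from the thread or from Cisco), the following models how a single extended ACL with the suggested wildcard masks would evaluate public-to-corporate versus public-to-Internet flows on a branch router, and how an interface that was missed when applying the ACL leaves the corporate network exposed. The address plan (public VLANs in 192.168.0.0/16, corporate in 10.0.0.0/8), the ACL name and the interface names are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed address plan (constructed): public VLANs in 192.168.0.0/16,
# corporate VLANs anywhere in 10.0.0.0/8. IOS wildcard masks are inverted
# subnet masks, so 0.255.255.255 covers all of 10.0.0.0/8.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Match like an IOS ACL entry: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

Entry = Tuple[str, str, str, str, str]  # action, src, src_wc, dst, dst_wc

# One ACL for the whole public network, as proposed in the thread. The
# equivalent IOS configuration would read:
#   ip access-list extended PUBLIC-IN
#    deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
#    permit ip any any
PUBLIC_IN: List[Entry] = [
    ("deny", "192.168.0.0", "0.0.255.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

# Branch router public SVIs (constructed). Vlan20 has the ACL applied
# inbound ("ip access-group PUBLIC-IN in"); Vlan21 models the missed ACL
# that the reply warns would expose the corporate network.
INTERFACES: dict = {
    "Vlan20": PUBLIC_IN,
    "Vlan21": None,
}

def forward(ingress_if: str, src: str, dst: str) -> str:
    """Decision for a packet entering ingress_if; no ACL means everything passes."""
    acl: Optional[List[Entry]] = INTERFACES[ingress_if]
    return "permit" if acl is None else evaluate(acl, src, dst)

def unfiltered_interfaces(interfaces: dict) -> List[str]:
    """Audit helper: public-facing interfaces with no inbound ACL at all."""
    return [name for name, acl in interfaces.items() if acl is None]
```

The audit helper is the kind of check worth scripting across every remote site, since a single interface without the ACL is exactly the exposure the reply describes.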
