New Member

Remote Sites w/VLANs and Security

Attached I have a high level overview visio of what I'm trying to accomplish. Basically, I need to setup VLANs for both company and public traffic at remote sites separated by PTP T1's. Company VLANs need to access other Company VLANs and the Internet, and Public VLANs only need to access the internet out the CheckPoint firewall.

I'm assuming that ACLs would be needed to control what VLANs can see other VLANs, along with a routing protocol like EIGRP...but my main concern is ACL hell because I will be dealing with a lot of remote sites and a lot of company VLAN subnets.

Also, my boss is worried about security in regards to the public network and he doesn't think that you can easily prevent the public network from accessing all the other company networks and still letting them get to the internet without extending the VLANs across the T1's and all the way up to the CheckPoint Firewall.

Any help and suggestions would be greatly appreciated.

Thanks in advance,

Scott

3 REPLIES

Re: Remote Sites w/VLANs and Security

I would suggest taking another look at your subnetting scheme. Instead of using 192.168.x.x for both the public and corporate networks, why not 192.168.x.x for the public networks and 10.x.x.x or 172.16.x.x for the corporate, or vice versa. It would make the creating/administration of ACLs and access policies a lot simpler.

New Member

Re: Remote Sites w/VLANs and Security

So essentially I could have one ACL that encompasses the entire public network like 10.0.0.0 0.255.255.255 on each router and do the same for the corporate network to minimize the configurations needed.

If I create ACLs denying anything with a source of the public network and destination of the corporate network, then allow all other traffic it should be sufficient correct? Also, I only need to put these ACLs on the interfaces closest to the source right? Not on every router on the network.

Thanks again for taking the time to respond.

Scott

Re: Remote Sites w/VLANs and Security

Yes, that is the general idea and yes you need to put the ACLs on the interfaces at the source and probably at key points on the network as a safeguard. You may need to consider how DNS and DHCP services will work also, and may want to consider only allowing http traffic on the public segments.

I have to add that your boss' concerns about security are not unfounded. This could work if properly administered, however it is not an optimum design. A missed ACL would indeed expose the network.
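The ACL design worked out in the second post and the last reply (deny public-source to corporate-destination, permit the rest, apply at the source interfaces, optionally restrict public segments to web traffic, and watch for the missed ACL) can be checked offline with a small model of IOS-style wildcard-mask ACL evaluation. The following is an added example, not code from the thread or from Cisco. It assumes the address split the first reply suggests (public in 10.0.0.0/8, corporate in 172.16.0.0/12); the router names, interface names, server addresses and packets are constructed sample values, and `PUBLIC_IN_HTTP_ONLY` is one reading of "only allowing http traffic on the public segments" with the DNS and DHCP the reply says to think about.

```python
"""
Added example (not from the thread): a small model of Cisco IOS-style ACL
evaluation with wildcard masks, applied to the design discussed above.
Addressing follows the replies: public networks in 10.0.0.0/8
(wildcard 0.255.255.255), corporate networks in 172.16.0.0/12
(wildcard 0.15.255.255).  Router and interface names, server
addresses and packets are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUBLIC = ("10.0.0.0", "0.255.255.255")      # assumed public address space
CORPORATE = ("172.16.0.0", "0.15.255.255")  # assumed corporate address space


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One entry: 'permit|deny proto src src_wc dst dst_wc [eq dport]'."""
    action: str
    proto: str = "ip"                 # "ip" matches any protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # the defaults mean 'any'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # only meaningful for tcp/udp

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The ACL proposed in the thread: block public -> corporate, allow the rest.
PUBLIC_IN_BASIC = [
    Ace("deny", "ip", *PUBLIC, *CORPORATE),
    Ace("permit"),
]

# The tighter variant from the last reply: public segments get web traffic
# plus the DNS and DHCP they need; the implicit deny handles everything else,
# and the explicit public -> corporate deny stays in as a guard.
PUBLIC_IN_HTTP_ONLY = [
    Ace("deny", "ip", *PUBLIC, *CORPORATE),
    Ace("permit", "udp", dport=53),   # DNS
    Ace("permit", "udp", dport=67),   # DHCP client -> server
    Ace("permit", "tcp", dport=80),   # HTTP
]

# Constructed per-router interface state, as input for the audit below.
ROUTERS = {
    "site-a": {
        "Fa0/0.10": {"ip": "10.1.10.1", "acl_in": "PUBLIC_IN"},
        "Fa0/0.20": {"ip": "172.16.1.1", "acl_in": None},
    },
    "site-b": {
        "Fa0/0.10": {"ip": "10.2.10.1", "acl_in": None},   # the forgotten one
        "Fa0/0.20": {"ip": "172.16.2.1", "acl_in": None},
    },
}


def audit_missing_acl(routers: dict) -> list:
    """Interfaces addressing a public subnet with no inbound ACL: the
    'missed ACL' exposure the last reply warns about."""
    gaps = []
    for rtr, ifaces in routers.items():
        for name, cfg in ifaces.items():
            if wildcard_match(cfg["ip"], *PUBLIC) and not cfg.get("acl_in"):
                gaps.append((rtr, name))
    return gaps


if __name__ == "__main__":
    probes = [
        {"proto": "tcp", "src": "10.1.10.50", "dst": "172.16.2.10", "dport": 445},
        {"proto": "tcp", "src": "10.1.10.50", "dst": "203.0.113.10", "dport": 80},
        {"proto": "tcp", "src": "10.1.10.50", "dst": "203.0.113.10", "dport": 443},
    ]
    for p in probes:
        print(p, "basic:", evaluate(PUBLIC_IN_BASIC, p),
              "http-only:", evaluate(PUBLIC_IN_HTTP_ONLY, p))
    print("interfaces missing the ACL:", audit_missing_acl(ROUTERS))
```

Two things the model makes visible that the prose only hints at. The wildcard 0.15.255.255 covers 172.16.0.0 through 172.31.255.255 and nothing else, so a corporate subnet carved outside that range would silently fall through to `permit any`; keep every corporate subnet inside the one summarisable block. And a literal "http only" list drops port 443, so the public-segment list needs widening for HTTPS before it is usable. The audit function is the programmatic form of the reply's "safeguard at key points": it lists every public-facing interface without the ACL, which is exactly where a single missed line exposes the corporate network.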
