Hopefully this is the right forum to ask my question?
Here it goes,
I have a 3560 switch attached to a 1941 router. The router does not belong to us but is used by another organization to have access to our network. There is a static internal IP address that we have provided to this organization to allow access to our network. Unfortunately we are seeing IP addresses that are internal to their network coming into our network. I know the first thing would be to talk to the organization and get them to fix this issue; unfortunately they don't see this as an issue. Due to the nature of the connection (it must stay connected) I cannot just pull the plug. So my next best idea was to put in place an ACL to only allow access into our network from the specific IP address we gave them. That way they would be forced to NAT their IPs into our network. The ACL I put in place is fairly simple:
access-list 101 permit ip 10.2.0.60 0.0.0.0 any log
The connection to the router is through G0/18, so I placed access-group 101 in on that port. I then have an IDS system that captures all traffic on the network through port spanning. I am still seeing the traffic from their internal network, 192.168.4.0/24.
I'm not sure why the ACL isn't preventing other traffic from coming into our network through their router.
What I would suggest is that you configure a port-based ACL on your Cisco Catalyst 3560. On your interface GigabitEthernet 0/8, you can configure the ACL as shown below:
! Switch address in 10.2.0.0/24 as posted; on a 3560 a Layer 2 access port cannot
! carry an IP address, so this belongs on the VLAN 20 SVI (interface Vlan20).
interface Vlan20
 ip address 10.2.0.254 255.255.255.0
!
interface GigabitEthernet 0/8
 description ### Link to Cisco ISR 1941 Router FE0/1 ###
 switchport mode access
 switchport access vlan 20
 ip access-group 100 in
!
access-list 100 remark ### To allow only 10.2.0.60/32 to access into internal LAN ###
access-list 100 permit ip host 10.2.0.60 any
access-list 100 deny ip any any log
Even though my solution works for you, this really isn't good enough based on Cisco SAFE best practices and guidelines. You'll need to enable other Cisco technologies on your Cisco Catalyst 3560 such as storm-control, QoS (policing, NOT shaping and NOT prioritization), etc. as well. This is to ensure and limit the possibility of a DoS/DDoS attack coming from devices that belong to the "other" organization (NAT-ted as IP 10.2.0.60/32) against your internal servers/resources. After all, I bet you've no clue how secure their LAN is, am I right?
The above-mentioned solution is something that I would like to call merely a workaround. The "best" solution here is to place a Cisco FW (running in transparent mode) right smack in between the Cisco ISR 1941 Router and the Cisco Catalyst 3560 Switch. In your Cisco FW, you could then include other service modules, e.g. AIP-SSM, CSC-SSM, to further protect your LAN from the "other" organization.
Last but not least, you might want to capture a network performance benchmark between the LAN of the "other" organization and your LAN, i.e. 10.2.0.0/24, using tools such as iPerf (freeware), assuming you don't have one. This is because a time will come when LAN users from the "other" organization will complain that accessing the network resources situated in your LAN is "slow". Troubleshooting this isn't going to be easy, as slowness could be due to many reasons, e.g. their LAN, the WAN link, your LAN, the servers themselves, etc. Get this network performance benchmark done immediately, so that you can rule out your LAN being the culprit should such complaints come in in the near future. Mind you, it will come, I know :-)
P.S.: If you think this comment is useful, please do rate it nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
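As an added example, not from either post in the thread: a small Python evaluator for IOS-style numbered extended ACLs. It parses the two ACLs quoted above (the asker's 101 and the answer's 100), applies IOS first-match semantics with the implicit deny at the end, and runs constructed sample flows through them, including the un-NATed 192.168.4.0/24 sources the asker still saw on the IDS span port. The flows, and every host address other than 10.2.0.60, are made up for illustration.

```python
"""
Added example (not from the original thread): evaluate IOS numbered extended
ACLs against sample flows to see what the switch should drop on paper.
Supports the address forms used in the thread: "any", "host A", and
"A WILDCARD" with a contiguous (inverse) wildcard mask.
"""
import ipaddress
from dataclasses import dataclass

# ACL lines exactly as posted: 101 is the asker's, 100 the answer's.
ACL_101 = """
access-list 101 permit ip 10.2.0.60 0.0.0.0 any log
"""
ACL_100 = """
access-list 100 remark ### To allow only 10.2.0.60/32 to access into internal LAN ###
access-list 100 permit ip host 10.2.0.60 any
access-list 100 deny ip any any log
"""

# Constructed sample of what a SPAN-fed IDS might report (not real capture data).
OBSERVED_FLOWS = [
    ("10.2.0.60", "10.2.0.10"),     # the NAT address handed to the other organization
    ("192.168.4.25", "10.2.0.10"),  # their internal host leaking through un-NATed
    ("192.168.4.200", "10.2.0.54"),
    ("10.2.0.61", "10.2.0.10"),     # neighbour of the allowed host; must still be denied
]


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def _parse_addr(tokens, i):
    """Consume one IOS address spec starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcards are inverse masks: 0 bits must match, 1 bits are don't-care.
    # Inverting gives a normal netmask, which IPv4Network accepts when contiguous.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False), i + 2


def parse_acl(text, number):
    """Return the ACEs of ACL <number> in order, skipping remarks and other ACLs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[2] == "remark":
            continue
        if tokens[3] != "ip":
            raise ValueError("only 'ip' protocol entries are supported: " + line)
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        aces.append(Ace(tokens[2], src, dst, "log" in tokens[i:]))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; anything unmatched hits IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if s in ace.src and d in ace.dst:
            return ace.action, f"ACE {n}"
    return "deny", "implicit deny"


def leaked_sources(aces, flows):
    """Source addresses the ACL lets through; compare with what the IDS still sees."""
    return sorted({s for s, d in flows if evaluate(aces, s, d)[0] == "permit"})


def audit(acl_text, number, flows=OBSERVED_FLOWS):
    """Map each flow to the (action, reason) the ACL would apply."""
    aces = parse_acl(acl_text, number)
    return {f"{s}->{d}": evaluate(aces, s, d) for s, d in flows}


if __name__ == "__main__":
    for name, text, num in (("ACL 101", ACL_101, 101), ("ACL 100", ACL_100, 100)):
        print(name)
        for flow, (action, why) in audit(text, num).items():
            print(f"  {flow:28} {action:6} ({why})")
```

Both ACLs deny the 192.168.4.x sources on paper; the explicit `deny ip any any log` in ACL 100 only makes the drops visible in syslog, it does not block anything the implicit deny in ACL 101 would not. So if the IDS keeps seeing that traffic, the ACL is not being consulted for it: check with `show ip interface` on the port the router is actually cabled to that the inbound access list is bound there, and watch the match counters in `show access-lists` while the traffic is flowing. The evaluator handles `any`, `host` and contiguous wildcard masks only, which is all the quoted lines use.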