Cisco Support Community


Securing a connection through a 5509


I have a situation where a client who has a server (not currently on my network, but in the same building) needs to be able to FTP files to me.

We have firewalls and a DMZ, but for some reason on this task I have been told not to consider running the server through them... yet the requirement is that it must be secure... and that really has not been defined either.

If we hook up the server to our network it will be on a 5509 we use as an access switch. This 5509 runs 3 or 4 VLANs on several floors.

The only thing I can think of is to possibly use port security (basically filtering by MAC address), so that if anything other than that server is attached to that port, the port would shut down. Doesn't seem so secure, does it?

The other would be to set up an access list on the port the server is attached to and only allow FTP traffic from that IP address.

I have been told that neither of the above mentioned options are to be considered as well.

To me it would seem more appropriate to run it through our DMZ, just like any other outside client's FTP would be done... this one is different because the client's server is already in the building with us.

So I'm coming here for some more enlightened suggestions.

I'd appreciate some... Thanks


Re: Securing a connection through a 5509

I sincerely sympathize with you :) I am not sure what you are trying to achieve as far as securing the device, but you could use a combination of things:

a) Create an isolated VLAN just for the server and filter the VLAN traffic appropriately at various points of the network

b) Filter and inspect traffic

c) Use port security at the port level to block unauthorized devices.


Re: Securing a connection through a 5509

I had considered putting the device on its own VLAN... while that segments the traffic (traffic volume shouldn't be an issue with just a little FTP going on), I don't see how another VLAN helps me security-wise.

I'm just trying to learn of other options that may be available to me... other than what I've mentioned, of course. Thanks for the reply.

Re: Securing a connection through a 5509


The two questions you should answer yourself are:

What are the security threats in your scenario?

What are you trying to protect?

Depending on the answers you might end up with nothing but different VLANs, a simple access-list or a PIX firewall controlling all the traffic.

In any case the security features of a pure LAN switch are fairly limited. To get some more protection you have to be able to at least look at Layer 4, i.e. the TCP/UDP port level. This requires router/firewall functionality. In case you have a router/RSM, a simple access-list would probably be the simplest yet effective approach given the vague requirements you are facing.

Hope this helps! Please rate all posts.

Regards, Martin


Re: Securing a connection through a 5509

The only thing I'm "protecting" is a periodic FTP.

Actually, now that I've thought it over, it may be a 5505.

Is the RSM what allows an access list to be used? If so, that may be a problem... it connects several floors to some 6500s in our data center. I'll have to check on this.


Re: Securing a connection through a 5509

The RSM allows access-lists to be applied to VLAN routing interfaces. You just need to filter based on the IP of the new FTP server:

access-list FTP_IN extended permit tcp any eq 21

and if you know the destination host for the communication, you need to take care of the data connection as well, or you could use the inspect feature of the IOS firewall feature set.
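The points made in the last two replies (Martin's, that Layer-4 filtering needs the RSM/router rather than the switch itself, and the reply above, that an access-list keyed on the server's IP must also account for the FTP data connection or use IOS firewall inspection), put together as a worked configuration. This is an added example and not configuration from anyone in the thread; every address, VLAN number, port, MAC and name in it is assumed for illustration, and it further assumes the 5500 runs CatOS, that its RSM routes the isolated VLAN as interface Vlan20 on an IOS image with the firewall feature set, and that the foreign box is the FTP client pushing files to our own FTP server.

```cisco
! Added example, not configuration from the thread. Assumed for
! illustration: the client's box is 10.1.20.10, alone on VLAN 20 behind
! access port 3/1 of the 5500 (CatOS); the RSM routes VLAN 20 as
! interface Vlan20 10.1.20.1/24 and runs IOS with the firewall feature
! set; our FTP server is 10.1.50.5.

! --- On the 5500 (CatOS): isolate the port and pin it to one MAC ---
! Port security only stops a different NIC on that cable; it says
! nothing about what the box sends, so it is the weakest layer here.
set vlan 20 3/1
set port security 3/1 enable 00-aa-bb-cc-dd-ee
set port security 3/1 violation shutdown

! --- On the RSM (IOS): Layer-4 filtering at the VLAN 20 SVI ---
! Stateful inspection of the FTP control channel. The router reads the
! PORT / PASV exchange on the control session and opens the matching
! data connection for its lifetime, so neither active- nor passive-mode
! FTP needs a permanent hole for ephemeral ports.
ip inspect name ISOLATED ftp

! Traffic leaving the isolated VLAN (sent by the client's box). Only the
! FTP control channel to our FTP server is allowed statically; the data
! channel entries come from ip inspect. Everything else is dropped and
! logged.
ip access-list extended FROM_ISOLATED
 remark FTP control channel from the client's box to our FTP server
 permit tcp host 10.1.20.10 host 10.1.50.5 eq 21
 remark data channel (active or passive) is opened by ip inspect
 deny   ip any any log

! Traffic entering the isolated VLAN (toward the client's box). Return
! traffic of inspected sessions is admitted from the inspection session
! table ahead of this list; nothing else gets in, so other hosts on our
! LAN cannot open connections to the foreign box either.
ip access-list extended TO_ISOLATED
 deny   ip any any log

interface Vlan20
 description Isolated VLAN for the client's FTP box
 ip address 10.1.20.1 255.255.255.0
 ip access-group FROM_ISOLATED in
 ip access-group TO_ISOLATED out
 ip inspect ISOLATED in

! Without the firewall feature set, the static fallback covers
! active-mode FTP only (passive mode uses an ephemeral server port the
! box chooses per transfer and cannot be pinned down statically):
!   FROM_ISOLATED: permit tcp host 10.1.20.10 host 10.1.50.5 eq 21
!                  permit tcp host 10.1.20.10 host 10.1.50.5 eq 20 established
!   TO_ISOLATED:   permit tcp host 10.1.50.5 eq 21 host 10.1.20.10 established
!                  permit tcp host 10.1.50.5 eq 20 host 10.1.20.10
```

To check it is doing what you expect, run a transfer from the box and look at `show ip inspect sessions` on the RSM (the control session and, during a transfer, the data session should both be listed) and at the hit counters in `show access-lists FROM_ISOLATED` (only the port-21 entry should count matches; anything landing on the final deny is the box trying to reach something it should not). On the switch, `show port security 3/1` confirms the learned MAC and the violation action. If inspection is not available and you fall back to the static lines, expect passive-mode transfers to fail: that failure is the access-list working, not a misconfiguration, and the fix is to make the client use active mode or to get the firewall feature set.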