Solved

VLAN protection on a PC with 2 NICs

Posted on 2004-09-14
443 Views
Last Modified: 2008-03-17
Hello,
I have a PC (say PcA) with 2 NICs;
each NIC is associated with a VLAN (say VLAN1, e.g. 172.50.x.x, and VLAN2, 192.168.101.x);
another PC (say PcB) has 1 NIC, in VLAN2.



Pc A=====(VLAN1 / VLAN2)====SWITCH----------------(VLAN2)------PcB
                                                      |__ROUTER(for trunking)

A user would typically enter the network through the SWITCH, which is connected to a firewall, then a router (not shown in the above picture) and then the Internet.

A user coming from the Internet can access PcA through VLAN1.

Questions:

1) Once a user has access to PcA (on VLAN1), how exactly should PcA be configured to allow him to reach PcB (I think I should add some command like: route add 192.168.101.0 255.255.255.0 <what gateway ??>), is this correct?

2) With this configuration, is there any way to prevent PcA from reaching PcB?

3) Is there any way to allow such an access as "read-only"? I don't think so actually...


Thanks a lot in advance
Question by:minicuc
8 Comments
 
Expert Comment

by:syn_ack_fin
ID: 12056323
1) Nothing. If PcA has a NIC on each VLAN then there will already be routes created for each segment it is attached to. If PcA was ONLY attached to VLAN1, then he would need the gateway set to whatever router is routing IP traffic across VLANs in your network.
2) If it has a physical attachment to each VLAN then the answer is no. If the system is only on VLAN1 and is routing to VLAN2 then you can use ACLs.
3) No. Read-only would be set up on the OS level, not the switch.

Good Luck

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 12056329
1. If I understand correctly, PCA has a NIC in VLAN 1 and a second NIC in VLAN2.  PCB has a NIC in VLAN2.  If so, you do not need additional routing information as they are both directly connected to the same network.

2. Remove PCA's NIC from VLAN2 :) or you could use an access-list if the switch is manageable. You could use a software firewall to block PCA's access as well.

3. You would need to use file system permissions to restrict read/write access.

Author Comment

by:minicuc
ID: 12058158
So basically it does not matter what VLAN I am starting from, once I have connectivity with PcA I can reach PcB (if no other config on switch or other is done), right?

Access-list... you mean MAC address filtering, right?

Where would it be better to place the Sw firewall, on PcB ?

Thanks

Expert Comment

by:JFrederick29
ID: 12058993
As long as they are in the same VLAN, you can communicate with one another.

No, I mean filtering based on IP address but you would need a layer 3 switch to do that.  I suppose you could use MAC address filtering...

Sure, install it on PCB and have it drop all packets from PCA but allow all others.

Author Comment

by:minicuc
ID: 12062221
Sorry JFrederick, I still am not clear about the first point:

if I reach PcA from another Pc which belongs to VLAN1, would I be able to communicate with PcB ?

Expert Comment

by:JFrederick29
ID: 12063325
No, if you want other PCs to be able to reach PCB through PCA, PCA would need to be routing between the two subnets (VLANs).

Since you have a router trunking, I assume it is providing routing between VLAN1 and VLAN2; PCs on VLAN1 will route through the router to reach PCs on VLAN2.
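The routing behaviour worked out across the accepted solution and the follow-up comments above (PcA needs no extra route because it is directly connected to both VLANs; a VLAN1 host only reaches PcB through the trunking router or through PcA if PcA itself forwards; a host firewall on PcB can drop PcA's packets) as an added Python model. This is not code from the thread or from any of its participants: the concrete addresses are constructed inside the question's 172.50.x.x and 192.168.101.x ranges, the extra host PcC stands in for the user who has reached PcA from VLAN1, and the `Host`, `trace` and `build_lab` names are assumptions of this example.

```python
"""Added example (not from the Experts Exchange thread): a small model of the
routing decisions discussed above. Addresses are constructed inside the
question's 172.50.x.x / 192.168.101.x ranges; host names follow the thread."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    name: str
    interfaces: dict                            # NIC name -> "address/prefix"
    default_gateway: Optional[str] = None       # None means "no default route"
    ip_forward: bool = False                    # True: this box routes between its NICs
    drop_from: set = field(default_factory=set) # host firewall: source IPs to drop

    def addresses(self):
        return {ipaddress.ip_interface(a).ip for a in self.interfaces.values()}

    def next_hop(self, dst):
        """Longest-prefix match over connected networks, then the default route.
        Returns (egress NIC, next-hop IP), or None when there is no route."""
        best = None
        for nic, addr in self.interfaces.items():
            net = ipaddress.ip_interface(addr).network
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (nic, net)
        if best is not None:
            return best[0], dst                 # directly connected: no gateway needed
        if self.default_gateway is not None:
            gw = ipaddress.ip_address(self.default_gateway)
            for nic, addr in self.interfaces.items():
                if gw in ipaddress.ip_interface(addr).network:
                    return nic, gw
        return None


def trace(hosts, src_name, dst_ip, max_hops=8):
    """Follow one packet hop by hop. Returns (list of host names visited, outcome)."""
    by_name = {h.name: h for h in hosts}
    by_ip = {ip: h for h in hosts for ip in h.addresses()}
    dst = ipaddress.ip_address(dst_ip)
    current, path, src_ip = by_name[src_name], [src_name], None
    for _ in range(max_hops):
        if dst in current.addresses():          # arrived at the destination host
            if src_ip in current.drop_from:
                return path, f"dropped by host firewall on {current.name}"
            return path, "delivered"
        if current.name != src_name and not current.ip_forward:
            return path, f"dropped: {current.name} does not forward"  # plain host, not a router
        route = current.next_hop(dst)
        if route is None:
            return path, f"dropped: no route on {current.name}"
        nic, nh = route
        if src_ip is None:                      # source address = egress NIC of the first hop
            src_ip = ipaddress.ip_interface(current.interfaces[nic]).ip
        if nh not in by_ip:
            return path, f"dropped: next hop {nh} unreachable"
        current = by_ip[nh]
        path.append(current.name)
    return path, "dropped: hop limit exceeded"


def build_lab(router_present=True, pca_forwards=False, pcb_blocks_pca=False):
    """Constructed topology from the question: PcA dual-homed, PcB on VLAN2 only,
    PcC a VLAN1 host standing in for the user who reached PcA, optional router."""
    pca = Host("PcA", {"nic1": "172.50.0.10/16", "nic2": "192.168.101.10/24"},
               default_gateway="172.50.0.1", ip_forward=pca_forwards)
    pcb = Host("PcB", {"nic1": "192.168.101.20/24"}, default_gateway="192.168.101.1")
    if pcb_blocks_pca:
        # Filter on the address PcA actually uses toward VLAN2 (its nic2);
        # a rule on PcA's VLAN1 address alone would never match.
        pcb.drop_from.add(ipaddress.ip_address("192.168.101.10"))
    # Without the trunking router, the VLAN1 host points its default route at PcA instead.
    pcc = Host("PcC", {"nic1": "172.50.0.30/16"},
               default_gateway="172.50.0.1" if router_present else "172.50.0.10")
    hosts = [pca, pcb, pcc]
    if router_present:
        hosts.append(Host("Router", {"v1": "172.50.0.1/16", "v2": "192.168.101.1/24"},
                          ip_forward=True))
    return hosts


if __name__ == "__main__":
    print(trace(build_lab(), "PcA", "192.168.101.20"))                      # on-link, no gateway
    print(trace(build_lab(), "PcC", "192.168.101.20"))                      # via the trunking router
    print(trace(build_lab(router_present=False), "PcC", "192.168.101.20"))  # PcA is not a router
    print(trace(build_lab(router_present=False, pca_forwards=True), "PcC", "192.168.101.20"))
    print(trace(build_lab(pcb_blocks_pca=True), "PcA", "192.168.101.20"))   # host firewall on PcB
```

The `ip_forward` flag plays the role of the OS-level routing switch the thread mentions (RRAS or the registry setting on Windows); with it off, PcA answers for its own two addresses but silently drops anything a VLAN1 host tries to push through it, which is exactly why the question's `route add` on PcA changes nothing by itself.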

Author Comment

by:minicuc
ID: 12065021
You are right; in case the router were not providing trunking and I still had 2 NICs on different subnets, the routing could be done by PCA itself (commands: route add etc... and which gateway?).
thx

Expert Comment

by:JFrederick29
ID: 12065604
Actually, depending on the operating system, you need to enable routing, either using RRAS in the Server version or using a registry edit to enable routing in XP or 2000 Professional.

http://www.wown.com/j_helmig/w2kprout.htm
