minicuc
VLAN protection on a PC with 2 NICs
Hello,
I have a PC (say PcA) with 2 NICs;
each NIC is associated with a VLAN (say VLAN1, e.g. 172.50.x.x, and VLAN2, 192.168.101.x);
another PC (say PcB) has 1 NIC, in VLAN2.
PcA=====(VLAN1 / VLAN2)====SWITCH----------------(VLAN2)------PcB
                             |__ROUTER (for trunking)
A user would typically enter the network through the SWITCH, which is connected to a firewall, then a router (not shown in the picture above), and then the Internet.
A user coming from the Internet can access PcA through VLAN1.
Questions:
1) Once a user has access to PcA (on VLAN1), how should PcA exactly be configured to allow him to reach PcB (I think I should add a command like: route add 192.168.101.0 255.255.255.0 <what gateway ??>), is this correct?
2) With this configuration, is there any way to prevent PcA from reaching PcB?
3) Is there any way to allow such an access as "Read-only"? I don't think so actually...
Thanks a lot in advance
ASKER CERTIFIED SOLUTION
ASKER
So basically it does not matter what VLAN I am starting from; once I have connectivity with PcA I can reach PcB (if no other config is done on the switch or elsewhere), right?
Access-list... you mean MAC address filtering, right?
Where would it be better to place the SW firewall, on PcB?
Thanks
As long as they are in the same VLAN, you can communicate with one another.
No, I mean filtering based on IP address, but you would need a layer 3 switch to do that. I suppose you could use MAC address filtering...
Sure, install it on PcB and have it drop all packets from PcA but allow all others.
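The software-firewall approach from the reply above (PcB drops everything PcA sends, everyone else is left alone), as an added PowerShell example that is not part of the original thread. It assumes Windows 8 / Server 2012 or later on PcB, where the NetSecurity cmdlets exist, and an elevated prompt; the two PcA addresses are made up for illustration. Because PcA is dual-homed, both of its addresses have to be blocked, otherwise PcA simply reaches PcB over its VLAN2 NIC.

```powershell
# Added example (not from the original thread): make PcB's Windows Firewall drop
# everything PcA sends and leave all other hosts alone, as the reply above suggests.
# Assumes Windows 8 / Server 2012 or later on PcB (NetSecurity cmdlets) and an
# elevated prompt. PcA's addresses below are assumptions; PcA is dual-homed, so
# BOTH addresses are blocked, or PcA reaches PcB over its VLAN2 leg anyway.
$PcAAddresses = @('172.50.1.10', '192.168.101.10')   # assumed: PcA on VLAN1 / VLAN2

function Block-InboundFrom {
    param(
        [Parameter(Mandatory)] [string[]] $RemoteAddresses,
        [string] $RuleName = 'Drop PcA'
    )
    # Re-runnable: delete any previous copy of the rule before creating it again
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Block -Enabled True -Profile Any `
        -RemoteAddress $RemoteAddresses | Out-Null
}

function Show-BlockRule {
    param([string] $RuleName = 'Drop PcA')
    # Print the rule and the remote addresses it applies to, for verification
    $rule = Get-NetFirewallRule -DisplayName $RuleName
    $rule | Select-Object DisplayName, Direction, Action, Enabled
    $rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
}

Block-InboundFrom -RemoteAddresses $PcAAddresses
Show-BlockRule
# Block rules take precedence over allow rules in Windows Firewall, so this holds
# even when a later allow rule (file sharing, RDP) matches the same traffic.
```

One caveat a practitioner should keep in mind: this rule matches on the source address, so it stops PcA itself, but not packets PcA merely forwards on behalf of a VLAN1 host, since those arrive at PcB with the VLAN1 host's address as source. If PcA is acting as a router, the rule needs the VLAN1 range (here 172.50.0.0/16) in the remote-address list as well.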
ASKER
Sorry Jfrederick, I am still not clear about the first point:
if I reach PcA from another PC which belongs to VLAN1, would I be able to communicate with PcB?
No; if you want other PCs to be able to reach PcB through PcA, PcA would need to be routing between the two subnets (VLANs).
Since you have a router trunking, I assume it is providing routing between VLAN1 and VLAN2; PCs on VLAN1 will route through the router to reach PCs on VLAN2.
ASKER
You are right; in case the router were not providing trunking and I still had 2 NICs on different subnets, the routing could be done by PcA itself (commands: route add etc., and which gateway?).
thx
Actually, depending on the operating system, you need to enable routing, either using RRAS in the Server versions or using a registry edit to enable routing in XP or 2000 Professional.
http://www.wown.com/j_helmig/w2kprout.htm
2) If it has a physical attachment to each VLAN, then the answer is no. If the system is only on VLAN1 and is routing to VLAN2, then you can use ACLs.
3) No. Read-Only would be setup on the OS level, not the switch.
Good Luck
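The configuration the replies above describe, taken together (PcA routing between the two subnets when the router does not, enabling routing on PcA, and the "which gateway" question from the original post), as an added PowerShell example that is not part of the thread. All addresses are assumptions: PcA is 172.50.1.10 on VLAN1 and 192.168.101.10 on VLAN2, PcB is 192.168.101.20. The IPEnableRouter registry value is the XP/2000-era switch the reply refers to; the NetTCPIP cmdlets are assumed to exist only on Windows 8 / Server 2012 and later. Each function is meant to be run on the host named in its comment, from an elevated prompt.

```powershell
# Added example (not from the original thread): the three pieces of configuration
# needed for a host on VLAN1 to reach PcB through PcA. Addresses are assumptions:
# PcA = 172.50.1.10 (VLAN1) / 192.168.101.10 (VLAN2), PcB = 192.168.101.20.

# --- On PcA: turn the dual-homed PC into a router. PcA itself needs NO "route add"
#     for 192.168.101.0/24, that subnet is directly connected on its second NIC.
#     What it needs is IP forwarding, which Windows disables by default.
function Enable-IpForwarding {
    # Registry switch used since Windows 2000/XP; takes effect after a reboot.
    reg add 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        /v IPEnableRouter /t REG_DWORD /d 1 /f | Out-Null
    # On Windows 8 / Server 2012 and later the same thing can be switched per
    # interface without a reboot (assumed available; skipped on older systems).
    if (Get-Command Set-NetIPInterface -ErrorAction SilentlyContinue) {
        Get-NetIPInterface -AddressFamily IPv4 |
            Where-Object { $_.ConnectionState -eq 'Connected' } |
            Set-NetIPInterface -Forwarding Enabled
    }
}

# --- On every VLAN1 host that should use PcA: the gateway for 192.168.101.0/24
#     is PcA's VLAN1 address. If the router is not routing between the VLANs,
#     the host's default gateway has nowhere to send these packets; this route
#     points them at PcA instead.
function Add-RouteViaPcA {
    param(
        [string] $Destination = '192.168.101.0',
        [string] $Mask        = '255.255.255.0',
        [string] $Gateway     = '172.50.1.10'     # assumed: PcA's VLAN1 NIC
    )
    route -p add $Destination mask $Mask $Gateway   # -p: persists across reboots
}

# --- On PcB: the return path. Replies to 172.50.x.x follow PcB's default gateway
#     (the router) unless told otherwise; if that router does not route to VLAN1
#     they are lost, and even when it does the path is asymmetric. Sending them
#     back via PcA's VLAN2 address keeps both directions on PcA.
function Add-ReturnRouteViaPcA {
    param(
        [string] $Destination = '172.50.0.0',
        [string] $Mask        = '255.255.0.0',
        [string] $Gateway     = '192.168.101.10'  # assumed: PcA's VLAN2 NIC
    )
    route -p add $Destination mask $Mask $Gateway
}

# Run on the respective hosts (uncomment the line that applies):
# Enable-IpForwarding        # on PcA, then reboot on XP/2000
# Add-RouteViaPcA            # on each VLAN1 host that should go through PcA
# Add-ReturnRouteViaPcA      # on PcB
#
# Check from a VLAN1 host afterwards:
#   tracert 192.168.101.20   -> first hop should be 172.50.1.10 (PcA), then PcB
```

Note what this buys and costs: once forwarding is on, PcA is a gateway from VLAN1 into VLAN2 for anyone who can reach it, which is exactly why the answer to question 2 is "no" for a dual-homed PcA. The only control points left are PcA's own host firewall and PcB's; if the router already routes between the VLANs, as the reply assumes, none of this is needed and the router (or a layer 3 switch) is where the ACL belongs.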