vlans communication and security

I want to have the following setup:
vlan1 - administrative
vlan2 - students
vlan3 - teacher workstations
vlan4 - servers (dns, dhcp, fileservers, db servers)
vlan5 - IT department

I want vlan2 and vlan3 to ONLY access the fileserver (and of course to get dns and dhcp),
vlan1 to ONLY access the fileserver and db servers (and of course to get dns and dhcp),
vlan5 to be able to access all other vlans (vnc or terminal server into all other machines).

Is this possible? Or are there any other solutions?
As of now all devices are connected to switches which go into a layer 3 Cisco 2948G.
I have a Win2k domain with Active Directory.
I also want all vlans to connect to the internet.
Asked by LCiaccio
LCiaccio (Author) commented:
I also want all vlans to access the internet.
neowolf219 commented:
Hi LCiaccio,


There is a lot to your question.  Basically what you are talking about is using ACLs to segment the routing taking place at Layer 3 on your switch.  

For instance, if I want to allow vlan 1 (10.10.10.0/24) to only access a fileserver (1.1.1.1) and db servers (1.1.1.2 and 1.1.1.3), I would do the following:

access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3

Then apply this going outbound on your vlan interface

interface vlan 1
 ip access-group 101 out

Same concept for everything else you would want to do, concerning routing between your vlans.  

As far as accessing the internet, if you just have one connection to the internet set up a default route

ip route 0.0.0.0 0.0.0.0 <ip address of your internet router/pix box/etc.>

Also, remember that you will have to setup trunking on your switches to come back to your L3 switch, so the routing can take place there.  

Hope this helps some
LCiaccio (Author) commented:
Now, how about accessing every vlan from vlan5?
 
harbor235 commented:
This is possible, but I would not say that by implementing ACLs you are secure. Ideally, if you are serious about security, I would recommend deploying a firewall to segment this traffic. Looking at your proposed VLAN configuration, I would want my IT assets and teachers' workstations secure from the student VLAN. A good stateful inspection enterprise class firewall like PIX, Checkpoint, or Netscreen would be an excellent choice.

harbor235
neowolf219 commented:
I would use an IGP. If your environment is relatively small, then you could use RIP.

Vlan1 - 10.10.10.0/24
Vlan2 - 10.10.20.0/24
Vlan3 - 10.10.30.0/24
Vlan5 - 10.10.50.0/24

router rip
 version 2
 network 10.10.0.0

Without access-lists, this will allow routing between all your VLANs, but once you implement your access-lists you can manipulate what flows between your SVIs (i.e. your vlan interfaces).  

Remember that your access-lists have an implicit deny at the end of all their statements. For example, using the one above:

access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3

we are saying anything sourced from the 10.10.10.0 subnet destined for 1.1.1.1, 1.1.1.2, and 1.1.1.3 is permitted, while everything else is denied. Think of the above as really saying

access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3
access-list 101 deny ip any any <---- except this isn't needed.
LCiaccio (Author) commented:
What you said is great, neowolf, but what's the syntax in an ACL to allow workstations in vlan5 to access workstations in vlan1,2,3,4? Since vlan5 contains all IT admins I want them to be able to vnc or terminal server into every machine in the building.
neowolf219 commented:
No ACL is needed for vlan 5

Sorry, let me try to clear this up ...

In the config above:  

router rip
 version 2
 network 10.10.0.0

What this is doing is allowing EVERYTHING to route between each other. The access lists, when applied to your vlan interface, will deny everything except what is in the ACL. So if we enter the access-list for vlan one as specified above, it will limit the traffic that that specific VLAN can access. If we didn't use an access-list, and had the rip config in our switch, then vlan 1 would be able to access all vlans. But since we are going to apply an access-list on vlan1, this will segment the traffic.

By simply not applying an access-list to vlan 5, vlan 5 will have access to all of those VLANs using RIP.  

This is dynamic routing as opposed to static routing.  

Take the following (just an example):

access-list 110 permit ip 10.10.50.0 0.0.0.255 host 1.1.1.1

interface vlan 5
 ip access-group 110 out

This will only allow your vlan 5 to have access to only 1.1.1.1 (remember, implicit deny).


Now if I did the following

access-list 110 deny ip 10.10.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip any any <---- overrides the implicit deny

interface vlan 5
 ip access-group 110 out

This will deny vlan 5 from accessing 1.1.1.1, while allowing them to access everything else.  

Hopefully I haven't confused the issue any more.
 
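As an added illustration (not code from this thread), a small Python evaluator that applies the first-match, implicit-deny semantics neowolf219 describes to the two ACLs from the replies above; the ACL text is copied from the thread (with the `host` keyword IOS requires for a single destination address), and the source/destination addresses fed to it are constructed.

```python
import ipaddress

# Constructed sample ACLs, copied from the replies in this thread (with the
# 'host' keyword IOS requires for a single destination address).
ACL_101 = """
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3
"""
ACL_110 = """
access-list 110 deny ip 10.10.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip any any <---- overrides the implicit deny
"""

def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 >= len(tokens):  # bare trailing address, as typed in the thread;
        return ipaddress.ip_network(tok + "/32"), i + 1  # IOS itself wants 'host'
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # invert wildcard bits
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2

def parse_acl(text):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split("<")[0].split()  # drop trailing '<----' annotations
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"

if __name__ == "__main__":
    for name, acl, flow in (("101", ACL_101, ("10.10.10.25", "10.10.20.7")),
                            ("110", ACL_110, ("10.10.50.9", "10.10.20.7"))):
        print(name, flow, "->", evaluate(parse_acl(acl), *flow))
```

The evaluator only decides match or no match; on a Cisco SVI, `ip access-group ... in` filters packets arriving from hosts in that VLAN while `out` filters packets routed toward them, so check the direction against the source addresses in the ACL when applying it.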
LCiaccio (Author) commented:
Thanks for your help, neowolf.
neowolf219 commented:
No prob ... good luck!  If you run into any problems post again ... tons of awesome people here who can, worst case, at least get you pointed in the right direction.