
vlans communication and security

Posted on 2005-03-02
Last Modified: 2010-04-10
I want to have the following setup:
vlan1 - administrative
vlan2 - students
vlan3 - teacher workstations
vlan4 - servers (dns, dhcp, fileservers, db servers)
vlan5 - IT department

I want vlan2 and vlan3 to ONLY access the fileserver (and of course to get dns and dhcp),
vlan1 to ONLY access the fileserver and db servers (and of course to get dns and dhcp),
vlan5 to be able to access all other vlans (vnc or terminal server into all other machines).

Is this possible? Or are there any other solutions?
As of now all devices are connected to switches which go into a Layer 3 Cisco 2948G.
I have a Win2k domain with Active Directory.
I also want all vlans to connect to the internet.
Question by:LCiaccio

Author Comment

by:LCiaccio
ID: 13443371
I also want all vlans to access the internet.

Expert Comment

by:neowolf219
ID: 13443591
Hi LCiaccio,


There is a lot to your question.  Basically what you are talking about is using ACLs to segment the routing taking place at Layer 3 on your switch.  

For instance, if I want to allow VLAN 1 (10.10.10.0/24) to only access a fileserver (1.1.1.1) and DB servers (1.1.1.2 and 1.1.1.3), I would do the following:

access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3

Then apply this going outbound on your vlan interface:

interface vlan 1
 ip access-group 101 out

Same concept for everything else you would want to do, concerning routing between your vlans.  

As far as accessing the internet, if you just have one connection to the internet, set up a default route:

ip route 0.0.0.0 0.0.0.0 <ip address of your internet router/pix box/etc.>

Also, remember that you will have to set up trunking on your switches to come back to your L3 switch, so the routing can take place there.

Hope this helps some

Author Comment

by:LCiaccio
ID: 13443656
Now, how about accessing every VLAN from vlan5?

Expert Comment

by:harbor235
ID: 13443820
This is possible, but I would not say that by implementing ACLs you are secure. Ideally, if you are serious about security, I would recommend deploying a firewall to segment this traffic. Looking at your proposed VLAN configuration, I would want my IT assets and teachers' workstations secure from the student VLAN. A good stateful inspection enterprise class firewall like PIX, Checkpoint, or Netscreen would be an excellent choice.

harbor235

Expert Comment

by:neowolf219
ID: 13443827
I would use an IGP.  If your environment is relatively small, then you could use RIP.

Vlan1 - 10.10.10.0/24
Vlan2 - 10.10.20.0/24
Vlan3 - 10.10.30.0/24
Vlan5 - 10.10.50.0/24

router rip
 version 2
 network 10.10.0.0

Without access-lists, this will allow routing between all your VLANs, but once you implement your access-lists you can manipulate what flows between your SVIs (i.e. your vlan interfaces).  

Remember that your access-lists have an implicit deny at the end of all their statements. For example, using the one above:

access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3

we are saying anything sourced from the 10.10.10.0 subnet destined for 1.1.1.1, 1.1.1.2, and 1.1.1.3 is permitted, while everything else is denied.  Think of the above as really saying

access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3
access-list 101 deny ip any any <---- except this isn't needed.

Author Comment

by:LCiaccio
ID: 13444327
What you said is great, neowolf, but what's the syntax in an ACL to allow workstations in vlan5 to access workstations in vlan1, 2, 3, 4? Since vlan5 contains all IT admins, I want them to be able to VNC or Terminal Server into every machine in the building.

Accepted Solution

by: neowolf219 (earned 1200 total points)
ID: 13444582
No ACL is needed for vlan 5.

Sorry, let me try to clear this up ...

In the config above:  

router rip
 version 2
 network 10.10.0.0

What this is doing is allowing EVERYTHING to route between each other.  The access lists, when applied to your vlan interface, will deny everything except what is in the ACL.  So if we enter the access-list for vlan one as specified above, it will limit the traffic that that specific VLAN can access.  If we didn't use an access-list, and had the rip config in our switch, then vlan 1 would be able to access all vlans.  But since we are going to apply an access-list on vlan1, this will segment the traffic.

By simply not applying an access-list to vlan 5, vlan 5 will have access to all of those VLANs using RIP.  

This is dynamic routing as opposed to static routing.  

Take the following (just an example):

access-list 110 permit ip 10.10.50.0 0.0.0.255 host 1.1.1.1

interface vlan 5
 ip access-group 110 out

This will allow your vlan 5 to have access to only 1.1.1.1 (remember, implicit deny).


Now if I did the following

access-list 110 deny ip 10.10.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip any any <---- overrides the implicit deny

interface vlan 5
 ip access-group 110 out

This will deny vlan 5 from accessing 1.1.1.1, while allowing them to access everything else.  

Hopefully I haven't confused the issue any more.
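
Added here as an illustration, not part of any post in this thread: a small Python model of how a Cisco IOS numbered extended ACL is evaluated (wildcard masks, first match wins, implicit deny at the end), fed the ACL 101 entries from the earlier answer and the ACL 110 deny/permit-any pair from the accepted solution. The `host` keyword (IOS needs a destination mask or keyword) and the sample source addresses are assumptions for this model, not taken from the posts.

```python
import ipaddress  # standard library only
# Constructed sample ACLs transcribed from the answers above; the 'host'
# keyword is added where IOS requires a destination mask or keyword.
ACL_101 = """
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.2
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 1.1.1.3
"""
ACL_110 = """
access-list 110 deny ip 10.10.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip any any
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0, tokens[2:]
    return ip_int(tokens[0]), ip_int(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse numbered extended entries: access-list N permit|deny PROTO SRC DST."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # skip anything that is not an access control entry
        action, proto = t[2], t[3]
        src, src_wc, rest = parse_addr(t[4:])
        dst, dst_wc, _ = parse_addr(rest)
        entries.append((action, proto, src, src_wc, dst, dst_wc))
    return entries

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care.
    return addr & ~wildcard == base & ~wildcard

def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """Evaluate top to bottom; the first matching entry decides. If nothing
    matches, the implicit 'deny ip any any' at the end of every ACL applies."""
    s, d = ip_int(src_ip), ip_int(dst_ip)
    for action, p, src, swc, dst, dwc in entries:
        if p in ("ip", proto) and wildcard_match(s, src, swc) and wildcard_match(d, dst, dwc):
            return action
    return "deny"
```

Running `evaluate(parse_acl(ACL_101), "10.10.10.25", "1.1.1.4")` returns "deny" even though no line says so, which is the implicit deny the answer describes; swapping in ACL_110 shows the explicit `permit ip any any` reversing that default.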

Author Comment

by:LCiaccio
ID: 13444682
Thanks for your help, neowolf.

Expert Comment

by:neowolf219
ID: 13444762
No prob ... good luck!  If you run into any problems post again ... tons of awesome people here who can, worst case, at least get you pointed in the right direction.