Solved

DMZ SERVERS access restriction

Posted on 2006-07-21
14
305 Views
Last Modified: 2010-04-17
Hi,

We have configured a VLAN for our internal servers on a Cisco 6509 switch, and its gateway is set on a Cisco PIX. Can we restrict PCs communicating with each other within the VLAN? Viruses are spreading across this VLAN.
========================


Please find the current config

6509-SW#sh int vlan 14
Vlan14 is up, line protocol is up
  Hardware is EtherSVI, address is 0011.5db4.b80a (bia 0011.5db4.b80a)
  Description: ***** DMZ Vlan *****
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 3w1d, output never, output hang never
  Last clearing of "show interface" counters 5w3d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 1173015079 pkt, 787125059174 bytes - mcast: 1823314 pkt, 128251445 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 1 pkt, 64 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes
     5 packets input, 320 bytes, 0 no buffer
     Received 5 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
6509-SW#
=====================================
6509-SW#sh run int vlan 14
Building configuration...

Current configuration : 73 bytes
!
interface Vlan14
 description ***** DMZ Vlan *****
 no ip address
end
6509-SW#

====================================

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
14   DMZ                              active    Gi3/2, Gi3/3, Gi3/4, Gi3/10
                                                Gi3/12, Gi3/29, Gi3/34, Gi3/45
                                                Gi3/48, Gi4/10, Gi4/31, Gi4/34
                                                Gi4/40, Gi4/41, Gi4/42, Gi4/43
                                                Gi4/44, Gi4/47, Gi5/8, Gi5/9
                                                Gi5/10, Gi5/15, Gi5/18, Gi5/28
                                                Gi5/29




Gateway we have set in Cisco PIX - 10.1.14.254

0
Comment
Question by:ssshibu
  • 8
  • 6
14 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17158848
Shibu,

  The concept of VLAN and IP addressing scheme used is such that all the machines in a particular VLAN will talk to each other, and if one has to talk to another VLAN, it needs a router. So VLAN-to-VLAN communication can be controlled, since a router element is in between.

  So if you have a webserver and some client PCs in your network, the best way to go about it would be: create a VLAN, call it Vlan1, and put the server in it. Create another VLAN, call it Vlan2, and put all the client machines in it. Now if the client machines need to talk to the webserver, you can control how, based on the router which does the routing for them, in your case the MSFC on the Cat6K. Windows XP clients can be configured with the inbuilt firewall, and it works fairly well.

  For the same VLAN, what you need to have is a firewall, probably on each machine, that allows only a limited set of traffic to go through it. Advanced technologies include a HIPS (Host-based Intrusion Prevention System).

Cheers,
Rajesh
0
 

Author Comment

by:ssshibu
ID: 17158878
Rajeshji,


Ok thanks for the response...

Is there any provision to block servers communicating with each other within a VLAN using MAC-based access-lists?

Please get back to me



0
 

Author Comment

by:ssshibu
ID: 17158888
I have to do it in the Cisco 6509 switch.
0
 

Author Comment

by:ssshibu
ID: 17158891
Actually, that VLAN contains different customers' servers.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159067
Yeah, we can try that, not a problem. Before I say anything, what is the OS version running on the Cat6k?

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159087
If you are not using native IOS for the switch, then the command syntax would be as below:

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


so;

set security acl mac <AclName> deny <FirstServerMacAddress> <SecondServerMacAddress>
commit security acl <AclName>

You'll have to add entries for all the servers. Also, you have to remember that if you change the NIC card on any server, you'll have to update these entries as well.

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159089
0

 

Author Comment

by:ssshibu
ID: 17159095
I have the following IOS (Cisco 6509 switch):


Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(22)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

System image file is "sup-bootflash:c6sup22-psv-mz.121-22.E2.bin"
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159111
Try the above and see if it is supported. It's been quite some time since I've touched those things. I've picked it up from the Cisco site.

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17163803
Shibu, any update ?

Cheers,
Rajesh
0
 

Author Comment

by:ssshibu
ID: 17185177
Rajeshji,

Sorry for the late written reply.

I did not try because I did not understand anything, sir.

Let me tell you what I want to try out. I need to block servers communicating within a VLAN. How do I do it other than with the individual servers' firewall settings? Can I block it within the L3 switch itself?

Thanks for understanding me

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17185400
Actually, you know how to make access-lists with IP addresses, right?

Similarly, instead of IP addresses you use the MAC addresses of the machines there.

Look at this section:

Creating a Non-IP Version 4/Non-IPX VACL (MAC ACL) and Adding ACEs

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


set security acl mac <name> deny <macaddress of one server> <mac address of other server> ether-type

Cheers,
Rajesh
0
 

Author Comment

by:ssshibu
ID: 17206615
Rajeshji,

The set command is not accepted on the Cisco L3 6509.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 75 total points
ID: 17208204
So it is a hybrid IOS then; you'll have to use the following set:

Switch(config)# mac access-list extended ARP_Packet
Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)# end
Switch(config)#

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Take a look at the above link.

Cheers,
Rajesh
0
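As an added example (not from the thread or from Cisco's documentation), here is a small Python generator for the IOS-style MAC access-list of the accepted answer, plus the VACL access-map lines that apply it to VLAN 14; the ACL and map names and the MAC values are constructed. Note the VACL semantics the generator follows: the access-map's drop action applies to frames the MAC ACL permits, so each server pair is permitted in the ACL and dropped by the map, and the entry count grows as n*(n-1), which is the NIC-swap maintenance burden rsivanandan mentions. The page's own heading calls this a "Non-IP Version 4/Non-IPX" ACL: on this platform a MAC ACL classifies only non-IP frames, so IP traffic between the servers still needs an IP ACL or the per-host firewalls suggested earlier.

```python
import re

# Constructed sample: three DMZ server MACs in the mixed notations an
# operator might paste in (hypothetical values, not taken from the thread).
SERVERS = ["0000.861f.3745", "00:06:5b:d8:8c:2f", "0011-5DB4-B80B"]

def cisco_mac(mac):
    """Normalise a MAC address to Cisco's dotted form xxxx.xxxx.xxxx."""
    hexd = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexd) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{hexd[0:4]}.{hexd[4:8]}.{hexd[8:12]}"

def isolation_vacl(servers, acl="DMZ_SERVER_PAIRS", vmap="DMZ_ISOLATE", vlan=14):
    """Return IOS config lines that drop frames between any two listed servers.

    The MAC ACL *permits* every ordered server pair; access-map sequence 10
    drops what the ACL permits, and sequence 20 (no match clause) forwards
    everything else. Names and VLAN number are assumptions for this example.
    """
    macs = sorted({cisco_mac(m) for m in servers})
    lines = [f"mac access-list extended {acl}"]
    for src in macs:
        for dst in macs:
            if src != dst:  # one entry per ordered pair: n*(n-1) entries
                lines.append(f" permit host {src} host {dst}")
    lines += [
        f"vlan access-map {vmap} 10",
        f" match mac address {acl}",
        " action drop",
        f"vlan access-map {vmap} 20",
        " action forward",
        f"vlan filter {vmap} vlan-list {vlan}",
    ]
    return lines

def pair_entries(lines):
    """Count the per-pair ACL entries (sanity check for how much must be
    re-entered when a server's NIC, and so its MAC, changes)."""
    return sum(1 for l in lines if l.startswith(" permit host"))

if __name__ == "__main__":
    print("\n".join(isolation_vacl(SERVERS)))
```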
