DMZ SERVERS access restriction

Hi,

We have configured a VLAN for our internal servers in a Cisco 6509 switch, and its gateway we have set in a Cisco PIX. Can we restrict PCs communicating with each other within the VLAN? Because a virus is spreading across this VLAN.
========================


Please find the current config:

6509-SW#sh int vlan 14
Vlan14 is up, line protocol is up
  Hardware is EtherSVI, address is 0011.5db4.b80a (bia 0011.5db4.b80a)
  Description: ***** DMZ Vlan *****
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 3w1d, output never, output hang never
  Last clearing of "show interface" counters 5w3d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 1173015079 pkt, 787125059174 bytes - mcast: 1823314 pkt, 128251445 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 1 pkt, 64 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes
     5 packets input, 320 bytes, 0 no buffer
     Received 5 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
6509-SW#
=====================================
6509-SW#sh run int vlan 14
Building configuration...

Current configuration : 73 bytes
!
interface Vlan14
 description ***** DMZ Vlan *****
 no ip address
end
6509-SW#

====================================

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
14   DMZ                              active    Gi3/2, Gi3/3, Gi3/4, Gi3/10
                                                Gi3/12, Gi3/29, Gi3/34, Gi3/45
                                                Gi3/48, Gi4/10, Gi4/31, Gi4/34
                                                Gi4/40, Gi4/41, Gi4/42, Gi4/43
                                                Gi4/44, Gi4/47, Gi5/8, Gi5/9
                                                Gi5/10, Gi5/15, Gi5/18, Gi5/28
                                                Gi5/29




The gateway we have set in the Cisco PIX is 10.1.14.254.

ssshibu Asked:
 
rsivanandan Commented:
So it is a hybrid IOS; then you'll have to use the following set:

Switch(config)# mac access-list extended ARP_Packet
Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)# end
Switch(config)#

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml 

Take a look at the above link.

Cheers,
Rajesh
0
 
rsivanandanCommented:
Shibu,

  The concept of VLANs and the IP addressing scheme used is such that all the machines in a particular VLAN will talk to each other, and if one has to talk to another VLAN, it needs a router. So VLAN-to-VLAN communication can be controlled, since a router element is in between.

  So if you have a webserver and some client PCs in your network, the best way to go about it would be: create a VLAN, call it Vlan1, and put the server in it. Create another VLAN, call it Vlan2, and put all the client machines in it. Now if the client machines need to talk to the webserver, you can control how, based on the router which does the routing for them, in your case the MSFC on the Cat6K. Windows XP clients can be configured with the inbuilt firewall, and it works fairly well.

  For the same VLAN, what you need to have is a firewall, probably on each machine, that allows only a limited set of traffic to go through it. Advanced technologies would include having a HIPS (Host-based Intrusion Prevention System).

Cheers,
Rajesh
0
 
ssshibuAuthor Commented:
Rajeshji,


Ok thanks for the response...

Is there any provision to block servers communicating with each other within a VLAN using MAC-based access lists?

Please get back to me



0
 
ssshibuAuthor Commented:
I have to do it in the Cisco 6509 switch.
0
 
ssshibuAuthor Commented:
Actually, that VLAN contains different customers' servers.
0
 
rsivanandanCommented:
Yeah, we can try that, not a problem. Before I say anything, what is the OS version running on the Cat6k?

Cheers,
Rajesh
0
 
rsivanandanCommented:
If you are not using native IOS for the switch, then the command syntax would be as below:

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


So:

set security acl mac <AclName> deny <FirstServerMacAddress> <SecondServerMacAddress>
commit security acl <AclName>

You'll have to add entries for all the servers. Also, you have to remember that if you change the NIC card on any server, you'll have to update these entries as well.

Cheers,
Rajesh
0
 
ssshibuAuthor Commented:
I have the following IOS (Cisco 6509 switch):

Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(22)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

System image file is "sup-bootflash:c6sup22-psv-mz.121-22.E2.bin"
0
 
rsivanandanCommented:
Try the above and see if it is supported. It's been quite some time since I've touched those things. I've picked it up from the Cisco site.

Cheers,
Rajesh
0
 
rsivanandanCommented:
Shibu, any update ?

Cheers,
Rajesh
0
 
ssshibuAuthor Commented:
Rajeshji,

Sorry for the late written reply.

I did not try because I did not understand anything, sir.

Let me tell you what I want to try out. I need to block servers communicating within a VLAN. How do I do this other than with the individual servers' firewall settings? Can I block within the L3 switch itself?

Thanks for understanding me.

0
 
rsivanandanCommented:
Actually, you know how to make access lists with IP addresses, right?

Similarly, instead of IP addresses you use the MAC addresses of the machines there.

Look at this section:

Creating a Non-IP Version 4/Non-IPX VACL (MAC ACL) and Adding ACEs

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


set security acl mac <name> deny <macaddress of one server> <mac address of other server> ether-type

Cheers,
Rajesh
0
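As an added example (not part of the thread, and not Cisco's own documentation), here is a small Python generator that turns a server inventory into the pairwise MAC ACL entries the answers above describe: the IOS `mac access-list extended` form shown in the accepted answer and the CatOS `set security acl mac` form quoted in this one. The server names and MAC addresses are constructed, and the ACL name DMZ_ISOLATE is an assumption. A deny entry matches one direction only, so for n servers it emits n(n-1) entries, which is also why keeping the inventory in one place matters when a NIC is replaced, as Rajesh notes.

```python
"""Generate the per-server MAC ACL entries discussed in the thread.

Constructed example: three DMZ servers in one VLAN. Any other inventory
can be substituted; MACs may be written in colon, dash or Cisco dotted form.
"""
import re
from itertools import permutations

# Constructed inventory (not from the thread): server name -> MAC address.
DMZ_SERVERS = {
    "web1": "00:11:22:33:44:55",
    "web2": "0011.2233.4466",
    "db1":  "00-11-22-33-44-77",
}


def normalize_mac(mac):
    """Return a MAC in Cisco dotted form (hhhh.hhhh.hhhh) or raise ValueError."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def _mac_table(servers):
    """Normalise every MAC and refuse an inventory where two servers share one."""
    table = {name: normalize_mac(mac) for name, mac in servers.items()}
    if len(set(table.values())) != len(table):
        raise ValueError("two servers have the same MAC address")
    return table


def ios_mac_acl(acl_name, servers, ethertype=None):
    """IOS syntax from the thread: 'mac access-list extended NAME' with one
    'deny host A host B' per ordered pair (deny is directional, so both
    A->B and B->A are emitted), then 'permit any any' so other frames pass.
    ethertype, if given, is appended with a zero mask as in the thread
    (e.g. "0x806" to match ARP only)."""
    table = _mac_table(servers)
    suffix = f" {ethertype} 0x0" if ethertype else ""
    lines = [f"mac access-list extended {acl_name}"]
    for src, dst in permutations(sorted(table), 2):
        lines.append(f" deny host {table[src]} host {table[dst]}{suffix}")
    lines.append(" permit any any")
    return lines


def catos_mac_acl(acl_name, servers):
    """CatOS syntax from the thread: one 'set security acl mac ... deny'
    per ordered pair, followed by 'commit security acl' to activate it."""
    table = _mac_table(servers)
    lines = [
        f"set security acl mac {acl_name} deny {table[src]} {table[dst]}"
        for src, dst in permutations(sorted(table), 2)
    ]
    lines.append(f"commit security acl {acl_name}")
    return lines


if __name__ == "__main__":
    print("\n".join(ios_mac_acl("DMZ_ISOLATE", DMZ_SERVERS)))
    print()
    print("\n".join(catos_mac_acl("DMZ_ISOLATE", DMZ_SERVERS)))
```

The generated lines are pasted into the switch configuration; how the ACL is bound to the VLAN on the IOS side and whether the platform evaluates MAC ACLs for IP-bearing frames are not covered by the thread, so verify both on the switch before relying on this for isolation.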
 
ssshibuAuthor Commented:
Rajeshji,

The set command is not taking in the Cisco L3 6509.
0
Question has a verified solution.