DMZ SERVERS access restriction

Posted on 2006-07-21
Last Modified: 2010-04-17
Hi,

We have configured a VLAN for our internal servers on a Cisco 6509 switch, and its gateway is set on a Cisco PIX. Can we restrict PCs from communicating with each other within the VLAN? A virus is spreading across this VLAN.
========================


Please find the current config below:

6509-SW#sh int vlan 14
Vlan14 is up, line protocol is up
  Hardware is EtherSVI, address is 0011.5db4.b80a (bia 0011.5db4.b80a)
  Description: ***** DMZ Vlan *****
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 3w1d, output never, output hang never
  Last clearing of "show interface" counters 5w3d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 1173015079 pkt, 787125059174 bytes - mcast: 1823314 pkt, 128251445 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 1 pkt, 64 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes
     5 packets input, 320 bytes, 0 no buffer
     Received 5 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
6509-SW#
=====================================
6509-SW#sh run int vlan 14
Building configuration...

Current configuration : 73 bytes
!
interface Vlan14
 description ***** DMZ Vlan *****
 no ip address
end
6509-SW#

====================================

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
14   DMZ                              active    Gi3/2, Gi3/3, Gi3/4, Gi3/10
                                                Gi3/12, Gi3/29, Gi3/34, Gi3/45
                                                Gi3/48, Gi4/10, Gi4/31, Gi4/34
                                                Gi4/40, Gi4/41, Gi4/42, Gi4/43
                                                Gi4/44, Gi4/47, Gi5/8, Gi5/9
                                                Gi5/10, Gi5/15, Gi5/18, Gi5/28
                                                Gi5/29




Gateway we have set in Cisco PIX - 10.1.14.254

Question by: ssshibu
14 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17158848
Shibu,

  The concept of VLANs and the IP addressing scheme used is such that all the machines in a particular VLAN will talk to each other, and if a machine has to talk to another VLAN, it needs a router. So VLAN-to-VLAN communication can be controlled, since a router element is in between.

  So if you have a web server and some client PCs in your network, the best way to go about it would be to create a VLAN, call it Vlan1, and put the server in it. Create another VLAN, call it Vlan2, and put all the client machines in it. Now, if the client machines need to talk to the web server, you can control how based on the router which does the routing for them, in your case the MSFC on the Cat6K. Windows XP clients can be configured with the built-in firewall, and it works fairly well.

  For the same VLAN, what you need to have is a firewall, probably on each machine, that allows only a limited set of traffic to go through it. More advanced options include a HIPS (Host-based Intrusion Prevention System).

Cheers,
Rajesh

Author Comment

by:ssshibu
ID: 17158878
Rajeshji,


Ok thanks for the response...

Is there any provision to block servers from communicating with each other within a VLAN using MAC-based access lists?

Please get back to me




Author Comment

by:ssshibu
ID: 17158888
I have to do it on the Cisco 6509 switch.

Author Comment

by:ssshibu
ID: 17158891
Actually, that VLAN contains different customers' servers.
LVL 32

Expert Comment

by:rsivanandan
ID: 17159067
Yeah, we can try that, not a problem. Before I say anything, what is the OS version running on the Cat6k?

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 17159087
If you are not using native IOS for the switch, then the command syntax would be as below:

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


So:

set security acl mac <AclName> deny <FirstServerMacAddress> <SecondServerMacAddress>
commit security acl <AclName>

You'll have to add entries for all the servers. Also remember that if you change the NIC on any server, you'll have to update these entries as well.

Cheers,
Rajesh

Author Comment

by:ssshibu
ID: 17159095
I have the following IOS (Cisco 6509 switch):


Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(22)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

System image file is "sup-bootflash:c6sup22-psv-mz.121-22.E2.bin"
LVL 32

Expert Comment

by:rsivanandan
ID: 17159111
Try the above and see if it is supported. It's been quite some time since I've touched those things. I picked it up from the Cisco site.

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 17163803
Shibu, any update?

Cheers,
Rajesh

Author Comment

by:ssshibu
ID: 17185177
Rajeshji,

Sorry for the late reply.

I did not try, because I did not understand anything, sir.

Let me tell you what I want to try out. I need to block servers from communicating with each other within a VLAN. How do I do that other than with individual servers' firewall settings? Can I block it within the L3 switch itself?

Thanks for understanding me.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17185400
Actually, you know how to make access lists with IP addresses, right?

Similarly, instead of IP addresses you use the MAC addresses of the machines there.

Look at this section:

Creating a Non-IP Version 4/Non-IPX VACL (MAC ACL) and Adding ACEs

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


set security acl mac <name> deny <macaddress of one server> <mac address of other server> ether-type

Cheers,
Rajesh

Author Comment

by:ssshibu
ID: 17206615
Rajeshji,

The set command is not accepted on the Cisco L3 6509.
LVL 32

Accepted Solution

by:
rsivanandan earned 75 total points
ID: 17208204
So it is a hybrid IOS; then you'll have to use the following set:

Switch(config)# mac access-list extended ARP_Packet
Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)# end
Switch(config)#

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml 

Take a look at the above link.

Cheers,
Rajesh
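As an added worked example for the approach the accepted answer points at (it is not code from the thread or from Cisco), the script below generates the native-IOS configuration for a VACL that drops server-to-server traffic inside VLAN 14 while still forwarding everything else, including traffic to the PIX gateway at 10.1.14.254. Two points a practitioner wants to get right, and that the ARP-only snippet above does not show: a `vlan access-map` sequence applies its action to the traffic its ACL *permits*, so the pairwise ACLs have to permit the flows you want dropped and a last sequence must explicitly forward the rest (an applied VACL ends in an implicit drop); and MAC ACLs on the Catalyst 6500 classify non-IP traffic, so IP between the servers needs an IP ACL and only ARP (EtherType 0x806) goes in the MAC ACL. The server names, IPs and MACs are constructed, the subnet 10.1.14.0/24 is assumed from the gateway address, and the ACL and access-map names are my own. The pairwise entry count grows as n(n-1), which is the maintenance burden Rajesh warns about; where the supervisor's software supports it, an isolated private VLAN avoids per-host entries altogether.

```python
"""Generate a Catalyst 6500 native-IOS VACL that drops server-to-server
traffic inside one VLAN while still forwarding everything else (gateway
traffic included).  Added example for this thread: the server list is
constructed, and the ACL / access-map names are my own, not from the post.
"""
import ipaddress
import re
from itertools import permutations

# Constructed sample data.  The subnet is assumed to be 10.1.14.0/24 because
# the PIX gateway in the thread is 10.1.14.254.  MACs are deliberately in
# mixed notations, as they tend to arrive from different vendors' tools.
SERVERS = [
    ("web1", "10.1.14.10", "00:11:5D:B4:B8:0A"),
    ("web2", "10.1.14.11", "0011.5db4.b80b"),
    ("db1", "10.1.14.12", "00-11-5d-b4-b8-0c"),
]
VLAN_ID = 14
GATEWAY = "10.1.14.254"


def cisco_mac(mac: str) -> str:
    """Normalise aa:bb:cc:dd:ee:ff / aa-bb-cc-dd-ee-ff / aabb.ccdd.eeff to the
    dotted lower-case form IOS expects in 'mac access-list' entries."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_vacl(servers, vlan_id, gateway, name="DMZ_ISOLATE"):
    """Return the IOS configuration lines as a list of strings.

    VACL semantics: a 'vlan access-map' sequence applies its action to the
    traffic its ACL *permits*.  So the pairwise ACLs must PERMIT the flows we
    want dropped, and a final sequence must explicitly forward the rest,
    because an applied VACL ends in an implicit drop.
    """
    ips = [ipaddress.ip_address(ip) for _, ip, _ in servers]
    macs = [cisco_mac(m) for _, _, m in servers]
    if len(set(ips)) != len(ips) or len(set(macs)) != len(macs):
        raise ValueError("duplicate server IP or MAC in the isolation list")
    if ipaddress.ip_address(gateway) in ips:
        raise ValueError("the gateway must never be in the isolation list")

    pairs = list(permutations(servers, 2))  # both directions of every pair
    lines = [f"! {len(servers)} servers -> {len(pairs)} ordered server pairs"]

    # IP between every ordered pair of servers.  On the 6500 a MAC ACL does
    # not classify IP traffic, so this needs its own IP ACL.
    lines.append(f"ip access-list extended {name}_IP")
    for (n1, ip1, _), (n2, ip2, _) in pairs:
        lines.append(f" remark {n1} -> {n2}")
        lines.append(f" permit ip host {ip1} host {ip2}")

    # ARP (EtherType 0x806) between the same pairs, so a server cannot even
    # resolve a neighbour's MAC.  MAC ACLs cover this non-IP traffic.
    lines.append(f"mac access-list extended {name}_ARP")
    for (_, _, m1), (_, _, m2) in pairs:
        lines.append(f" permit host {cisco_mac(m1)} host {cisco_mac(m2)} 0x806 0x0")

    # Catch-all ACLs so the last access-map sequence can forward the rest.
    lines += [f"ip access-list extended {name}_ANY_IP", " permit ip any any",
              f"mac access-list extended {name}_ANY_MAC", " permit any any"]

    lines += [
        f"vlan access-map {name} 10",
        f" match ip address {name}_IP",
        " action drop",
        f"vlan access-map {name} 20",
        f" match mac address {name}_ARP",
        " action drop",
        f"vlan access-map {name} 30",
        f" match ip address {name}_ANY_IP",
        f" match mac address {name}_ANY_MAC",
        " action forward",
        f"vlan filter {name} vlan-list {vlan_id}",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_vacl(SERVERS, VLAN_ID, GATEWAY)))
```

Paste the output into configuration mode on the 6509 and verify with `show vlan access-map` and `show vlan filter`; before applying, test from one server that it can still reach 10.1.14.254 but no longer gets an ARP reply or an IP response from its neighbours. The gateway check in `build_vacl` exists because a typo that lists the gateway as a "server" would cut every host in the VLAN off from the PIX.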