Solved

DMZ SERVERS access restriction

Posted on 2006-07-21
14
312 Views
Last Modified: 2010-04-17
Hi,

We have configured a VLAN for our internal servers in a Cisco 6509 switch, and its gateway we have set in a Cisco PIX. Can we restrict PCs communicating with each other within the VLAN? Because a virus is spreading across this VLAN.
========================


Please find the current config

6509-SW#sh int vlan 14
Vlan14 is up, line protocol is up
  Hardware is EtherSVI, address is 0011.5db4.b80a (bia 0011.5db4.b80a)
  Description: ***** DMZ Vlan *****
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 3w1d, output never, output hang never
  Last clearing of "show interface" counters 5w3d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 1173015079 pkt, 787125059174 bytes - mcast: 1823314 pkt, 1
28251445 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 1 pkt, 64 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes
     5 packets input, 320 bytes, 0 no buffer
     Received 5 broadcasts (0 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
6509-SW#
=====================================
6509-SW#sh run int vlan 14
Building configuration...

Current configuration : 73 bytes
!
interface Vlan14
 description ***** DMZ Vlan *****
 no ip address
end
6509-SW#

====================================

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
14   DMZ                              active    Gi3/2, Gi3/3, Gi3/4, Gi3/10
                                                Gi3/12, Gi3/29, Gi3/34, Gi3/45
                                                Gi3/48, Gi4/10, Gi4/31, Gi4/34
                                                Gi4/40, Gi4/41, Gi4/42, Gi4/43
                                                Gi4/44, Gi4/47, Gi5/8, Gi5/9
                                                Gi5/10, Gi5/15, Gi5/18, Gi5/28
                                                Gi5/29




Gateway we have set in Cisco PIX - 10.1.14.254

Question by:ssshibu
14 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17158848
Shibu,

  The concept of VLAN and ip addressing scheme used is such that all the machines in a particular VLAN will talk to each other and if it has to talk to another VLAN, it needs a router. So restricting Vlan to Vlan communication can be controlled since a router element is in between.

  So if you have a webserver and some client pcs in your network, the best way to go about it would be, create a Vlan - call it Vlan1 and put the server in it. Create another Vlan, call it Vlan2 and put all the client machines in it. Now if the client machines need to talk to webserver, you can control how based on the router which does the routing for them, in your case the MSFC on Cat6K. Windows XP clients can be configured with inbuilt firewall and it works fairly well.

  For the same Vlan, what you need to have is a firewall, probably on each machine, that allows only a limited set of traffic to go through it. More advanced options include a HIPS (Host-based Intrusion Prevention System).

Cheers,
Rajesh
 

Author Comment

by:ssshibu
ID: 17158878
Rajeshji,


Ok thanks for the response...

Is there any provision to block servers communicating with each other within a VLAN using MAC-based access-lists?

Please get back to me



 

Author Comment

by:ssshibu
ID: 17158888
I have to do it in the Cisco 6509 switch.

 

Author Comment

by:ssshibu
ID: 17158891
Actually, that VLAN contains different customers' servers.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159067
Yeah, we can try that, not a problem. Before I say anything, what is the OS version running on the Cat6k?

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159087
If you are not using native IOS for the switch, then the command syntax would be as below:

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


so;

set security acl mac <AclName> deny <FirstServerMacAddress> <SecondServerMacAddress>
commit security acl <AclName>

You'll have to add entries for all the servers. Also, you have to remember that if you change the NIC card on any server, you'll have to update these entries as well.

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159089
 

Author Comment

by:ssshibu
ID: 17159095
I have the following IOS (Cisco 6509 switch):


Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(22)E2, EARLY DEPLOYM
ENT RELEASE SOFTWARE (fc1)

System image file is "sup-bootflash:c6sup22-psv-mz.121-22.E2.bin"
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17159111
Try the above and see if it is supported. It's been quite some time since I've touched those things; I've picked it up from the Cisco site.

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17163803
Shibu, any update ?

Cheers,
Rajesh
 

Author Comment

by:ssshibu
ID: 17185177
Rajeshji,

Sorry for the late written reply.

I did not try it, because I did not understand anything, sir.

Let me tell you what I want to try out. I need to block servers communicating within a VLAN. How do I do it other than with individual servers' firewall settings? Can I block it within the L3 switch itself?

Thanks for understanding me.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17185400
Actually, you know how to make access-lists with IP addresses, right?

Similarly, instead of ip you use mac addresses of machines there.

Look at this section;

Creating a Non-IP Version 4/Non-IPX VACL (MAC ACL) and Adding ACEs

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]


set security acl mac <name> deny <macaddress of one server> <mac address of other server> ether-type

Cheers,
Rajesh
 

Author Comment

by:ssshibu
ID: 17206615
Rajeshji,

The set command is not accepted on the Cisco L3 6509.
 
LVL 32

Accepted Solution

by:
rsivanandan earned 75 total points
ID: 17208204
So it is a hybrid IOS; then you'll have to use the following set:

Switch(config)# mac access-list extended ARP_Packet
Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)# end
Switch(config)#

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml 

Take a look at the above link.

Cheers,
Rajesh
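The accepted answer shows one ACE from a Cisco example (an ARP permit between two hosts), and an earlier reply notes that every server pair needs its own entry and that entries go stale when a NIC is swapped. The block below is an added example written for this thread, not code from the poster, the expert or Cisco: it models an ordered MAC access list with first-match semantics and the implicit deny that IOS applies at the end of a `mac access-list extended`, generates the pairwise `deny host A host B` entries plus a final `permit any any` for a list of server MACs, and evaluates sample frames against it. The server and gateway MAC addresses are constructed placeholders (the thread only gives the PIX gateway IP, 10.1.14.254), the ether-type field is omitted, and two caveats the model makes visible apply: a one-line permit-only list like the accepted answer's snippet would, on its own, deny every other frame because of the implicit deny, and host-to-host entries never match broadcast frames such as ARP requests. Binding the list to the VLAN (a VLAN access-map) is not modeled, and per the section title quoted above, such MAC ACLs classify non-IPv4/non-IPX traffic, so verify on the actual platform that IP traffic is matched before relying on this for containing malware.

```python
"""Model of an IOS-style MAC access list used to isolate servers inside one VLAN.

Added example: the MACs below are constructed placeholders, not addresses from
the thread. Semantics modeled: ordered ACEs, first match wins, implicit deny
when nothing matches, 'any' wildcard for either address.
"""
import re
from itertools import permutations

BROADCAST = "ffff.ffff.ffff"

# Constructed sample data (placeholders, not from the original post).
SAMPLE_SERVERS = ["00:11:5d:b4:00:01", "0011.5db4.0002", "00-11-5D-B4-00-03"]
GATEWAY_MAC = "0011.5db4.fffe"  # placeholder for the PIX inside interface MAC


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or dotted notation and return Cisco dotted-hex form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


class Ace:
    """One access-control entry: action plus source/destination ('any' or a host MAC)."""

    def __init__(self, action: str, src: str, dst: str):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.action = action
        self.src = src if src == "any" else normalize_mac(src)
        self.dst = dst if dst == "any" else normalize_mac(dst)

    def matches(self, src: str, dst: str) -> bool:
        return (self.src in ("any", src)) and (self.dst in ("any", dst))

    def to_ios(self) -> str:
        s = "any" if self.src == "any" else f"host {self.src}"
        d = "any" if self.dst == "any" else f"host {self.dst}"
        return f" {self.action} {s} {d}"


def evaluate(acl: list, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a frame; unmatched frames hit the implicit deny."""
    src, dst = normalize_mac(src), normalize_mac(dst)
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS MAC ACL


def build_isolation_acl(server_macs: list) -> list:
    """Deny every ordered server pair, then permit everything else (gateway, broadcast).

    n servers produce n*(n-1) deny entries; each NIC change means regenerating the list.
    """
    macs = [normalize_mac(m) for m in server_macs]
    acl = [Ace("deny", s, d) for s, d in permutations(macs, 2)]
    acl.append(Ace("permit", "any", "any"))
    return acl


def render(acl: list, name: str) -> str:
    """Emit the list in `mac access-list extended` syntax, one ACE per line."""
    return "\n".join([f"mac access-list extended {name}"] + [a.to_ios() for a in acl])


def accepted_answer_acl() -> list:
    """The single permit line from the accepted answer, stood alone (nothing else permitted)."""
    return [Ace("permit", "0000.861f.3745", "0006.5bd8.8c2f")]


if __name__ == "__main__":
    acl = build_isolation_acl(SAMPLE_SERVERS)
    print(render(acl, "DMZ_ISOLATE"))
    s1, s2 = SAMPLE_SERVERS[0], SAMPLE_SERVERS[1]
    print("server->server:", evaluate(acl, s1, s2))
    print("server->gateway:", evaluate(acl, s1, GATEWAY_MAC))
    print("server->broadcast:", evaluate(acl, s1, BROADCAST))
    print("lone permit, other dst:", evaluate(accepted_answer_acl(), "0000.861f.3745", GATEWAY_MAC))
```

Running the block prints seven ACEs for three servers (six deny lines and the trailing permit) and shows that server-to-server frames are denied while server-to-gateway and broadcast frames pass; the last line shows the lone permit entry from the accepted answer denying traffic to any other destination.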
