Solved

VLAN Creation, ACLs and Advice?

Posted on 2010-11-25
Last Modified: 2012-05-10
Hi All

Sorry if this is a basic question but I'm a bit of a newbie at this stuff, more of an AD admin guy.

I have a client who has a managed building, with an ADSL connection shared out throughout the building. The ADSL router is also a DHCP server.

A client in the office is now thinking of investing in a SBS box so needs a new ADSL line with fixed IP, but more importantly they require security from all of the other offices so that no other businesses can access their systems.

My initial thoughts are as follows, but if anyone has any better ideas then please let me know:-

1) Configure VLANs for each of the offices based on the ports on the switch that I will acquire.
2) Create ACLs which will deny access to the "SBS" company's network to anyone else in the building.
3) Use port forwarding on port 25 to forward emails to the SBS box to the internal IP address of the SBS box

So firstly, any pitfalls people can see, and also can anyone recommend any particular hardware for the job. I have used HP ProCurve gear in the past and Netgear but any ideas will be welcomed.

Thanks in advance

Nick
Question by:fingwong
Accepted Solution

by: Ernie Beek earned 500 total points
If you only want to separate that one client from the rest, VLANs should be sufficient. Assuming there are no VLANs in place yet, you have a flat network. All ports are in VLAN 1 (if nothing is configured that's where they are).
So the simplest thing is to create a second VLAN for that specific customer, assigning the ports the customer uses to that VLAN and keeping the rest as is. As long as you don't create inter-VLAN routes, there should be no way to get from one VLAN to the other.
It's a general description of course, because I don't know what networking hardware you have there.

And last, I'm not quite sure what you mean with your third question. If that customer puts their DSL in their own VLAN, they would be the only ones to access it.
Author Comment

by:fingwong
Hi, thanks for the quick response. So even though all offices would be on the same IP subnet, as long as they are separated out by VLANs with no inter-VLAN routes, there could be no comms between different offices?
Expert Comment

by:Ernie Beek
Not quite. The offices will be on the same physical network, but are on their own VLAN complete with their own subnet, routing etc.

A bit more elaborate explanation you can find here: http://en.wikipedia.org/wiki/Virtual_LAN
Author Comment

by:fingwong
So is there a way, on a particular hardware device, to create VLANs, then provide different DHCP scopes to each of the VLANs so that they are all separate entities, but still all use the same ADSL line for broadband access?

Is it going to be easier to use a router and create ACLs between the VLANs to deny access for security?
Expert Comment

by:Ernie Beek
I think it's easier to use a router (or firewall) for that.

Of course it depends on the hardware's capabilities.

I have several VLANs in place which come together at the firewall (which holds one internet connection). So through the firewall you can decide which VLANs can or cannot connect to each other or the internet.
Author Comment

by:fingwong
What kit are you using? I have a Netgear firewall that I could use with a Netgear switch to create the VLANs.

Is it just a case of creating routing rules or something like that within the firewall then?
Expert Comment

by:Ernie Beek
Mmmm. Not sure if that is going to work with Netgears, but then I'm not a Netgear expert.

I use Cisco Catalysts and an ASA firewall. 'Simply' put: I created subinterfaces on an interface on the ASA for each VLAN (the ASA knows how to handle VLAN tags). The uplink from the switch to the firewall is a trunk so it carries all VLANs in it.
So every VLAN (subinterface) is a DMZ to which I can allow/deny traffic by using ACLs.

Dunno if a Netgear can do the same...
Author Comment

by:fingwong
Ok erniebeek

Just a quick update.

Over the weekend I found an old Netgear Smart Switch, which I used to set up 3 VLANs. One for management, and one each as a test for separation of "offices".

I also placed an ADSL router, which is also a DHCP server, into the switch as well. I connected 2 PCs to the switch and tested comms; all worked fine, getting IPs from the ADSL router and having comms between both PCs.

I then created VLANs for a group of ports and placed one PC in one VLAN and the other in another. The ADSL router's port was placed in both VLANs. Both machines got IPs and connected to the internet, but couldn't communicate with each other at all now.

Would this suffice for my original problem or is it not secure etc. for my purposes? I think it stems back to a term you used earlier, "inter-VLAN routes"??

Hope this makes sense

Cheers

Nick
Expert Comment

by:Ernie Beek
Hi Nick,

This should address your original challenge effectively. The only place where the VLANs can interconnect is through the router (assuming the Netgear isn't layer 3). So as long as you don't permit traffic through the router from one VLAN to the other it should be an effective separation.

You also gave each VLAN its own IP range?
Author Comment

by:fingwong
No, in my test environment my router doesn't allow me to do that, so each VLAN was getting IPs from the same IP scope. Would this cause issues in production? I think if I copy this setup, then specifying permits and denies would not be possible, because from my limited understanding the allow and deny rules are based on IP ranges?
Expert Comment

by:Ernie Beek
You're quite right, that's why I asked about the IP addresses. Allow and deny rules are IP based (host addresses or a contiguous range of addresses). So with this setup the IP addresses are randomly scattered over the two VLANs, thus making it nearly impossible to create allow and/or deny rules.
Author Comment

by:fingwong
But you feel that because the ports are on separate VLANs, and there is no router intervention allowing routing between VLANs, it is effectively like having an implicit deny rule between the VLANs?
Expert Comment

by:Ernie Beek
I do.

Furthermore, I think the effect is that because the IPs are all in the same range, the clients don't try the default gateway (the router) to connect to each other, because they 'think' they are connected to the same network already. But as VLANs are also separate broadcast domains, there's no way the clients can find out where to find each other. If you would try to add a route to get to another client through the router, you would get an error because the destination would be on the same (connected) network.

So for that matter you effectively separated the two networks.

Perhaps (to create a little bit of structure) you could make reservations in DHCP for that separate client network so you can keep the addresses contiguous.
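An added example, not part of the thread, putting together the layout Ernie describes earlier (Catalyst with one access VLAN per office and a trunk uplink, ASA with one subinterface per VLAN) and his last point that each VLAN needs its own contiguous address range before allow/deny rules can work. Only two offices are shown; VLAN numbers, interface names and addresses are assumptions chosen for illustration.

```cisco
! --- Switch side (Cisco Catalyst, IOS): one access VLAN per office ---
vlan 10
 name office_sbs
vlan 20
 name office_other
!
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 10
!
interface range FastEthernet0/9 - 16
 switchport mode access
 switchport access vlan 20
!
! Uplink to the firewall carries both VLANs as 802.1Q tags
interface GigabitEthernet0/1
 description uplink to ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- Firewall side (Cisco ASA): a subinterface, subnet and DHCP scope per VLAN ---
interface GigabitEthernet0/1.10
 vlan 10
 nameif office_sbs
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif office_other
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Separate scopes keep each office's addresses contiguous, so rules can match on them
dhcpd address 10.10.10.50-10.10.10.200 office_sbs
dhcpd enable office_sbs
dhcpd address 10.10.20.50-10.10.20.200 office_other
dhcpd enable office_other
!
! Inbound ACL per VLAN: block the other office's subnet, allow everything else (internet).
! With equal security levels the ASA already drops inter-interface traffic unless
! "same-security-traffic permit inter-interface" is set; the explicit deny documents the intent.
access-list office_sbs_in extended deny ip any 10.10.20.0 255.255.255.0
access-list office_sbs_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group office_sbs_in in interface office_sbs
access-list office_other_in extended deny ip any 10.10.10.0 255.255.255.0
access-list office_other_in extended permit ip 10.10.20.0 255.255.255.0 any
access-group office_other_in in interface office_other
```

Each additional office is one more VLAN, subinterface, DHCP scope and ACL pair; the trunk encapsulation line is only needed on older Catalyst models that still support ISL.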
Author Closing Comment

by:fingwong
Constantly updated and quick response and their solution worked