Velocity Reviews - Computer Hardware Reviews

Need help controlling access between vlans

 
 
1crazyrican@gmail.com
09-27-2007
The new IT manager wants to bring in a third party to check our Cisco
network for problems. I want to do whatever I can to get a good
report. I have students and teachers on the same vlans and I think this
is something the consultant may point out. Students and teachers
access some of the same servers, printers, etc. Also, teacher
workstations use software that allows them to view the screens of
students and any VLAN can get to anything on any other VLAN. We have
eight buildings with 3750's at each building and a 4507 at the core.
We have 3560G's at each IDF with older 3com's daisy chained to them.
All IDF's, including other schools are trunked to the core. Can anyone
recommend best practice in this situation? I think I'd like to start
with blocking traffic from some vlans to other vlans. What approach do
I take when there are shared resources? Do I put those things on a
special vlan? What happens to my DHCP scopes?
What are the commands to prevent some vlans from being routed?
thanks

 
thort
09-27-2007
If you have students and teachers on the same VLAN then you have no protection between them. You will get a bad report card!

1. Create separate VLANs for the different user groups/resources.
2. This means you need to do routing to move between the VLANs
3. This means you need different DHCP Scopes (1 IP subnet only per VLAN).
4. This means you also need to filter what happens between these VLANs.
5. You can do Filtering via ACLs (complex) or use a Stateful Firewall (simpler).

This means re-thinking your network, migrating IP addresses and PC/Printers/Servers/Users, doing routing, and doing Firewalling. This means AT LEAST 1 solid week of work, some user outages and down-time. But the end result will be a scalable and secure network.
You could use a Linux/FreeBSD/etc. machine to do the routing and firewalling if your Cisco's don't do routing or firewalling, or you don't have the money to buy the equipment/memory/IOS upgrades.

In any event you need to really think this through before redoing your whole network.

Or you could install personal Firewalls on every machine and do individual configurations on every machine (in any event lots of work and not scalable).
 
Trendkill
09-27-2007
On Sep 27, 7:10 am, (E-Mail Removed) wrote:

Provided you must separate the networks, create a new network/vlan
with a new dhcp scope for faculty, and assign ports as needed. I
would hope that none of your servers are DHCP, and that hostnames are
being used instead of IPs. With that being said, move those to a
third vlan that you can control via access-lists. Truthfully, rather
than pegging down the server vlan, I would peg down the student vlan
since that is probably your biggest security risk. Use ACLs to allow
what you want and block anything else. Depending on how loose or
strict the ACLs are on the student vlan, you may also want some ACLs
on the server network to only allow specific connection types from the
student vlan. It just depends what all you are trying to prevent/lock
down and how to best do that with ACLs.

If you can't move the servers due to IP address usage, then create two
new vlans for your dhcp clients. Your users shouldn't care provided
you do it during a specific time, and at worst, they may require a
reboot if they don't have access to the command prompt and ipconfig.

If you want vlans that are completely non-routed, just don't put a
router interface in the network, just create it on layer 2. Or just
put an ACL on the VLAN to deny any any.
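The steps above (a routed VLAN with its own DHCP scope and an ACL that permits only named servers, plus a VLAN that is never routed) as one IOS configuration. This is an added example, not config from the thread or from the poster's network: VLAN numbers, subnets, and the DNS, file, DHCP and proxy addresses are constructed, and it assumes the 4507 core holds the SVIs and does the inter-VLAN routing.

```cisco
! Added example, not from the thread. VLAN numbers, subnets and the
! server/proxy addresses are constructed; assumes the 4507 core has
! "ip routing" enabled and holds every SVI, and that the DHCP server
! sits on the server VLAN at 10.0.0.20.
!
! --- Student VLAN for one school: own VLAN, own subnet, own DHCP scope ---
vlan 110
 name STUDENTS-SCHOOL1
!
interface Vlan110
 description Student VLAN, school 1, DHCP scope 10.1.10.0/24
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.0.0.20
 ip access-group STUDENT1-IN in
!
ip access-list extended STUDENT1-IN
 remark DHCP: the relay only forwards what the inbound ACL lets through
 permit udp any eq bootpc any eq bootps
 remark Only the named servers on the server VLAN, only on their service ports
 permit udp 10.1.10.0 0.0.0.255 host 10.0.0.10 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.0.10 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.0.11 eq 445
 remark Web only through the proxy (assumed at 10.0.0.40 port 8080)
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.0.40 eq 8080
 remark Replies to TCP sessions a teacher opened (teacher VLAN assumed 10.0.20.0/24)
 permit tcp 10.1.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 remark Everything else internal, other schools included, is dropped and logged
 deny ip 10.1.10.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark Transit to the internet; without this line the implicit deny drops it.
 remark If every web request goes through the proxy, leave this line out.
 permit ip any any
!
! --- A VLAN that must never be routed: define it at layer 2 only ---
vlan 199
 name ISOLATED-LAB
! No "interface Vlan199" is created, so the VLAN has no gateway and no
! inter-VLAN path; hosts inside it still reach each other directly.
```

Two things to keep in mind when reading it. A router ACL on an SVI only sees traffic that is routed in or out of the VLAN, so two students in Vlan110 still talk to each other unfiltered. And a domain-joined workstation needs far more than DNS and SMB (Kerberos, LDAP, RPC and friends), which is exactly where a port-by-port ACL grows long and a stateful firewall, as thort suggested, starts to look simpler. The `log` keyword on the deny line makes blocked attempts visible in syslog while you test; on a busy VLAN drop it again, since logged packets are punted to the switch CPU.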

 
1crazyrican@gmail.com
09-27-2007
On Sep 27, 10:17 am, Trendkill <(E-Mail Removed)> wrote:

Thanks for responding. Your suggestion to work on the student vlan is
a good one.

Here is my plan:
1. move students to their own vlan. Each of our 8 schools has a
separate vlan, so I will need to create 8 student vlans. I will need
to keep them separate because of scripts that run based on Active
Directory sites, which use subnets. **Will this create a lot of extra
work with ACLs?

2. create ACL on the student vlan to only allow traffic to specific
servers on the server vlan.

3. Allow staff vlans to connect to the student vlan (teachers run apps
to monitor student workstations)

4. Don't allow any vlan to talk to another vlan unless there is a
reason. In other words, currently no schools need to directly access
anything in any other school. They all access servers at our core.

Am I on the right track here?
Now all I need is some free open source software to monitor my
network.

thanks

 
Trendkill
09-27-2007
On Sep 27, 12:25 pm, (E-Mail Removed) wrote:

Couple of caveats:

First, you can't really allow teachers full access to students without
also doing the other way around due to traffic being bi-directional.
You'll want to know exactly which ports to allow through and punch
them as holes into your ACLs. Some recommend putting the ACL closest
to the source, while others recommend putting them closest to the
destination, particularly if you have a situation like yours where
instead of putting 8 ACLs on 8 VLANs, you can put one on the server or
teacher vlan to only allow certain ports from those sources. In short,
it's either 8 ACLs (1 on each VLAN), or 1 ACL on the destination
network with 8 or more statements to cover the 8 network ranges.

Also be careful with ACLs as they all have an implicit deny at the
end. If you aren't careful, you will block transit traffic to the
internet or to other parts of the network that you may not want to
impact. For this reason, you have to be very careful whether or not
you use ACLs with deny and a permit ip any any on the end, or permits
on the front and remember the implicit deny. If there is internet
access here, and you use a proxy, you may be able to get around this
by permitting port 80 (or whatever port you use) to the IP of the
proxy. Else you'll have to use a permit ip any any.

Bottom line is draw it out, and look at your common points and decide
where you want to put your ACLs, and how you want to apply them.
Think through ALL scenarios, and test it out on a single vlan which
you put yourself in to see what is working and what is not. You also
want to be careful with non-routed vlans in this same scenario, this
means that DHCP would not work (unless you route the network and only
allow DHCP through), and all other inter-vlan communications would be
null and void.

Overall, just make sure you think through ingress and egress traffic
(if you apply ACLs in and out, be careful), and I would definitely
recommend a template that you apply to all 8 vlans if you go down that
path. Truthfully, if all your networks are centrally routed from a
MSFC or core router, you can just use one ACL (based on destinations)
and apply it to all vlans. Else you will need to create 8 different
ones (Based on source) and do it that way.
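The destination-side layout described above (one ACL on the teacher or server VLAN covering all eight student ranges, with the bidirectional and implicit-deny caveats handled) as an added IOS example. It is not config from the thread or from the poster's network; the addressing plan is constructed: school N's students on 10.N.10.0/24 for N = 1..8, teachers on 10.0.20.0/24, servers on 10.0.0.0/24, all routed at the 4507 core where these SVIs live.

```cisco
! Added example, not from the thread. Constructed addressing plan:
! students of school N on 10.N.10.0/24 (N = 1..8), teachers 10.0.20.0/24,
! servers 10.0.0.0/24, everything routed at the 4507 core.
!
! --- Teacher VLAN: one ACL on the destination side instead of eight ---
ip access-list extended TO-TEACHERS-OUT
 remark Students may only answer TCP sessions a teacher opened (ACK/RST set),
 remark which is what a teacher-initiated screen-monitoring session needs.
 remark One statement per school range.
 permit tcp 10.1.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.2.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.3.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.4.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.5.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.6.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.7.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 permit tcp 10.8.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 remark Wildcard 0.15.0.255 matches 10.0-15.10.x, i.e. every student range
 remark in this plan, so the catch-all deny needs only one statement
 deny ip 10.0.10.0 0.15.0.255 10.0.20.0 0.0.0.255 log
 remark Servers, other staff and internet replies reach teachers unchanged;
 remark without this line the implicit deny would cut them off too
 permit ip any any
!
! --- Server VLAN: named services only from student ranges, all else open ---
ip access-list extended TO-SERVERS-OUT
 permit udp 10.0.10.0 0.15.0.255 host 10.0.0.10 eq domain
 permit tcp 10.0.10.0 0.15.0.255 host 10.0.0.10 eq domain
 permit tcp 10.0.10.0 0.15.0.255 host 10.0.0.11 eq 445
 permit tcp 10.0.10.0 0.15.0.255 host 10.0.0.40 eq 8080
 remark DHCP relayed from each student SVI (giaddr 10.N.10.1) to the server
 permit udp 10.0.10.0 0.15.0.255 host 10.0.0.20 eq bootps
 deny ip 10.0.10.0 0.15.0.255 any log
 permit ip any any
!
interface Vlan20
 description Teacher VLAN
 ip access-group TO-TEACHERS-OUT out
!
interface Vlan10
 description Server VLAN
 ip access-group TO-SERVERS-OUT out
```

Test it the way Trendkill suggests: put your own PC in one student VLAN, try each service, and watch the per-line hit counters with `show ip access-lists TO-TEACHERS-OUT`; a line that never increments is either unneeded or shadowed by an earlier one. `established` only exists for TCP, so a monitoring product that uses UDP, or whose student agent opens the connection toward the teacher console, needs its specific ports permitted in the student-to-teacher direction instead. The first DHCP broadcast is handled on each student SVI by its `ip helper-address`; only the relayed unicast crosses this server ACL, which is why the bootps line is there.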

 
1crazyrican@gmail.com
10-01-2007
On Sep 27, 1:03 pm, Trendkill <(E-Mail Removed)> wrote:

As always, thank you for sharing what you know.
You've helped me out a lot on a number of my posts.


 
geekazoid
10-01-2007
On Sep 30, 10:34 pm, (E-Mail Removed) wrote:

Trendkill sure is one awesome dude

GNY

 
Trendkill
10-01-2007
On Oct 1, 6:55 am, geekazoid <(E-Mail Removed)> wrote:

My pleasure, always happy to assist where I can. Good luck OP.

 