Need help controlling access between vlans

Discussion in 'Cisco' started by 1crazyrican@gmail.com, Sep 27, 2007.

  1. Guest

    The new IT manager wants to bring in a third party to check our Cisco
    network for problems. I want to do whatever I can to get a good
    report. I have students and teachers on the same vlans and I think this
    is something the consultant may point out. Students and teachers
    access some of the same servers, printers, etc. Also, teacher
    workstations use software that allows them to view the screens of
    students and any VLAN can get to anything on any other VLAN. We have
    eight buildings with 3750's at each building and a 4507 at the core.
    We have 3560G's at each IDF with older 3com's daisy chained to them.
    All IDF's, including other schools are trunked to the core. Can anyone
    recommend best practice in this situation? I think I'd like to start
    with blocking traffic from some vlans to other vlans. What approach do
    I take when there are shared resources? Do I put those things on a
    special vlan? What happens to my DHCP scopes?
    What are the commands to prevent some vlans from being routed?
    thanks
     
    , Sep 27, 2007
    #1

  2. thort

    If you have students and teachers on the same VLAN then you have no protection between them. You will get a bad report card!

    1. Create separate VLANs for the different user groups/resources.
    2. This means you need to do routing to move between the VLANs
    3. This means you need different DHCP Scopes (1 IP subnet only per VLAN).
    4. This means you also need to filter what happens between these VLANs.
    5. You can do Filtering via ACLs (complex) or use a Stateful Firewall (simpler).

    This means re-thinking your network, migrating IP addresses and PC/Printers/Servers/Users, doing routing, and doing Firewalling. This means AT LEAST 1 solid week of work, some user outages and down-time. But the end result will be a scalable and secure network.
    You could use a Linux/FreeBSD/etc. machine to do the routing and firewalling if your Cisco's don't do routing or firewalling, or you don't have the money to buy the equipment/memory/IOS upgrades.

    In any event you need to really think this through before redoing your whole network.

    Or you could install personal Firewalls on every machine and do individual configurations on every machine (in any event lots of work and not scalable).
     
    thort, Sep 27, 2007
    #2

  3. Trendkill Guest

    On Sep 27, 7:10 am, wrote:


    Provided you must separate the networks, create a new network/vlan
    with a new dhcp scope for faculty, and assign ports as needed. I
    would hope that none of your servers are DHCP, and that hostnames are
    being used instead of IPs. With that being said, move those to a
    third vlan that you can control via access-lists. Truthfully, rather
    than pegging down the server vlan, I would peg down the student vlan
    since that is probably your biggest security risk. Use ACLs to allow
    what you want and block anything else. Depending on how loose or
    strict the ACLs are on the student vlan, you may also want some ACLs
    on the server network to only allow specific connection types from the
    student vlan. It just depends what all you are trying to prevent/lock
    down and how to best do that with ACLs.

    If you can't move the servers due to IP address usage, then create two
    new vlans for your dhcp clients. Your users shouldn't care provided
    you do it during a specific time, and at worst, they may require a
    reboot if they don't have access to the command prompt and ipconfig.

    If you want vlans that are completely non-routed, just don't put a
    router interface in the network, just create it on layer 2. Or just
    put an ACL on the VLAN to deny any any.
     
    Trendkill, Sep 27, 2007
    #3
  4. Guest

    On Sep 27, 10:17 am, Trendkill <> wrote:



    Thanks for responding. Your suggestion to work on the student vlan is
    a good one.

    Here is my plan:
    1. move students to their own vlan. Each of our 8 schools has a
    separate vlan, so I will need to create 8 student vlans. I will need
    to keep them separate because of scripts that run based on Active
    Directory sites which use subnets. **Will this create a lot of extra
    work with ACLs?

    2. create ACL on the student vlan to only allow traffic to specific
    servers on the server vlan.

    3. Allow staff vlans to connect to the student vlan (teachers run apps
    to monitor student workstations)

    4. Don't allow any vlan to talk to another vlan unless there is a
    reason. In other words, currently no schools need to directly access
    anything in any other school. They all access servers at our core.

    Am I on the right track here?
    Now all I need is some free open source software to monitor my
    network.

    thanks
     
    , Sep 27, 2007
    #4
  5. Trendkill Guest

    On Sep 27, 12:25 pm, wrote:

    Couple of caveats:

    First, you can't really allow teachers full access to students without
    also doing the other way around due to traffic being bi-directional.
    You'll want to know exactly which ports to allow through and punch
    them as holes into your ACLs. Some recommend putting the ACL closest
    to the source, while others recommend putting them closest to the
    destination, particularly if you have a situation like yours where
    instead of putting 8 ACLs on 8 VLANs, you can put one on the server or
    teacher vlan to only allow certain ports from those sources. In short,
    it's either 8 ACLs (1 on each VLAN), or 1 ACL on the destination
    network with 8 or more statements to cover the 8 network ranges.

    Also be careful with ACLs as they all have an implicit deny at the
    end. If you aren't careful, you will block transit traffic to the
    internet or to other parts of the network that you may not want to
    impact. For this reason, you have to be very careful whether or not
    you use ACLs with deny and a permit ip any any on the end, or permits
    on the front and remember the implicit deny. If there is internet
    access here, and you use a proxy, you may be able to get around this
    by permitting port 80 (or whatever port you use) to the IP of the
    proxy. Else you'll have to use a permit ip any any.

    Bottom line is draw it out, and look at your common points and decide
    where you want to put your ACLs, and how you want to apply them.
    Think through ALL scenarios, and test it out on a single vlan which
    you put yourself in to see what is working and what is not. You also
    want to be careful with non-routed vlans in this same scenario: this
    means that DHCP would not work (unless you route the network and only
    allow DHCP through), and all other inter-vlan communications would be
    null and void.

    Overall, just make sure you think through ingress and egress traffic
    (if you apply ACLs in and out, be careful), and I would definitely
    recommend a template that you apply to all 8 vlans if you go down that
    path. Truthfully, if all your networks are centrally routed from a
    MSFC or core router, you can just use one ACL (based on destinations)
    and apply it to all vlans. Else you will need to create 8 different
    ones (based on source) and do it that way.
     
    Trendkill, Sep 27, 2007
    #5
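Added example, not code from the thread or from Cisco: a Python model of how an IOS extended ACL is evaluated (first match wins, implicit deny at the end), run over a student-VLAN list of the kind posts #3 and #5 describe, including the single destination-based ACL for all 8 schools and the "forget the final permit and you lose the internet" caveat. The addressing, server IPs, the monitoring port 5900, the ACL text and the sample flows are all constructed assumptions; only `eq` port matches and the `established` keyword are modelled.

```python
# Added example (not from the thread): a model of how Cisco IOS evaluates an
# extended ACL, so a student-VLAN list can be checked before it goes on an SVI.
import ipaddress
from collections import namedtuple

# One packet: proto is "tcp"/"udp"/"icmp"; ports may be None; established
# means the TCP ACK or RST bit is set, i.e. this is not a new SYN.
Flow = namedtuple("Flow", "proto src dst sport dport established",
                  defaults=(None, None, False))
# One ACL entry; src/dst are (base, wildcard) integer pairs.
Entry = namedtuple("Entry", "action proto src sport dst dport established")

def _wild_match(spec, ip):
    """IOS 'address wildcard' test: a wildcard bit of 1 means 'don't care'."""
    base, wildcard = spec
    return ((int(ipaddress.ip_address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def _matches(e, f):
    """One entry against one packet; a port of None in the entry means any port."""
    return (e.proto in ("ip", f.proto)
            and _wild_match(e.src, f.src) and _wild_match(e.dst, f.dst)
            and e.sport in (None, f.sport) and e.dport in (None, f.dport)
            and (f.established or not e.established))

def _addr(tok, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i] -> (spec, next i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.ip_address(tok[i + 1])), 0), i + 2
    return tuple(int(ipaddress.ip_address(t)) for t in tok[i:i + 2]), i + 2

def _port(tok, i):
    """Optional 'eq N' at tok[i]; 'range', 'gt' etc. are not modelled here."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue              # list header, 'remark' or blank line
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        est = i < len(tok) and tok[i] == "established"
        entries.append(Entry(tok[0], tok[1], src, sport, dst, dport, est))
    return entries

def evaluate(entries, flow):
    """First match wins: (action, 1-based entry no.); None = implicit deny hit."""
    for n, e in enumerate(entries, 1):
        if _matches(e, flow):
            return e.action, n
    return "deny", None

# Constructed addressing (assumed, not from the thread): school N has teachers on
# 10.N.10.0/24 and students on 10.N.20.0/24; the core server VLAN is 10.0.0.0/24.
# One destination-based list, 'ip access-group STUDENT-IN in' on all 8 student
# SVIs, is the single-ACL option post #5 describes for a centrally routed core.
MONITOR_PORT = 5900   # assumed port the classroom-monitoring agent listens on
STUDENT_IN_ACL = "\n".join(
    ["ip access-list extended STUDENT-IN",
     " remark DHCP first: clients have no address yet and the helper must see it",
     " permit udp any eq 68 any eq 67",
     " remark only the servers students need, on the ports they need",
     " permit udp any host 10.0.0.10 eq 53",
     " permit tcp any host 10.0.0.10 eq 445",
     " permit tcp any host 10.0.0.20 eq 80",
     " remark monitoring-agent replies only: 'established' rejects student-opened SYNs"]
    + [f" permit tcp any eq {MONITOR_PORT} 10.{n}.10.0 0.0.0.255 established"
       for n in range(1, 9)]
    + [" remark block the rest of the district; the final permit keeps internet working",
       " deny ip any 10.0.0.0 0.255.255.255",
       " permit ip any any"])
STUDENT_IN = parse_acl(STUDENT_IN_ACL)

# Constructed sample traffic as it arrives inbound on the school-3 student SVI.
SAMPLE_FLOWS = {
    "dhcp discover":     Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "file server":       Flow("tcp", "10.3.20.15", "10.0.0.10", 51000, 445),
    "other school":      Flow("tcp", "10.3.20.15", "10.5.20.40", 51001, 445),
    "monitor reply":     Flow("tcp", "10.3.20.15", "10.3.10.5", 5900, 49152, True),
    "spoofed from 5900": Flow("tcp", "10.3.20.15", "10.3.10.5", 5900, 445),
    "internet":          Flow("tcp", "10.3.20.15", "203.0.113.7", 51002, 443),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:18} -> {evaluate(STUDENT_IN, flow)}")
    print("internet, no final permit ->", evaluate(STUDENT_IN[:-1], SAMPLE_FLOWS["internet"]))
```

Dropping the trailing `permit ip any any` (the `STUDENT_IN[:-1]` run) is exactly the implicit-deny mistake post #5 warns about: every flow that is not internal and not explicitly permitted, internet traffic included, is silently dropped.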
  6. Guest

    On Sep 27, 1:03 pm, Trendkill <> wrote:


    As always, thank you for sharing what you know.
    You've helped me out a lot on a number of my posts.
     
    , Oct 1, 2007
    #6
  7. geekazoid Guest

    On Sep 30, 10:34 pm, wrote:

    Trendkill sure is one awesome dude :)

    GNY
     
    geekazoid, Oct 1, 2007
    #7
  8. Trendkill Guest

    On Oct 1, 6:55 am, geekazoid <> wrote:
    > On Sep 30, 10:34 pm, wrote:
    >
    >
    >
    > > On Sep 27, 1:03 pm, Trendkill <> wrote:

    >
    > > > On Sep 27, 12:25 pm, wrote:

    >
    > > > > On Sep 27, 10:17 am, Trendkill <> wrote:

    >
    > > > > > On Sep 27, 7:10 am, wrote:

    >
    > > > > > > The new IT manager wants to bring in a third party to check our Cisco
    > > > > > > network for problems. I want to do whatever I can to get a get a good
    > > > > > > report. I have students and teacher on the same vlans and I think this
    > > > > > > is something the consultant may point out. Students and teachers
    > > > > > > access some of the same servers, printers, etc. Also, teacher
    > > > > > > workstations use software that allows them to view the screens of
    > > > > > > students and any VLAN can get to anything on any other VLAN. We have
    > > > > > > eight buildings with 3750's at each building and a 4507 at the core.
    > > > > > > We have 3560G's at each IDF with older 3com's daisy chained to them.
    > > > > > > All IDF's, including other schools are trunked to the core. Can anyone
    > > > > > > recommend best practice in this situation? I think I'd like to start
    > > > > > > with blocking traffic from some vlans to other vlans. What approach do
    > > > > > > I take when there are shared resources? Do I put those things on a
    > > > > > > special vlan? What happens to my DHCP scopes?
    > > > > > > What are the commands to prevent some vlans from being routed?
    > > > > > > thanks

    >
    > > > > > Provided you must separate the networks, create a new network/vlan
    > > > > > with a new dhcp scope for faculty, and assign ports as needed. I
    > > > > > would hope that none of your servers are DHCP, and that hostnames are
    > > > > > being used instead of IPs. With that being said, move those to a
    > > > > > third vlan that you can control via access-lists. Truthfully, rather
    > > > > > than pegging down the server vlan, I would peg down the student vlan
    > > > > > since that is probably your biggest security risk. Use ACLs to allow
    > > > > > what you want and block anything else. Depending on how loose or
    > > > > > strict the ACLs are on the student vlan, you may also want some ACLs
    > > > > > on the server network to only allow specific connection types from the
    > > > > > student vlan. It just depends what all you are trying to prevent/lock
    > > > > > down and how to best do that with ACLs.

    >
    > > > > > If you can't move the servers due to IP address usage, then create two
    > > > > > new vlans for your dhcp clients. Your users shouldn't care provided
    > > > > > you do it during a specific time, and at worst, they may require a
    > > > > > reboot if they don't have access to the command prompt and ipconfig.

    >
    > > > > > If you want vlans that are completely non-routed, just don't put a
    > > > > > router interface in the network, just create it on layer 2. Or just
    > > > > > put an ACL on the VLAN to deny any any.- Hide quoted text -

    >
    > > > > > - Show quoted text -

    >
    > > > > Thanks for responding. Your suggestion to work on the student vlan is
    > > > > a good one.

    >
    > > > > Here is my plan:
    > > > > 1. move students to their own vlan. Each of our 8 schools has a
    > > > > separate vlan, so I will need to create 8 student vlans. I will need
    > > > > to keep them separate because of scripts that run based on Active
    > > > > Directory sites which use subnets. **Will this create a lot of extra
    > > > > work with ACL's?

    >
    > > > > 2. create ACL on the student vlan to only allow traffic to specific
    > > > > servers on the server vlan.

    >
    > > > > 3. Allow staff vlans to connect to the student vlan (teachers run apps
    > > > > to monitor student workstations)

    >
    > > > > 4. Don't allow any vlan to talk to another vlan unless there is a
    > > > > reason. In other words, currently no schools need to directly access
    > > > > anything in any other school. They all access servers at our core.

    >
    > > > > Am I on the right track here?
    > > > > Now all I need is some free open source software to monitor my
    > > > > network.

    >
    > > > > thanks

    >
    > > > Couple of caveats:

    >
    > > > First, you can't really allow teachers full access to students without
    > > > also doing the other way around due to traffic being bi-directional.
    > > > You'll want to know exactly which ports to allow through and punch
    > > > them as holes into your ACLs. Some recommend putting the ACL closest
    > > > to the source, while others recommend putting them closest to the
    > > > destination, particularly if you have a situation like yours where
    > > > instead of putting 8 ACLS on 8 VLANs, you can put one on the server or
    > > > teacher vlan to only allow certain ports from those sources. In short,
    > > > it's either 8 ACLs (1 on each VLAN), or 1 ACL on the destination
    > > > network with 8 or more statements to cover the 8 network ranges.

    >
    > > > Also be careful with ACLs as they all have an implicit deny at the
    > > > end. If you aren't careful, you will block transit traffic to the
    > > > internet or to other parts of the network that you may not want to
    > > > impact. For this reason, you have to be very careful whether or not
    > > > you use ACLs with deny and a permit ip any any on the end, or permits
    > > > on the front and remember the implicit deny. If there is internet
    > > > access here, and you use a proxy, you may be able to get around this
    > > > by permitting port 80 (or whatever port you use) to the IP of the
    > > > proxy. Else you'll have to use a permit ip any any.

    >
    > > > Bottom line is draw it out, and look at your common points and decide
    > > > where you want to put your ACLs, and how you want to apply them.
    > > > Think through ALL scenarios, and test it out on a single vlan which
    > > > you put yourself in to see what is working and what is not. You also
    > > > want to be careful with non-routed vlans in this same scenario, this
    > > > means that DHCP would not work (unless you route the network and only
    > > > allow DHCP through), and all other inter-vlan communications would be
    > > > null and void.

    >
    > > > Overall, just make sure you think through ingress and egress traffic
    > > > (if you apply ACLs in and out, be careful), and I would definitely
    > > > recommend a template that you apply to all 8 vlans if you go down that
    > > > path. Truthfully, if all your networks are centrally routed from a
    > > > MSFC or core router, you can just use one ACL (based on destinations)
    > > > and apply it to all vlans. Else you will need to create 8 different
    > > > ones (Based on source) and do it that way.

    >
    > > As always, thank you for sharing what you know.
    > > You've helped me out a lot on a number of my posts.

    >
    > Trendkill sure is one awesome dude :)
    >
    > GNY


    My pleasure, always happy to assist where I can. Good luck OP.
     
    Trendkill, Oct 1, 2007
    #8
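The student-VLAN ACL the thread sketches (DHCP and named servers permitted, teacher monitoring allowed only as return traffic, Internet via the proxy, everything else caught by the implicit deny), written out as an added example that nobody in the thread posted. Every VLAN number, address, port and the direction of the monitoring software are assumed placeholders, and the ACL is applied inbound on the student SVI at a centrally routing core.

```cisco
! Added example (not from the thread). All values are assumed placeholders.
! Assumed layout:  students 10.10.110.0/24 (Vlan110)   teachers 10.10.120.0/24
!                  servers  10.10.10.0/24  (Vlan10)    whole site 10.10.0.0/16
!                  file server 10.10.10.5, DNS 10.10.10.2, DHCP 10.10.10.3,
!                  proxy 10.10.10.20:8080, monitoring agent on students tcp/5900
!
ip access-list extended STUDENT-IN
 remark -- infrastructure first: DHCP discover/request (relayed by the SVI) and DNS
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.110.0 0.0.0.255 host 10.10.10.2 eq domain
 remark -- only the named servers on the server VLAN, only the ports in use
 permit tcp 10.10.110.0 0.0.0.255 host 10.10.10.5 eq 445
 permit tcp 10.10.110.0 0.0.0.255 host 10.10.10.5 eq 139
 remark -- teacher monitoring: teachers open the session TO the student agent,
 remark    which enters via Vlan120 and is never checked here; only the reply
 remark    half crosses this ACL, so 'established' lets it back without letting
 remark    students open connections to the teacher VLAN
 permit tcp 10.10.110.0 0.0.0.255 eq 5900 10.10.120.0 0.0.0.255 established
 remark -- proxy-only Internet: web goes to the proxy, nothing else leaves
 permit tcp 10.10.110.0 0.0.0.255 host 10.10.10.20 eq 8080
 remark -- make the implicit deny visible while testing from a student port
 deny   ip any any log
!
! Without a proxy (direct egress through a firewall/NAT), swap the proxy line
! and the final deny for these two, in this order:
!  deny   ip 10.10.110.0 0.0.0.255 10.10.0.0 0.0.255.255
!  permit ip any any
! The deny must come first: a first-match ACL that starts with 'permit ip any any'
! never reaches the deny, and one that ends with the implicit deny and no
! catch-all permit blocks the transit traffic to the Internet.
!
interface Vlan110
 description STUDENT-school1
 ip address 10.10.110.1 255.255.255.0
 ip helper-address 10.10.10.3
 ip access-group STUDENT-IN in
```

For the "one ACL on the destination" layout the thread also describes, the same statements are written with the eight student ranges as sources and applied inbound on the server or teacher SVI instead; the ordering rule about the implicit deny is unchanged.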