Segregating Traffic

Discussion in 'Cisco' started by Bob Simon, Feb 14, 2007.

  1. Bob Simon

    Bob Simon Guest

    The 1711 at a remote site has a guest VLAN to isolate traffic there
    from the default VLAN1. When this traffic gets to the main network on
    its way out to the Internet, the boss wants to have it bypass the
    firewall.

    This simple network diagram lines up with fixed-pitch font.

    |------|  |------|  |------|  |----------|  |------|  |------|
    | 1711 |--| 3745 |--| 4503 |--| firewall |--| 2950 |--| 3745 |--->
    |------|  |------|  |------|  |----------|  |------|  |------|
    remote    HQ                                                  to Internet

    At what point should I split the traffic out from the main stream and
    how can I make it take the secondary path?
     
    Bob Simon, Feb 14, 2007
    #1

  2. In article <>,
    Bob Simon <> wrote:
    >The 1711 at a remote site has a guest VLAN to isolate traffic there
    >from the default VLAN1. When this traffic gets to the main network on
    >its way out to the Internet, the boss wants to have it bypass the
    >firewall.


    Presumably the purpose of bypassing the firewall is to allow guests
    to get at their webmail and VPNs and mail servers and web servers,
    when inside access to those would normally be blocked... especially
    if the home sites have been configured on non-standard ports.

    Recall, though, that the main purpose of the firewall is [likely]
    not to prevent internal people from going out: the main purpose
    of the firewall is to protect the systems within it. Including the
    guests.

    If the guests are bypassing the firewall, then unless they happen
    to have good firewall software on their machines, they are going to
    be vulnerable to all the random exploits and script kiddies that
    hit most addresses in less than 3 minutes.

    I would thus suggest that the guests still be placed within the
    firewall, but possibly that the firewall be configured so that
    those IP addresses are allowed to -initiate- connections to the
    outside.

    If your boss wants other people to be able to initiate connections into
    the guests, then your boss will have to make a decision as to which
    makes for better relations: "Sorry, we block incoming connections in order
    to protect our honoured guests, but we can get our IT people to
    open a pinhole if you need it.", or "Sorry that your computer got
    hacked into while you were visiting us; next time you'll know to
    have your IT people protect your equipment before you leave, since you
    were so foolish as not to have done that yourself this time."
     
    Walter Roberson, Feb 14, 2007
    #2

  3. Bob Simon

    Bob Simon Guest

    On Wed, 14 Feb 2007 18:35:02 GMT, (Walter
    Roberson) wrote:

    >In article <>,
    >Bob Simon <> wrote:
    >>The 1711 at a remote site has a guest VLAN to isolate traffic there
    >>from the default VLAN1. When this traffic gets to the main network on
    >>its way out to the Internet, the boss wants to have it bypass the
    >>firewall.

    >
    >Presumably the purpose of bypassing the firewall is to allow guests
    >to get at their webmail and VPNs and mail servers and web servers,
    >when inside access to those would normally be blocked... especially
    >if the home sites have been configured on non-standard ports.
    >
    >Recall, though, that the main purpose of the firewall is [likely]
    >not to prevent internal people from going out: the main purpose
    >of the firewall is to protect the systems within it. Including the
    >guests.
    >
    >If the guests are bypassing the firewall, then unless they happen
    >to have good firewall software on their machines, they are going to
    >be vulnerable to all the random exploits and script kiddies that
    >hit most addresses in less than 3 minutes.
    >
    >I would thus suggest that the guests still be placed within the
    >firewall, but possibly that the firewall be configured so that
    >those IP addresses are allowed to -initiate- connections to the
    >outside.
    >
    >If your boss wants other people to be able to initiate connections into
    >the guests, then your boss will have to make a decision as to which
    >makes for better relations: "Sorry, we block incoming connections in order
    >to protect our honoured guests, but we can get our IT people to
    >open a pinhole if you need it.", or "Sorry that your computer got
    >hacked into while you were visiting us; next time you'll know to
    >have your IT people protect your equipment before you leave, since you
    >were so foolish as not to have done that yourself this time."


    Walter,
    Many of your guesses are pretty much right on. But these "guest" PCs
    should all have Windows Firewall enabled, which should dramatically
    reduce the exposure.

    There are several issues that I did not get into earlier for purposes
    of brevity. First of all, they're not really guests, they're actually
    business partners whose traffic will ride the physical network but
    should be segregated from normal traffic. Second, in addition to
    bypassing the firewall, this traffic will also bypass a Sonic Wall
    running web-filtering software. Third, firewall management is
    outsourced and requests to open up holes often meet resistance that
    usually has to be resolved by the boss telling them, "I'm aware this
    may be a bad idea but do it anyway."

    Assuming that I need to proceed as described earlier, I'd like to hear
    how you'd go about it. If you provide a few general pointers, I will
    look up the details. Here are some thoughts that I've had so far:

    I could extend the 802.1Q vlan from the 1711 through the 3745 into the
    4503 and 2950. This would keep the "guest" traffic isolated
    throughout the internal network. But if I add a separate link from
    the 4503 to the 2950, wouldn't STP put it in blocking mode? Also, how
    would I direct VLAN 3 traffic through the second link and keep other
    traffic off it?

    Alternatively, if I ran a second link between the two 3745s, I should be
    able to use the encapsulation vlan # on the subinterfaces to force
    VLAN 3 traffic on this link and keep VLAN 1 traffic out. Is this
    correct?
     
    Bob Simon, Feb 14, 2007
    #3
  4. In article <>,
    Bob Simon <> wrote:
    >I could extend the 802.1Q vlan from the 1711 through the 3745 into the
    >4503 and 2950. This would keep the "guest" traffic isolated
    >throughout the internal network. But if I add a separate link from
    >the 4503 to the 2950, wouldn't STP put it in blocking mode?


    Not if the second link is in a different vlan, and you have
    Per Vlan Spanning Tree (PVST+) configured. And possibly you
    can use Multiple Spanning Tree (MST):

    http://www.cisco.com/warp/public/473/147.html


    > Also, how
    >would I direct VLAN 3 traffic through the second link and keep other
    >traffic off it?


    In the outgoing direction, the only traffic on the link is that
    initiated by the guests, and you don't have to worry about keeping
    other traffic off. For incoming traffic, the destination hosts will
    have a relatively narrow IP range dedicated to guest services,
    and simple "longest prefix" routing should take care of getting the
    traffic to the right interface. At worst case, you could use
    Policy Based Routing (PBR), which I -think- is supported on all
    your devices except the 2950.
     
    Walter Roberson, Feb 14, 2007
    #4
  5. Thrill5

    Thrill5 Guest

    What you are trying to do is very dangerous. If you want to keep the
    traffic segregated you need to put them on a completely different switch and
    keep the traffic off your "protected" internal network. Why? Because if
    someone hacks into one of the "guest" computers, it's not difficult to get into
    the rest of the network because they have now bypassed your firewall. In
    addition there are many types of attacks that can compromise the layer 2
    network (such as spanning tree, DoS attacks targeting ARP and CAM entries on
    the switch) that can bring down your entire network, not just the "guest"
    VLAN.

    Scott


    "Bob Simon" <> wrote in message
    news:...
    > The 1711 at a remote site has a guest VLAN to isolate traffic there
    > from the default VLAN1. When this traffic gets to the main network on
    > its way out to the Internet, the boss wants to have it bypass the
    > firewall.
    >
    > This simple network diagram lines up with fixed-pitch font.
    >
    > |------|  |------|  |------|  |----------|  |------|  |------|
    > | 1711 |--| 3745 |--| 4503 |--| firewall |--| 2950 |--| 3745 |--->
    > |------|  |------|  |------|  |----------|  |------|  |------|
    > remote    HQ                                                  to Internet
    >
    > At what point should I split the traffic out from the main stream and
    > how can I make it take the secondary path?
     
    Thrill5, Feb 15, 2007
    #5
  6. BernieM

    BernieM Guest

    "Bob Simon" <> wrote in message
    news:...
    > On Wed, 14 Feb 2007 18:35:02 GMT, (Walter
    > Roberson) wrote:
    >
    >>In article <>,
    >>Bob Simon <> wrote:
    >>>The 1711 at a remote site has a guest VLAN to isolate traffic there
    >>>from the default VLAN1. When this traffic gets to the main network on
    >>>its way out to the Internet, the boss wants to have it bypass the
    >>>firewall.

    >>
    >>Presumably the purpose of bypassing the firewall is to allow guests
    >>to get at their webmail and VPNs and mail servers and web servers,
    >>when inside access to those would normally be blocked... especially
    >>if the home sites have been configured on non-standard ports.
    >>
    >>Recall, though, that the main purpose of the firewall is [likely]
    >>not to prevent internal people from going out: the main purpose
    >>of the firewall is to protect the systems within it. Including the
    >>guests.
    >>
    >>If the guests are bypassing the firewall, then unless they happen
    >>to have good firewall software on their machines, they are going to
    >>be vulnerable to all the random exploits and script kiddies that
    >>hit most addresses in less than 3 minutes.
    >>
    >>I would thus suggest that the guests still be placed within the
    >>firewall, but possibly that the firewall be configured so that
    >>those IP addresses are allowed to -initiate- connections to the
    >>outside.
    >>
    >>If your boss wants other people to be able to initiate connections into
    >>the guests, then your boss will have to make a decision as to which
    >>makes for better relations: "Sorry, we block incoming connections in order
    >>to protect our honoured guests, but we can get our IT people to
    >>open a pinhole if you need it.", or "Sorry that your computer got
    >>hacked into while you were visiting us; next time you'll know to
    >>have your IT people protect your equipment before you leave, since you
    >>were so foolish as not to have done that yourself this time."

    >
    > Walter,
    > Many of your guesses are pretty much right on. But these "guest" PCs
    > should all have Windows Firewall enabled, which should dramatically
    > reduce the exposure.
    >
    > There are several issues that I did not get into earlier for purposes
    > of brevity. First of all, they're not really guests, they're actually
    > business partners whose traffic will ride the physical network but
    > should be segregated from normal traffic. Second, in addition to
    > bypassing the firewall, this traffic will also bypass a Sonic Wall
    > running web-filtering software. Third, firewall management is
    > outsourced and requests to open up holes often meet resistance that
    > usually has to be resolved by the boss telling them, "I'm aware this
    > may be a bad idea but do it anyway."
    >
    > Assuming that I need to proceed as described earlier, I'd like to hear
    > how you'd go about it. If you provide a few general pointers, I will
    > look up the details. Here are some thoughts that I've had so far:
    >
    > I could extend the 802.1Q vlan from the 1711 through the 3745 into the
    > 4503 and 2950. This would keep the "guest" traffic isolated
    > throughout the internal network. But if I add a separate link from
    > the 4503 to the 2950, wouldn't STP put it in blocking mode? Also, how
    > would I direct VLAN 3 traffic through the second link and keep other
    > traffic off it?
    >
    > Alternatively, if I ran a second link between the two 3745s, I should be
    > able to use the encapsulation vlan # on the subinterfaces to force
    > VLAN 3 traffic on this link and keep VLAN 1 traffic out. Is this
    > correct?
    >


    Essentially you're replacing your firewall with "vlan separation" and PCs
    that "should" have a software firewall installed as a means of security from
    the Internet. You are seriously asking for trouble.

    The firewall is there for a reason. If you want to trunk a vlan through the
    internal network, fine, but terminate it at the firewall. Your firewall does
    support trunking on its internal interface, doesn't it? And have them use
    your Internet proxy like any other internal client.

    BernieM
     
    BernieM, Feb 15, 2007
    #6
  7. Bob Simon

    Bob Simon Guest

    On Wed, 14 Feb 2007 20:32:12 GMT, (Walter
    Roberson) wrote:

    >In article <>,
    >Bob Simon <> wrote:
    >>I could extend the 802.1Q vlan from the 1711 through the 3745 into the
    >>4503 and 2950. This would keep the "guest" traffic isolated
    >>throughout the internal network. But if I add a separate link from
    >>the 4503 to the 2950, wouldn't STP put it in blocking mode?

    >
    >Not if the second link is in a different vlan, and you have
    >Per Vlan Spanning Tree (PVST+) configured. And possibly you
    >can use Multiple Spanning Tree (MST)
    >
    >http://www.cisco.com/warp/public/473/147.html
    >
    >
    >> Also, how
    >>would I direct VLAN 3 traffic through the second link and keep other
    >>traffic off it?

    >
    >In the outgoing direction, the only traffic on the link is that
    >initiated by the guests, and you don't have to worry about keeping
    >other traffic off. For incoming traffic, the destination hosts will
    >have a relatively narrow IP range dedicated to guest services,
    >and simple "longest prefix" routing should take care of getting the
    >traffic to the right interface. At worst case, you could use
    >Policy Based Routing (PBR), which I -think- is supported on all
    >your devices except the 2950.


    Walter,
    I see that BernieM and Scott seconded your recommendation to avoid
    proceeding along the lines my boss desires, adding additional pitfalls
    that I will share with him. Thanks guys!

    I have thought some more about what you wrote above and I now see that
    I had some gaps in my understanding of how routers process VLANs.
    Here are the main issues I am not clear about:

    1) Will a router with sub-interfaces configured with dot1q
    encapsulation reject packets from other VLANs (other than native
    untagged packets)?

    2) Will the router strip off the encapsulation prior to processing the
    packet via its normal routing process?

    3) If this router does not have sub-interfaces configured on the
    outgoing interface, will this packet lose its VLAN identity?

    4) If I need to retain the VLAN identity for outbound packets, is the
    way to do it by configuring sub-interfaces with dot1q encapsulation on
    the outbound interface and use PBR to select which sub-interface to
    forward the packet to?

    Bob
     
    Bob Simon, Feb 15, 2007
    #7
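    What BernieM's suggestion (trunk the VLAN through the internal network but terminate it at the firewall) and the subinterface behaviour behind Bob's questions 1-4 look like on the HQ 3745, as an added Cisco IOS example that is not from anyone in the thread. Every address, interface and ACL/route-map name is assumed, as is an 802.1Q trunk between the 1711 and the 3745; the 10.1.x.254 next-hops stand for the firewall's inside trunk addresses.

```cisco
! HQ 3745 (Cisco IOS). All addresses, interface names and ACL/route-map names
! are constructed for this example; the 1711 is assumed to reach this router
! over an 802.1Q trunk carrying VLAN 1 (native) and VLAN 3 (partner).
!
! Partner hosts may initiate connections to the Internet only: deny the
! private ranges (internal networks), then permit everything else.
ip access-list extended PARTNER-IN
 deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.3.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.3.0 0.0.0.255 any
!
! PBR: partner-sourced packets leave via the VLAN 3 leg toward the firewall's
! inside trunk instead of following the default route on VLAN 1.
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
route-map PARTNER-PATH permit 10
 match ip address 103
 set ip next-hop 10.1.3.254
!
interface FastEthernet0/0
 description dot1q trunk from the remote 1711
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
! Only frames tagged VLAN 3 reach this subinterface; the tag is removed before
! the packet enters the routing process (inbound ACL runs first, then PBR).
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip access-group PARTNER-IN in
 ip policy route-map PARTNER-PATH
!
interface FastEthernet0/1
 description dot1q trunk toward the 4503 and the firewall's inside interface
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
!
! The VLAN 3 tag is re-applied only because the egress is a dot1q subinterface;
! a plain (non-subinterface) egress would send the packet untagged.
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.1.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
```

    Untagged (VLAN 1) frames land on the native subinterfaces and never touch PARTNER-IN or the policy route-map, so the two flows stay separate at layer 3 without a second physical link.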
