cat 3550 vlan/trunk a LAN to a backup server

Discussion in 'Cisco' started by Jeroen, Dec 28, 2003.

  1. Jeroen

    Jeroen Guest

    List,

    I've a backup-server, with which i like to backup my servers(obvious, isn't
    it??)
    But all the servers (172.16.10.x/24) are not allowed to connect to each
    other, except when I want it.

    Right now I have a dedicated 100Mbps Lan (3 cat2900) for it, but the can
    'talk' to each other, broadcasts etc. etc. and I don;t want that.
    I can not put them in different /30 and give my e.g. backupserver a lot of
    ip adresses..

    My plan is to put them all in different VLAN's on, let's say on 3 cat 2950
    (or 2920).
    Trunk them to a cat 3550 and make a special backup-server port on the 3550

    You'll notice the ip adressen of the servers are in 172.16.10.0/24 and my
    backup-server is 172.16.10.0/30.
    But I will fix that with proxy-arp, beacuse i can not change all the ip
    adresses....

    - How will I disallow all the traffic through my 3500-switch from my servers
    to my servers, because the cat3500 will acct as an router, isn't it?
    In other words how do I disallow traffic from trunk 1 to be ROUTED to trunk
    2 (and vice versa) by my cat 3500?, or won't it be routed?

    For example, should i make a loopbackup interfaces for giving each trunk
    it's on IP-adress/'gateway and make access-lists for it?

    I need to know for sure if it is poosible, before I'm allowed to buy an (for
    us) expensive cat 3500


    (i hope) simplefied drawing::::::::::

    -------------cat2900--1--------
    Server1 ---vlan11
    server2 ---vlan12
    --------------------------------trunk to cat3500

    -------------cat2900--1--------
    server3 --- vlan 31
    -------------------------------trunk to cat3500


    ---------cat3500---------------
    -----------------------172.16.10.1/30 no switchport to backup-server
    172.16.10.2/30
    -------------trunk to cat2900-1 - vlan11-12
    -------------trunk to cat2900-2 - vlan 31


    The config I've in mind:

    --The config is probaly not syntaxly-correct, but I need to know for sure,
    before I'm allowed to buy a expensive cat 3500

    fastethernet 0/1
    desc to backup-server 172.16.10.1 - Vlan 1
    no switchport
    ip address 172.16.10.2 255.255.255.252
    ip access-list everyone-in in
    ip access-list everyone-out out

    fa0/21
    desc to switch 2900-1 172.16.10.0/24
    switchport mode trunk dot1q

    fa0/22
    desc to switch 2900-2 172.16.10.0/24
    switchport mode trunk dot1q

    fa0/23
    desc to switch 2900-3 172.16.10.0/24
    switchport mode trunk
     
    Jeroen, Dec 28, 2003
    #1
    1. Advertisements

  2. Jeroen

    chris Guest

    I've a backup-server, with which i like to backup my servers(obvious, isn't it??)
    [snip]

    I think you need to look into protected ports. Essentially protected
    ports cannot talk to each other, but traffic can flow to/from
    non-protected ports. This applies to a single switch, and can't be
    extended across multiple switches.

    Very easy to configure, you simply issue 'switchport protected' for
    each interface you wish to protect in this manner.

    I did a quick search on Cisco (link may be wrapped):
    http://www.cisco.com/en/US/products...tion_guide_chapter09186a008007e707.html#56161

    A good example of protected ports would be a hotel where the ports for
    each room should not be able to talk to each other, but they all need
    to talk to a gateway.

    Just curious, but is this to isolate different customers servers from
    each other, or is this a damage control method in case a server is
    hacked (an excellent idea for a dmz, btw)?

    -Chris
     
    chris, Dec 28, 2003
    #2
    1. Advertisements

  3. Jeroen

    chris Guest

    I think you need to look into protected ports.

    Also, I believe your 2900 can do this. The syntax is slightly
    different, eg 'port protected' instead of 'switchport protected'.

    -Chris
     
    chris, Dec 28, 2003
    #3
  4. Jeroen

    Jeroen Guest

    I've proteced ports right now, but the servers on one switch can talk to the
    servers on an other switch.
    I need it both for protecting if a server is hacked (or someone nasty buys a
    server a can get access to our LAN)
    And if customers do not diables file-sharing , other server see that,
    master-browser election etc. etc. etc. MS-stuff-junk

    But to be more detailed. I've not 1 but 2 backup-servers and a snmp-server
    that must reach and must be reachable by all servers, and they're on
    different switches... so VLAN should be the solution
     
    Jeroen, Dec 28, 2003
    #4
  5. Jeroen

    chris Guest


    Gotcha. So protected ports would work except you need to cross
    switches.

    A quick fix for this is having the two switches uplinked to a third
    switch that has the two uplink ports protected. Or, grouping all of
    the protected ports on each switch into a vlan per switch would cut
    down the number of vlans you'd need to create.

    For either case, if you go with multiple vlans and routing between
    them, you need to ensure that whatever is routing between vlans has an
    acl to prevent someone from 'bouncing' off the router (eg altering
    their subnet mask) onto the same vlan to get around the port
    protection.

    Otherwise, the brute-force and possibly simplest solution would be a
    vlan per port/server. The 3550 could handle the routing, but you
    need to setup an ACL for each vlan to only allow the traffic you want
    routed. This would have the advantage of being able to customize the
    ACL per server (eg one server should not have smtp access).

    Good luck.

    -Chris
     
    chris, Dec 28, 2003
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.