cat 3550 vlan/trunk a LAN to a backup server

List,

I've a backup-server, with which i like to backup my servers(obvious, isn't
it??)
But all the servers (172.16.10.x/24) are not allowed to connect to each
other, except when I want it.

Right now I have a dedicated 100Mbps Lan (3 cat2900) for it, but the can
'talk' to each other, broadcasts etc. etc. and I don;t want that.
I can not put them in different /30 and give my e.g. backupserver a lot of
ip adresses..

My plan is to put them all in different VLAN's on, let's say on 3 cat 2950
(or 2920).
Trunk them to a cat 3550 and make a special backup-server port on the 3550

You'll notice the ip adressen of the servers are in 172.16.10.0/24 and my
backup-server is 172.16.10.0/30.
But I will fix that with proxy-arp, beacuse i can not change all the ip
adresses....

- How will I disallow all the traffic through my 3500-switch from my servers
to my servers, because the cat3500 will acct as an router, isn't it?
In other words how do I disallow traffic from trunk 1 to be ROUTED to trunk
2 (and vice versa) by my cat 3500?, or won't it be routed?

For example, should i make a loopbackup interfaces for giving each trunk
it's on IP-adress/'gateway and make access-lists for it?

I need to know for sure if it is poosible, before I'm allowed to buy an (for
us) expensive cat 3500


(i hope) simplefied drawing::::::::::

-------------cat2900--1--------
Server1 ---vlan11
server2 ---vlan12
--------------------------------trunk to cat3500

-------------cat2900--1--------
server3 --- vlan 31
-------------------------------trunk to cat3500


---------cat3500---------------
-----------------------172.16.10.1/30 no switchport to backup-server
172.16.10.2/30
-------------trunk to cat2900-1 - vlan11-12
-------------trunk to cat2900-2 - vlan 31


The config I've in mind:

--The config is probaly not syntaxly-correct, but I need to know for sure,
before I'm allowed to buy a expensive cat 3500

fastethernet 0/1
desc to backup-server 172.16.10.1 - Vlan 1
no switchport
ip address 172.16.10.2 255.255.255.252
ip access-list everyone-in in
ip access-list everyone-out out

fa0/21
desc to switch 2900-1 172.16.10.0/24
switchport mode trunk dot1q

fa0/22
desc to switch 2900-2 172.16.10.0/24
switchport mode trunk dot1q

fa0/23
desc to switch 2900-3 172.16.10.0/24
switchport mode trunk

 

I've a backup-server, with which i like to backup my servers(obvious, isn't it??)

[snip]

I think you need to look into protected ports. Essentially protected
ports cannot talk to each other, but traffic can flow to/from
non-protected ports. This applies to a single switch, and can't be
extended across multiple switches.

Very easy to configure, you simply issue 'switchport protected' for
each interface you wish to protect in this manner.

I did a quick search on Cisco (link may be wrapped):
http://www.cisco.com/en/US/products...tion_guide_chapter09186a008007e707.html#56161

A good example of protected ports would be a hotel where the ports for
each room should not be able to talk to each other, but they all need
to talk to a gateway.

Just curious, but is this to isolate different customers servers from
each other, or is this a damage control method in case a server is
hacked (an excellent idea for a dmz, btw)?

-Chris

 

I think you need to look into protected ports.

Also, I believe your 2900 can do this. The syntax is slightly
different, eg 'port protected' instead of 'switchport protected'.

-Chris

 

I've proteced ports right now, but the servers on one switch can talk to the
servers on an other switch.
I need it both for protecting if a server is hacked (or someone nasty buys a
server a can get access to our LAN)
And if customers do not diables file-sharing , other server see that,
master-browser election etc. etc. etc. MS-stuff-junk

But to be more detailed. I've not 1 but 2 backup-servers and a snmp-server
that must reach and must be reachable by all servers, and they're on
different switches... so VLAN should be the solution

 

Gotcha. So protected ports would work except you need to cross
switches.

A quick fix for this is having the two switches uplinked to a third
switch that has the two uplink ports protected. Or, grouping all of
the protected ports on each switch into a vlan per switch would cut
down the number of vlans you'd need to create.

For either case, if you go with multiple vlans and routing between
them, you need to ensure that whatever is routing between vlans has an
acl to prevent someone from 'bouncing' off the router (eg altering
their subnet mask) onto the same vlan to get around the port
protection.

Otherwise, the brute-force and possibly simplest solution would be a
vlan per port/server. The 3550 could handle the routing, but you
need to setup an ACL for each vlan to only allow the traffic you want
routed. This would have the advantage of being able to customize the
ACL per server (eg one server should not have smtp access).

Good luck.

-Chris