Firewall/Switching/VLAN Design and Security considerations

Hi,
Consider the following:
                   /SW3---|
External--S1--FW---/       |Subnet 1
   |            \  \       |
   |             \__\SW4---|
   |                /\
   |               / /SW5--|
External--S2--FW-/         |Subnet 2
                 \         |
                  \SW6--|
Requirements:
Router/Switch/Firewall/NIC resiliency. We can pretty much cover this with HSRP/redundant links(STP)/HA between firewalls/ and (HP) NIC Teaming.
Question:
Is it unreasonable to have SW3-SW6 physically on the one switch due to lack of available ports?
I take it this wouldn't be the security purist's choice of implementation?
If it is reasonable/doable, what are the features on IOS on switches, e.g. 2950s, to implement this?
Any help appreciated.
Thanks
Mark

You can configure network security by using ACLs, either through the Cluster Management Suite (CMS) or through the command-line interface (CLI). You can also use the security wizard to filter inbound traffic on the Catalyst 2950 switches. Filtering can be based on network addresses or TCP/UDP applications. You can choose whether to drop or forward packets that meet the filtering criteria. To use this wizard, you must know how the network is designed and how interfaces are used on the filtering device. For more information, refer to the following URL:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8ed.html#36127

Similar Messages

  • Management VLAN Design and Implementation

    Greetings, friends.  I'm having trouble getting a clear picture of how a management VLAN ought to look.  I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches.  I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
    Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
    Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
    There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN.  Are you able to point me in the right direction to find such documentation?  Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
    What is the best practice for accessing the management VLAN?  Inter-VLAN routing + ACLs?  Multi-homed PCs or servers?  Additional PCs to be used as access stations?
    Thank you for your wisdom, experience, and advice!
    Kevin

    1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.
    2. Indeed, all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.
    3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment, or where you use L3 to go to your datacenters, you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and didn't even use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.
    4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution, I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.
    Points to consider are, as always:
    Find the single point of failure: any device (L2, L3, firewall) that could cut off management from accessing a part of the network.
    Find the right balance between security, costs and ease of access for the business you're in.
    Cheers,
    Michel

  • Switching between Design and JSP tabs add code?

    I am new to SJSC and I am taking the time to go through all of the little odds & ends of the IDE.
    I was looking at:
    http://blogs.sun.com/roller/page/tor?entry=computing_html_on_the_fly
    And I decided to try this.
    When I add the following in the JSP tab:
    <h:outputText binding="#{Page1.tableHtml}" id="outputText1"/>
    Save. Then click on the Design tab, then go back to the JSP tab, I now have:
    <h:outputText binding="#{Page1.tableHtml}" id="outputText1"/>
    <h:outputText binding="#{Page1.outputText1}" id="outputText1"/>
    It's late here, but this doesn't make any sense, why would switching between Design and JSP tabs add code?
    Thanks,
    --Todd

    Girish: I followed these steps:
    1.) Downloaded:
    Sun Java Studio Creator 2, Multilanguage creator-2-windows-ml.exe 254.23 MB
    2.) When I started the install, I received the message:
    Welcome to Sun Java(TM) Studio Creator 2! You are installing: Sun Java Studio Creator 2 development environment Sun Java System Application Server Platform Edition 8.1 2005Q1 Update Release 2 Bundled database
    3.) Installed version:
    Product Version: Java Studio Creator 2 (Build 060120)
    IDE Versioning: IDE/1 spec=5.9.1.1 impl=060120
    Also, Under, the Palette window: Standard component list, there is a component labeled Output Text.
    When placed on a jsp, the following code is produced:
    <h:outputText binding="#{Page1.outputText1}" id="outputText1" style="position: absolute; left: 24px; top: 48px"/>
    Thanks,
    --Todd

  • Basic schema design and security mechanisms for slowing down bandwidth

    Hi to all!
    At first I am sorry for a lot of noob questions - I am just a beginner in networking.
    I have a LAN with 1 SW (Cisco Catalyst 2950 series), 1 R (Cisco 2501), one Apache server on a Linux machine (Fedora) and 5 computers. My task is to test my application for preventing DoS attacks on the computer with Apache. My network design is on the image, but if necessary, I can change it (I can use more switches and routers like this). So my noob questions are:
    1.) will this design work? How can I connect these two LANs to the router? Do I need one more router? Can I connect a SW ethernet port to the router's console port?
    2.) I have erased the SW and R configuration. I have configured only interfaces and the RIP protocol with networks 10.0.0.0/8 and 192.168.0.0/24. What else do I need to configure to make it possible to view the webpage from the computer with Apache on another computer?
    3.) what is the "ip http server" setting?
    4.) I need to send TCP, UDP, HTTP and ICMP packets from the computers to Apache (is it allowed by default?).
    5.) I need to use all bandwidth for the DoS attack, so I need to disable security mechanisms (configurations are erased, so what else do I need to disable or set up?). I heard only about storm-control, but it is disabled.
    6.) do I need to set up something like this for full speed on the devices?
    interface range fa 0/1 - 3
    speed 100
    duplex full
    7.) the last question is, I want to monitor protocols and ports of packets sent from the computers to the Apache computer, or bandwidth usage (bits/s). Do the SW/R have some mechanism for statistics like this?
    Thank you very much.
    Matej

    The 2950 switch and 2501 router are pretty old, low specification devices, so you might run into performance problems. Be aware of this. The 2950 also is not, from memory, a layer 3 switch, so it does *no* routing.
    To answer your questions (I'm assuming some basic knowledge of how to use IOS, so these commands are indicative only).
    The 2501 has only one ethernet port, so you can't connect the way you have in your diagram. You cannot connect an ethernet port to the router console port - the console port is a serial connection, by default running at 9600/8N1, and is not convertible to ethernet.
    To make your required network work, you'd need to do the following.
    1) Configure your 2501 ethernet port for dot1q VLAN trunking by doing something like this
    interface fastethernet0
    no shutdown
    speed 100
    duplex full
    no ip address
    interface fastethernet0.2
    encapsulation dot1q 2
    ip address 10.0.0.4 255.0.0.0
    interface fastethernet0.3
    encapsulation dot1q 3
    ip address 192.168.0.1 255.255.255.0
    Setup in this manner you don't need routing protocols such as RIP because both routes will be directly connected, and the router will know how to get between them without anything fancy.
    Then connect the ethernet interface of your 2501 to a port on your 2950 switch - I'll assume it's a 24 port switch, so I'll use interface f0/24
    Create VLANs 2 & 3 for your devices by doing this (the 2950 is so old the IOS method of creating VLANs won't work, from memory)
    vlan database
    vlan 2 name workstations
    vlan 3 name server
    interface f0/24
    switchport trunk encapsulation dot1q
    switchport mode trunk
    speed 100
    duplex full
    switchport trunk allowed vlan 2,3
    You can create a VLAN interface for management of your switch at the same time if you like
    interface vlan2
    ip address 10.0.0.7 255.0.0.0
    no shutdown
    Then connect your devices. You will need to configure each switchport into an appropriate VLAN - for example, if you are connecting your server to port f0/23
    interface f0/23
    switchport mode access
    spanning-tree portfast
    switchport access vlan 3
    Use "switchport access vlan 2" for your workstation ports.
    The "ip http server" setting on switches/routers enables management via the web - on these old devices, turn it off, as it's next to useless. Type "no ip http server" in configuration mode.
    There is no packet filtering or security enabled on these devices by default, so you can just sling whatever you like at the Apache server.
    Unfortunately, owing to the fact you only have one ethernet port to uplink to the router, you will never be able to saturate the server. The best you will manage is 50 megabits per second (half in, half out) because you have to trunk back to the switch to get to the server. If you really need to flood the server, you either need a better router (one with two ethernet ports) or a layer-3 capable switch (so you can eliminate the trunk and just use the in-built routing capabilities between subnets).
    And finally - you won't be able to monitor protocols/ports using this hardware. You *could* set up a MONITOR/MIRROR port and use a separate PC running Wireshark or something to monitor the trunk port, but that'd need additional hardware (PCs), and a bit more configuration.
    Phew. Hope that helps a bit. Basically, to do the loading you want, you need better/different hardware, but you can come close with what you've got.
    Cheers.

  • SGE2010 switches, VLAN's and a blocked port in spanning-tree

    Folks,
    I have 2 switch groups.
    2 SGE2010's with VLAN's defined as 10,20 and 30
    Vlan 10 is the management VLAN, and it uplinks to our border router.
    Vlan 20 is the workstation VLAN, and all workstations point to the switch as their default GW
    Vlan 30 is the ip phone VLAN, and all phones use this as their gateway.
    I would like to put a LAG between said switches, we have some servers on the ip phone switch that need to be accessed by the workstation clients, and the single 100mb link through the router is probably not going to be enough.
    As I understand it, because the switches have different networks on them, a simple lag will not work. I did create a lag, and assign ip addresses to each side, however in that mode, it doesn't appear I can block vlan 10 from transiting the LAG, and with out that block I will end up with a logical loop, and spanning-tree will block one of the uplinks, or the LAG itself.
    I have attached an image with a diagram of our current set up.
    Any help/advice would be much appreciated.

    Tom,
    I remember our conversation a few weeks ago. I did not get a chance to have a go at MSTP, mainly because I have no experience with it, and looking at the configuration properties, it looks a little daunting.
    It has also been a very busy few weeks with the deployment of 200+ phones across several sites, and the system is functioning great without the LAG trunk; I am just trying to plan for the future.
    I made a few postings a few weeks ago, one here and one on the Cisco forums on reddit, and a user there gave me some advice I have been unable to make work (I think it's just wrong), but I would love to go this route if it is in fact possible.
    Here is the thread : http://www.reddit.com/r/Cisco/comments/x91tc/vlan_trunks_spanning_tree_and_a_port_blocked/c5kskch
    This user implies it's possible to block a VLAN across the LAG which would end the logical loop problems.
    It looks like his advice is to make the LAG into a trunk, and then block specific VLAN's from transiting it, but in trunk mode, I can't assign it an IP, so I am sorta wondering how exactly you transport packets across it.
    Can you confirm that his advice is in fact incorrect?
    If MSTP is my only route, then I suppose it's time to dig into the docs and see if I can't get it up and running.

  • Vlan dhcp and security

    HI all.
    I'm a newbie with Cisco.
    I wanted to achieve something like this.
    I want to make separate subnets on Layer 3 switch. I'm not using any router.
    Each interface is its own VLAN & subnet. So interface fa0/2 is vlan2, interface fa0/10 is vlan10 and so on. Additionally, vlan 2 is subnet 2.x and vlan10 is subnet 10.x
    I already configured Dhcp server with scopes and configured IP helper
    BUT
    And here starts my question.
    Is that true that I have to enable IP routing between Vlans? If yes then what's the point of creating Vlans when we have to enable routing between them?
    Or maybe there is a way to enable only communication with DHCP server but disable any other communication between VLans?
    Let's say I have the DHCP server on vlan1 and want vlan5 to only communicate with the DHCP server, but not communicate with vlan10 or any other computers in vlan1. Is that possible?
    Thanks

    The config can be as below if I understand your question:
    interface vlan 2
    ip address 2.x
    interface Fa0/2
    switchport access vlan 2
    interface vlan 5
    ip address 5.x
    interface Fa0/5
    switchport access vlan 5
    interface vlan 1
    ip address 1.x
    interface fa0/1
    switchport access vlan 1
    ip routing
    interface fa0/3
    description --> DHCP Server
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,5,2,10
    switchport mode trunk
    So you have the DHCP server on VLAN 1. The computer on VLAN 1 can acquire an IP from the DHCP server.
    This is my solution, but if I have not understood your question, you can answer me.

  • Advice About Network Design and Security

    Dear All,
    I have the following network scenario:
    An internal mail server that forwards the mail messages to an external sendmail server, which sends/receives the mails from the Internet.
    Between the two mail servers, starting from the inside, there is an L3 switch that acts like a bridge among the internal network subnets 172.16.0.0/22, to which the internal mail server (.161) is connected.
    The L3 switch is connected to the first Pix on the inside interface, and it is connected to the second Pix's inside interface by its DMZ interface. The second Pix has the ISP router connected on the outside interface, and on its DMZ the sendmail server, which has a public IP 84.184.164.83/29.
    My question is:
    From a security point of view, how important is it that the internal and external mail servers do not have routing information about the external and internal networks? I have configured the second Pix to perform a port redirection in this way:
    static (dmz,inside) tcp 172.16.243.1 smtp 84.184.164.83 smtp netmask 255.255.255.255
    The internal mail server forwards the mail to 172.16.243.1; the Pix applies the static and performs the port redirection to 84.184.164.83.
    Then I have also added:
    static (dmz,inside) 172.26.243.1 84.184.164.83 netmask 255.255.255.255
    In this way the Pix performs outside NAT, so the source address is changed from 84.184.164.83 to 172.26.243.1, so I have configured 172.26.243.1 on the external mail server instead of the real IP.

    Hi,
    I'm not sure about best practice in this area, but I think it's safe to say that the less information that's available on your externally reachable devices, the better. I think your config is sound, but if possible, it's a good idea to restrict access to the SMTP port of your external mail server to trusted hosts.
    Cheers,

  • Firewall and security

    Hello All,
    I have a basic question
    "The requirement is such that we need to create a portal for our vendors to access and we still want that all our vendors (no matter how trusted they may be ) not to access our systems that are inside the firewall."
    Is this possible in EP, or how does EP support/address this? Can anyone send me the architecture diagram and an explanation for the same?
    Thanks and Regards
    Pradeep Bhojak

    Hi Pradeep,
    SAP's EP is designed to work within a variety of firewall/DMZ configurations. Without knowing your specific network architecture, it would be hard to say how it would best fit your environment. I suggest you download the portal master guide and security guide from the service marketplace.
    http://service.sap.com/nw-ep   On the navigation panel, select Portal > Media Library > Documentation & More > EP6 SP2 (or your portal version) > Fundamentals.
    These guides give insight into the portal architecture and how it will work in your environment.
    Thanks,
    John

  • Do I need virgin PCguard anti virus and firewall switched on with Firefox

    Do I need to have Virgin media PCguard anti virus and firewall switched on when browsing with Firefox?

    The person who told you that you do not need another security program was wrong, Firefox is just a web browser.
    There are free anti-virus programs available if you do not want to renew Norton. Some examples are:
    * Microsoft Security Essentials - http://www.microsoft.com/security_essentials
    * Avast - http://www.avast.com/free-antivirus-download
    * Avira - http://www.avira.com/en/avira-free-antivirus
    * Comodo - http://antivirus.comodo.com/

  • Nvidia Firewall and Secure Sites

    Dear All,
    I am hoping someone can help me.... I have Googled for answers and searched this board but not found answers!
    One reason I bought my Neo Platinum was for the hardware firewall, which on the whole seems to be great... apart from the fact I cannot connect to my online bank when any setting other than OFF is enabled. Basically my browser hangs and times out.
    I have read that a number of other people have this problem and also a number of people DON'T have this problem! Sites which I cannot access include:
    www.postbank.nl
    www.americanexpress.com
    www.nettavisen.no
    I have tried copying the OFF profile with the view to enabling things systematically to discover which setting prevents the site from loading, but even a copy of OFF doesn't load anything...
    After my last Google, I downloaded the Beta 6.11 with the updated Firewall, which adds application control, and set rules for my Java plug-in as others thought that it was due to this, but despite having the same settings as others I still can't access the sites listed above.
    I also used the wizards to allow secure HTTP traffic, but that hasn't solved my problem!
    Please, if you can access these sites with Nvidia's Firewall switched on, would you post details of your Nvidia Firewall settings so that I can check mine?!
    Failing that, if you could post any links that may help me I would be very grateful... I cannot find very much information regarding the Firewall on t'internet.... Other than the Administrators Guide .pdf document....
    Many Thanks,
    fM

    Thanks Shanks!
    Have looked at that, and read through the admin user guide, but most of it means nothing to me!
    I want someone to tell me... I'm too lazy, I know  
    To anyone else having this problem.... I think the answer is to open Port 443 (an absolute requirement in order to use Secure Sockets Layer (SSL) I will check later and post back....)
    fM

  • Remote Sites w/VLANs and Security

    Attached I have a high level overview Visio of what I'm trying to accomplish. Basically, I need to set up VLANs for both company and public traffic at remote sites separated by PTP T1s. Company VLANs need to access other company VLANs and the Internet, and public VLANs only need to access the Internet out the CheckPoint firewall.
    I'm assuming that ACLs would be needed to control which VLANs can see other VLANs, along with a routing protocol like EIGRP... but my main concern is ACL hell, because I will be dealing with a lot of remote sites and a lot of company VLAN subnets.
    Also, my boss is worried about security in regards to the public network, and he doesn't think that you can easily prevent the public network from accessing all the other company networks while still letting them get to the Internet, without extending the VLANs across the T1s and all the way up to the CheckPoint firewall.
    Any help and suggestions would be greatly appreciated.
    Thanks in advance,
    Scott

    So essentially I could have one ACL that encompasses the entire public network like 10.0.0.0 0.255.255.255 on each router and do the same for the corporate network to minimize the configurations needed.
    If I create ACLs denying anything with a source of the public network and destination of the corporate network, then allow all other traffic it should be sufficient correct? Also, I only need to put these ACLs on the interfaces closest to the source right? Not on every router on the network.
    Thanks again for taking the time to respond.
    Scott
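The ACL scheme sketched in the two posts above (one wildcard line for the whole public range, deny public to corporate, permit everything else, applied once on the interface closest to the source), worked through as an added example that is not part of the thread. It is a toy evaluator for IOS-style numbered extended ACLs; 10.0.0.0 0.255.255.255 is the public range from the post, while the corporate range 172.16.0.0/12, the Internet address and the hop names are assumptions constructed for the example.

```python
"""Toy evaluator for IOS-style extended ACLs (added example, not from the thread).

Models first-match evaluation with wildcard masks and the implicit deny at the end,
then checks the scheme discussed above: one ACL per site, applied inbound on the
interface facing the public VLAN, denying public -> corporate and permitting the rest.
10.0.0.0/8 is the thread's public range; everything else below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # ip | tcp | udp | icmp
    dport: Optional[int] = None  # destination port, tcp/udp only

@dataclass(frozen=True)
class Rule:
    action: str                  # permit | deny
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N' qualifier (other port operators are not modelled)."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, src_wc = _take_addr(rest)
        _take_port(rest)                 # source-port qualifier, ignored here
        dst, dst_wc = _take_addr(rest)
        rules.append(Rule(action, proto, src, src_wc, dst, dst_wc, _take_port(rest)))
    return rules

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for r in acl:
        if (r.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, r.src, r.src_wc)
                and wildcard_match(pkt.dst, r.dst, r.dst_wc)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"

def trace(path: List[Tuple[str, Optional[List[Rule]]]], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk hops of (name, inbound ACL or None) and report where a packet is dropped."""
    for name, acl_in in path:
        if acl_in is not None and evaluate(acl_in, pkt) == "deny":
            return "dropped", name
    return "delivered", None

# The site ACL in the shape proposed above: one wildcard line covers the whole
# public range, and an explicit permit follows so Internet-bound traffic is not
# eaten by the implicit deny. Corporate 172.16.0.0/12 is an assumed range.
SITE_ACL = parse_acl("""
access-list 101 remark public VLANs may reach the Internet but not corporate space
access-list 101 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 101 permit ip any any
""")

# ACL only on the hop closest to the source; core and edge carry none for this
# purpose. Hop names are constructed.
REMOTE_SITE_PATH = [("rtr-site1 Fa0/0.20 in", SITE_ACL),
                    ("rtr-core", None),
                    ("checkpoint-edge", None)]
```

Dropping the trailing `permit ip any any`, or placing it before the deny, changes the result (implicit deny drops Internet traffic; permit-first makes the deny unreachable), which is the check to run before rolling the ACL out to many sites.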

  • HT203163 I am not able to access to iphone updates/store; as secure link to itunes store failed. I tried to turn firewall off, reinstall itunes and other troubleshoot options but none of them works.....

    I am not able to access to iphone updates/store; it displays the message under diagnostics 'secure link to itunes store failed'.
    I tried to turn firewall off, reinstall itunes and other troubleshoot options but none of them works......
    Please help.

    Update:  I tried the "Toshiba Recovery Wizard" after everything else either fizzled out or hung up. After going all the way thru the recovery process (up to 100%), I finally got an error message.....it didn't work. And now, when I fire up the computer, I don't even get to that menu with the recovery options....the only thing I can boot into is the screens with the various ways to run your OS (in "safe mode", "safe mode with networking", etc).
    I'm not a techie, but I'm guessing at this point, the part of my hard drive that got damaged in the fall was, at the very least, the partition with the recovery data. Couple that with the fact that this cheapo Toshiba laptop didn't even come with recovery disk (or ANY kind of disk, even basic installation software!), I'm screwed: I don't see any way to get a workable computer now without some kind of disk to boot from. So NOW my concern is more about spending the $$ for a new OS and THEN finding out the hard drive has other problems too...is broken in some other way to boot.
    How to check this? As I said, I did run "chkdsk" back when I could get into the recovery menu and run the fix-it programs. It didn't note any problems. Thinking of taking this opportunity to upgrade to Windows 7 from Vista (which I never liked), but I have to know that the computer is otherwise ok....how to be sure?

  • The background behind my pages has turned black, how do i get it to go back to grey? i have switched between preview, normal, bleed, slug and presentation and closed and opened in design and it is still black. I can't imagine layouts with the black backgr

    the background behind my pages has turned black, how do i get it to go back to grey? i have switched between preview, normal, bleed, slug and presentation and closed and opened in design and it is still black. I can't imagine layouts with the black background please help!

    or maybe the interface has been set to Dark?
    Go to Preferences > Interface tab, choose Light from the Color Theme dropdown in the Appearance section (upper part of the window)

  • I got an ipad mini and when i try to switch it on and configure it to use it it says IP is temporarily blocked for security reasons..what do i do?

    I got an ipad mini and when i try to switch it on and configure it to use it it says IP is temporarily blocked for security reasons..what do i do?

    An odd message?  Is this on your home network?  Could try at a library.
    Robert

  • Dynamic VLAN assignment and Layer 3 switching on 300 series

    I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
    So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
    I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
    I may well be confused and missing something regarding how this is typically used..

    Hello Glenn,
    Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
    The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
    Additionally, if your router does not support VLANs, the L3 switch feature would still be the solution, since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question of how to assign VLANs dynamically.
    The answer, although (in my opinion is terrible) would be GVRP.  But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).
