Separating management and data networks.

Hello all
Our network has developed over the years to a point where I have 4 separate networks at each branch: Secure Data, Management, Vendor and VOIP.
Secure Data is used for users to access the mainframe and do daily tasks, including the internet.
Management is used for access to routers, switches and UPSs etc.
Vendor is used for unmanaged (by us) devices like ATMs and other systems provided by vendors.
VOIP is for VOIP.
Each is a separate VLAN on the Cisco 2811 trunked to the switch.
What method of separating these networks do other companies use? IOS firewall or access lists, or am I missing something?
All of the Cisco IOS firewall stuff seems to be focused on outside to inside, while access lists get super complicated when I try to design them.
There are all kinds of cross-zone requirements, like PCs in Data to VOIP etc.
My company is a bank holding company so I am talking about bank branches, and we have 24 of them.
Looking forward to your responses.
Ashley

Ashley
You would probably have got a response if you had posted in the correct forum, i.e. this is nothing really to do with VPN. The Firewalling or, more likely, the LAN Switching/Routing forums would have been a better choice. So that is probably why you didn't get a response, because we do try to help.
That said, the general answer to your question is it really does depend on how secure your requirements are. So a number of options -
1) use a dedicated firewall and route the vlans off that
2) use a router and ZBF or CBAC for each subinterface
3) use standard acls to limit the traffic between vlans
I have seen all the above used. If you have strict security requirements then firewalling each vlan is an option but it does get complicated. For most companies L3 acls on the vlan interfaces are usually enough.
So looking at each vlan you have -
1) management vlan. You would definitely want to restrict which IPs can access this vlan. Hopefully you have a set of defined IPs (which you may need to make static in DHCP) that can access the devices. You should also obviously be running SSH if supported to connect to devices
2) data vlan - what are you trying to do here. Stop the data vlan from accessing other vlans or stop other vlans accessing the data vlan. This and the VOIP vlan are probably the most open, simply because that is where the users reside.
So do you have specific requirements for these vlans in terms of your company policy?
3) VOIP - see 2)
4) Vendors - this is the trickiest one of the lot and can give so many headaches. It's very difficult to give vendors the access they need without then allowing them to see other parts of the network. A lot of this comes down to how much you trust your vendors. Obviously you would want to make sure that they cannot leave the vlan they are on.
Don't forget that as far as internal security is concerned firewalling/L3 acls is only one part of it and as you have said it can become very complex. Equally important is locking down the user desktop so they cannot modify settings etc, implementing L2 security features on devices eg. port security/DAI/STP bpduguard etc and use 802.1x authentication for access to the network.
Overall most networks I have come across rely on L3 acls internally to filter inter-vlan traffic + L2 security features. If there are any vlans critical to the business then they have been firewalled, but firewalling every vlan is a big administrative overhead.
With some routers/switches there is now also the option of vrf-lite which allows you to create multiple virtual routers on the same box. The good thing about this is that each has its own routing table, so unless you allow routes to be leaked between vrfs the 2 routing tables cannot see each other.
Hope some of this has helped. Any further questions please ask.
Jon
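Added example (not from Ashley's or Jon's posts): an IOS configuration sketch for a 2811 router-on-a-stick that combines two of the options Jon lists, L3 ACLs on the Data, Management and VOIP subinterfaces, and vrf-lite for the Vendor vlan so it cannot reach the global routing table at all. VLAN numbers, the 10.1.x.0/24 subnets, the two admin workstation addresses, the central management server and the vendor WAN next hop are all assumed values chosen for the illustration.

```cisco
! Assumed addressing (illustration only):
!   VLAN 10  Secure Data   10.1.10.0/24   admin PCs 10.1.10.5 and .6 (static DHCP reservations)
!   VLAN 20  Management    10.1.20.0/24   switches, UPSs
!   VLAN 30  Vendor        10.1.30.0/24   ATMs and other vendor-managed kit
!   VLAN 40  VOIP          10.1.40.0/24
!   10.1.100.10 = central syslog/SNMP/NTP server reached over the WAN (assumed)
!   192.0.2.1   = placeholder next hop on the vendor's own WAN link

! --- Vendor vlan gets its own virtual router: no route to the other vlans exists
ip vrf VENDOR
 rd 65000:30

! --- ACL entries are stateless and order sensitive; deny lines carry "log" for detection
ip access-list extended DATA-IN
 ! users may talk to the phones (cross-zone requirement from the question)
 permit ip 10.1.10.0 0.0.0.255 10.1.40.0 0.0.0.255
 ! only the named admin hosts may reach management devices, and only over SSH
 permit tcp host 10.1.10.5 10.1.20.0 0.0.0.255 eq 22
 permit tcp host 10.1.10.6 10.1.20.0 0.0.0.255 eq 22
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 deny   ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255 log
 ! everything else (mainframe, internet via the WAN) is routed normally
 permit ip 10.1.10.0 0.0.0.255 any

ip access-list extended MGMT-IN
 ! management devices only answer established SSH sessions from the admin hosts
 permit tcp 10.1.20.0 0.0.0.255 eq 22 host 10.1.10.5 established
 permit tcp 10.1.20.0 0.0.0.255 eq 22 host 10.1.10.6 established
 ! and push syslog / SNMP traps / NTP to the central management server
 permit udp 10.1.20.0 0.0.0.255 host 10.1.100.10 eq syslog
 permit udp 10.1.20.0 0.0.0.255 host 10.1.100.10 eq snmptrap
 permit udp 10.1.20.0 0.0.0.255 host 10.1.100.10 eq ntp
 deny   ip any any log

ip access-list extended VOIP-IN
 permit ip 10.1.40.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny   ip 10.1.40.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 deny   ip 10.1.40.0 0.0.0.255 10.1.30.0 0.0.0.255 log
 ! call control lives across the WAN
 permit ip 10.1.40.0 0.0.0.255 any

! --- subinterfaces on the trunk to the branch switch
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip access-group DATA-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
 ip access-group MGMT-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding VENDOR
 ip address 10.1.30.1 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 10.1.40.1 255.255.255.0
 ip access-group VOIP-IN in

! The vendor's WAN link (a dedicated subinterface or tunnel, not shown) sits in the
! same VRF, so the only way out of VLAN 30 is toward the vendor
ip route vrf VENDOR 0.0.0.0 0.0.0.0 192.0.2.1

! --- the router's own management plane: SSH only, and only from the admin hosts
ip access-list standard MGMT-VTY
 permit host 10.1.10.5
 permit host 10.1.10.6
 deny   any log
!
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class MGMT-VTY in
```

Two caveats a practitioner should keep in mind with this layout. The ACLs are stateless, so every allowed flow needs a matching entry in the direction of the reply: the `established` keyword covers TCP return traffic, but UDP flows (SNMP polls, NTP) have to be listed explicitly on both sides, which is exactly where Jon's "it gets complicated" comes from and where ZBF's stateful inspection earns its extra configuration. And vrf-lite isolates the Vendor vlan completely, so anything the vendor legitimately needs from the bank side (DHCP, a monitoring station) has to be reachable inside the VRF or deliberately leaked, never left to an implicit route.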
