
Cisco 3550 Switches - shoving traffic from certain ports 2

Status
Not open for further replies.

fuseen (IS-IT--Management)
Dec 14, 2004
How do you easily shove all traffic from certain ports only to another certain port?
 
Do you mean only allow say port 1 to talk to port 5?
 
Yes, I need certain ports to push all their traffic to one other port...I do not want any of that traffic to be seen by any other node on the network.
 
Try using the "switchport protected" command on the interface you do not want to "be seen" by other nodes on the switch.
 
My issue is, having users not on our network plugging into this switch. I do not want any of their traffic on my network...for obvious reasons..

I need anything that comes from their port to go directly to this other port, which will have a router for their internet use...
 
Assign them to a different VLAN then. VLANs are virtual LANs and won't communicate with other VLANs without a router.
 
I was going to do the VLAN for sure....will that be enough to keep any issues with those PCs off our network...viruses etc.?
 
So, I can assign say 10 ports to VLAN2 and have that VLAN go directly to say port 44 on my switch. That port has the new router which hits our new ISP.

If a PC gets onto that VLAN and has a virus..it will not propagate through to any other port on that switch...only port 44...??
 
Basically... You add VLAN 2 to your switch...

Then assign ports 10 and 44 to VLAN 2 using the "switchport mode access" and "switchport access vlan 2" commands for each interface.

That will place those two computers on a totally separate network.
 
Is the switch gear your own kit??

If so, I'd be inclined to disable all unused ports and assign 'sticky' MAC security to your active ports; that way, they can't make use of your kit even if they disconnect your active users.

It's a lot less hassle than designing and implementing a VLAN strategy. (If this Draconian solution is viable).

Colin
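The two suggestions above (Firestorm's VLAN 2 access-port assignment and Colin's sticky MAC port security with unused ports shut down), together with the earlier "switchport protected" idea, written out as one Catalyst 3550 IOS configuration. This is an added example, not configuration anyone posted in the thread; the interface numbers, the VLAN name and the port-security limits are assumptions chosen to match the layout fuseen describes (press laptops on ten ports, the router uplink on port 44, employees on the same switch).

```cisco
! Added example (not from the thread): isolating press ports on a Catalyst 3550.
! Assumed layout: Fa0/1-10 = press laptops, Fa0/44 = router uplink,
! Fa0/11-20 = employee PCs, Fa0/21-43 = unused.
!
! 1. Create the press VLAN (global config, IOS 12.1(9)EA1 or later).
vlan 2
 name PRESS
 exit
!
! 2. Press ports and the router uplink share VLAN 2, so a press laptop can
!    only reach other VLAN 2 ports. "switchport protected" additionally stops
!    the press ports forwarding to each other at layer 2; the uplink stays
!    unprotected, so each laptop can reach the router and nothing else.
interface range fastethernet0/1 - 10
 switchport mode access
 switchport access vlan 2
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface fastethernet0/44
 switchport mode access
 switchport access vlan 2
!
! 3. Employee ports: sticky MAC port security, one learned address per port.
!    A second MAC (someone unplugging a user and patching in) err-disables the port.
interface range fastethernet0/11 - 20
 switchport mode access
 switchport access vlan 1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! 4. Unused ports: administratively down.
interface range fastethernet0/21 - 43
 shutdown
!
! Verification (exec mode):
!   show vlan brief              -> Fa0/1-10 and Fa0/44 listed under VLAN 2
!   show interfaces switchport   -> "Protected: true" on Fa0/1-10
!   show port-security address   -> sticky MACs learned on Fa0/11-20
```

Two caveats a practitioner would check: "switchport protected" only applies between ports on the same switch, so press traffic that has to reach a box on another switch (fuseen's switch3) needs the VLAN carried over a trunk, and the router on Fa0/44 is then the only thing the press VLAN can talk to, which is exactly the "no leakage" property asked for.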
 
I guess my question then becomes....how reliable is the VLAN and can I even tell a VLAN to send all of its outgoing traffic to one specific port....

Is there any "leaking" going on there?
 
A VLAN is just that, a virtual LAN: instead of a physically segregated network, you have a logically separate network. It isn't so much a case of you 'sending' traffic; it's more a case of, if you have 4 ports assigned to the same VLAN, you have 4 ports that can be communicated across. They won't 'leak'. If you assign VLAN x to ports 1, 2, 3 and 4, and VLAN y to ports 9, 10, 11 and 12, then correctly addressed devices can communicate with each other within their VLAN, and their VLAN alone.

However, as this is all done at layer 2, if you do want to get traffic off these vlans you will need to route it.

If, as it sounds, you just want to 'kick off' certain PCs from your LAN, so they can solely communicate with each other and nothing else, then set a VLAN up on your switch, assign the offending PCs' ports to the configured VLAN and advise them of their network addressing.

You can get away with leaving them as they are if statically assigned, but that doesn't prevent anyone from patching them into your ports and communicating with your kit; give them a new subnet and you'll be better protected.

If they use/access physically remote resources, you'll need to look at trunking and vtp domains etc.

How reliable are they? 5000+ users, 40+ VLANs, 3 DMZs, 4 firewalls... we're pretty happy with them.
 
Thanks Firestorm...

The skinny of the situation is that I have 10 ports on switch5 I will put into VLAN2. These ports are for the press here. The press can bring in their laptops and hook into our network and get internet access. Those ports are on a switch that I use for my regular employees as well. Upstairs I have a node that is responsible for authenticating remote users for purposes of VPN, that will plug into say port 1 on switch3. I want all my traffic from VLAN2 to go only to port 1 on switch3.

I cannot have any "leakage". I cannot have someone in the press hook up a laptop to my network with a virus and have it propagate throughout...

Obviously it would be ideal to physically separate these users with their own switch, but that may not be possible...
 
OK, so you have VLANs currently?
You'll need suitable distribution switches to configure and route your VLANs on.

Do you want to issue DHCP on your risky VLAN or assign static IPs?

You'll need to ensure your VTP domain name and password are configured. We run our switches as VTP servers. Assign an interface on your router module for the VLANs with relevant IPs, such as x.x.vlan.254; this will be your VLAN default gateway. Use 802.1q trunking to your edge switches and then assign the individual ports to the required VLAN. We use a 'dummy' VLAN that goes nowhere for our unused ports. It's a ball-ache to keep going back to put them in the required VLAN when needed, but it's better than rogues patching in at will.

You can then trunk your press vlan to your firewall and out to the net.

Or you could use an access list to restrict the obvious traffic (sasser, blaster etc) from their vlan.

Seems a lot of hassle (unless you already have the infrastructure there to do it) and expenses when personal firewalls and antivirus coupled with a stringent IT policy could do much the same job, if they get a virus and infect anything, they get sacked. Another alternative is script their logon to run something like stinger before granting network access.

So many solutions, pick one that works for you, lol

Colin
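Colin's distribution-and-edge design above (VTP domain and password, a routed VLAN interface at x.x.vlan.254, 802.1q trunks to the edge switches, a dummy VLAN for unused ports, and an access list to stop the obvious worm traffic) as a worked Catalyst 3550 configuration. This is an added example and not anything posted in the thread; the VTP domain name and password, the 10.0.2.0/24 press subnet, the 10.0.0.0/8 internal range, the dummy VLAN number and the interface numbers are all assumptions. The ACL ports come from the worms Colin names: Blaster spread over TCP 135 and Sasser over TCP 445.

```cisco
! Added example (not from the thread): press VLAN routed on a distribution
! switch and trunked to an edge switch. All names, addresses and interface
! numbers below are assumed.
!
! --- Distribution switch (3550, VTP server, does the inter-VLAN routing) ---
vtp domain EXAMPLE-DOMAIN
vtp password EXAMPLE-VTP-PASSWORD
vtp mode server
!
vlan 2
 name PRESS
vlan 999
 name DUMMY-UNUSED
!
ip routing
!
ip access-list extended PRESS-VLAN-IN
 remark worm ports named in the thread (Blaster TCP 135, Sasser TCP 445) plus NetBIOS
 deny   tcp any any eq 135
 deny   tcp any any eq 139
 deny   tcp any any eq 445
 deny   udp any any range 137 138
 remark once the SVI routes, press hosts could reach every internal subnet:
 remark allow the gateway itself, then block the (assumed) internal range
 permit ip any host 10.0.2.254
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
! Press VLAN gateway, x.x.vlan.254 as Colin describes it.
interface vlan 2
 ip address 10.0.2.254 255.255.255.0
 ip access-group PRESS-VLAN-IN in
!
! 802.1q trunk down to the edge switch; the 3550 needs the encapsulation
! set before the port will go into trunk mode. Carry only the VLANs needed.
interface gigabitethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
! --- Edge switch (3550, VTP client; VLANs 2 and 999 arrive via VTP) ---
vtp domain EXAMPLE-DOMAIN
vtp password EXAMPLE-VTP-PASSWORD
vtp mode client
!
interface gigabitethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Press ports go into VLAN 2.
interface range fastethernet0/1 - 10
 switchport mode access
 switchport access vlan 2
!
! Unused ports go into the dummy VLAN (which has no gateway) and are shut;
! a rogue who re-enables one still lands on a network that goes nowhere.
interface range fastethernet0/21 - 43
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification (exec mode):
!   show vtp status              -> domain and revision match on both switches
!   show interfaces trunk        -> Gi0/1 trunking, allowed VLANs 1,2
!   show ip interface vlan 2     -> "Inbound access list is PRESS-VLAN-IN"
```

The point of the deny on the internal range is the one that is easy to miss: the moment a routed interface exists for the press VLAN, layer-2 separation no longer keeps press hosts off the employee subnets, so the access list (or a firewall the VLAN is trunked to) has to do that job, with the default route onward to the ISP left open.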
 
Thanks Colin....

Some of that I am not familiar with ("Use 802.1q trunking to your edge switches ") and will do some research to see what you are actually talking about...

I don't have the VLANs set up yet...but that is simple enough. I assume that extra node I talked about before (CES box from Qwest) will be the DHCP server, so I do not have to worry about it myself.

We are getting a VPN solution and internet pipe from Qwest, where they provide the hardware. That hardware is what they call a CES box...it sits between a router and our network...

So, a user would travel through our network to get to that CES box, they would authenticate through there...and go out to the web..probably just a DHCP server handing out addresses and DNS.


I am using Cisco Catalyst 3550 for switches....

I hear you on the Antivirus software and I.T. policies...all of which we do have...but cannot be too careful...
