Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Securing VLAN so it has limited access

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I have a feeling this can be done but I'm not exactly sure how it can be achieved. Not sure if it would be done in Catalyst router or ASA (or parts in both).

Scenario:
[ul]
[li]ASA5520 as firewall. Interface GiEth0/0 security-level 100 as 'inside network', interface GiEth0/1 security-level 0 as 'outside network', interface GiEth0/2 security-level 100 as 'dmz network'. IP 10.15.0.1/16[/li]
[li]Catalyst 4507 as core router. IP 10.10.32.88/16 (VLAN10). Multiple VLANs 11 (10.11.x.x/16), 20 (10.20.x.x/16) etc[/li]
[li]DHCP server on VLAN11 (10.11.0.7/16. All VLANs have ip-helper address of this.[/li]
[li]I want to create VLAN80 (10.80.x.x/16) and allow then DHCP but stop traffic to all other VLANs (including servers on same as DHCP) but still allow Internet.[/li]
[/ul]
I've read a bit about the security-level feature. Giving one VLAN a higher value than another to restrict access but VLANs aren't defined in ASA only Catalyst. This feature isn't available in the Catalyst for some reason.

Any ideas on how this could be achieved?
 
dmz i'd put at 50 and create ACLS from dmz to inside if need be. having two interfaces on the same security level creates unique situations you dont want to have to deal with unless you click the two check boxes allowing devices to talk to each other between the same security level under the interfaces menu or using the cli...

as for the interfaces, you connect ASA to 'core' (take 2 to be on the same side of for port failures, and create a prot channel interfaces on ASA and a channel-group on the 'core')
click add interface,
you can drop down to port-channel and then create vlan interfaces.. sub interfaces really. you match vlan numbers, and on the 'core' you trunk them to the ASA on the proper channel-group ..


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top