Need help controlling access between vlans

The new IT manager wants to bring in a third party to check our Cisco network for problems. I want to do whatever I can to get a good report. I have students and teachers on the same vlans and I think this is something the consultant may point out. Students and teachers access some of the same servers, printers, etc. Also, teacher workstations use software that allows them to view the screens of students and any VLAN can get to anything on any other VLAN. We have eight buildings with 3750's at each building and a 4507 at the core. We have 3560G's at each IDF with older 3com's daisy chained to them. All IDF's, including other schools, are trunked to the core. Can anyone recommend best practice in this situation? I think I'd like to start with blocking traffic from some vlans to other vlans. What approach do I take when there are shared resources? Do I put those things on a special vlan? What happens to my DHCP scopes? What are the commands to prevent some vlans from being routed? thanks

Reply to
1crazyrican

Provided you must separate the networks, create a new network/vlan with a new dhcp scope for faculty, and assign ports as needed. I would hope that none of your servers are DHCP, and that hostnames are being used instead of IPs. With that being said, move those to a third vlan that you can control via access-lists. Truthfully, rather than pegging down the server vlan, I would peg down the student vlan since that is probably your biggest security risk. Use ACLs to allow what you want and block anything else. Depending on how loose or strict the ACLs are on the student vlan, you may also want some ACLs on the server network to only allow specific connection types from the student vlan. It just depends what all you are trying to prevent/lock down and how to best do that with ACLs.

If you can't move the servers due to IP address usage, then create two new vlans for your dhcp clients. Your users shouldn't care provided you do it during a specific time, and at worst, they may require a reboot if they don't have access to the command prompt and ipconfig.

If you want vlans that are completely non-routed, just don't put a router interface in the network, just create it on layer 2. Or just put an ACL on the VLAN to deny any any.

Reply to
Trendkill

Thanks for responding. Your suggestion to work on the student vlan is a good one.

Here is my plan:

  1. Move students to their own vlan. Each of our 8 schools has a separate vlan, so I will need to create 8 student vlans. I will need to keep them separate because of scripts that run based on Active Directory sites, which use subnets. Will this create a lot of extra work with ACLs?

  2. Create an ACL on the student vlan to only allow traffic to specific servers on the server vlan.

  3. Allow staff vlans to connect to the student vlan (teachers run apps to monitor student workstations).

  4. Don't allow any vlan to talk to another vlan unless there is a reason. In other words, currently no schools need to directly access anything in any other school. They all access servers at our core.

Am I on the right track here? Now all I need is some free open source software to monitor my network.

thanks

Reply to
1crazyrican

Couple of caveats:

First, you can't really allow teachers full access to students without also doing the other way around due to traffic being bi-directional. You'll want to know exactly which ports to allow through and punch them as holes into your ACLs. Some recommend putting the ACL closest to the source, while others recommend putting them closest to the destination, particularly if you have a situation like yours where instead of putting 8 ACLs on 8 VLANs, you can put one on the server or teacher vlan to only allow certain ports from those sources. In short, it's either 8 ACLs (1 on each VLAN), or 1 ACL on the destination network with 8 or more statements to cover the 8 network ranges.

Also be careful with ACLs as they all have an implicit deny at the end. If you aren't careful, you will block transit traffic to the internet or to other parts of the network that you may not want to impact. For this reason, you have to be very careful whether or not you use ACLs with deny and a permit ip any any on the end, or permits on the front and remember the implicit deny. If there is internet access here, and you use a proxy, you may be able to get around this by permitting port 80 (or whatever port you use) to the IP of the proxy. Else you'll have to use a permit ip any any.

Bottom line is draw it out, look at your common points and decide where you want to put your ACLs, and how you want to apply them. Think through ALL scenarios, and test it out on a single vlan which you put yourself in to see what is working and what is not. You also want to be careful with non-routed vlans in this same scenario; this means that DHCP would not work (unless you route the network and only allow DHCP through), and all other inter-vlan communications would be null and void.

Overall, just make sure you think through ingress and egress traffic (if you apply ACLs in and out, be careful), and I would definitely recommend a template that you apply to all 8 vlans if you go down that path. Truthfully, if all your networks are centrally routed from an MSFC or core router, you can just use one ACL (based on destinations) and apply it to all vlans. Else you will need to create 8 different ones (based on source) and do it that way.

Reply to
Trendkill
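To make the two placements Trendkill describes concrete, here is an added IOS example (constructed for this thread, not the poster's running config). Option A is a source-based ACL applied inbound on one student SVI, written with explicit permits and a logged final deny so the implicit deny is visible while testing; Option B is the single destination-based ACL on the server VLAN, with one deny per student subnet and a trailing permit ip any any so staff traffic keeps flowing. VLAN numbers, subnets, server addresses and the proxy port are assumptions; `<MONITOR-PORT>` is a placeholder for the classroom-monitoring software's TCP port, which has to be looked up before the ACL is applied.

```cisco
! Added example, constructed for this thread (not the poster's or vendor's config).
! Assumed addressing: student VLAN 110 = 10.1.10.0/24, staff VLAN 120 = 10.1.20.0/24,
! server VLAN 200 = 10.0.200.0/24 with AD/DNS/DHCP at 10.0.200.10, file/print at
! 10.0.200.20 and a web proxy at 10.0.200.50 on TCP 8080. <MONITOR-PORT> stands in
! for the classroom-monitoring software's TCP port, which must be looked up first.
!
! Option A: source-based ACL, one per student VLAN (repeat per school, per subnet).
ip access-list extended STUDENT-IN
 remark DHCP from unconfigured clients must pass before anything else works
 permit udp any eq bootpc any eq bootps
 remark replies to monitoring sessions that staff open toward student PCs
 permit tcp 10.1.10.0 0.0.0.255 eq <MONITOR-PORT> 10.1.20.0 0.0.0.255 established
 remark AD / DNS on the domain controller
 permit udp 10.1.10.0 0.0.0.255 host 10.0.200.10 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.200.10 eq 88
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.200.10 eq 389
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.200.10 eq 445
 remark shared file/print server
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.200.20 eq 445
 remark web goes through the proxy, so no trailing permit ip any any is needed
 permit tcp 10.1.10.0 0.0.0.255 host 10.0.200.50 eq 8080
 remark make the implicit deny visible while testing
 deny   ip any any log
!
interface Vlan110
 description Students, school 1
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.0.200.10
 ip access-group STUDENT-IN in
!
! Option B: one destination-based ACL on the server VLAN, outbound toward the
! servers (abbreviated to two services), one deny per student subnet, then
! permit ip any any so staff and other non-student traffic is unaffected.
ip access-list extended SERVERS-OUT
 permit udp 10.0.0.0 0.255.255.255 host 10.0.200.10 eq domain
 permit tcp 10.0.0.0 0.255.255.255 host 10.0.200.20 eq 445
 deny   ip 10.1.10.0 0.0.0.255 any log
 deny   ip 10.2.10.0 0.0.0.255 any log
 remark one deny line per remaining student subnet goes here
 permit ip any any
!
interface Vlan200
 description Servers
 ip address 10.0.200.1 255.255.255.0
 ip access-group SERVERS-OUT out
```

Once the list is verified, drop the `log` keyword: on the 3750/4500 platforms logged ACL hits are punted to the CPU, which is fine for a test window but not for a permanent student-VLAN deny.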

As always, thank you for sharing what you know. You've helped me out a lot on a number of my posts.

Reply to
1crazyrican

Trendkill sure is one awesome dude :)

GNY

Reply to
geekazoid

My pleasure, always happy to assist where I can. Good luck OP.

Reply to
Trendkill

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.