Gryphon


Suggestion for cisco 3560 Needed

Dear All,
Hope you are all fine.
I am designing a network and I need your suggestion.
I have a Cisco switch 3560 and a Cisco router 2921. The network diagram is attached.
According to the existing scenario, all servers, wireless links and clients are on the same subnet and can ping each other. Instead of the 3560 there is just a hub.
Now I want to restrict them. Clients should communicate only with servers.
What should the configuration on the switch be?
Should I make each port on the switch "no switchport" and then apply ACLs, or just put them in different VLANs?
Feel free to ask if you need more information to help me.

aryoba

Since the 3560 is a Layer-3 switch, use it as one. With that in mind, leave internal (LAN) routing on the 3560 and have the 2921 handle WAN routing.

In regard to internal routing, the following is what you can do.

* Assign a specific VLAN to each machine type, such as a server VLAN, wired user VLAN, wireless user VLAN, and printer VLAN
* Restrict inter-VLAN traffic using ACLs so that only legitimate traffic is allowed and other traffic is denied
* On the switch itself, there should be a default gateway pointing to the router to reach networks outside the LAN
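Putting the three points above into a concrete configuration, as an added example that is not from the thread: the 3560 routes between the VLANs, a routed /30 link carries everything else to the 2921, and an ACL on the wired-user SVI lets clients reach only the server VLAN. Hostname, VLAN numbers, the 10.0.0.0/8 addresses, port numbers, the ACL name and the WAN next hop are all assumptions for illustration.

```cisco
! ===== 3560 (Layer-3 switch); every name and address here is assumed =====
hostname CORE-3560
! turn on inter-VLAN routing
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name WIRED-USERS
vlan 40
 name PRINTERS
!
! SVIs: one routed gateway per VLAN
interface Vlan10
 description Server VLAN gateway
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description Wired user VLAN gateway; the ACL filters what clients may start
 ip address 10.0.20.1 255.255.255.0
 ip access-group WIRED-USERS-IN in
!
interface Vlan40
 description Printer VLAN gateway
 ip address 10.0.40.1 255.255.255.0
!
! Access ports stay switchports and are placed in their VLAN
interface FastEthernet0/1
 description Server
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range FastEthernet0/2 - 12
 description Wired users
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Only the uplink to the router is a routed port on a /30
interface GigabitEthernet0/1
 description P2P to 2921 Gi0/0
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Gateway of last resort: anything that is not a local VLAN goes to the router
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Clients may reach servers; every other internal destination is denied.
! Router ACLs are stateless: this filters what the clients initiate, and the
! server replies come back in through Vlan10, which carries no ACL here.
ip access-list extended WIRED-USERS-IN
 remark DHCP requests to the gateway must pass before the deny
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark next line = Internet via the 2921; remove it if clients get servers only
 permit ip 10.0.20.0 0.0.0.255 any
!
! ===== 2921 (WAN router) side of the same /30 =====
interface GigabitEthernet0/0
 description P2P to CORE-3560 Gi0/1
 ip address 10.0.0.1 255.255.255.252
!
! Send every internal VLAN back to the switch; the WAN next hop is a placeholder
ip route 10.0.0.0 255.255.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Because the router ACL is stateless, only the client side is filtered above; if an inbound ACL is later added to Vlan10 as well, it must permit the server replies (for TCP, `permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established`) or the sessions break. `show ip interface Vlan20` confirms the ACL is bound, and `show ip access-lists WIRED-USERS-IN` shows per-entry hit counts while testing from a client.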


tamz273


reply to Gryphon
I'd agree with aryoba.

Start off by breaking your network down into VLANs that are specific to device types (servers, wired, wireless, and printers).

After you do that you can use ACLs to restrict inter-VLAN traffic. I would permit everything to the server VLAN, and that's it. Then point your default route (gateway of last resort) back up at your 2921.

This way, all your local traffic will be routed on your 3560 and you won't put any unneeded load on the 2921. All other traffic (WAN/Internet) goes to the 2921.



Gryphon


Thanks for your swift response.
I am a little bit confused. Suppose I have 6 clients at Site A, then the wireless bridge IP, and then they come to my Cisco 3560. The port from the wireless bridge to the 3560, what will that port be? Will it be a switchport that I put in a VLAN, say VLAN 6, and on the Site A clients I give a default route of interface VLAN 6?
Where will I apply the ACL: on the switchport connected to the wireless bridge or on interface VLAN 6?


aryoba

In your scenario, there is typically a separate VLAN, called the management VLAN, for network device management such as switches, APs, and wireless controllers. You also need to dedicate a specific /30 subnet for point-to-point connectivity, such as between the 3560 switch and the router, to provide routing to reach the WAN. In some organizations, there are loopback interface IP addresses for network management such as SSH access, SNMP polling, syslog, NTP, and TACACS/RADIUS authentication.

In regard to the wireless network, here is what a typical setup is.

* The AP connects to the switch
* Layer-2 trunk between the AP and the switch
* The AP has an IP address in the management VLAN
* The AP broadcasts multiple SSIDs, e.g. one SSID for regular users, one SSID for guests, and one SSID for IT support
* Each SSID is assigned to one wireless VLAN
* You can have the switch provide IP addresses for machines in a specific wireless VLAN, or you can have the wireless controller do so
* All wireless VLANs terminate at the switch from a Layer-3 perspective, meaning there are SVI (Layer-3 VLAN) interfaces on the switch to provide access to the network
* Apply ACLs on those SVI VLAN interfaces, where you permit the user VLAN to access only servers and the Internet, permit guests to access only the Internet, and permit IT support to access everything
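The management and wireless part of that setup as a 3560 configuration, added here as an example that is not from the thread. It assumes the server VLAN is 10 with 10.0.10.0/24, that the AP tags each SSID onto its own VLAN over an 802.1Q trunk, and that the switch serves DHCP for the guest VLAN; the VLAN numbers, addresses, AP port, ACL names and the DNS resolver address are assumptions. It also answers the question of where the ACL goes: on the SVI, not on the switchport facing the AP or bridge.

```cisco
! ===== 3560: management VLAN, loopback, trunk to AP, one VLAN per SSID =====
! (all names, numbers and addresses are assumed for illustration)
vlan 30
 name WIFI-USERS
vlan 31
 name WIFI-GUEST
vlan 32
 name WIFI-IT
vlan 99
 name MGMT
!
! Loopback used as the source for SSH, SNMP, syslog, NTP and AAA; a /32 that
! never goes down when a physical port does
interface Loopback0
 ip address 10.0.255.1 255.255.255.255
!
interface Vlan99
 description Management VLAN: switch, APs and wireless controller live here
 ip address 10.0.99.1 255.255.255.0
!
! Trunk to the AP: the AP's own address sits untagged in the management VLAN,
! each SSID is tagged with its wireless VLAN, everything else is pruned
interface FastEthernet0/20
 description Trunk to AP-1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 30,31,32,99
 switchport mode trunk
 spanning-tree portfast trunk
!
! SVIs terminate the wireless VLANs at Layer 3; the ACL is bound to the SVI,
! not to the trunk port
interface Vlan30
 description Staff wireless
 ip address 10.0.30.1 255.255.255.0
 ip access-group WIFI-USERS-IN in
!
interface Vlan31
 description Guest wireless
 ip address 10.0.31.1 255.255.255.0
 ip access-group WIFI-GUEST-IN in
!
interface Vlan32
 description IT support wireless: no ACL, reaches everything
 ip address 10.0.32.1 255.255.255.0
!
! The switch hands out guest addresses itself (the alternative is an
! ip helper-address on the SVI pointing at a DHCP server); the resolver is a
! placeholder in the documentation range
ip dhcp excluded-address 10.0.31.1 10.0.31.10
ip dhcp pool WIFI-GUEST
 network 10.0.31.0 255.255.255.0
 default-router 10.0.31.1
 dns-server 192.0.2.53
!
! Staff: servers and Internet, nothing else inside the LAN
ip access-list extended WIFI-USERS-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.30.0 0.0.0.255 any
!
! Guests: Internet only. Deny every private range (the management and loopback
! space is inside 10/8) before the final permit, so a guest cannot reach the
! switch, the APs or the servers
ip access-list extended WIFI-GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.0.31.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.31.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.0.31.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.0.31.0 0.0.0.255 any
```

The same pattern covers the point-to-point wireless bridge asked about earlier: the bridge port is a plain access port (or trunk, if the bridge carries several VLANs) in the remote site's VLAN, the remote clients use that VLAN's SVI address as their gateway, and the ACL goes on that SVI. The guest ACL denies by prefix rather than listing what guests may not reach, so a new internal subnet is protected without editing the ACL.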


HELLFIRE


reply to Gryphon
Could you combine ZBFW with VLANs in this scenario?

What about VRFs to logically isolate each 'segment', for lack of a better term?

Regards


DocLarge

reply to Gryphon
You could probably use a VLAN access control list or a zone-based firewall, as previously suggested, to control your internal traffic:

1) »fir3net.com/Cisco-Router/configu···ial.html (Zone based firewall config)

2) »www.cisco.com/en/US/docs/switche···acl.html (Vlan Access Control List Config)

Jay
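The VACL option above, as an added example that is not from the thread: it fits the original post's flat network, where servers and clients still share one VLAN and subnet, because a VLAN map filters traffic bridged inside the VLAN, which an ACL on an SVI never sees, so client-to-client traffic can be dropped without re-addressing anything. The VLAN (1), the 192.168.1.0/24 subnet, the server and gateway addresses and the map name are assumptions. A zone-based firewall is a router feature that would run on the 2921, not on the 3560, so that alternative is not shown here.

```cisco
! Assumed flat network from the original post: everything in VLAN 1,
! 192.168.1.0/24, gateway (the 2921) at 192.168.1.1, servers at .10 and .11.
! In a VLAN map the ACL "permit" only selects packets; the action decides.
!
ip access-list extended TO-OR-FROM-SERVERS
 permit ip any host 192.168.1.10
 permit ip host 192.168.1.10 any
 permit ip any host 192.168.1.11
 permit ip host 192.168.1.11 any
!
ip access-list extended INFRASTRUCTURE
 remark default gateway in both directions, DHCP discover and DHCP offer
 permit ip any host 192.168.1.1
 permit ip host 192.168.1.1 any
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
ip access-list extended ANY-IP
 permit ip any any
!
! Sequences are evaluated in order; first match wins
vlan access-map CLIENT-ISOLATION 10
 match ip address TO-OR-FROM-SERVERS
 action forward
vlan access-map CLIENT-ISOLATION 20
 match ip address INFRASTRUCTURE
 action forward
vlan access-map CLIENT-ISOLATION 30
 match ip address ANY-IP
 action drop
!
! VLAN maps have no direction and are stateless, so both directions of every
! wanted flow must hit a forward clause (done above). ARP is not IP and is
! forwarded because no mac clause matches it.
vlan filter CLIENT-ISOLATION vlan-list 1
```

`show vlan access-map` and `show vlan filter` confirm the map and its binding; the effect to test is that a client can ping a server and the gateway but not another client. Unlike the SVI ACLs, this also stops a compromised client from scanning its neighbours inside the same VLAN.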

