Port security/isolation help

jkay18041
Level 3

I have the config listed below on a 3750x-24t-s switch that I'm using as a WAN switch. One side connects to the ISP, the other to my /27 for my internal network. I have created 2 VLANs: VLAN 100 is the WAN and VLAN 200 is the LAN. I want to keep the entire /27 as one subnet if possible to preserve IPs. However, one of my devices that will be connected directly to this switch is a Nomadix gateway, which is an edge device for guest networks. This will go into port 13. Port 23 will go to another firewall that the rest of the network will be behind.

 

My goal is to allow traffic from port 13 out to port 1 (WAN) but not allow any device behind port 13 to communicate with any device on port 23.

 

Current configuration : 3071 bytes
!
! Last configuration change at 00:35:14 UTC Mon Mar 1 1993 by lodgeworks
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging console
!
username user privilege 15 secret 5
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
ip domain-name network.local
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
description To_ISP
switchport access vlan 100
switchport mode access
no vtp
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 200
switchport mode access
no vtp
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport access vlan 200
switchport mode access
no vtp
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description to ISP
ip address 100.2.31.134 255.255.255.252
!
interface Vlan200
description LAN
ip address 100.2.31.193 255.255.255.224
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 100.2.31.133
!
ip access-list standard SSH_ACCESS
permit 100.2.31.194
permit 6.2.219.66
deny any
!
ip access-list extended Block_Stuff
permit tcp host 100.2.31.194 host 100.2.31.193 eq 22
permit tcp 6.2.219.64 0.0.0.63 host 100.2.31.134 eq 22
permit tcp 6.2.219.64 0.0.0.63 100.2.31.192 0.0.0.31 eq 22 www 443
permit udp 6.2.219.64 0.0.0.63 100.2.31.192 0.0.0.31 eq snmp
deny udp any 100.2.31.192 0.0.0.31 eq snmp
deny tcp any 100.2.31.192 0.0.0.31 eq ftp-data ftp 22 telnet www 443 3389
deny tcp any 100.2.31.192 0.0.0.31 eq 301 1111 1112 2111 3000
deny tcp any host 100.2.31.134 eq ftp-data ftp 22 telnet domain www 443
permit ip any any
!
logging esm config
snmp-server community snmpcomname RO SSH_ACCESS
!
no vstack
!
line con 0
login local
line vty 0 4
access-class SSH_ACCESS in
login local
transport input ssh
line vty 5 15
access-class SSH_ACCESS in
login local
transport input ssh
!
end

 

Can someone show me an example of a port isolation config for a similar setup? I seem to be a little stumped.

 

Thank you

1 Accepted Solution


Private VLAN config can be found here:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html

 

However, if it were me I would get a firewall for the Internet Edge, put the Nomadix on one DMZ and everything else on an Inside interface. That way everything (including the Nomadix) could use RFC1918 addresses and you would only need to NAT when going out to the Internet.

 

Obviously, it's your call. Good luck with it.

 

Dave


3 Replies

dbeattie
Level 1

Maintaining your current setup, you could use private VLANs to segregate the two VLAN 200 ports by putting them into isolated mode.

 

I would question why you need to use your Internet addressing on the hosts, when you could use a NAT-capable device at the edge, allowing you the freedom to use RFC1918 addresses inside. This would be a more normal deployment.

 

Hope this helps 

 

Dave

Looks like I double posted; this one got flagged for spam last night, so I reposted it.

 

Dave, I think that is what I was going for: the private VLAN. However, I was having issues finding examples of a config on the interface. So the host (Nomadix gateway) will have a public IP as well, then it does NAT to the devices behind it. This is for a hotel's guest network.

 

Thank you for the help

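As an added example that is not from the thread or from Cisco's guide, this is what the isolated private VLAN approach Dave describes would look like applied to the OP's config. It assumes VLAN 201 is unused (chosen here as the isolated VLAN) and that the switch can be put into VTP transparent mode, which the linked guide requires before private VLANs can be created.

```cisco
! Added example (not from the thread): private VLAN layout for VLAN 200.
! VLAN 201 is an assumed free VLAN ID used as the isolated secondary VLAN.
vtp mode transparent
!
vlan 201
 private-vlan isolated
!
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Gi1/0/13 (Nomadix) and Gi1/0/23 (internal firewall) become isolated host
! ports: each can reach the promiscuous side (the SVI) but not each other,
! so ARP and any other Layer 2 traffic between the two ports is dropped.
interface GigabitEthernet1/0/13
 description Nomadix_guest_gateway
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet1/0/23
 description Internal_firewall
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! The SVI keeps 100.2.31.193/27 as the default gateway for both hosts; the
! mapping lets it route for the isolated VLAN, so both still reach the ISP
! through Vlan100 and the existing 0.0.0.0/0 route. Gi1/0/1 is unchanged.
interface Vlan200
 description LAN
 ip address 100.2.31.193 255.255.255.224
 private-vlan mapping 201
!
! Verify the VLAN roles and that each port shows "private-vlan host":
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/13 switchport
! show interfaces GigabitEthernet1/0/23 switchport
```

Leave `ip local-proxy-arp` disabled on Vlan200 (the default): if it were enabled, the SVI would answer ARP for same-subnet hosts and route between ports 13 and 23, which would defeat the isolation.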
