cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
680
Views
0
Helpful
5
Replies

Best option for isolating development lab environment?

ben
Level 1
Level 1

We've had a few instances where development testing in our lab has caused the entire network to be compromised. I'd like to keep this from happening, but I'm trying to get some ideas besides my own. I have attempted other solutions in the past, but they have been frustrating for the users, and were abandoned. Here is a quick idea of the network:

192.168.128.0/255.255.248.0, corporate LAN now using 192.168.131.0 and 192.168.132.0.

The lab is currently connected to unmanaged switches, which are connected in turn to the corporate LAN. The lab needs to access the corporate LAN, and vice versa, but should not be able to flood the corporate LAN with packets in the event of a test gone awry. A router seems a simple solution, however, our corporate router is managed. I also have a spare PIX 515 and Catalyst 3550 with which to work...any suggestions?

5 Replies 5

scottmac
Level 10
Level 10

If you put in a VPN gateway (or two - one for each direction) between the two it should isolate any issues to the Lab and still allow (very controllable) access in either direction.

If you set it up for L2TP / PPTP, then any MS client should be able to access without additional per-client charges.

If any malicious activity does occur, it can be traced back to a host or two and traced further to the offending system in the Lab.

Good Luck

Scott

steve.busby
Level 5
Level 5

Ben,

I'd suggest putting the PIX515 between your lab and your corporate network. With your corporate network being your "internal" interface and your lab would be "external".

It would be very easy to write the rules as needed to allow very specific traffic from the lab into your corporate network. Additionally, you would have the option of specifying who from your corporate network would be able to access the lab environment.

HTH

Steve

Thanks for the responses...I was thinking the PIX would be the best option as well, so I'll try to implement that...

Ben

corey.lohr
Level 1
Level 1

Well, the lab environment should not be anywhere near the production network. Secondly, a router is part of the solution that came to mind. How about a 2514 or if it's in the budget a 2610 with a NM-16A or NM-32A module. You could configure the 2514 or 2610 as an Access Server providing complete out-of-band management of the lab via asynch interfaces (reverse telnet), and in-band access to the lab from the production network would be limited to the ethernet interface of the Access Server. You would also gain the ability to restrict access to and from the lab with ingress and egress access-lists. The main objective is to make sure that none of the lab devices are able to pass frames or packets upstream into the production network except ssh, and/or telnet .

-C

craig.essex
Level 1
Level 1

It seems to me that you want to isolate the lab environment which is normally a good thing, but at the same time you need to access your production LAN. These two statements are mutually exclusive. The solutions using the PIX and/or the dual interface router are reasonable given that you are not really creating an isolated lab environment. Pick whichever one you feel most comfortable with and understand what the interfaces are between your Production and Lab "compartments".

Review Cisco Networking for a $25 gift card