06-16-2018 12:28 PM - edited 03-08-2019 03:23 PM
Hi to all,
I use a Cisco 2960X and a 2960XR switch that are currently dedicated to the LAN only (so 1 VLAN = 192.168.1.0/24); these switches are behind a NAT router.
The target is to use a pfSense firewall with 3 interfaces: 1 WAN, 1 LAN, 1 DMZ.
I wish to assign half of the ports to the LAN network and the other half to the DMZ.
The LAN and DMZ networks must not see each other; these networks must be isolated as if they were on two separate switches.
The web interface and telnet/SSH access must be accessible only from the LAN network, for security reasons.
LAN stays in 192.168.1.1/24
DMZ will be 10.0.0.1/24
Do I need to create a new VLAN? How do I do that?
How do I assign each VLAN to its dedicated ports?
How do I prevent the subnets from reaching each other?
How do I allow telnet/SSH and the web interface to be accessed only from the LAN?
My setup :
C2960X#1#show conf
Using 2381 out of 524288 bytes
!
! Last configuration change at 22:23:36 CET Fri Mar 9 2018
! NVRAM config last updated at 22:23:46 CET Fri Mar 9 2018
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2960X#1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 09xxxxxxxxxxxxxxxxxxxxxxx
!
username Cisco privilege 15 secret 5 $1$bwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
clock timezone CET 1 0
clock summer-time cest recurring last Sun Mar 3:00 last Sun Oct 3:00
switch 1 provision ws-c2960x-24td-l
!
crypto pki trustpoint TP-self-signed-2xxxxxxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2xxxxxxxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-2xxxxxxxxxxxxx
!
crypto pki certificate chain TP-self-signed-2xxxxxxxxxxxxx
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 ip address 192.168.1.250 255.255.255.0
!
ip default-gateway 192.168.1.1
no ip http server
ip http authentication local
ip http secure-server
!
vstack
!
line con 0
 privilege level 15
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxx
 login
line vty 5 15
 password 7 xxxxxxxxxxxxxxxxxxxxx
 login
!
ntp server pool.ntp.org
end
Many thanks for your help in advance
Best Regards.
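As an added example (not part of the original post and not taken from Cisco documentation), here is how the switch above could be split into a LAN VLAN and a DMZ VLAN purely at layer 2, with pfSense as the only path between the two and switch management reachable from the LAN only. The management address 192.168.1.250 and the gateway 192.168.1.1 come from the posted config; the VLAN IDs 10, 20 and 999, the split at Gi1/0/12, the choice of Gi1/0/1 and Gi1/0/13 as the pfSense uplinks, the domain name and the ACL number 10 are assumptions chosen for illustration.

```ios
! Added example, not the poster's config. Assumed: VLAN 10 = LAN, VLAN 20 = DMZ,
! pfSense LAN interface on Gi1/0/1, pfSense DMZ interface on Gi1/0/13.
!
vlan 10
 name LAN
vlan 20
 name DMZ
vlan 999
 name PARKING
!
! Ports 1-12 are LAN, 13-24 are DMZ. Each port is a plain access port in
! exactly one VLAN, so frames never cross between the two VLANs inside the
! switch; the only path is LAN port -> pfSense -> DMZ port.
! "switchport nonegotiate" stops DTP so a host cannot negotiate a trunk.
interface range GigabitEthernet1/0/1 - 12
 description LAN (pfSense LAN interface on Gi1/0/1)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface range GigabitEthernet1/0/13 - 24
 description DMZ (pfSense DMZ interface on Gi1/0/13)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! Unused uplink ports are parked in an unused VLAN and shut down, so a
! device plugged in later does not silently land in VLAN 1.
interface range GigabitEthernet1/0/25 - 26 , TenGigabitEthernet1/0/1 - 2
 switchport mode access
 switchport access vlan 999
 shutdown
!
! The management SVI moves from VLAN 1 to the LAN VLAN. VLAN 1 keeps no
! address, and there is deliberately no SVI in the DMZ VLAN: the switch has
! no IP presence the DMZ can talk to directly.
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 description Management (LAN)
 ip address 192.168.1.250 255.255.255.0
!
ip default-gateway 192.168.1.1
!
! Only 192.168.1.0/24 may open a management session. The same numbered
! standard ACL is used for the VTY lines and for the HTTPS server.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
!
! SSH only, no telnet, no plain HTTP. The type-7 enable password is removed
! because type 7 is reversible; the enable secret remains.
no enable password
ip domain-name example.lan
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
ip http secure-server
ip http access-class 10
!
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
```

Apply this from the console session: shutting Vlan1 drops the existing management session over VLAN 1. A DMZ host routed through pfSense can still send packets at 192.168.1.250, but they arrive with a 10.0.0.x source and are rejected by ACL 10 before login; a pfSense rule dropping DMZ to 192.168.1.250 is the second layer. Verify with `show vlan brief` (ports in 10 and 20 only), `show interfaces trunk` (no trunks expected) and `show access-lists 10` after an SSH attempt from a DMZ host, which should bump the deny counter.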
06-16-2018 01:37 PM - edited 06-16-2018 01:38 PM
Hello
A few options
1) you could inter-VLAN route from your router and apply VRF-lite on the sub-interfaces of each VLAN
2) private VLANs
3) apply access control lists on the SVI of the L3 switch for each VLAN
res
paul
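As an added example for option 3 above (not part of the original thread or of any Cisco documentation), this shows ACLs on the SVIs of a switch that routes between the VLANs itself. It assumes the 2960XR with the IP Lite feature set and `ip routing` enabled, VLAN 10 = LAN and VLAN 20 = DMZ, SVI addresses 192.168.1.254 and 10.0.0.254, and pfSense at 192.168.1.1 as the default route; all of those values are assumptions. Note that this topology differs from the three-interface pfSense design in the question: the switch, not pfSense, becomes the DMZ gateway, and DMZ traffic reaches pfSense through its LAN-side interface.

```ios
! Added example, not the poster's config. Assumed: 2960XR IP Lite image,
! VLAN 10 = LAN (192.168.1.0/24), VLAN 20 = DMZ (10.0.0.0/24),
! pfSense reachable at 192.168.1.1.
ip routing
!
! Inbound on the LAN SVI: LAN hosts may not send anything to the DMZ subnet.
! Everything else (Internet via pfSense) is allowed. Logging the denies
! gives a cheap signal of a LAN host probing the DMZ.
ip access-list extended LAN-IN
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 log
 permit ip any any
!
! Inbound on the DMZ SVI: the DMZ may not initiate anything to the LAN,
! which also covers the switch's LAN-side SVI address. A compromised DMZ
! host therefore cannot reach LAN clients or LAN-side management.
ip access-list extended DMZ-IN
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 description LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group LAN-IN in
!
interface Vlan20
 description DMZ
 ip address 10.0.0.254 255.255.255.0
 ip access-group DMZ-IN in
!
! Anything not local leaves through pfSense.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

The ACLs filter routed traffic between the two VLANs; they do not by themselves stop a DMZ host from opening SSH to the DMZ SVI address 10.0.0.254, so the VTY `access-class` restricting management sources to 192.168.1.0/24 is still needed. Because the ACLs are stateless, a reply from the DMZ to a LAN connection is allowed only because LAN to DMZ is already denied outright; if you later open a single LAN to DMZ service, use reflexive ACLs or let pfSense do the stateful filtering instead. On the 2960 series, `switchport protected` (PVLAN edge) only isolates ports from each other inside one VLAN on one switch, so it is not a substitute for separate VLANs. Check hit counts with `show ip access-lists`.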
06-16-2018 10:44 PM - edited 06-16-2018 11:08 PM
Just to be sure I understand your answer: the router will be replaced by pfSense with three interfaces... (the router will no longer be present in the target setup).
One switch is layer 3; is it mandatory to have layer 3?
In this case, I will start by setting up only one switch (it can be enough).
About the 3 options that you describe, how do I do that?
Is creating a new VLAN not enough? What about private VLANs? And how do I apply an access control list on an SVI?
Best Regards.