How to create a DMZ network on switch ?

Elrick Landon
Level 1

Hi to all,

I use a Cisco 2960X and a 2960XR switch that are currently dedicated to the LAN only (so 1 VLAN = 192.168.1.0/24); these switches are behind a NAT router.

The target is to use a pfSense firewall with 3 interfaces: 1 WAN, 1 LAN, 1 DMZ.
I wish to assign half of the ports to the LAN network and the other half to the DMZ.

The LAN and DMZ networks must not see each other; they must be isolated as if they were on two separate switches.

The web interface and Telnet/SSH access must be accessible from the LAN network, for security reasons.

LAN stays in 192.168.1.1/24

DMZ will be 10.0.0.1/24

Do I need to create a new VLAN? How do I do that?

How do I assign each VLAN to its dedicated ports?

How do I prevent each subnet from reaching the other?

How do I allow Telnet/SSH and the web interface to be accessed only from the LAN?


My setup:

C2960X#1#show conf
Using 2381 out of 524288 bytes
!
! Last configuration change at 22:23:36 CET Fri Mar 9 2018
! NVRAM config last updated at 22:23:46 CET Fri Mar 9 2018
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C2960X#1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 09xxxxxxxxxxxxxxxxxxxxxxx
!
username Cisco privilege 15 secret 5 $1$bwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
clock timezone CET 1 0
clock summer-time cest recurring last Sun Mar 3:00 last Sun Oct 3:00
switch 1 provision ws-c2960x-24td-l
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2xxxxxxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2xxxxxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-2xxxxxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-2xxxxxxxxxxxxx
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
ip address 192.168.1.250 255.255.255.0
!
ip default-gateway 192.168.1.1
no ip http server
ip http authentication local
ip http secure-server
!
!
!
vstack
!
line con 0
privilege level 15
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxxxxx
login
line vty 5 15
password 7 xxxxxxxxxxxxxxxxxxxxx
login
!
ntp server pool.ntp.org
end

Many thanks for your help in advance.

Best Regards.

2 Replies

Hello

A few options:

1) You could inter-VLAN route from your router and apply VRF-Lite on the subinterfaces of each VLAN.

2) Private VLANs.

3) Apply access control lists on the SVI of the L3 switch for each VLAN.

Regards,

Paul

 



Just to be sure I understand your answer: the router will be replaced by pfSense with three interfaces (the router is no longer present in the target setup).

One switch is layer 3; is it mandatory to have layer 3?

In this case, I will only start by setting up one switch (it can be enough).

About the 3 options that you describe, how do I do that?

Is creating a new VLAN not enough? What about private VLANs? And how do I apply an access control list on an SVI?

Best Regards.
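For the setup described in the thread (pfSense doing all routing and firewalling between WAN, LAN and DMZ, with a separate pfSense NIC cabled into each side), the 2960-X only has to act as a layer-2 switch, so none of the three layer-3 options in the reply above (VRF-Lite, private VLANs, ACLs on SVIs) is needed on the switch. The IOS configuration below covers the four things the question asks for: a DMZ VLAN, the port split, isolation of the two subnets, and management reachable only from the LAN. This is an added example written for this thread, not configuration from the original posts. Assumptions: VLAN 10 is the DMZ, Gi1/0/1-12 are LAN and Gi1/0/13-24 are DMZ, the pfSense LAN NIC plugs into Gi1/0/1 and its DMZ NIC into Gi1/0/13, standard ACL number 10 is unused, and the domain name is a placeholder.

```cisco
! Added example for this thread; not from the original posts.
! Assumptions: DMZ = VLAN 10, Gi1/0/1-12 = LAN, Gi1/0/13-24 = DMZ,
! pfSense LAN NIC on Gi1/0/1, pfSense DMZ NIC on Gi1/0/13, ACL 10 free,
! "lab.example" is a placeholder domain name.
!
! 1) Create the DMZ VLAN. VLAN 1 stays the LAN (192.168.1.0/24) and keeps
!    the only SVI (192.168.1.250), so the switch has no address in the DMZ.
vlan 10
 name DMZ
!
! 2) Assign the ports. Access mode plus "nonegotiate" turns DTP off, so a
!    host cannot negotiate a trunk and hop between VLANs; bpduguard shuts
!    down a port that receives spanning-tree BPDUs from a rogue switch.
interface range GigabitEthernet1/0/1 - 12
 description LAN (Gi1/0/1 = pfSense LAN NIC)
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range GigabitEthernet1/0/13 - 24
 description DMZ (Gi1/0/13 = pfSense DMZ NIC)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Park the unused SFP and 10G uplinks so nothing can be cabled into VLAN 1
! unnoticed.
interface range GigabitEthernet1/0/25 - 26
 shutdown
interface range TenGigabitEthernet1/0/1 - 2
 shutdown
!
! 3) Isolation between the subnets: "ip routing" is not enabled and there is
!    no SVI in VLAN 10, so the only path between 192.168.1.0/24 and
!    10.0.0.0/24 is through pfSense, where the firewall rules decide.
!    Nothing further is required on the switch.
!
! 4) Management only from the LAN. The SVI is in VLAN 1, so DMZ hosts have
!    no layer-2 path to 192.168.1.250; the ACL is defence in depth against
!    anything pfSense might route in from the DMZ or the WAN.
access-list 10 remark management sources
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
!
! SSH prerequisites: a domain name and an RSA key (skip if already present).
ip domain-name lab.example
crypto key generate rsa modulus 2048
!
! "login local" uses the existing "username Cisco" account instead of the
! shared line password. "transport input ssh" drops Telnet; if Telnet really
! must stay, use "transport input telnet ssh" instead.
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
!
! Same source restriction for the HTTPS management interface.
ip http access-class 10
!
! Hardening of items visible in the posted config:
!  - "enable password 7" is reversible and is ignored while "enable secret"
!    exists, so remove it.
!  - Smart Install ("vstack") is an unauthenticated zero-touch provisioning
!    service that is not needed here.
no enable password
no vstack
!
! Verification:
!   show vlan brief          -> Gi1/0/13-24 listed under VLAN 10
!   show interfaces status   -> Vlan column matches the split above
!   show access-lists 10     -> deny counter climbs on blocked attempts
!   show line vty 0          -> shows "Access Class in: 10"
```

If pfSense had only two NICs instead of three, the DMZ would instead ride a tagged sub-interface: make the pfSense-facing port a trunk with `switchport mode trunk`, `switchport trunk allowed vlan 1,10` and `switchport nonegotiate`, and create a VLAN 10 interface on pfSense. The second switch (the 2960XR) can be added later with the same VLAN and port configuration, linked by a trunk that allows only VLANs 1 and 10.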
