Limiting Communication on Same VLAN

Tim Glen
Cisco Employee

 Hi All,

I’ve been given a business requirement to keep end user’s PCs from communicating with other end user PCs. This is primarily to keep a malware infected PC from discovering and spreading malware to other Windows PCs on the same VLAN and across other end user VLANs within the enterprise.

Of course, there need to be exceptions: RDP needs to be allowed across the board, and in some cases tcp/80 & tcp/443 will be allowed, since some end user PCs host dev web sites.

 

Some facts…

* End user VLANs are all within a specific CIDR block.

* End users are allowed to communicate with servers.

* Server VLANs are on a different CIDR block.

* End users are allowed to communicate with the internet.

* End users have an IP Phone at their desk.

* End user PCs plug into the phone.

* IP phones plug into the switch port.

* Switch ports are configured with a Voice and Access VLAN.

 

I’ve been considering using an IPv4 ACL and applying it to each port, however I have the feeling that this will become ‘out of control’ as other exceptions will be needed.

I realize I cannot use ‘switchport protected’ because of the need for traffic exceptions.

Are there any other options (Cisco \ Microsoft) that would accomplish the requirements?

Thanks very much for any advice!

Tim

 

9 Replies

chrihussey
VIP Alumni

I have not had to implement them, but Private VLANs may be a good solution. 

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swpvlan.html

I don't believe that Private VLANs are supported on 2960S.  

I do appreciate the tip.

Any other ideas would be greatly appreciated.  

Hello

end user’s PCs from communicating with other end user PCs

If PVLANs are not appropriate, you can try using protected ports with the switchport protected command.

It will prevent communication with any other port that has the same feature applied to it, and will allow communication to non-protected ports even if its own port is in protected mode.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I would like to use switchport protected because it's one and done, but cannot due to the need for exceptions.

As I mentioned above, some users will need to hit websites on the same VLAN, and Call Center Managers use Supervisor Desktop to Live Monitor those using Cisco CAD.

Any other suggestions would be appreciated. 

Also, how common is a business request like this? Do engineers on this forum run into this in enterprises?

Thanks 

Tim

Hello

As I stated, even if a port is protected it WILL still communicate with ports that are not, like servers in the same VLAN.

res

paul



Kind Regards
Paul

Tim

You might take a look at port ACLs as a way to achieve your requirements. I believe that they are supported on the 2960 switch. You can find information in this link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swacl.html#44781

HTH

Rick


Sorry, but likely I wasn't clear with the requirements. 

In the case of Cisco Agent Desktop and Cisco Supervisor Desktop VoIP applications, both applications run on end users' PCs on the same VLAN.

Both end users' PCs need to be limited ~but~ there needs to be the ability to create 'same-vlan' exceptions. Because of this requirement, I don't believe switchport protected will solve this problem.

I'm leaning toward a VLAN Access Map or a Port ACL. I'm attempting to gather a pro \ con list for each.

Tim

I do not know enough about VLAN access maps to offer much for a pro/con list. For the port ACL, I believe the major pro is that it does allow you to apply controls at the individual port level. I believe that the con list would include the fact that a PACL is applied to inbound traffic and, as far as I know, does not apply to outbound (so basically you are controlling what can communicate with this PC, where we tend to think of controlling what this PC can communicate with. I believe the result can be the same, but the logic applied is a bit different). Also, I believe that configuring PACLs will be tedious.

To answer a different part of your original question: I have not seen this requirement from my enterprise customers. While they might have thought that it would be nice to prevent a contaminated PC from accessing others, I believe that the level of effort to achieve the result, and the potential for errors in the logic to reduce the effectiveness, has led them to decide that it was not worth trying to implement this kind of control.

HTH

Rick


Hello

Possibly then a VACL could fit your requirement.

Negate telnet communication between hosts within VLAN 10:

access-list 110 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet
access-list 110 permit tcp host 1.1.1.2 host 1.1.1.1 eq telnet

vlan access-map STAN 10
 action drop
 match ip address 110

vlan access-map STAN 99
 

vlan filter STAN vlan-list 10  <------------ applying it to VLAN 10

Vlan access-map "STAN"  10
  Match clauses:
    ip  address: 110
  Action:
    drop


Vlan access-map "STAN"  99
  Match clauses:
  Action:
    forward

res
Paul



Kind Regards
Paul
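Building on Paul's VACL sketch and the exceptions Tim listed (RDP everywhere, tcp/80 and tcp/443 to a few dev PCs), here is an added example that is not from the thread: it generates a VLAN access map from a short, auditable exception table so the list does not get "out of control", and includes a small simulator of the map's sequence order. All addresses, VLAN numbers and map names are constructed assumptions, and it assumes a platform that supports VLAN access maps (the 2960S mentioned above may not; check its ACL guide).

```python
"""Emit a Cisco IOS VLAN access map that drops PC-to-PC traffic inside the
end-user block but forwards an explicit exception list, plus a simulator of
the map's evaluation order. Constructed example; addresses and names are assumed."""
import ipaddress

USER_NET = ("10.10.0.0", "0.0.255.255")            # user VLAN block as IOS network + wildcard
USER_BLOCK = ipaddress.ip_network("10.10.0.0/16")  # same block, for the simulator

# (remark, source, destination, TCP port); "any-user" means the whole user block.
EXCEPTIONS = [
    ("RDP between any PCs", "any-user", "any-user", 3389),
    ("dev web site on a user PC", "any-user", "10.10.4.25", 80),
    ("dev web site on a user PC", "any-user", "10.10.4.25", 443),
]

def _addr(spec):
    return "%s %s" % USER_NET if spec == "any-user" else "host %s" % spec

def build_vacl(name="USER-ISOLATION", vlans="10-19"):
    """Sequence 10 forwards exceptions, 20 drops anything else between two user
    addresses, 30 (no match clause) forwards the rest: servers, internet, phones."""
    lines = ["ip access-list extended USER-EXCEPTIONS"]
    for remark, src, dst, port in EXCEPTIONS:
        lines.append(" remark %s" % remark)
        lines.append(" permit tcp %s %s eq %d" % (_addr(src), _addr(dst), port))
        # A VACL is stateless, so the reply direction needs its own permit; 'established'
        # limits it to packets with ACK/RST set, so it cannot open a new session.
        lines.append(" permit tcp %s eq %d %s established" % (_addr(dst), port, _addr(src)))
    lines += ["ip access-list extended USER-TO-USER",
              " permit ip %s %s %s %s" % (USER_NET + USER_NET),
              "vlan access-map %s 10" % name, " match ip address USER-EXCEPTIONS", " action forward",
              "vlan access-map %s 20" % name, " match ip address USER-TO-USER", " action drop",
              "vlan access-map %s 30" % name, " action forward",
              "vlan filter %s vlan-list %s" % (name, vlans)]
    return lines

def _hit(spec, ip):
    return ip in USER_BLOCK if spec == "any-user" else ip == ipaddress.ip_address(spec)

def would_forward(src, dst, dport):
    """Simulate the map for a TCP SYN from src to dst:dport (forward direction only)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(_hit(es, s) and _hit(ed, d) and dport == p for _, es, ed, p in EXCEPTIONS):
        return True                      # sequence 10: listed exception
    if s in USER_BLOCK and d in USER_BLOCK:
        return False                     # sequence 20: PC-to-PC dropped
    return True                          # sequence 30: servers, internet

if __name__ == "__main__":
    print("\n".join(build_vacl()))
```

Running the file prints the config to paste in; `would_forward` lets you check a proposed exception table against sample flows (for instance SMB between two PCs must come back False) before touching the switch.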