Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
298
Views
20
Helpful
6
Replies
Highlighted
WangSteven02215
Beginner
Beginner
‎01-21-2021 02:21 PM
‎01-21-2021 02:21 PM

Restrict communication between ports in the layer 3 switch

Hi, I have no expertise on the network. I always appreciate your taking the time to answer my question.

 

We will connect independent systems (System A and B) using the L3 Switch (Catalyst 9300).

and send the syslog to the cyber security operation center like attached picture.

* System A and B consist of L2 Switch (Catalyst 2960).

 

In order to prevent access from each system to another system, we would like to ensure that coming data through Port 1~3 is transferred to only port 4. Is it possible to implement this function by changing the settings of the Catalyst 9300?

 

SYStem ABC.JPG

 

 

Labels:
Reply
6 REPLIES 6
Highlighted
balaji.bandi
VIP Expert VIP Expert
VIP Expert
‎01-21-2021 02:37 PM
‎01-21-2021 02:37 PM

Question is the Cat 9300 Only for send the Syslog to the cybersecurity operation center?

 

You can have ACL deployed on Cat 9300 - and Allow the source of the network A and B to only to communicate to Syslog server IP.

so they can not communicate with each other network IP address range.



BB


*** Rate All Helpful Responses ***

0 Helpful
Reply
Highlighted
WangSteven02215
Beginner
Beginner
In response to balaji.bandi
‎01-22-2021 05:43 AM
‎01-22-2021 05:43 AM

Thank you for your reply.

 

Yes, Cat 9300 transmits only syslog to cybersecurity operation center.

0 Helpful
Reply
Highlighted
Georg Pauwen
VIP Expert VIP Expert
VIP Expert
‎01-21-2021 02:43 PM
‎01-21-2021 02:43 PM

Hello,

 

I assume System A and System B are on different subnets ? And the layer 3 switch is doing the inter-Vlan routing ?

 

You can use a simple access list to keep both systems from communicating with each other. The configuration would look something like below:

 

interface GigabitEthernet0/1

description Port 1 Link to System A

switchport mode access

switchport access vlan 10

!

interface GigabitEthernet0/2

description Port 2 Link to System B

switchport mode access

switchport access vlan 20

!

interface GigabitEthernet0/3

description Port 3 Link to System B

switchport mode access

switchport access vlan 20

!

interface GigabitEthernet0/4

description Port 4 Link to Syslog

no switchport

ip address 172.16.1.1 255.255.255.0

!

access-list 101 deny 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 permit 192.168.10.0 0.0.0.255 any

!

interface Vlan 10

ip address 192.168.10.1 255.255.255.0

ip access-group 101 in

!

interface Vlan 20

ip address 192.168.20.1 255.255.255.0

Reply
Highlighted
MHM Cisco World
Rising star
Rising star
‎01-21-2021 02:58 PM
‎01-21-2021 02:58 PM

use VRF if you can, VRF separate the traffic.

0 Helpful
Reply
Highlighted
balaji.bandi
VIP Expert VIP Expert
VIP Expert
In response to MHM Cisco World
‎01-21-2021 03:01 PM
‎01-21-2021 03:01 PM

Just to add a note - On Cat 9K - VRF needs Network Advantage License.



BB


*** Rate All Helpful Responses ***

Reply
Highlighted
stopher
Beginner
Beginner
‎01-22-2021 03:49 AM
‎01-22-2021 03:49 AM

Hi Wang,

Simply put, a layer 3 switch combines the functionality of a switch and a router. It acts as a switch to connect devices that are on the same subnet or virtual LAN at lightning speeds and has IP routing intelligence built into it to double up as a router.

Regards

Reply
Latest Contents
Cisco SD-WAN Global Forum : Quick Guide to Design, Deploy, O...
Created by ciscomoderator on 03-05-2021 12:50 PM
0
0
0
0
To participate in this event, please use the  button to ask your questions * Note: The link to join the discussion will be activated on March 8 All the knowledge of these four experts at your disposal! Cisco Software-Defined Wide Area Network (SD-WAN... view more
Community Live Event- ISR1100X-4G and ISR1100X-6G Platform O...
Created by Cisco Moderador on 03-02-2021 05:23 AM
1
0
1
0
Community Live- ISR1100X-4G and ISR1100X-6G Platform Overview and Architecture (Live event -  Tuesday, 23 March, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event will have place on Tuesday 23rd, March 2021 at 10:00 hrs PDT&... view more
Cisco Secure Network Access Bridges the Gap
Created by Kelli Glass on 02-26-2021 04:19 PM
0
0
0
0
Cisco Secure Network Access is helping IT to bridge the gap between what is essential to the business and what the network delivers and to build the next-generation campus network for an unplugged and uninterrupted experience. Learn more about how these w... view more
Community Live Video - New Additions to the Catalyst 8000 Fa...
Created by Cisco Moderador on 02-24-2021 08:49 AM
0
0
0
0
(view in My Videos) Community Live- New Additions to the Catalyst 8000 Family (Live event -  Tuesday, 23 February, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event had place on Tuesday 23rd, February 2021 at 10:00 hrs PDT... view more
New Additions to the Catalyst 8000 Family- FAQ
Created by Cisco Moderador on 02-24-2021 07:23 AM
0
0
0
0
This event had place on Tuesday 23rd, February 2021 at 10hrs PDT  Introduction Designed for an intent-based network, the Cisco Catalyst 8000 Edge Platforms family offers best-in-class networking and security combined. The platforms, available in b... view more
Content for Community-Ad