cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
298
Views
20
Helpful
6
Replies
Highlighted

Restrict communication between ports in the layer 3 switch

Hi, I have no expertise on the network. I always appreciate your taking the time to answer my question.

 

We will connect independent systems (System A and B) using the L3 Switch (Catalyst 9300).

and send the syslog to the cyber security operation center like attached picture.

* System A and B consist of L2 Switch (Catalyst 2960).

 

In order to prevent access from each system to another system, we would like to ensure that coming data through Port 1~3 is transferred to only port 4. Is it possible to implement this function by changing the settings of the Catalyst 9300?

 

SYStem ABC.JPG

 

 

6 REPLIES 6
Highlighted
VIP Expert

Question is the Cat 9300 Only for send the Syslog to the cybersecurity operation center?

 

You can have ACL deployed on Cat 9300 - and Allow the source of the network A and B to only to communicate to Syslog server IP.

so they can not communicate with each other network IP address range.



BB


*** Rate All Helpful Responses ***

Highlighted

Thank you for your reply.

 

Yes, Cat 9300 transmits only syslog to cybersecurity operation center.

Highlighted
VIP Expert

Hello,

 

I assume System A and System B are on different subnets ? And the layer 3 switch is doing the inter-Vlan routing ?

 

You can use a simple access list to keep both systems from communicating with each other. The configuration would look something like below:

 

interface GigabitEthernet0/1

description Port 1 Link to System A

switchport mode access

switchport access vlan 10

!

interface GigabitEthernet0/2

description Port 2 Link to System B

switchport mode access

switchport access vlan 20

!

interface GigabitEthernet0/3

description Port 3 Link to System B

switchport mode access

switchport access vlan 20

!

interface GigabitEthernet0/4

description Port 4 Link to Syslog

no switchport

ip address 172.16.1.1 255.255.255.0

!

access-list 101 deny 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 101 permit 192.168.10.0 0.0.0.255 any

!

interface Vlan 10

ip address 192.168.10.1 255.255.255.0

ip access-group 101 in

!

interface Vlan 20

ip address 192.168.20.1 255.255.255.0

Highlighted
Rising star

use VRF if you can, VRF separate the traffic.

Highlighted

Just to add a note - On Cat 9K - VRF needs Network Advantage License.



BB


*** Rate All Helpful Responses ***

Highlighted
Beginner

Hi Wang,

Simply put, a layer 3 switch combines the functionality of a switch and a router. It acts as a switch to connect devices that are on the same subnet or virtual LAN at lightning speeds and has IP routing intelligence built into it to double up as a router.

Regards

Content for Community-Ad