I need some VLAN security advice / recommendations on the following...
We have a stack of ws-c3750x-48 Layer3 switches that hosts 100+ VLANs. The VLANs are trunked to Hyper-V virtual host servers. Each virtual host cluster hosts VMs on multiple virtual networks / VLANs. Each VLAN hosts a /27 network.
The switch stack uplinks to a pair of ASA 5510s. The ASA pair is the Internet firewall as well as hosting L2L and client VPNs. We are in the process of installing an ACS server for VPN authentication and TACACS.
The 100+ VLANs have been provisioned on the stack, but only a few are currently in use.
I need to ensure that the VLANs cannot talk to each other. As of right now I am controlling this with ACLs on each VLAN. However, as the VLANs are populated, I see this becoming a management nightmare.
What are my options? How can I do this better?
If ACLs are really my only option, what would be the least load on the switch, one large ACL applied to all VLANs or an ACL for each VLAN?
Thanks in advance.
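The following is an added example, not configuration from the original post, of the "one ACL applied to every VLAN" approach the question asks about. It assumes the tenant /27s are all carved from a single aggregate (10.10.0.0/16, with VLAN 100 = 10.10.0.0/27 and VLAN 101 = 10.10.0.32/27), that each SVI uses the first address of its /27, that shared services such as DNS sit outside that aggregate (10.0.0.10 here), and that the ASA inside address is also outside it. The ACL name VLAN-ISOLATE and all addresses are placeholders.

```cisco
! Added example (not from the original post): a single router ACL shared by
! every tenant SVI. Addresses, VLAN numbers and the ACL name are assumptions.
!
! Key point: hosts in the same VLAN are switched at Layer 2 and never hit the
! SVI, so an inbound SVI ACL only ever sees traffic leaving the VLAN. One
! deny line covering the whole tenant aggregate therefore isolates every
! tenant VLAN from every other one without per-VLAN entries.
!
ip access-list extended VLAN-ISOLATE
 remark Shared services every tenant may reach (assumed: DNS at 10.0.0.10)
 permit udp any host 10.0.0.10 eq domain
 permit tcp any host 10.0.0.10 eq domain
 remark Let hosts ping their own gateway: wildcard 0.0.255.224 matches the
 remark first usable address (.1, .33, .65, ...) of every /27 in 10.10.0.0/16.
 remark Caveat: this also permits echo to other VLANs' gateway addresses only.
 permit icmp any 10.10.0.1 0.0.255.224 echo
 remark Block traffic to every other tenant VLAN in one line (no "log":
 remark logged ACEs are punted to the CPU on this platform)
 deny   ip any 10.10.0.0 0.0.255.255
 remark Anything else (Internet through the ASA pair) is routed normally
 permit ip any any
!
! Apply the same ACL inbound on each tenant SVI; the ACL body never changes
! when a new VLAN is populated.
interface Vlan100
 description domain01
 ip address 10.10.0.1 255.255.255.224
 ip access-group VLAN-ISOLATE in
!
interface Vlan101
 description domain02
 ip address 10.10.0.33 255.255.255.224
 ip access-group VLAN-ISOLATE in
!
! Checks: hit counters on the deny line should only grow on cross-VLAN
! attempts; the second command confirms the ACL is bound to the SVI.
! show ip access-lists VLAN-ISOLATE
! show ip interface Vlan100 | include access list
```

With this layout, bringing up a new domain VLAN is the SVI address plus the one `ip access-group` line; the isolation policy lives in a single named ACL that is edited in one place. Anything a tenant must reach inside the aggregate (for example a shared jump host) needs an explicit permit above the deny, and the whole thing only holds if every tenant /27 really is inside 10.10.0.0/16 and nothing shared is.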
I looked into PVLANs, but thought they wouldn't work since each Hyper-V host server is plugged into a trunk port carrying all the current VLANs. For example, a Hyper-V blade server may have 6 or 8 NICs, each plugged into a trunk port. The HV server may host five separate domains. Each domain will have its own VLAN (i.e. VLAN 100 = domain01, VLAN 101 = domain02, etc.). The servers need to talk to other servers within their domain, but not to other domains.
Will PVLANs work for this? Can a trunk port carry multiple PVLANs? If so, I gather I would need to use community PVLANs?