I need some VLAN security advice / recommendations on the following...
We have a stack of ws-c3750x-48 Layer3 switches that hosts 100+ VLANs. The VLANs are trunked to Hyper-V virtual host servers. Each virtual host cluster hosts VMs on multiple virtual networks / VLANs. Each VLAN hosts a /27 network.
The switch stack uplinks to a pair of ASA 5510s. The ASA pair is the Internet firewall as well as hosts L2L and client VPNs. We are in the process of installing an ACS server for VPN authentication and TACACS.
The 100+ VLANs have been provisioned on the stack, but only a few are currently in use.
I need to ensure that the VLANs cannot talk to each other. As of right now I am controlling this with ACLs on each VLAN. However, as the VLANs are populated, I see this becoming a management nightmare.
What are my options? How can I do this better?
If ACLs are really my only option, what would be the least load on the switch, one large ACL applied to all VLANs or an ACL for each VLAN?
I looked into PVLANs, but thought they wouldn't work since each Hyper-V host server is plugged into a trunk port carrying all the current VLANs. For example, a Hyper-V blade server may have 6 or 8 NICs each plugged into a trunk port. The HV server may host five separate domains. Each domain will have its own VLAN (i.e. VLAN 100 = domain01, VLAN 101 = domain02, etc). The servers need to talk to other servers within their domain, but not other domains.
Will PVLANs work for this? Can a trunk port carry multiple PVLANs? If so, I gather I would need to use community PVLANs?
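As an added illustration of the "one ACL for every VLAN" option (not part of the original post or of Cisco's documentation): because hosts in the same /27 are switched at layer 2 and never touch the SVI, one identical extended ACL applied inbound on every SVI can isolate all VLANs at once. The script assumes a 10.10.0.0/16 VLAN block with .1 gateways, encodes that ACL as IOS-style lines, and evaluates sample flows the way the switch's first-match lookup would.

```python
import ipaddress

# Constructed example, not the poster's config. Assumes the VLAN block is 10.10.0.0/16
# carved into /27s with each SVI (default gateway) at the first usable address. The
# same three-line ACL is applied "in" on every SVI: line 1 keeps every .1/.33/.65/...
# gateway reachable (non-contiguous wildcard), line 2 blocks all other traffic into
# the VLAN block, line 3 lets traffic out toward the ASA pair / Internet.
COMMON_SVI_ACL = [
    "permit ip any 10.10.0.1 0.0.255.224",
    "deny   ip any 10.10.0.0 0.0.255.255",
    "permit ip any any",
]


def _match(spec, ip):
    """Match one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == ipaddress.ip_address(spec[1])
    base, wild = (int(ipaddress.ip_address(x)) for x in spec)
    keep = ~wild & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
    return (int(ip) & keep) == (base & keep)


def _take_spec(tokens):
    """Split off one address spec: 'any' is one token, the others are two."""
    n = 1 if tokens[0] == "any" else 2
    return tokens[:n], tokens[n:]


def acl_action(acl, src, dst):
    """First-match lookup over extended 'ip' entries; IOS ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        action, proto, *rest = entry.split()
        s, rest = _take_spec(rest)
        d, _ = _take_spec(rest)
        if proto == "ip" and _match(s, src) and _match(d, dst):
            return action
    return "deny"


def svi_decision(src, dst, acl=COMMON_SVI_ACL):
    """Fate of a packet from a VLAN host. Traffic that stays inside the source's own
    /27 is switched at layer 2 and never reaches the SVI, so the inbound ACL is only
    consulted for packets to the gateway itself or for packets being routed away."""
    net = ipaddress.ip_network(f"{src}/27", strict=False)
    if ipaddress.ip_address(dst) in net and ipaddress.ip_address(dst) != net[1]:
        return "switched"
    return acl_action(acl, src, dst)
```

Note that line 1 also leaves the other VLANs' gateway addresses reachable (for example to ping); replace it with a per-SVI `host` entry if that is not acceptable in your environment.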