Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
455
Views
5
Helpful
1
Replies

Suggestions for connectivity issue

Go to solution
Stacey Hummer
Level 1
Level 1

‎10-07-2021 06:58 AM

Good day all,

I have been tasked with providing a recommendation for securing a specific server on our network. Our network is Cisco Centric, hence being here. As it stand I have a 3560CX switch connected to the server. From that switch it goes to a 4500x then to another 4500x and finally out our firewall (sadly palo alto).

I am required to provide a recommendation to prevent any other device from getting to snoop unencrypted traffic from this server. So I need to have some sort of tunnel/acl/ combination of them to prevent anybody from tampering with this server. The server itself builds a VPN outbound to a server in a different country.

I have looked at VRF-Lite as well as GRE, however with the Palo Alto in the mix and it not supporting VRF I am not overly sure what to do. Do I stop the VRF at the last 4500 and then GRE it to the Palo Alto? I do not have any routers available only the layer 3 switches I mentioned.

If I find a solution, I believe they will want to implement it with numerous other IP ranges to prevent snooping from one range to another.

Any help would be greatly appreciated.

 

Server – 3560 – 4500 – 4500 – Palo Alto --- Internet

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎10-07-2021 07:13 AM

Hi there,

The palo alto does support VRFs, they are called Virtual Routers in palo parlance.

 

You could tag your server VLAN all the way towards the palo and to an layer3 interface in the new VR. You would then need to leak routes between this new VR and the default VR which has your internet connectivity. This can be done with with either BGP or static routes. Finally create a security policy between the security zones involved to allow inter-zone traffic.

You could achieve the same level of security just by using security polices, the extra VR doesn't really gain you anything.

 

Regarding snooping of unencrypted traffic, the bad actor would need to be on the same layer2 subnet to observe any broadcasts, and to snoop anything else it would need to spoof the servers address. If you tightly control your infrastructure this should be easy to control. Beyond that, you are talking about rogue wire taps, and if you encounter those you have some big problems!

 

cheers,

Seb.

 

View solution in original post

1 Reply 1

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎10-07-2021 07:13 AM

Hi there,

The palo alto does support VRFs, they are called Virtual Routers in palo parlance.

 

You could tag your server VLAN all the way towards the palo and to an layer3 interface in the new VR. You would then need to leak routes between this new VR and the default VR which has your internet connectivity. This can be done with with either BGP or static routes. Finally create a security policy between the security zones involved to allow inter-zone traffic.

You could achieve the same level of security just by using security polices, the extra VR doesn't really gain you anything.

 

Regarding snooping of unencrypted traffic, the bad actor would need to be on the same layer2 subnet to observe any broadcasts, and to snoop anything else it would need to spoof the servers address. If you tightly control your infrastructure this should be easy to control. Beyond that, you are talking about rogue wire taps, and if you encounter those you have some big problems!

 

cheers,

Seb.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card