
Separating management and data networks.

Ashley Gibbon
Level 1

Hello all

Our network has developed over the years to a point where I have 4 separate networks at each branch: Secure Data, Management, Vendor and VOIP.

Secure Data is used for users to access the mainframe and do daily tasks, including the internet.

Management is used for access to routers, switches, UPSs etc.

Vendor is used for unmanaged (by us) devices like ATMs and other systems provided by vendors.

VOIP is for VOIP.

Each is a separate VLAN on the Cisco 2811, trunked to the switch.

What method of separating these networks do other companies use? IOS firewall or access lists, or am I missing something?

All of the Cisco IOS firewall stuff seems to be focused on outside to inside, while access lists get super complicated when I try to design them.

There are all kinds of cross-zone requirements, like PCs in Data to VOIP etc.

My company is a bank holding company, so I am talking about bank branches, and we have 24 of them.

Looking forward to your responses.

Ashley

4 Replies

Ashley Gibbon
Level 1

Thanks for your valuable input...

Jon Marshall
Hall of Fame

Ashley

You would probably have got a response if you had posted in the correct forum, i.e. this has nothing really to do with VPN. The Firewalling or, more likely, the LAN Switching/Routing forums would have been a better choice. So that is probably why you didn't get a response, because we do try to help.

That said, the general answer to your question is that it really does depend on how secure your requirements are. So, a number of options:

1) use a dedicated firewall and route the VLANs off that

2) use a router and ZBF or CBAC for each subinterface

3) use standard ACLs to limit the traffic between VLANs

I have seen all the above used. If you have strict security requirements then firewalling each VLAN is an option, but it does get complicated. For most companies, L3 ACLs on the VLAN interfaces are usually enough.

So, looking at each VLAN you have:

1) Management VLAN. You would definitely want to restrict which IPs can access this VLAN. Hopefully you have a set of defined IPs (which you may need to make static in DHCP) that can access the devices. You should also, obviously, be running SSH if supported to connect to devices.

2) Data VLAN - what are you trying to do here? Stop the data VLAN from accessing other VLANs, or stop other VLANs accessing the data VLAN? This and the VOIP VLAN are probably the most open, simply because that is where the users reside.

So, do you have specific requirements for these VLANs in terms of your company policy?

3) VOIP - see 2)

4) Vendors - this is the trickiest one of the lot and can give so many headaches. It's very difficult to give vendors the access they need without then allowing them to see other parts of the network. A lot of this comes down to how much you trust your vendors. Obviously you would want to make sure that they cannot leave the VLAN they are on.

Don't forget that as far as internal security is concerned, firewalling/L3 ACLs is only one part of it and, as you have said, it can become very complex. Equally important is locking down the user desktop so they cannot modify settings etc., implementing L2 security features on devices, e.g. port security/DAI/STP BPDU guard etc., and using 802.1x authentication for access to the network.

Overall, most networks I have come across rely on L3 ACLs internally to filter inter-VLAN traffic plus L2 security features. If there are any VLANs critical to the business then they have been firewalled, but firewalling every one is a big administrative overhead.

With some routers/switches there is now also the option of VRF-lite, which allows you to create multiple virtual routers on the same box. The good thing about this is that each has its own routing table, so unless you allow routes to be leaked between VRFs the two routing tables cannot see each other.

Hope some of this has helped. Any further questions please ask.

Jon
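As an added example (not configuration from Ashley's or Jon's posts), here is what option 3 above, L3 ACLs on the 2811 subinterfaces, could look like for the four VLANs described, with the vendor VLAN additionally placed in its own VRF-lite instance as in the last paragraph. Every address, VLAN number, interface name and host role is an assumption for illustration: the range 192.168.10.8/30 stands in for the "set of defined IPs" allowed to manage devices, and 203.0.113.0/24 for the vendor's own host network reached over the WAN.

```cisco
! Added example, not configuration from the thread. All addresses, VLAN
! numbers and host roles are assumptions:
!   VLAN 10 Secure Data  192.168.10.0/24  (admin PCs 192.168.10.8-.11)
!   VLAN 20 Management   192.168.20.0/24  (switches, routers, UPSs)
!   VLAN 30 Vendor       192.168.30.0/24  (ATMs), confined to VRF VENDOR
!   VLAN 40 VoIP         192.168.40.0/24  (phones)
!   203.0.113.0/24       vendor's host network, reached over the WAN
! Each permit names the VLAN's own subnet as source, so packets with a
! spoofed source fall through to the implicit deny at the end of every ACL.
!
ip vrf VENDOR
 description vendor kit - own routing table, nothing leaked to global
!
! Traffic sourced by the Secure Data VLAN
ip access-list extended DATA-IN
 remark only the admin PCs may manage devices: SSH, HTTPS, SNMP poll, NTP
 permit tcp 192.168.10.8 0.0.0.3 192.168.20.0 0.0.0.255 eq 22
 permit tcp 192.168.10.8 0.0.0.3 192.168.20.0 0.0.0.255 eq 443
 permit udp 192.168.10.8 0.0.0.3 192.168.20.0 0.0.0.255 eq snmp
 permit udp 192.168.10.8 0.0.0.3 eq ntp 192.168.20.0 0.0.0.255 eq ntp
 deny   ip any 192.168.20.0 0.0.0.255 log
 remark PCs <-> phones (softphones, phone web UI); tighten to SIP/RTP once known
 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
 remark mainframe, internet and everything else
 permit ip 192.168.10.0 0.0.0.255 any
!
! Traffic sourced by the Management VLAN. ACLs are stateless, so replies to
! the admin sessions above must be permitted explicitly; "established"
! matches only TCP segments with ACK or RST set, i.e. never a fresh SYN.
ip access-list extended MGMT-IN
 permit tcp 192.168.20.0 0.0.0.255 eq 22 192.168.10.8 0.0.0.3 established
 permit tcp 192.168.20.0 0.0.0.255 eq 443 192.168.10.8 0.0.0.3 established
 permit udp 192.168.20.0 0.0.0.255 eq snmp 192.168.10.8 0.0.0.3
 permit udp 192.168.20.0 0.0.0.255 eq ntp 192.168.10.8 0.0.0.3 eq ntp
 remark devices push syslog and SNMP traps to the admin PCs
 permit udp 192.168.20.0 0.0.0.255 192.168.10.8 0.0.0.3 eq syslog
 permit udp 192.168.20.0 0.0.0.255 192.168.10.8 0.0.0.3 eq snmptrap
 deny   ip any any log
!
! Traffic sourced by the Vendor VLAN. The VRF already hides the other VLANs
! (their connected routes are not in VENDOR's table); pinning the
! destination here means a later VRF mistake still leaks nothing.
ip access-list extended VENDOR-IN
 permit ip 192.168.30.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip any any log
!
! Traffic sourced by the VoIP VLAN
ip access-list extended VOIP-IN
 deny   ip any 192.168.20.0 0.0.0.255 log
 permit ip 192.168.40.0 0.0.0.255 any
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group DATA-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group MGMT-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding VENDOR
 ip address 192.168.30.1 255.255.255.0
 ip access-group VENDOR-IN in
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip access-group VOIP-IN in
!
! The VRF needs its own route to the vendor network. Assumes the
! vendor-facing WAN link (not shown) is also in VRF VENDOR with next hop
! 10.255.255.2. With no route pointing into the global table the ATMs
! cannot reach VLANs 10, 20 or 40 even if VENDOR-IN is later edited wrongly.
ip route vrf VENDOR 203.0.113.0 255.255.255.0 10.255.255.2
```

Two practical points: `ip vrf forwarding` must come before `ip address` on the subinterface, because applying it removes any address already configured; and the `log` keyword punts matching packets to the CPU (rate-limited), so keep it on the deny lines only and check hit counts with `show ip access-lists`. The MGMT-IN list shows the cost of statelessness that is easy to forget: without the `established` and reply entries, SSH from the admin PCs would open but never get an answer back.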

Thank you very much for your extensive answer. LOL, when I posted I read the forum as Security VLAN, not VPN...

Is there a GUI or visual tool for managing the ACLs? Cisco Configuration Professional, for example?

Ashley

Ashley

Not aware of any GUI, but that's not surprising as I only really ever use the CLI.

One thing I should have mentioned about L3 ACLs on the subinterfaces: they are not stateful, i.e. they see each packet in isolation, so as an example:

int fa0/0.10
 encapsulation dot1q 10
 ip address 192.168.5.1 255.255.255.0
int fa0/0.11
 encapsulation dot1q 11
 ip address 192.168.6.1 255.255.255.0

You want to allow VLAN 10 clients to initiate connections to VLAN 11, but you only want to allow VLAN 11 to reply to that traffic and not initiate connections to VLAN 10. With a stateful firewall this is easy, but with L3 ACLs, unless you can tie it down to specific ports, it's not possible.

e.g.

access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
int fa0/0.11
 ip access-group 101 in

The above would stop VLAN 11 clients initiating traffic to VLAN 10 clients. But unfortunately it also blocks the return traffic to VLAN 10 from connections initiated from VLAN 10.

Fortunately there are reflexive ACLs, which are able to keep a kind of state, that can be used. Most L3 switches don't support them, but as you are using a router for subinterfaces you should be fine.

Jon
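As an added example (not Jon's configuration), here is the reflexive ACL version of the case above on the same fa0/0.11 subinterface, using the thread's addresses: VLAN 10 (192.168.5.0/24) may open TCP, UDP and ICMP sessions to VLAN 11 (192.168.6.0/24), and VLAN 11 may only answer them. The ACL names, the reflexive list name REFLECT-10-11 and the 300-second timeout are assumptions.

```cisco
! Added example, not configuration from the thread. Addresses are the
! ones in Jon's example; ACL names and the timeout are assumptions.
!
! Idle timeout for the temporary mirror entries (seconds).
ip reflexive-list timeout 300
!
! Applied OUTBOUND on fa0/0.11, i.e. on packets leaving the router towards
! VLAN 11. Each session VLAN 10 opens creates a temporary entry in the
! reflexive list REFLECT-10-11 with source/destination addresses and
! ports swapped, which is exactly the shape of the reply packets.
ip access-list extended TO-VLAN11-OUT
 permit tcp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 reflect REFLECT-10-11
 permit udp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 reflect REFLECT-10-11
 permit icmp 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255 reflect REFLECT-10-11
 permit ip any any
!
! Applied INBOUND on fa0/0.11, i.e. on packets VLAN 11 sends. "evaluate"
! permits only packets that match a live mirror entry; any other attempt
! by VLAN 11 to reach VLAN 10 hits the deny. VLAN 11 keeps its other
! destinations (internet, other VLANs as policy allows).
ip access-list extended FROM-VLAN11-IN
 evaluate REFLECT-10-11
 deny   ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255 log
 permit ip 192.168.6.0 0.0.0.255 any
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.6.1 255.255.255.0
 ip access-group TO-VLAN11-OUT out
 ip access-group FROM-VLAN11-IN in
```

While a session from VLAN 10 is open, `show access-lists` shows the temporary entry under REFLECT-10-11 and it disappears when the TCP session closes or the timeout expires. Two caveats: reflexive ACLs only mirror the addresses and ports of the first packet, so protocols that open extra channels (active FTP, for instance) are not handled, and entries are not created for traffic the router itself originates. When that matters, CBAC or ZBF, which inspect the protocol rather than just mirroring the 5-tuple, are the next step up.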