3.2 Securing the network
Consider the network of Figure 3.1, where the switch is used to route between two VLANs. Routing
allows all devices on each network to access all other devices, i.e. devices on one routing VLAN can
access all devices on its routing VLAN partner. This may not be desired.
In the network of Figure 3.1, VLAN-B-22 was a wireless LAN. An exception was PC 1 on that VLAN,
which was physically connected to switch port 19. Despite this wireless network having WPA2 protection,
it was vulnerable to the unauthorized and physically unseen connection of devices. However, it was
through this VLAN that all devices accessed the Internet. The switch was configured to allow such
Internet access while denying any access from the wireless network to VLAN-A-12.
The design of the switch configurations was:
1. No device on the wireless network was to have access to any device on VLAN-A-12
2. All devices on the network of Figure 3.1 were to have Internet access
3. PC 1 was to have access to all devices on VLAN-A-12 except PC 2
4. PC 2 was to have access to PC 1
Item 1 was, at least, to inhibit access by the wireless network to the printer and NAS of VLAN-A-12. Item
2 allows all devices access to the Internet through the wireless network, via the wireless extender at
port 23 of the switch. Items 3 and 4 were of a less significant nature.
3.2.1 Implementation overview
A combination of IP and MAC address based ACLs provided the switch configuration solutions to the
design requirements. Because the configuration of the wireless network was established by the Internet
gateway of Figure 3.1, a wireless device needed to have an IP address of the form 192.168.8.x. This
wireless network entered the switch through the wireless extender at port 23. An ACL based on source
IP addresses provided a solution to Item 1.
The wireless network also provided the Internet connection not only for the devices on the wireless
network and on VLAN-B-22, but also for the devices on VLAN-A-12. This was the way routing had
been set up on the switch. So care was needed in setting up the configuration supporting Item 1 so
as not to prohibit the Internet connection for the VLAN-A-12 based devices.
Since PC 1 and PC 2 were known devices, their MAC addresses were also known. Hence a MAC-based ACL was
used to satisfy Items 3 and 4 of the design.
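The following is an added example, not code from the manual: a small model of the source-IP ACL on port 23 that checks Items 1 and 2 against sample packets, and shows why a destination-only deny (the pitfall the paragraph above warns about) would cut off Internet replies to VLAN-A-12. It assumes VLAN-A-12 uses 192.168.12.0/24 (the page only gives the wireless network as 192.168.8.x), first-match evaluation by rule ID, and an implicit deny at the end of the ACL.

```python
# Added example (not from the manual): model of the port 23 source-IP ACL from Section 3.2.
# Assumptions not on the page: VLAN-A-12 uses 192.168.12.0/24; rules are evaluated first
# match by rule ID with an implicit deny at the end (a common ACL convention).
from ipaddress import ip_address, ip_network

WIRELESS_NET = ip_network("192.168.8.0/24")   # page: wireless devices are 192.168.8.x
VLAN_A_NET = ip_network("192.168.12.0/24")    # assumed subnet for VLAN-A-12
INTERNET_HOST = "203.0.113.10"                # constructed (RFC 5737 documentation range)
VLAN_A_HOST = "192.168.12.20"                 # constructed NAS address on VLAN-A-12
WIRELESS_HOST = "192.168.8.50"                # constructed wireless client address


def evaluate(acl, src, dst):
    """Return the action of the first rule matching (src, dst); implicit deny otherwise.
    Each rule is (rule_id, action, src_net_or_None, dst_net_or_None); None matches any."""
    src, dst = ip_address(src), ip_address(dst)
    for _, action, src_net, dst_net in sorted(acl, key=lambda r: r[0]):
        if (src_net is None or src in src_net) and (dst_net is None or dst in dst_net):
            return action
    return "deny"


# ACL applied on ingress at port 23 (wireless extender), as in 3.2.2: rule 5 denies the
# wireless source network reaching VLAN-A-12; a later permit keeps other traffic flowing.
PORT23_ACL = [
    (5, "deny", WIRELESS_NET, VLAN_A_NET),
    (10, "permit", None, None),
]

# A tempting shortcut: deny anything addressed to VLAN-A-12 on port 23. Internet replies
# to VLAN-A-12 also enter on port 23, so this breaks Item 2 for VLAN-A-12 devices.
PORT23_ACL_TOO_BROAD = [
    (5, "deny", None, VLAN_A_NET),
    (10, "permit", None, None),
]


def check_design(acl):
    """Items 1 and 2 of the design expressed as packet checks on the port 23 ACL."""
    return {
        "item1_wireless_to_vlan_a": evaluate(acl, WIRELESS_HOST, VLAN_A_HOST),   # want deny
        "item2_internet_reply_to_vlan_a": evaluate(acl, INTERNET_HOST, VLAN_A_HOST),  # want permit
    }


if __name__ == "__main__":
    print("designed ACL :", check_design(PORT23_ACL))
    print("too-broad ACL:", check_design(PORT23_ACL_TOO_BROAD))
```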
3.2.2 Wireless and Internet
Since the wireless network connected to the switch through port 23, all packets arriving on that port were
to be discarded by the switch. To do this an ACL was created using the switch menu sequence:
Security > ACL > ACL Wizard
to bring up the ACL Type Selection screen. From the ACL Type pull-down menu, ACL Based
on Source IPv4 was selected, resulting in an ACL Based on Source IPv4 screen being displayed. Into
this set of entry windows, the value 5 was typed into the Rule ID window, Deny was selected from the Action
pull-down menu, False from the Match Every pull-down menu, 192.168.8.16 was typed into the