Connecting Lab to Production Network

I want to connect my lab rack to a working network via the AUI on my access server. Problem is I don't want my lab gear talking to all the other Cisco stuff on our network. What is the best solution? Can I use a Cisco switch or router as a firewall between my lab and production network to block everything but Telnet?

Nothing from my lab can get out to the production network except Telnet.

Find more posts tagged with

Comments

networker050184

Use an ACL to deny/permit the traffic you want.

Forsaken_GA

boostinbadger wrote: »

I want to connect my lab rack to a working network via the AUI on my access server. Problem is I don't want my lab gear talking to all the other Cisco stuff on our network. What is the best solution? Can I use a Cisco switch or router as a firewall between my lab and production network to block everything but Telnet?

Nothing from my lab can get out to the production network except Telnet.

If this is an access server that just connects to your lab routers over their console ports, then it's a non issue. Just set the access servers ethernet interface up like it's a host on the network and you're fine, I'd be pretty impressed if you found a way to route traffic through a console session

If you've actually got IP connectivity to your lab rack from your access server (ie, you're using two interfaces on your access server), then yeah, just stick an ACL on the interface connecting the access server and the production network and you'll be fine.

mikej412

AUI port makes it sound like a 2509 or 2511. If you're not using the access server as part of you lab (nothing hooked up to the serial ports), then it's not much of an issue. You can disable ip routing and define a default gateway and let it be just another host on the network.

boostinbadger

The rack is going to be in another room so the console port won't work.

It is a 2509. The only problem is it keeps doing duplex mismatches on the 2509 and probably on the production side too. I am sure the engineers will see this. I don't even want them to see my gear using CDP.

I am trying to set up a 2940 with an ACL to only allow Telnet through. Problem is...I'm rusty after going on Cisco hiatus for almost a year.

**Note: I don't have access to the Cisco gear on the production side of the network

tiersten

boostinbadger wrote: »

I am trying to set up a 2940 with an ACL to only allow Telnet through.

Huh? On a Catalyst 2940?

boostinbadger wrote: »

It is a 2509. The only problem is it keeps doing duplex mismatches on the 2509 and probably on the production side too. I am sure the engineers will see this. I don't even want them to see my gear using CDP.

Turn off CDP then :P

boostinbadger

Ok, I have CDP turned off....duh

I know it seems a little unorthodox to use a 2940 to handle this, but it is what I have. I understand firewalls typically run at L3 and I am trying to make this work on an L2 device.

I used an extended acl:

permit tcp 10.13.0.0 0.0.255.255 any eq telnet

I understand the implicit deny is there. Is this the best method?

How do I apply this to an interface or vlan?