Connecting Lab to Production Network

I want to connect my lab rack to a working network via the AUI on my access server. Problem is I don't want my lab gear talking to all the other Cisco stuff on our network. What is the best solution? Can I use a Cisco switch or router as a firewall between my lab and production network to block everything but Telnet?

Nothing from my lab can get out to the production network except Telnet.

Comments

  • networker050184 Mod Posts: 11,962
    Use an ACL to deny/permit the traffic you want.
    An expert is a man who has made all the mistakes which can be made.
  • Forsaken_GA Member Posts: 4,024
    I want to connect my lab rack to a working network via the AUI on my access server. Problem is I don't want my lab gear talking to all the other Cisco stuff on our network. What is the best solution? Can I use a Cisco switch or router as a firewall between my lab and production network to block everything but Telnet?

    Nothing from my lab can get out to the production network except Telnet.

    If this is an access server that just connects to your lab routers over their console ports, then it's a non-issue. Just set the access server's Ethernet interface up like it's a host on the network and you're fine, I'd be pretty impressed if you found a way to route traffic through a console session :)

    If you've actually got IP connectivity to your lab rack from your access server (i.e., you're using two interfaces on your access server), then yeah, just stick an ACL on the interface connecting the access server and the production network and you'll be fine.
  • mikej412 Member Posts: 10,086
    AUI port makes it sound like a 2509 or 2511. If you're not using the access server as part of your lab (nothing hooked up to the serial ports), then it's not much of an issue. You can disable IP routing and define a default gateway and let it be just another host on the network.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • boostinbadger Member Posts: 256
    The rack is going to be in another room so the console port won't work.

    It is a 2509. The only problem is it keeps doing duplex mismatches on the 2509 and probably on the production side too. I am sure the engineers will see this. I don't even want them to see my gear using CDP.

    I am trying to set up a 2940 with an ACL to only allow Telnet through. Problem is...I'm rusty after going on Cisco hiatus for almost a year.

    **Note: I don't have access to the Cisco gear on the production side of the network
  • tiersten Member Posts: 4,505
    I am trying to set up a 2940 with an ACL to only allow Telnet through.
    Huh? On a Catalyst 2940?
    It is a 2509. The only problem is it keeps doing duplex mismatches on the 2509 and probably on the production side too. I am sure the engineers will see this. I don't even want them to see my gear using CDP.
    Turn off CDP then :P
  • boostinbadger Member Posts: 256
    Ok, I have CDP turned off....duh

    I know it seems a little unorthodox to use a 2940 to handle this, but it is what I have. I understand firewalls typically run at L3 and I am trying to make this work on an L2 device.

    I used an extended ACL:

    permit tcp 10.13.0.0 0.0.255.255 any eq telnet

    I understand the implicit deny is there. Is this the best method?

    How do I apply this to an interface or vlan?
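Added example (not written by any poster in the thread, and not Cisco code): a small Python model of how the single ACL entry posted above is evaluated, with first-match ordering, the wildcard mask and the implicit deny, run against constructed packets. The `Ace` and `Packet` types, the sample addresses outside 10.13.0.0/16 and the TCP-only simplification are assumptions of this sketch.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):          # one "tcp <src> <wildcard> any [eq port]" entry
    action: str                 # "permit" or "deny"
    src: str                    # source network
    wildcard: str               # Cisco wildcard mask: 1-bits are "don't care"
    dst_port: Optional[int]     # None matches any destination port

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dst_port: int

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True when addr equals net on every bit the wildcard mask leaves at 0."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if pkt.proto != "tcp":          # this model only holds tcp entries
            continue
        if not wildcard_match(pkt.src, ace.src, ace.wildcard):
            continue
        if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
            continue
        return ace.action
    return "deny (implicit)"

# The entry from the thread: permit tcp 10.13.0.0 0.0.255.255 any eq telnet
ACL = [Ace("permit", "10.13.0.0", "0.0.255.255", 23)]

# Constructed sample packets (hosts and ports are made up for illustration).
SAMPLES = {
    "telnet from 10.13/16": Packet("tcp", "10.13.4.20", "192.0.2.10", 23),
    "ssh from 10.13/16": Packet("tcp", "10.13.4.20", "192.0.2.10", 22),
    "telnet from other net": Packet("tcp", "10.14.0.5", "192.0.2.10", 23),
    "telnet reply (src port 23)": Packet("tcp", "192.0.2.10", "10.13.4.20", 40001),
    "icmp from 10.13/16": Packet("icmp", "10.13.4.20", "192.0.2.10", 0),
}

def results() -> dict:
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:28} -> {verdict}")
```

The reply packet falling to the implicit deny shows why the direction and interface an ACL is applied to matter: this one entry matches only the client-to-server half of a Telnet session.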