Security Design Question

Comments

  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Spending money won't be the thing lol. More than likely, this is going to have to be something built from FOSS software. You can actually install snort on pfsense. If it comes to it, I might just build a few of those boxes instead of my general snort boxes just to appease the other guy so we can move on in life. I say that because more than likely, my boss will take his side on this (I don't know why but I just have a feeling she will) so if I can just give them what they want and still get what I want, all will be well.
  • SteveO86 (Member, Posts: 1,423)
    Great information! I am going to have to give this a once-over. Since our meeting about network design has been pushed back till Monday, I'll have more time to prepare my design.

    > OK, I still haven't been able to figure this out. Say I have switches set up like this:
    >
    > 3560>>3560>>3550
    >
    > or like this:
    >
    > 3560>>3550>>3560
    >
    > or even like this:
    >
    > 3550>>2950>>3560
    >
    > Could I still deploy private VLANs between the two 3560s? Like, if any frames have to traverse a path that doesn't read private VLANs, does that negate the ability to use private VLANs? Also, if the direct path of the switches can read private VLANs but they all terminate into switches that either don't read private VLANs or aren't configured for them, does that negate the ability to use them? I hope my question makes sense lol

    To be honest I haven't had to do a PVLAN trunk yet, but it does sound like an interesting lab to run with Wireshark to see what happens. (or at least some debug commands on the lower end switch).

    From what I've gathered from Cisco documentation:
    > Note: Multiple PVLAN pairs can be specified using this command so that a PVLAN trunk port can carry multiple secondary VLANs. If an association is specified for the existing primary VLAN, the existing association is replaced. If there is no trunk association, any packets received on secondary VLANs are dropped.

    Found here

    I have some 2960s but not 2950s... On my 2960s I don't appear to have any private-vlan command syntax at all, so it appears the 2960 would drop the packets.


    There is information here concerning using a 4500 (only because it supports PVLANs; you should be able to do the same with a 3560) that supports PVLANs and a 2950 that does not (about a quarter down the page, under Isolated PVLAN Trunk Ports):
    > In this illustration, a Catalyst 4500 switch is being used to connect a downstream switch that does not support PVLANs.
    >
    > Traffic being sent in the downstream direction towards host1 from the router is received by the Catalyst 4500 series switch on the promiscuous port and in the primary VLAN (VLAN 10). The packets are then switched out of the isolated PVLAN trunk, but rather than being tagged with the primary VLAN (VLAN 10) they are instead transmitted with the isolated VLAN's tag (VLAN 11). In this way, when the packets arrive on the non-PVLAN switch, they can be bridged to the destination hosts' access port.
    >
    > Traffic in the upstream direction is sent by host1 to the non-PVLAN switch, arriving in VLAN 11. The packets are then transmitted to the Catalyst 4500 series switch tagged with that VLAN's tag (VLAN 11) over the trunk port. On the Catalyst 4500 series switch, VLAN 11 is configured as the isolated VLAN, and the traffic is forwarded as if it came from an isolated host port.

    So the client ports on the switch that does not support PVLANs need to be in a VLAN, and on the switch that supports PVLANs the same VLAN number must be configured as an isolated secondary VLAN...

    Try wrapping your head around that one...

    (Hope this helps; it took a bit to find this information and then I had to read it a few times to really get it. I'm content with PVLANs running on a single switch... for now anyway, till I get even more time to tackle this concept. Of course I don't have that many high-end switches to lab with at all nowadays.)

    (I really hope I did not de-rail the main purpose of this thread since it was primarily concerning double firewalls. I only mentioned the PVLANs for increased security in the DMZ)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
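    As an added illustration (not from the thread, and not Cisco's own documentation), here is the two-switch setup the quoted passage describes, written out as IOS configuration: VLAN 10 as the primary, VLAN 11 as the isolated secondary, a promiscuous port toward the router, and an isolated PVLAN trunk toward a downstream 2950 that only knows VLAN 11 as an ordinary VLAN. Interface names, the VLAN numbers and the 2950 are all assumptions.

```cisco
! Added example, not from the thread or Cisco's docs. Assumed: VLAN 10 = primary,
! VLAN 11 = isolated, the interface names, and a 2950 as the non-PVLAN switch.
!
! ===== Catalyst 4500 (supports PVLANs) =====
vlan 11
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 11
!
! Promiscuous port toward the router: the only thing VLAN 11 hosts may talk to
interface GigabitEthernet1/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 11
!
! Isolated PVLAN trunk toward the 2950: downstream frames leave tagged with the
! isolated VLAN (11), not the primary (10), so the 2950 can bridge them normally
interface GigabitEthernet1/2
 switchport mode private-vlan trunk secondary
 switchport private-vlan trunk allowed vlan 11
 switchport private-vlan association trunk 10 11
!
! ===== Downstream 2950 (no PVLAN support) =====
! VLAN 11 is just an ordinary VLAN here; the 2950 never learns about VLAN 10
vlan 11
!
interface FastEthernet0/24
 description uplink to 4500 Gi1/2
 switchport mode trunk
 switchport trunk allowed vlan 11
!
interface FastEthernet0/1
 description host1
 switchport mode access
 switchport access vlan 11
!
! Caveat: host1 and any other VLAN 11 port on this 2950 are NOT isolated from
! each other; the 2950 bridges them locally like any VLAN. Isolation is enforced
! only on the 4500, for traffic that actually crosses Gi1/2.
```

    On the 4500, `show vlan private-vlan` should list VLAN 10 as primary with VLAN 11 as its isolated secondary and Gi1/1 and Gi1/2 as members; if the trunk association is missing, the note quoted above applies and frames arriving in VLAN 11 are dropped.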
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Well, we had our discussion today and we are basically going to go with a blend of what the other guy and I said. So now I get to roll out a pfsense firewall w/ snort plug-ins. I purchased this book: Amazon.com: pfSense: The Definitive Guide (9780979034282): Christopher M. Buechler, Jim Pingle, Michael W. Lucas: Books

    I plan to play with it tonight on my main network.
  • phoeneous (Member, Posts: 2,333)
    Have fun with that
  • Forsaken_GA (Member, Posts: 4,024)
    > Well, we had our discussion today and we are basically going to go with a blend of what the other guy and I said. So now I get to roll out a pfsense firewall w/ snort plug-ins. I purchased this book: Amazon.com: pfSense: The Definitive Guide (9780979034282): Christopher M. Buechler, Jim Pingle, Michael W. Lucas: Books
    >
    > I plan to play with it tonight on my main network.

    You may also want to pick up the Book of pf to supplement your knowledge. I'm a huge fan of pfSense, but it's basically a stripped-down FreeBSD with a webgui to configure the basic tools. Knowing how pf works at the OS level is a good thing.