Securing VLAN so it has limited access

(OP)
I have a feeling this can be done but I'm not exactly sure how it can be achieved. Not sure if it would be done in Catalyst router or ASA (or parts in both).

Scenario:
  • ASA5520 as firewall. Interface GiEth0/0 security-level 100 as 'inside network', interface GiEth0/1 security-level 0 as 'outside network', interface GiEth0/2 security-level 100 as 'dmz network'. IP 10.15.0.1/16
  • Catalyst 4507 as core router. IP 10.10.32.88/16 (VLAN10). Multiple VLANs 11 (10.11.x.x/16), 20 (10.20.x.x/16) etc
  • DHCP server on VLAN11 (10.11.0.7/16). All VLANs have an ip-helper address pointing to this.
  • I want to create VLAN80 (10.80.x.x/16) and allow it DHCP, but stop traffic to all other VLANs (including servers on the same VLAN as the DHCP server) while still allowing Internet.
I've read a bit about the security-level feature: giving one VLAN a higher value than another to restrict access. But VLANs aren't defined in the ASA, only in the Catalyst, and this feature isn't available in the Catalyst for some reason.

Any ideas on how this could be achieved?

RE: Securing VLAN so it has limited access

DMZ I'd put at 50 and create ACLs from DMZ to inside if need be. Having two interfaces on the same security level creates unique situations you don't want to have to deal with, unless you click the two check boxes allowing devices to talk to each other between the same security level under the interfaces menu, or do the same using the CLI...

As for the interfaces, you connect the ASA to the 'core' (take 2 to be on the same side for port failures, and create a port-channel interface on the ASA and a channel-group on the 'core'),
click add interface,
you can drop down to port-channel and then create VLAN interfaces... sub-interfaces really. You match VLAN numbers, and on the 'core' you trunk them to the ASA on the proper channel-group.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
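An added configuration example, not from either poster, showing the Catalyst-side alternative to the ASA sub-interface approach: an extended ACL applied inbound on the VLAN 80 SVI of the 4507 that permits DHCP to the relay target, blocks the rest of the internal 10.x address space, and lets everything else go on to the ASA for Internet. Addresses are those from the scenario in the question; the SVI gateway address 10.80.0.1, the ACL name, and the DNS placeholder are assumptions.

```cisco
! Assumption: VLAN 80 SVI is the clients' gateway at 10.80.0.1/16
ip access-list extended VLAN80-RESTRICT
 ! DHCP: clients broadcast DISCOVER/REQUEST to 255.255.255.255 and unicast
 ! renewals to the server, so match destination "any" on port bootps. The
 ! helper address below forwards them to 10.11.0.7.
 permit udp any eq bootpc any eq bootps
 ! Internal DNS, only if clients must resolve against a server on another
 ! VLAN (the post does not name one; replace the placeholder before use)
 ! permit udp 10.80.0.0 0.0.255.255 host <DNS-SERVER-IP> eq domain
 ! Block VLAN 80 from reaching every other internal VLAN (10.0.0.0/8),
 ! including the servers that share VLAN 11 with the DHCP server
 deny   ip 10.80.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 ! Anything else (i.e. Internet via the ASA) is allowed, but only from
 ! VLAN 80's own prefix; spoofed sources hit the implicit deny
 permit ip 10.80.0.0 0.0.255.255 any
!
interface Vlan80
 ip address 10.80.0.1 255.255.0.0
 ip helper-address 10.11.0.7
 ip access-group VLAN80-RESTRICT in
```

The Catalyst ACL is stateless and filters only traffic that VLAN 80 initiates; other VLANs can still reach VLAN 80 unless you add a matching outbound ACL, or move the inter-VLAN boundary onto the stateful ASA as the reply suggests.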
