Shared Server / Shared Internet Access Application
Servers: V2, V3, V4
• Shared servers (mail server, data server, Internet access servers) can be accessed by all user groups, but access between the groups is not allowed (for performance or security reasons).
• L2 solution: Asymmetric VLAN or Traffic Segmentation.
• L3 solution: L3 switch + ACL to limit the access between groups.
Traffic Segmentation: Standalone ISP
• V1: ports 1-8, Shared Server(s) or Internet Gateway
• V2: ports 9-16, VLAN2 users (PC or hub/switch)
• V3: ports 17-24, VLAN3 users (PC or hub/switch)
• Requirement:
• V2 and V3 can access V1 for the shared server (with IPX, the same IP network, AppleTalk, NetBEUI, etc.).
• V2 and V3 can access the Internet Gateway for Internet access using the same IP network.
• No access between V2 and V3.
Addressing: V1 servers 192.168.1.x; V1 Internet Gateway 192.168.1.1; V2 hosts 192.168.1.x, Gw 192.168.1.1; V3 hosts 192.168.1.x, Gw 192.168.1.1
Configuration:
config traffic_segmentation 1-24 forwarding_list 1-24
config traffic_segmentation 9-16 forwarding_list 1-16
config traffic_segmentation 17-24 forwarding_list 1-8,17-24
L3 Switch Shared Server Application
Scenario: only the shared IP network can be accessed (DES-3326S)
• Net1 (192.168.1.x) can be accessed by Net2, Net3 and Net4.
• Net2, Net3 and Net4 cannot access each other.
Addressing: Net1 (servers) 192.168.1.x/24, Gw 192.168.1.1; Net2 192.168.2.x/24, Gw 192.168.2.1; Net3 192.168.3.x/24, Gw 192.168.3.1; Net4 192.168.4.x/24, Gw 192.168.4.1
L3 Switch Shared Server Application
• Rules:
• If Dest. IP = 192.168.1.x, permit
• If Src. IP = 192.168.1.x, permit
• If Dest. IP = 192.168.2.x and Src. IP = 192.168.2.x, permit
• If Dest. IP = 192.168.3.x and Src. IP = 192.168.3.x, permit
• If Dest. IP = 192.168.4.x and Src. IP = 192.168.4.x, permit
• Deny others
# create access_profile rules
# permit only 192.168.1.x to be accessed by the other subnets
create access_profile ip destination_ip_mask 255.255.255.0 permit profile_id 10
config access_profile profile_id 10 add access_id 11 ip destination_ip 192.168.1.2
create access_profile ip source_ip_mask 255.255.255.0 permit profile_id 20
config access_profile profile_id 20 add access_id 21 ip source_ip 192.168.1.2
# permit 192.168.2.x, 192.168.3.x and 192.168.4.x to access hosts within their own subnet
create access_profile ip source_ip_mask 255.255.255.0 destination_ip_mask 255.255.255.0 permit profile_id 30
config access_profile profile_id 30 add access_id 31 ip source_ip 192.168.2.2 destination_ip 192.168.2.2
config access_profile profile_id 30 add access_id 32 ip source_ip 192.168.3.2 destination_ip 192.168.3.2
config access_profile profile_id 30 add access_id 33 ip source_ip 192.168.4.2 destination_ip 192.168.4.2
#### other nets are added here
# deny others
create access_profile ip source_ip_mask 0.0.0.0 deny profile_id 40
config access_profile profile_id 40 add access_id 41 ip source_ip 0.0.0.0
• Test:
• Net2 (192.168.2.x), Net3 and Net4 PCs can ping the Net1 PC (192.168.1.x).
• Net2, Net3 and Net4 PCs cannot ping each other.
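To check the ACL logic before committing it to a switch, the following added example (not part of the original slides) models the four profiles as an ordered rule table and evaluates the slide's ping tests against it. It assumes first-match semantics with the lowest profile_id evaluated first; the host addresses used in the checks are constructed.

```python
from ipaddress import ip_address, ip_network

# Subnets from the slide: Net1 is the shared server network, Net2-4 are user groups.
SHARED_NET = ip_network("192.168.1.0/24")
GROUP_NETS = [ip_network("192.168.2.0/24"),
              ip_network("192.168.3.0/24"),
              ip_network("192.168.4.0/24")]


def build_rules():
    """Ordered rule table mirroring profile_id 10, 20, 30 and 40 on the slide.

    Each entry is (profile_id, src_net, dst_net, action); None means 'any'.
    The /24 masks stand in for the 255.255.255.0 masks in the switch config.
    """
    rules = [(10, None, SHARED_NET, "permit"),   # any -> shared servers
             (20, SHARED_NET, None, "permit")]   # shared servers -> any (replies)
    for net in GROUP_NETS:                       # intra-group traffic stays allowed
        rules.append((30, net, net, "permit"))
    rules.append((40, None, None, "deny"))       # deny everything else
    return rules


def evaluate(src, dst, rules=None):
    """Return (action, profile_id) of the first rule matching the src/dst pair.

    First-match ordering by ascending profile_id is an assumption of this model.
    """
    rules = rules if rules is not None else build_rules()
    s, d = ip_address(src), ip_address(dst)
    for pid, src_net, dst_net, action in rules:
        if (src_net is None or s in src_net) and (dst_net is None or d in dst_net):
            return action, pid
    return "deny", None  # implicit deny if no catch-all rule were present


def run_slide_tests():
    """Replay the slide's test matrix with constructed host addresses."""
    cases = {
        ("192.168.2.10", "192.168.1.5"): "permit",   # Net2 -> Net1 server
        ("192.168.1.5", "192.168.2.10"): "permit",   # server reply to Net2
        ("192.168.3.10", "192.168.1.5"): "permit",   # Net3 -> Net1 server
        ("192.168.2.10", "192.168.2.20"): "permit",  # inside Net2
        ("192.168.2.10", "192.168.3.10"): "deny",    # Net2 -> Net3 blocked
        ("192.168.4.10", "192.168.2.10"): "deny",    # Net4 -> Net2 blocked
    }
    return {pair: evaluate(*pair)[0] == expected for pair, expected in cases.items()}
```

Because the table permits every packet whose source is 192.168.1.x, a compromised shared server can still reach any group; only group-to-group traffic is isolated by this design.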