VLANs for a DORM to isolate rooms from each other?

Archived from groups: alt.computer.security,alt.computers.security,comp.security.firewalls (More info?)

I have a client with a dorm of 100 students. They currently (not my
design) use a stack of switches and connect all users to a single DHCP
scope for addresses and then NAT it to internet access.

As you can guess, this really causes problems when one or more of the
kids get infected.

I was thinking of purchasing a couple managed switches, setting up one
VLAN per switch port to keep each network jack isolated from the others.
I would still need a single DHCP server to provide addresses to the kids
network devices, and I would want them to all use the same NAT internet
solution, just to be isolated from each other.

Anyone got any feedback on VLAN's using a managed switch to build this?


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Leythos <void@nowhere.com> wrote in news:MPG.1ae5fe574de8815198a3ad@news-server.columbus.rr.com:

> I have a client with a dorm of 100 students. They currently (not my
> design) use a stack of switches and connect all users to a single DHCP
> scope for addresses and then NAT it to internet access.
>
> As you can guess, this really causes problems when one or more of the
> kids get infected.
>
> I was thinking of purchasing a couple managed switches, setting up one
> VLAN per switch port to keep each network jack isolated from the others.
> I would still need a single DHCP server to provide addresses to the kids
> network devices, and I would want them to all use the same NAT internet
> solution, just to be isolated from each other.
>
> Anyone got any feedback on VLAN's using a managed switch to build this?
>
>

you gonna set up 100 VLANs? why?

your major SPOF is the actual switches' IP address that you use to manage
the switch. got to manage the switch sans IP or telnet.

:-(



Rowdy Yates
"the man who tried and failed miserably"
--
Visit Rowdy's Home Page
http://rowdy_yates2.tripod.com/
 

On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:

> I have a client with a dorm of 100 students. They currently (not my
> design) use a stack of switches and connect all users to a single DHCP
> scope for addresses and then NAT it to internet access.
>
> As you can guess, this really causes problems when one or more of the
> kids get infected.
>
> I was thinking of purchasing a couple managed switches, setting up one
> VLAN per switch port to keep each network jack isolated from the others.
> I would still need a single DHCP server to provide addresses to the kids
> network devices, and I would want them to all use the same NAT internet
> solution, just to be isolated from each other.
>
> Anyone got any feedback on VLAN's using a managed switch to build this?

This probably would not be a good idea. Remember the only way to
communicate between VLANs is to route. So you are going to need 2 ports
per user, one to them, one to an external router. Another option would be
to use VLAN tagging which would allow users to be in their own VLAN as well
as in the VLAN of the default gateway, but everything in the default
gateway's VLAN would need to be 802.1q compliant. I've never tried that
so I don't even know if it would work.

I'm not sure if you can configure this over inter-switch links so you might
need a huge switch to do it this way, probably making cost a factor.
 

W.B wrote:

> On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
>
>
>>I have a client with a dorm of 100 students. They currently (not my
>>design) use a stack of switches and connect all users to a single DHCP
>>scope for addresses and then NAT it to internet access.
>>
>>As you can guess, this really causes problems when one or more of the
>>kids get infected.
>>
>>I was thinking of purchasing a couple managed switches, setting up one
>>VLAN per switch port to keep each network jack isolated from the others.
>>I would still need a single DHCP server to provide addresses to the kids
>>network devices, and I would want them to all use the same NAT internet
>>solution, just to be isolated from each other.
>>
>>Anyone got any feedback on VLAN's using a managed switch to build this?
>
>
> This probably would not be a good idea. Remember the only way to
> communicate between VLANs is to route. So you are going to need 2 ports
> per user, one to them, one to an external router. Another option would be
> to use VLAN tagging which would allow users to be in their own VLAN as well
> as in the VLAN of the default gateway, but everything in the default
> gateway's VLAN would need to be 802.1q compliant. I've never tried that
> so I don't even know if it would work.
>
> I'm not sure if you can configure this over inter-switch links so you might
> need a huge switch to do it this way, probably making cost a factor.


Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
3550s with about 8-10 VLANs, one VLAN per department, and this works
great. Also the added security you get is a plus. One other thing
you will see with doing VLANs is you reduce the amount of broadcast
traffic from all the PCs as the broadcast will not go from one VLAN to
another.


hth,

Chad
 

>
>
> Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
> routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
> 3550s with about 8-10 VLANs, one VLAN per department, and this works
> great. Also the added security you get is a plus. One other thing
> you will see with doing VLANs is you reduce the amount of broadcast
> traffic from all the PCs as the broadcast will not go from one VLAN to
> another.
>
>
> hth,
>
> Cha

Neato. I'll have to check those out. My Catalysts are ancient, but I'm
not in a rush until Cisco managed Gigabit switching gets a little cheaper.

The only other problem with this is, in Leythos's case, all ports would
need to be expensive Cisco Catalyst ports, which is tough on the
pocketbook. But apparently it is plausible.
 

W.B wrote:

>>
>>Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
>>routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
>>3550s with about 8-10 VLANs, one VLAN per department, and this works
>>great. Also the added security you get is a plus. One other thing
>>you will see with doing VLANs is you reduce the amount of broadcast
>>traffic from all the PCs as the broadcast will not go from one VLAN to
>>another.
>>
>>
>>hth,
>>
>>Cha
>
>
> Neato. I'll have to check those out. My Catalysts are ancient, but I'm
> not in a rush until Cisco managed Gigabit switching gets a little cheaper.
>
> The only other problem with this is, in Leythos's case, all ports would
> need to be expensive Cisco Catalyst ports, which is tough on the
> pocketbook. But apparently it is plausible.
This is true **BUT** the switch is also a router, so Leythos would not
need to do one port to one VLAN; instead he could create VLANs on a
per-floor basis and then create ACLs to restrict traffic even when the
machines are in the same VLAN.

Chad
 

In article <1w8m8rbsa6jxu$.1tn71b2al0olu.dlg@40tude.net>,
civikminded@yahoo.com says...
> On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
>
> > I have a client with a dorm of 100 students. They currently (not my
> > design) use a stack of switches and connect all users to a single DHCP
> > scope for addresses and then NAT it to internet access.
> >
> > As you can guess, this really causes problems when one or more of the
> > kids get infected.
> >
> > I was thinking of purchasing a couple managed switches, setting up one
> > VLAN per switch port to keep each network jack isolated from the others.
> > I would still need a single DHCP server to provide addresses to the kids
> > network devices, and I would want them to all use the same NAT internet
> > solution, just to be isolated from each other.
> >
> > Anyone got any feedback on VLAN's using a managed switch to build this?
>
> This probably would not be a good idea. Remember the only way to
> communicate between VLANs is to route. So you are going to need 2 ports
> per user, one to them, one to an external router. Another option would be
> to use VLAN tagging which would allow users to be in their own VLAN as well
> as in the VLAN of the default gateway, but everything in the default
> gateway's VLAN would need to be 802.1q compliant. I've never tried that
> so I don't even know if it would work.
>
> I'm not sure if you can configure this over inter-switch links so you might
> need a huge switch to do it this way, probably making cost a factor.

So, other than installing 100 linksys NAT routers, got any idea on how I
can isolate 100 users in the same network without having to install
anything on their personal computers?

Thanks

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

In article <107qjph6d0lt640@news.supernews.com>, spamme@mah0ney.com
says...
> Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
> routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
> 3550s with about 8-10 VLANs, one VLAN per department, and this works
> great. Also the added security you get is a plus. One other thing
> you will see with doing VLANs is you reduce the amount of broadcast
> traffic from all the PCs as the broadcast will not go from one VLAN to
> another.

Chad, this was what I was looking for. In order to isolate the dorm
rooms from each other I know of about 3 ways to do it, but I was looking
for something like VLANs where it would route all the traffic to port 48
on each switch...

Are you using different subnets for each vlan, I'm assuming you are?

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Leythos wrote:

> In article <107qjph6d0lt640@news.supernews.com>, spamme@mah0ney.com
> says...
>
>>Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
>>routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
>>3550s with about 8-10 VLANs, one VLAN per department, and this works
>>great. Also the added security you get is a plus. One other thing
>>you will see with doing VLANs is you reduce the amount of broadcast
>>traffic from all the PCs as the broadcast will not go from one VLAN to
>>another.
>
>
> Chad, this was what I was looking for. In order to isolate the dorm
> rooms from each other I know of about 3 ways to do it, but I was looking
> for something like VLANs where it would route all the traffic to port 48
> on each switch...
>
> Are you using different subnets for each vlan, I'm assuming you are?
>
Leythos,

Yes I use subnets such as 192.168.100.0/24 for IT then 192.168.200.0/24
for accounting, etc ...

As far as routing traffic to a certain port, very doable **BUT** there
are about a hundred ways to do this, depending on YOUR actual needs. I
would start with this link from cisco:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007e71b.html


http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008014f375.html


However I would not suggest using a VLAN per switch port; remember the
switch is also a router, therefore you can always set up ACLs to restrict
traffic from machines even within the same VLAN. But then again if money
is of no object then yes, one port = one VLAN :)

Chad
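One way to lay out the per-floor VLAN plus ACL design Chad describes above, as an added example that is not from the thread or from Cisco's documentation. It assumes a single Catalyst 3550-class switch; the VLAN IDs, the 192.168.x.0/24 subnets, the DHCP server at 192.168.99.10 and the NAT box at 192.168.99.254 are all constructed values.

```cisco
! Added example (not from the thread): Catalyst 3550-style config, one
! VLAN per floor. VLAN IDs and all addresses are constructed.
ip routing
vlan 10
 name floor1
vlan 20
 name floor2
vlan 99
 name services
!
! The SVI is each floor's default gateway; ip helper-address relays the
! students' DHCP broadcasts to the single DHCP server in VLAN 99.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.99.10
 ip access-group STUDENT-IN in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.99.10
 ip access-group STUDENT-IN in
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
! Internet goes out through the existing NAT box in VLAN 99.
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
! Routed ACL: DHCP and the services VLAN are allowed, the other student
! subnets are not, and everything else (the internet via NAT) is.
ip access-list extended STUDENT-IN
 permit udp any eq bootpc any eq bootps
 permit ip any 192.168.99.0 0.0.0.255
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.20.0 0.0.0.255
 permit ip any any
!
! A routed ACL never sees traffic between two hosts in the same VLAN, so
! 'switchport protected' blocks layer-2 forwarding between protected
! ports on the same switch.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport protected
interface range FastEthernet0/25 - 47
 switchport mode access
 switchport access vlan 20
 switchport protected
interface FastEthernet0/48
 switchport mode access
 switchport access vlan 99
```

Protected ports only isolate hosts on the same switch; once a floor spans several switches the same job needs private VLANs or a routed hop per switch.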
 

In article <107qnsak742o455@news.supernews.com>, spamme@mah0ney.com
says...
> However I would not suggest using a VLAN per switch port; remember the
> switch is also a router, therefore you can always set up ACLs to restrict
> traffic from machines even within the same VLAN. But then again if money
> is of no object then yes, one port = one VLAN :)

Actually, money is a problem. I have about $1000 to find and build a
solution. I don't think it's going to involve CISCO since I can't even
spell CISCO without being charged $10 for it :)

Thanks for all the feedback.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

Leythos wrote:

> In article <107qnsak742o455@news.supernews.com>, spamme@mah0ney.com
> says...
>
>>However I would not suggest using a VLAN per switch port; remember the
>>switch is also a router, therefore you can always set up ACLs to restrict
>>traffic from machines even within the same VLAN. But then again if money
>>is of no object then yes, one port = one VLAN :)
>
>
> Actually, money is a problem. I have about $1000 to find and build a
> solution. I don't think it's going to involve CISCO since I can't even
> spell CISCO without being charged $10 for it :)
>
> Thanks for all the feedback.
>


too funny...



Chad
 

"W.B" <civikminded@yahoo.com> wrote in
news:1w8m8rbsa6jxu$.1tn71b2al0olu.dlg@40tude.net:

> On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
>
>> I have a client with a dorm of 100 students. They currently (not my
>> design) use a stack of switches and connect all users to a single
>> DHCP scope for addresses and then NAT it to internet access.
>>
>> As you can guess, this really causes problems when one or more of the
>> kids get infected.
>>
>> I was thinking of purchasing a couple managed switches, setting up
>> one VLAN per switch port to keep each network jack isolated from the
>> others. I would still need a single DHCP server to provide addresses
>> to the kids network devices, and I would want them to all use the
>> same NAT internet solution, just to be isolated from each other.
>>
>> Anyone got any feedback on VLAN's using a managed switch to build
>> this?
>
> This probably would not be a good idea. Remember the only way to
> communicate between VLANs is to route. So you are going to need 2
> ports per user, one to them, one to an external router. Another
> option would be to use VLAN tagging which would allow users to be in
> their own VLAN as well as in the VLAN of the default gateway, but
> everything in the default gateway's VLAN would need to be 802.1q
> compliant. I've never tried that so I don't even know if it would
> work.
>
> I'm not sure if you can configure this over inter-switch links so you
> might need a huge switch to do it this way, probably making cost a
> factor.

I thought about his idea after I posted. Actually it's an interesting
thought. I am just thinking it might be a serious pain in the butt to
set up. Lots of manual grunt work involved on the switch.

You also make a very good point.

Rowdy Yates
"the man who tried and failed miserably"
--
Visit Rowdy's Home Page
http://rowdy_yates2.tripod.com/
 

In article <MPG.1ae71949ace4bd0f98a3af@news-server.columbus.rr.com>,
void@nowhere.com says...
> In article <1w8m8rbsa6jxu$.1tn71b2al0olu.dlg@40tude.net>,
> civikminded@yahoo.com says...
> > On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
[cut]
> So, other than installing 100 linksys NAT routers, got any idea on how I
> can isolate 100 users in the same network without having to install
> anything on their personal computers?

Hi,

You could use a switch with level 4 ACL to filter/block traffic between
users.

http://www.infoworld.com/article/03/10/24/42TCdell_1.html
http://www1.us.dell.com/content/products/productdetails.aspx/pwcnt_3348?c=us&cs=555&l=en&s=biz


--
ICQ# 114297372