The Layer 3 core switch that is found in the Campus module of the medium-sized network design provides the following functionality:
VLAN segregation
Access filtering
You can implement this functionality by using the configurations discussed in the following sections.
VLAN segregation within the Campus module, as shown in Figure 16-1, uses the following five VLANs:
VLAN10 Corporate Internet module link
VLAN11 Corporate servers
VLAN12 Corporate users
VLAN13 WAN module link
VLAN20 Management
The configuration in Example 16-1 defines the preceding VLANs.
interface Vlan10
 description ** Link to Corporate Internet Module ***
 ip address corporate-internet-VLAN-IP mask
!
interface Vlan11
 description ** Corporate Servers ***
 ip address corporate-server-VLAN-IP mask
!
interface Vlan12
 description ** Corporate Users ***
 ip address corporate-user-VLAN-IP mask
!
interface Vlan13
 description ** Link to WAN Module ***
 ip address WAN-module-VLAN-IP mask
!
interface Vlan20
 description ** Management ***
 ip address management-VLAN-IP mask
The following is a summary of the commands that you should be aware of, at a minimum, regarding Layer 3 filtering:
Layer 3 and 4 filtering and RFC filtering:
- access-list command
- access-group command
Trust exploitation:
- set vlan command (configures private VLANs, if practical)
CAM table overflow and ARP spoofing attacks:
- set port security command
- show port command
Access filtering within the Campus module takes place on the corporate servers and corporate users VLANs and the management VLAN in the configuration example that follows. This filtering is applied to the appropriate VLAN interface by using the ip access-group command.
Apply RFC 2827 filtering to the corporate servers VLAN:
interface Vlan11
 ip access-group 110 in
!
! RFC 2827: only packets sourced from this VLAN's own address space may enter
access-list 110 permit ip corporate-servers-network any
access-list 110 deny ip any any log
Apply RFC 2827 filtering to the corporate users VLAN:
interface Vlan12
 ip access-group 111 in
!
! RFC 2827: only packets sourced from this VLAN's own address space may enter
access-list 111 permit ip corporate-users-network any
access-list 111 deny ip any any log
Restrict access to the management VLAN:
interface Vlan20
 ip access-group 120 out
!
! Corporate servers reaching the management server on the specific service ports
access-list 120 permit tcp host corporate-server-IP eq service host management-server-IP
access-list 120 permit udp host corporate-server-IP eq service host management-server-IP
!
! PIX inside interface reaching the management server; eq matches a port,
! so these entries must name tcp or udp rather than ip
access-list 120 permit tcp host PIX-inside-IP host management-server-IP eq service
access-list 120 permit udp host PIX-inside-IP host management-server-IP eq service
!
! Everything else destined for the management VLAN is dropped and logged
access-list 120 deny ip any any log
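To check what the RFC 2827 filters (ACLs 110/111) and the management VLAN filter (ACL 120) actually permit before deploying them, the following is an added example, not part of the original chapter or Cisco's code: a small model of IOS access-list semantics (first match wins, implicit deny at the end, log only where the entry says so). The addresses and the syslog port stand in for the page's placeholders and are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # "eq <service>" on the destination, if any
    log: bool = False            # trailing "log" keyword

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0

def host(addr):
    """IOS 'host a.b.c.d' is a /32."""
    return ipaddress.ip_network(f"{addr}/32")

def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport))

def evaluate(acl, p):
    """First matching entry wins; an unmatched packet hits the implicit deny, which is not logged."""
    for e in acl:
        if matches(e, p):
            return e.action, e.log
    return "deny", False

# Constructed sample values standing in for the page's placeholders.
SERVERS_NET = ipaddress.ip_network("10.1.11.0/24")   # corporate-servers-network (VLAN11)
MGMT_SERVER = host("10.1.20.10")                      # management-server-IP (VLAN20)
SYSLOG = 514                                          # the "service" a server may send to management

# ACL 110: RFC 2827 ingress filter on the corporate servers VLAN.
acl_110 = [Entry("permit", "ip", SERVERS_NET, ANY),
           Entry("deny", "ip", ANY, ANY, log=True)]

# ACL 120 (one server, one service): only that udp flow may enter the management VLAN.
acl_120 = [Entry("permit", "udp", host("10.1.11.5"), MGMT_SERVER, SYSLOG),
           Entry("deny", "ip", ANY, ANY, log=True)]
```

Run `evaluate(acl_110, Packet("tcp", "10.1.12.7", "192.0.2.1"))` to see a users-VLAN address appearing on the servers VLAN dropped and logged, which is exactly the event the `log` keyword is there to surface.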