civic00typer (Gawd), joined Dec 5, 2003, 517 messages
I have attached my running configuration for my Cisco 3750G. A quick description of the configuration: I have several hosts and three iSCSI storage appliances that I want to isolate from my public LAN. However, I want to be able to access the management interface from my public LAN. At the same time I want to isolate my iSCSI traffic. I created a separate VLAN (VLAN 500) and moved all ports on my storage network into this VLAN. Then I configured the VLAN interface (for VLAN 500) so I could access the management functions from my storage network. Do I need an ACL on VLAN 500 because I assigned an IP address? I assume that I am safe, as I didn't define any routes between this VLAN and VLAN 1, which is connected to my public LAN.
Please share any suggestions regarding this configuration, security, or performance implications.
Note: Port 21 on my Public LAN Switch is Connected to Port 24 on my SAN Switch.
CISCO 2960G Port Configuration - I don't manage this switch
interface GigabitEthernet0/21
switchport access vlan 3
switchport mode access
no logging event link-status
spanning-tree portfast
CISCO 3750G Stack - I manage this switch
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname CPSANSW
!
boot-start-marker
boot-end-marker
!
username XXXXX privilege 15 secret 5 X
!
no aaa new-model
clock timezone EST -5
clock summer-time EST recurring
switch 1 provision ws-c3750g-24ts
switch 2 provision ws-c3750g-24ts
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip subnet-zero
no ip domain-lookup
ip domain-name chipit.XXXXX
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
certificate self-signed 01
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
no spanning-tree vlan 1,500
!
vlan internal allocation policy ascending
!
vlan 500
name CHIP_STORAGE
!
interface range GigabitEthernet1/0/1 - 23, GigabitEthernet2/0/1 - 24
switchport access vlan 500
switchport mode access
flowcontrol receive desired
!
interface GigabitEthernet1/0/24
description CPSANSW MGMT UPLINK
switchport mode access
!
interface range GigabitEthernet1/0/25 - 28, GigabitEthernet2/0/25 - 28
shutdown
!
interface Vlan1
description MGMT VLAN
ip address 10.65.34.72 255.255.248.0
!
interface Vlan500
description STORAGE VLAN
ip address 10.32.70.1 255.255.255.0
!
ip default-gateway 10.65.32.1
ip classless
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
ip sla enable reaction-alerts
!
no cdp run
!
line con 0
exec-timeout 0 0
login local
line vty 0 4
access-class 2 in
login local
transport input ssh
line vty 5 15
access-class 3 in
login local
transport input ssh
!
ntp clock-period 36029026
ntp server X
end
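An added audit script, not from the original post and not a Cisco tool, that reads an IOS running-config as text and reports the two things the question turns on. On a 3750 stack, whether the switch forwards between the Vlan1 subnet (10.65.34.72/21) and the Vlan500 subnet (10.32.70.1/24) is decided by `ip routing`, not by static routes: once routing is enabled, both are connected routes and traffic flows between them immediately. The posted config has no `ip routing` line and uses `ip default-gateway`, so it is operating in Layer 2 mode and the SVIs are management addresses only. The script also lists ACLs that the config references (`ip http access-class 1`, `access-class 2 in`, `access-class 3 in`) but whose `access-list` definitions do not appear in the posted text. The embedded sample config is a constructed excerpt of the posted lines; the function names and finding texts are this script's own.

```python
"""Audit a Cisco IOS running-config (as text) for the isolation questions above:
do addressed SVIs make the VLANs routable, and are the referenced ACLs defined?
Added example; function names and checks are this script's own, not Cisco's."""
import re
import sys
from typing import Dict, List, Set

# Constructed excerpt of the posted CPSANSW config (secrets/hostnames redacted
# as in the post; no access-list definitions appear in the posted text).
SAMPLE_CONFIG = """\
hostname CPSANSW
ip default-gateway 10.65.32.1
ip classless
no ip http server
ip http access-class 1
ip http secure-server
!
interface Vlan1
 description MGMT VLAN
 ip address 10.65.34.72 255.255.248.0
!
interface Vlan500
 description STORAGE VLAN
 ip address 10.32.70.1 255.255.255.0
!
line vty 0 4
 access-class 2 in
 login local
 transport input ssh
line vty 5 15
 access-class 3 in
 login local
 transport input ssh
end
"""

# A config block ends at '!' or at the next top-level section keyword, so this
# works on indented 'show run' output and on flattened copies like the post.
BLOCK_END = re.compile(r"^(interface|line|router|vlan|end)\b")
ACL_REF = re.compile(r"^(?:access-class|ip http access-class|ip access-group)\s+(\S+)")
ACL_DEF = re.compile(r"^(?:access-list\s+(\S+)|ip access-list (?:standard|extended)\s+(\S+))")


def svi_addresses(config: str) -> Dict[str, str]:
    """Map each 'interface VlanN' to its 'ip address A M' string."""
    result: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (Vlan\d+)$", line)
        if m:
            current = m.group(1)
            continue
        if line == "!" or BLOCK_END.match(line):
            current = None
            continue
        m = re.match(r"^ip address (\S+) (\S+)", line)
        if current and m:
            result[current] = f"{m.group(1)} {m.group(2)}"
    return result


def ip_routing_enabled(config: str) -> bool:
    """True only if the literal enabling line is present ('no ip routing' is not)."""
    return any(raw.strip() == "ip routing" for raw in config.splitlines())


def referenced_acls(config: str) -> Set[str]:
    """ACL numbers/names used by access-class, ip http access-class, ip access-group."""
    refs: Set[str] = set()
    for raw in config.splitlines():
        m = ACL_REF.match(raw.strip())
        if m:
            refs.add(m.group(1))
    return refs


def defined_acls(config: str) -> Set[str]:
    """ACL numbers/names that actually have an access-list definition."""
    defs: Set[str] = set()
    for raw in config.splitlines():
        m = ACL_DEF.match(raw.strip())
        if m:
            defs.add(m.group(1) or m.group(2))
    return defs


def audit(config: str) -> List[str]:
    """Return human-readable findings about inter-VLAN reachability and ACL coverage."""
    findings: List[str] = []
    svis = svi_addresses(config)
    if len(svis) > 1:
        names = ", ".join(f"{k} ({v})" for k, v in sorted(svis.items()))
        if ip_routing_enabled(config):
            findings.append(
                f"ip routing is enabled with {len(svis)} addressed SVIs: {names}. Connected "
                "subnets are routed between without any static route; isolate with an "
                "'ip access-group' ACL on the SVI or remove the address.")
        else:
            findings.append(
                f"ip routing is disabled; the {len(svis)} addressed SVIs ({names}) are "
                "management addresses only. Isolation rests on routing staying off, not "
                "on the absence of static routes: enabling it later opens the path.")
    missing = referenced_acls(config) - defined_acls(config)
    if missing:
        findings.append(
            "ACLs referenced but not defined in this config: " + ", ".join(sorted(missing))
            + ". Confirm with 'show access-lists'; a reference to a nonexistent ACL "
            "applies no restriction.")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text):
        print("-", finding)
```

Run it against a saved `show running-config` (`python audit_ios.py cpsansw.txt`) or with no argument to see the findings for the excerpt above. The parser is deliberately indentation-agnostic because forum pastes usually lose the leading spaces IOS prints inside interface and line blocks.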