From: Phil (theccie@gmail.com)
Date: Fri Nov 12 2004 - 09:32:11 GMT-3
All,
Sorry for the OT but interesting nevertheless. I have the following scenario:
Because of Sarbanes-Oxley requirements some servers of a certain
subnet need to be isolated from other servers in the same subnet and
from users in a different subnet. The servers were originally
connected to a 6509 and pvlan would do the trick with IP ACLs in the
MSFCs, but because a code upgrade was required and not approved we
decided to move the servers needing protection to a pair of SMI 3560
switches and apply an inbound ACL to the uplink ports connected to the
6509s.
It works perfectly except that the ACLs are applied in hardware and the last line
(access-list 152 deny ip any any log) does not log anything because
the packets are discarded without the CPU noticing it. I can move the
ACL to the MSFCs to log the denied packets and use pvlan in the 3560
for local segment protection or even use an ACL blocking the servers
in the same segment that are connected in the 6509s.
My question is this: is there a way to keep the ACL in the 3560 and
capture logs of denied packets? I am thinking of creating interface
vlans, upgrading the code to EMI, applying ACLs to the interface vlans,
configuring 2 interface vlans in the same bridge-group, etc. I will try
these in the lab later.
Does anyone have any suggestions?
Thanks in advance,
Phil
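Whatever route ends up making the `deny ip any any log` entry hit in software, the next question is whether the log messages actually show up and what they contain. The following is an added example, not part of Phil's post: a small Python parser for the standard IOS ACL syslog messages (`%SEC-6-IPACCESSLOGP` for TCP/UDP, `%SEC-6-IPACCESSLOGDP` for ICMP, `%SEC-6-IPACCESSLOGNP` for other protocols) that aggregates denied packets per flow for list 152 and reports whether the list is logging at all. The log lines are constructed for illustration; the function and variable names are my own. The check at the end is the useful bit for this thread: if traffic you know was denied produces zero entries, the deny is being applied in hardware and never reaching the CPU, which is exactly the symptom described above.

```python
import re
from collections import Counter

# Standard IOS ACL logging message formats (assumed; e.g.
#   %SEC-6-IPACCESSLOGP: list 152 denied tcp 10.20.5.14(3391) -> 10.20.1.10(445), 1 packet
#   %SEC-6-IPACCESSLOGDP: list 152 denied icmp 10.20.5.99 -> 10.20.1.11 (8/0), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Constructed sample syslog output, as it would look in "show logging".
SAMPLE_LOG = [
    "Nov 12 09:32:11: %SEC-6-IPACCESSLOGP: list 152 denied tcp 10.20.5.14(3391) -> 10.20.1.10(445), 1 packet",
    "Nov 12 09:32:15: %SEC-6-IPACCESSLOGP: list 152 denied tcp 10.20.5.14(3392) -> 10.20.1.10(445), 3 packets",
    "Nov 12 09:32:20: %SEC-6-IPACCESSLOGDP: list 152 denied icmp 10.20.5.99 -> 10.20.1.11 (8/0), 1 packet",
    "Nov 12 09:32:30: %SEC-6-IPACCESSLOGP: list 152 permitted tcp 10.20.7.2(1040) -> 10.20.1.10(1433), 1 packet",
    "Nov 12 09:32:40: %SYS-5-CONFIG_I: Configured from console by phil on vty0",
]


def parse_acl_log(line):
    """Return a dict describing one ACL log message, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])  # "1 packet" / "3 packets" -> integer
    return rec


def summarize_denies(lines, acl="152"):
    """Aggregate denied packets per (src, dst, proto, dport) for the given list."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["acl"] == acl and rec["action"] == "denied":
            key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
            totals[key] += rec["count"]
    return totals


def acl_logging_active(lines, acl="152"):
    """True if at least one log message for this list was seen.

    False after known-denied traffic means the deny ACE is being handled in
    hardware and the CPU never sees the packets, so nothing is logged.
    """
    return any((rec := parse_acl_log(l)) and rec["acl"] == acl for l in lines)


if __name__ == "__main__":
    for flow, n in summarize_denies(SAMPLE_LOG).items():
        src, dst, proto, dport = flow
        print(f"denied {proto} {src} -> {dst}{'' if dport is None else ':' + dport}: {n} packet(s)")
    print("list 152 logging active:", acl_logging_active(SAMPLE_LOG))
```

Feed it the output of `show logging` (or the syslog server's file) once the ACL has been moved to a place where the log entry is processed in software. Note that IOS rate-limits ACL logging and summarises repeated hits into "N packets" messages, so the per-flow totals here are a lower bound, not an exact packet count.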
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:42 GMT-3