How to use your Cisco Catalyst 2950 switch to slow down the spread of viruses
This recipe shows how to configure a Cisco Catalyst 2950 to enable private VLAN edges, which are great for slowing down viruses that search for other machines to infect over a network.
The guts of private edge VLANs is that ports are given one of two states, private [aka protected] or public. Private ports can not talk to other private ports. The switch physically prevents it. Private ports can talk to public ports. Public ports can talk to private or public ports.
Normally workstations should have no need to talk to each other, so you should mark all workstation ports as private/protected. This prevents one virus infected workstation from infecting another workstation, because the switch will prevent the two from talking. Servers need to be public ports, as everything needs to talk to them - and hopefully someone has been keeping their patches up to date.
By reducing the number of communications points in your switched network, you greatly reduce the ability of a virus to spread.
Normally the easiest way to setup a 2950 is to make a group of the ports, say the first 16, protected ports, and leave the last 8 ports to plug in servers, and other devices that everyone needs to talk to. By default all ports are public ports, so you only need to designate which ports you would like to make private/protected.
WARNING: This should not be attempted by people not experienced with Cisco Switches. If you don't understand something here, get a professional to help you.
interface FastEthernet0/1
! This marks the port as a private VLAN edge port.
switchport protected
interface FastEthernet0/2
switchport protected
interface FastEthernet0/3
switchport protected
...
interface FastEthernet0/16
switchport protected
...
|
