Solving The Problem; Example 6, Securing Sensitive Information According To Subnet - Enterasys SmartSwitch 2200 Management Supplement

Example 6, Securing Sensitive Information According to Subnet

3.2.1

Solving the Problem

To prevent the RIP broadcasts from flooding the user's workstation connected to S1 and S2, a new
VLAN will be added to each switch, but not assigned to any ports (making them Null VLANs).
Then each switch will be configured with a Layer 4 classification rule that will classify each RIP
broadcast frame received on Port 25 of each switch to the Null VLAN. Since the Null VLAN is not
associated with any ports, the frame will be dropped and not transmitted out any port.
In this example, the switches have already been configured and operating. The following covers
only those steps needed to configure each switch to eliminate the problem.
Switches 1 and 2
Each switch is set as follows:
1. A VLAN is added to the list of VLANs in the Device/VLAN Configuration screen and assigned
to a FID. In this example, the switch is set as follows:
•
VLAN ID 99, FID 99, with a VLAN Name of Null VLAN
2. The VLAN Classification Configuration screen is used to configure the switch to detect and
classify the incoming RIP broadcast frames on Port 25 to the Null VLAN. Since the Null VLAN
is not assigned to any port, the frame is dropped (not transmitted out any port). The VLAN
Classification Configuration screen is set as follows:
•
VID: 99
•
Classification: Dest UDP Port
•
IP UDP Port: 520
Port 520 is a well-known port number used by RIP.
3.3 EXAMPLE 6, SECURING SENSITIVE INFORMATION ACCORDING
TO SUBNET
The ABC Company wants to confine the sensitive information being transmitted by their Finance
Department to its user's only.
In this example, illustrated in
Finance VLAN and are also on Subnet 28 as shown in bold type.
3-6 Configuration Examples
Figure 3-3, the user in the Finance Department are members of the