Wednesday, December 18, 2019

Access restriction with Aruba switches

The background on this is that we have an old server running Windows Server 2003 that runs a legacy accounting application. We finally migrated to a cloud-based system a year ago, but of course, this server must be kept running indefinitely for audit purposes. We have no support for the application (nor did we for the previous 5 years I've been here when the application was actually in production), so we try to touch this server as little as possible lest we mess something up.

Since it needs to stay running, we want to wall it off from the rest of the network as much as possible. It's on our Active Directory domain, so we want to maintain the ability to authenticate with AD. We also need to allow access from a small number (3-4) of dedicated laptops but want to limit access beyond that.

One of the ways I've been looking at doing this is by enabling security at the switch. Our core switch is a 5406R and our access is a 2930M stack. I'm planning to create a new VLAN for the dedicated laptops. Those machines should have access to a domain controller for authentication, the accounting server, and nothing else. We plan to connect them to an unmanaged switch in the accounting department and bring it upstairs to a port in the access stack. I'd like to limit the server to connections to/from the domain controller and the dedicated laptops. None of these machines should have internet access.

Looking through the Aruba documentation, there appear to be a few ways to do this.

  • Traffic/Security Filters
  • Access Control Lists
  • Port Security/MAC Lockdown

Based on the information provided, can anyone suggest the best way to accomplish this task?

Thanks,
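For the allow-list described above (laptop VLAN to the domain controller and the accounting server, the server to the domain controller and the laptops, nothing else), an added ArubaOS-Switch configuration sketch that is not part of the original post. Everything specific in it is assumed: VLAN 50 as the new laptop VLAN on 10.0.50.0/24, 10.0.10.5 as the domain controller, 10.0.10.20 as the Windows Server 2003 box on core port A5, port 1/24 on the 2930M stack as the uplink from the accounting department's unmanaged switch, and made-up laptop MAC addresses. Command syntax is written from memory of the 5400R/2930M CLI and should be checked against the release's ACL and Access Security guides before use.

```text
; --- 5406R (the routing core) ------------------------------------------------
; Assumed addressing, constructed for this example:
;   VLAN 50      10.0.50.0/24   dedicated accounting laptops
;   10.0.10.5    domain controller (VLAN 10)
;   10.0.10.20   Windows Server 2003 accounting server (VLAN 10, port A5)

; What the laptops may send. Applied as a routed ACL inbound on VLAN 50, so it
; filters traffic the laptops originate toward other VLANs. Only AD logon
; services on the DC and the accounting server itself are reachable.
ip access-list extended "ACCT-LAPTOPS-IN"
   10 remark "AD logon traffic to the domain controller only"
   20 permit udp 10.0.50.0/24 host 10.0.10.5 eq 53
   30 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 53
   40 permit udp 10.0.50.0/24 host 10.0.10.5 eq 88
   50 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 88
   60 permit udp 10.0.50.0/24 host 10.0.10.5 eq 123
   70 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 135
   80 permit udp 10.0.50.0/24 host 10.0.10.5 eq 389
   90 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 389
   100 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 445
   110 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 464
   120 permit tcp 10.0.50.0/24 host 10.0.10.5 eq 3268
   130 remark "RPC dynamic ports; narrow this to the DC's configured range"
   140 permit tcp 10.0.50.0/24 host 10.0.10.5 range 49152 65535
   150 remark "The accounting application itself"
   160 permit ip 10.0.50.0/24 host 10.0.10.20
   170 remark "Everything else, the internet included, is dropped and logged"
   180 deny ip any any log
   exit
vlan 50
   ip access-group "ACCT-LAPTOPS-IN" in
   exit

; What the legacy server may send. Applied as a port ACL on its own switch
; port, so it also catches hosts on the same VLAN that a routed ACL would miss.
ip access-list extended "ACCT-SERVER-OUT"
   10 remark "Legacy server talks only to the DC and the laptop VLAN"
   20 permit ip host 10.0.10.20 host 10.0.10.5
   30 permit ip host 10.0.10.20 10.0.50.0/24
   40 deny ip any any log
   exit
interface A5
   ip access-group "ACCT-SERVER-OUT" in
   exit

; --- 2930M stack (access) ----------------------------------------------------
; The unmanaged switch hides the individual laptops, so the upstream port can
; only pin the set of MAC addresses allowed behind it. Assumed MACs below.
vlan 50
   name "ACCT-LAPTOPS"
   untagged 1/24
   exit
port-security 1/24 learn-mode static address-limit 4 mac-address 001122-aaaa01 001122-aaaa02 001122-aaaa03 001122-aaaa04 action send-disable
```

Two points worth keeping in mind when adapting this. ArubaOS-Switch ACLs are stateless: the routed ACL on VLAN 50 only inspects packets the laptops originate, and the replies from VLAN 10 pass unless VLAN 10 gets an ACL of its own, in which case the return direction needs matching permits (or `established` for TCP). Second, the port ACL on A5 stops the server from answering anyone but the domain controller and the laptops, but unsolicited packets from other VLAN 10 hosts still reach the server's port; moving the server into its own VLAN with a routed ACL is the cleaner way to wall it off completely. MAC lockdown on 1/24 is a useful second layer but identifies machines only by a spoofable address, which is why the IP-level ACLs carry the real restriction.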


