general vlan questions
- From: Mike <mikee@xxxxxxxxxxxx>
- Date: Fri, 28 Jul 2006 15:33:50 GMT
I need to do something with my network. Currently I have a
PIX 506 at 6.3(3). I need to either upgrade the PIX, get a
slightly larger pix, move to a linux firewall and router,
etc. I am curious about VLANS (I'm not a network admin, I'm
a unix head). The PIX version starting with 6.3(4) says it
supports two VLANs for the 506. Is that two VLANs total or
the main network and two additional VLANs?
Well, maybe I don't need VLANs. Yes I do, I want to separate
the DMZ from the inside. I would need either a layer 3 switch
or a smart layer 2 switch that supported the VLAN tagging.
On the inside I want a main server and workstation subnet,
a DMZ subnet, a wireless subnet, and a subnet for a group
of boxes that are used when we have guests. Sort of a training
room that I want separated from the main workstations and
servers on the inside.
So if I have:
purpose    subnet        security level
--------   -----------   --------------
inside     10.1.1.0/24   100
dmz        10.1.2.0/24   20
wireless   10.1.3.0/24   30
guests     10.1.4.0/24   30
outside    0.0.0.0/0     0
I do not want the guest machines to ever reach the inside
machines, but I want the inside machines to be able to
touch the guest machines. This sounds similar to a firewall
rule or stateful packet inspection.
I think I also would like some sort of admin subnet that
can touch any machine for statistics, updates, etc.
Seems like there should also be a pinhole (vpn only?) between
the wireless and inside. I prefer to get rid of the wireless
and pay for extra network drops on the inside for people's
laptops rather than use wireless.
Will a smart layer 2 switch route between the inside and
the guests like I mentioned above? Will a smart layer 2
switch do any of the routing I mentioned above? What about
the pinhole, if I need one, between the wireless and inside
groups?
I also have a need for VOIP support. The VOIP is already
working somehow. I've not learned that part, but I must keep
VOIP with any change I make. I also have several VPN users
coming in through the PIX 506(4) and want to add several
more (4).
I currently only have 15 internal users and several machines.
I only have a single machine in the DMZ, though I want to
add another machine there. I want to do traffic shaping so
that web/ftp from the DMZ to outside does not affect internal
and VOIP users. The other machines/servers I have on the inside
for the most part will not reach outside the firewall. There
are OS updates, NTP, and users surfing from their workstations,
but that's about it.
This is not a huge, multi-hundreds company. We're small and
don't need that much.
Mike
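The asymmetric inside-to-guests reachability asked about above is exactly what PIX security levels give by default, so here is an added example (not part of the original post) that models PIX 6.x security-level semantics over the subnet table in the post and reports which desired flows the default policy already provides, which need an explicit access-list, and which cannot work on 6.x at all. The desired-flow list is assumed from the post; the outside-to-dmz entry is an assumption that the DMZ host serves the outside.

```python
# Added example: model of Cisco PIX 6.x default inter-interface policy.
# Interface names and security levels are taken from the post's table.
INTERFACES = {"inside": 100, "dmz": 20, "wireless": 30, "guests": 30, "outside": 0}


def default_allows(src, dst):
    """PIX 6.x default: a connection may be initiated only from a higher
    security level to a strictly lower one (NAT/global still required).
    Equal levels cannot talk at all on 6.x (same-security-traffic came
    in 7.0); lower-to-higher needs an explicit access-list plus static."""
    return src == dst or INTERFACES[src] > INTERFACES[dst]


def classify(src, dst):
    """Human-readable explanation of the default verdict for one flow."""
    s, d = INTERFACES[src], INTERFACES[dst]
    if src == dst:
        return "same interface"
    if s > d:
        return "allowed by default; stateful return traffic permitted"
    if s == d:
        return "blocked: equal security levels cannot communicate on PIX 6.x"
    return "blocked by default: needs access-list on %s and a static" % src


# Desired flows from the post (src, dst, wanted). The last entry is an
# assumption: the DMZ web/ftp host presumably accepts outside connections.
WANTED = [
    ("inside", "guests", True),
    ("guests", "inside", False),
    ("inside", "dmz", True),
    ("dmz", "outside", True),
    ("wireless", "inside", False),   # only via a VPN pinhole, per the post
    ("guests", "outside", True),
    ("outside", "dmz", True),        # assumed
]


def check_plan(wanted=WANTED):
    """Return (src, dst, wanted, default_ok, verdict) for each desired flow."""
    report = []
    for src, dst, want in wanted:
        ok = default_allows(src, dst)
        if ok == want:
            verdict = "matches default"
        elif want:
            verdict = "needs explicit permit"
        else:
            verdict = "needs explicit deny"
        report.append((src, dst, want, ok, verdict))
    return report


def equal_level_pairs():
    """Interface pairs that share a level and so cannot talk on PIX 6.x."""
    names = sorted(INTERFACES)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if INTERFACES[a] == INTERFACES[b]]
```

Note that wireless and guests both sit at 30, so on 6.x they can never reach each other; give them distinct levels if that matters.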