I need to do something with my network. Currently I have a PIX 506 at 6.3(3). I need to either upgrade the PIX, get a slightly larger PIX, move to a Linux firewall and router, etc. I am curious about VLANs (I'm not a network admin, I'm a Unix head). The PIX version starting with 6.3(4) says it supports two VLANs for the 506. Is that two VLANs total, or the main network and two additional VLANs?
Well, maybe I don't need VLANs. Yes I do, I want to separate the DMZ from the inside. I would need either a layer 3 switch or a smart layer 2 switch that supported the VLAN tagging.
On the inside I want a main server and workstation subnet, a DMZ subnet, a wireless subnet, and a subnet for a group of boxes that are used when we have guests. Sort of a training room that I want separated from the main workstations and servers on the inside.
So if I have:
purpose    subnet        security level
--------   -----------   --------------
inside     10.1.1.0/24   100
dmz        10.1.2.0/24   20
wireless   10.1.3.0/24   30
guests     10.1.4.0/24   30
outside    0.0.0.0/0     0
I do not want the guest machines to ever reach the inside machines, but I want the inside machines to be able to touch the guest machines. This sounds similar to a firewall rule or stateful packet inspection.
I think I also would like some sort of admin subnet that can touch any machine for statistics, updates, etc.
Seems like there should also be a pinhole (vpn only?) between the wireless and inside. I prefer to get rid of the wireless and pay for extra network drops on the inside for people's laptops rather than use wireless.
Will a smart layer 2 switch route between the inside and the guests like I mentioned above? Will a smart layer 2 switch do any of the routing I mentioned above? What about the pinhole, if I need one, between the wireless and inside groups?
I also have a need for VoIP support. The VoIP is already working somehow. I've not learned that part, but I must keep VoIP with any change I make. I also have several VPN users coming in through the PIX 506 (4) and want to add several more (4).
I currently only have 15 internal users and several machines. I only have a single machine in the DMZ, though I want to add another machine there. I want to do traffic shaping so that web/ftp from the DMZ to outside does not affect internal and VoIP users. The other machines/servers I have on the inside for the most part will not reach outside the firewall. There are OS updates, NTP, and users surfing from their workstations, but that's about it.
This is not a huge, multi-hundreds company. We're small and don't need that much.
Mike
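As an added example (not part of Mike's post and not Cisco code), here is a small simulator of the decision a PIX 6.x makes for the subnets in the table above. It encodes the security-level rule that answers the guest/inside question directly: a new connection may be initiated from a higher security level to a lower one, never the reverse and never between equal levels, and replies to an open connection are always let back through. It also shows the part that trips people up: once an access list is bound inbound on an interface, that list alone decides what that interface may initiate (implicit deny at the end), so the level default no longer applies there. Because PIX 6.3 has no same-security-traffic permit (that arrived in 7.0), the simulator gives guests a level of 25 instead of 30; that, the VPN endpoint 10.1.1.5, the DMZ web server 10.1.2.10 and the outside test addresses are assumptions. NAT is left out.

```python
"""Simulator for PIX 6.x-style interface security levels plus access lists.

Added example for the thread; not the original poster's configuration and
not Cisco's implementation. Levels, hosts and ACL entries are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    sport: int = 40000

    def reverse(self) -> "Flow":
        """The reply direction of this flow (ports swapped)."""
        return Flow(self.dst, self.src, self.proto, self.sport, self.dport)


@dataclass
class Interface:
    name: str
    subnet: IPv4Network
    level: int  # 0..100; PIX 6.3 needs a distinct level per interface


@dataclass
class Ace:
    """One access-list entry; a None field means 'any'."""
    action: str  # "permit" or "deny"
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return ((self.dst is None or ip_address(f.dst) in self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


class Pix:
    def __init__(self, interfaces: List[Interface]):
        # Longest prefix first so 0.0.0.0/0 (outside) only matches as a last resort.
        self.ifs = sorted(interfaces, key=lambda i: i.subnet.prefixlen, reverse=True)
        self.acls: Dict[str, List[Ace]] = {}  # ingress interface -> bound ACL
        self.conns: Set[Flow] = set()          # established connections (stateful part)

    def iface_for(self, ip: str) -> Interface:
        return next(i for i in self.ifs if ip_address(ip) in i.subnet)

    def bind_acl(self, ifname: str, aces: List[Ace]) -> None:
        self.acls[ifname] = list(aces)

    def permit(self, f: Flow) -> bool:
        """Decide one packet; a permitted new connection is remembered."""
        if f in self.conns or f.reverse() in self.conns:
            return True  # existing connection or its reply traffic
        src_if, dst_if = self.iface_for(f.src), self.iface_for(f.dst)
        if src_if is dst_if:
            return False  # 6.x does not forward back out the ingress interface
        if src_if.name in self.acls:
            # A bound inbound ACL replaces the level rule; unmatched = deny.
            allowed = next((a.action == "permit" for a in self.acls[src_if.name]
                            if a.matches(f)), False)
        else:
            allowed = src_if.level > dst_if.level  # equal levels never talk
        if allowed:
            self.conns.add(f)
        return allowed


def build_pix() -> Pix:
    """The subnets from the post; guests moved to 25 so no two levels collide."""
    pix = Pix([
        Interface("inside", ip_network("10.1.1.0/24"), 100),
        Interface("wireless", ip_network("10.1.3.0/24"), 30),
        Interface("guests", ip_network("10.1.4.0/24"), 25),  # assumption
        Interface("dmz", ip_network("10.1.2.0/24"), 20),
        Interface("outside", ip_network("0.0.0.0/0"), 0),
    ])
    # Publish only the assumed DMZ web server to the outside.
    pix.bind_acl("outside", [Ace("permit", ip_network("10.1.2.10/32"), "tcp", 80)])
    # Wireless: IPsec pinhole to the assumed inside VPN endpoint, nothing else
    # towards 10.1.0.0/16, but Internet access stays open.
    pix.bind_acl("wireless", [
        Ace("permit", ip_network("10.1.1.5/32"), "udp", 500),
        Ace("permit", ip_network("10.1.1.5/32"), "esp"),
        Ace("deny", ip_network("10.1.0.0/16")),
        Ace("permit"),
    ])
    return pix


def evaluate() -> Dict[str, bool]:
    """Run the post's requirements through the model, in order (state matters)."""
    pix = build_pix()
    cases = [
        ("guest_to_inside", Flow("10.1.4.20", "10.1.1.10", "tcp", 445)),
        ("inside_to_guest", Flow("10.1.1.10", "10.1.4.20", "tcp", 22)),
        ("guest_reply_to_inside", Flow("10.1.4.20", "10.1.1.10", "tcp", 40000, 22)),
        ("guest_to_outside", Flow("10.1.4.20", "203.0.113.9", "tcp", 443)),
        ("guest_to_wireless", Flow("10.1.4.20", "10.1.3.40", "tcp", 22)),
        ("wireless_to_guest", Flow("10.1.3.40", "10.1.4.20", "tcp", 22)),
        ("wireless_vpn_pinhole", Flow("10.1.3.40", "10.1.1.5", "udp", 500)),
        ("wireless_to_inside_smb", Flow("10.1.3.40", "10.1.1.10", "tcp", 445)),
        ("wireless_to_outside", Flow("10.1.3.40", "203.0.113.9", "tcp", 443)),
        ("dmz_to_inside", Flow("10.1.2.10", "10.1.1.10", "tcp", 3306)),
        ("outside_to_dmz_web", Flow("198.51.100.7", "10.1.2.10", "tcp", 80)),
        ("outside_to_dmz_ssh", Flow("198.51.100.7", "10.1.2.10", "tcp", 22)),
        ("inside_to_outside", Flow("10.1.1.10", "203.0.113.9", "tcp", 443)),
    ]
    return {name: pix.permit(flow) for name, flow in cases}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:24s} {'permit' if ok else 'deny'}")
```

Note the wireless_to_guest case: by levels alone (30 over 25) it would pass, but the ACL bound to wireless denies it, which is exactly the behaviour to expect on the real box once an access-group is applied. The admin subnet from the post is not modelled separately: on a 6.x PIX it would need a level above every subnet it manages, which means taking inside down from 100 to make room.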