general vlan questions

I need to do something with my network. Currently I have a PIX 506 at 6.3(3). I need to either upgrade the PIX, get a slightly larger pix, move to a linux firewall and router, etc. I am curious about VLANS (I'm not a network admin, I'm a unix head). The PIX version starting with 6.3(4) says it supports two VLANs for the 506. Is that two VLANs total or the main network and two additional VLANs?

Well, maybe I don't need VLANs. Yes I do, I want to separate the DMZ from the inside. I would need either a layer 3 switch or a smart layer 2 switch that supported the VLAN tagging.

On the inside I want a main server and workstation subnet, a DMZ subnet, a wireless subnet, and a subnet for a group of boxes that are used when we have guests. Sort of a training room that I want separated from the main workstations and servers on the inside.

So if I have:

purpose    subnet        security level
--------   -----------   --------------
inside     10.1.1.0/24   100
dmz        10.1.2.0/24   20
wireless   10.1.3.0/24   30
guests     10.1.4.0/24   30
outside    0.0.0.0/0     0

I do not want the guest machines to ever reach the inside machines, but I want the inside machines to be able to touch the guest machines. This sounds similar to a firewall rule or stateful packet inspection.

I think I also would like some sort of admin subnet that can touch any machine for statistics, updates, etc.

Seems like there should also be a pinhole (vpn only?) between the wireless and inside. I prefer to get rid of the wireless and pay for extra network drops on the inside for people's laptops rather than use wireless.

Will a smart layer 2 switch route between the inside and the guests like I mentioned above? Will a smart layer 2 switch do any of the routing I mentioned above? What about the pinhole, if I need one, between the wireless and inside groups?

I also have a need for VOIP support. The VOIP is already working somehow. I've not learned that part, but I must keep VOIP with any change I make. I also have several VPN users coming in through the PIX 506(4) and want to add several more (4).

I currently only have 15 internal users and several machines. I only have a single machine in the DMZ, though I want to add another machine there. I want to do traffic shaping so that web/ftp from the DMZ to outside does not affect internal and VOIP users. The other machines/servers I have on the inside for the most part will not reach outside the firewall. There are OS updates, NTP, and users surfing from their workstations, but that's about it.

This is not a huge, multi-hundreds company. We're small and don't need that much.

Mike

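An added model of the policy Mike asks about (my own example, not a PIX configuration and not part of the thread): PIX interfaces carry a security level, traffic that starts on a higher-level interface and goes to a lower one is permitted by default, anything else needs an explicit permit, and once a connection is permitted its later packets and replies are matched against a state table. That is exactly the "inside may touch guests, guests may never touch inside" behaviour. Equal levels are treated as deny, as PIX 6.x does (the same-security permit only arrived in 7.0). The pinholes (IKE and ESP from wireless to inside) are assumed for the example; the subnet and level table is Mike's.

```python
"""PIX-style security-level policy with a connection state table.

Added model of the layout in the post above; it is not a PIX
configuration and the pinholes are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface table from the post: name -> (subnet, security level).
INTERFACES = {
    "inside":   ("10.1.1.0/24", 100),
    "dmz":      ("10.1.2.0/24", 20),
    "wireless": ("10.1.3.0/24", 30),
    "guests":   ("10.1.4.0/24", 30),
    "outside":  ("0.0.0.0/0",   0),
}

# Assumed pinholes (not in the post): the only lower-to-higher traffic
# admitted is IPsec from wireless to inside, i.e. IKE on UDP/500 and
# ESP.  A port of None means any port.
PINHOLES = [
    ("wireless", "inside", "udp", 500),
    ("wireless", "inside", "esp", None),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def interface_of(ip: str):
    """Longest-prefix match of an address against INTERFACES."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, (net, level) in INTERFACES.items():
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[1]):
            best = (name, n.prefixlen, level)
    return best[0], best[2]


def pinhole_permits(src_if: str, dst_if: str, f: Flow) -> bool:
    return any(s == src_if and d == dst_if and p == f.proto
               and (port is None or port == f.dport)
               for s, d, p, port in PINHOLES)


class Firewall:
    """The first packet of a flow is judged by security level: higher to
    lower is permitted, anything else needs an explicit pinhole.  Later
    packets and replies are matched against the state table instead."""

    def __init__(self):
        self.state = set()   # 5-tuples of permitted connections

    def check(self, f: Flow):
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        reverse = (f.proto, f.dst, f.dport, f.src, f.sport)
        if reverse in self.state:
            return True, "permit: reply to an established connection"
        if key in self.state:
            return True, "permit: established connection"
        src_if, src_lvl = interface_of(f.src)
        dst_if, dst_lvl = interface_of(f.dst)
        if src_if == dst_if:
            return True, f"not firewalled: both hosts on {src_if}"
        if src_lvl > dst_lvl:
            reason = f"permit: {src_if}({src_lvl}) -> {dst_if}({dst_lvl})"
        elif pinhole_permits(src_if, dst_if, f):
            reason = f"permit: pinhole {src_if} -> {dst_if} {f.proto}/{f.dport}"
        else:
            return False, (f"deny: {src_if}({src_lvl}) -> {dst_if}({dst_lvl}) "
                           "has no explicit permit")
        self.state.add(key)
        return True, reason


if __name__ == "__main__":
    fw = Firewall()
    for flow in [
        Flow("10.1.1.10", "10.1.4.20", "tcp", 40000, 22),    # inside -> guests
        Flow("10.1.4.20", "10.1.1.10", "tcp", 22, 40000),    # the reply
        Flow("10.1.4.21", "10.1.1.10", "tcp", 50000, 445),   # guests -> inside, new
        Flow("10.1.3.5", "10.1.1.1", "udp", 500, 500),       # wireless -> inside IKE
        Flow("10.1.3.5", "10.1.4.20", "tcp", 50000, 80),     # wireless -> guests, equal level
        Flow("10.1.2.2", "198.51.100.7", "tcp", 50000, 80),  # dmz -> outside
    ]:
        ok, why = fw.check(flow)
        print(f"{flow.src:>12} -> {flow.dst:<14} {flow.proto}/{flow.dport}: {why}")
```

One thing the model makes visible: the table has five interfaces, and a 506 with two physical ports plus the two tagged interfaces Walter mentions below offers four, so one of these segments has to share an interface with another or be dropped. An admin subnet that may touch everything also cannot sit above inside, since 100 is the highest level; it would have to be part of inside.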

I trunked a freebsd machine to a cisco 2950 and configured ipfw for traffic restriction. The freebsd router is now the logical center of my network through which all traffic must pass. I can provide detailed configurations if you like.

Dom

Two total additional 802.1Q tagged interfaces, which can be put on either of the interfaces or split between them.

No, Layer 2 switches never route: they might classify packets (i.e., some permit VLAN membership to be determined by characteristics beyond just port number), and they might label packets (with 802.1Q tag numbers), and they might distribute tagged packets to appropriate ports. Distribution of packets is not routing, as it does not depend upon IP address.

Walter Roberson
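To make Walter's point concrete, here is an added example (mine, not from the thread and not any vendor's code) of what a VLAN-aware layer 2 switch actually does with a frame: it classifies an untagged frame by its ingress port's VLAN, tags it with a 12-bit VLAN ID in an 802.1Q header on trunk ports, learns source MACs per VLAN, and forwards or floods only within that VLAN. There is no code path that moves a frame from VLAN 10 to VLAN 40; that step happens on the router hanging off the trunk, which is why inside-to-guests traffic in Mike's layout has to pass through the PIX or the FreeBSD box. The port numbers and MAC addresses are constructed.

```python
"""802.1Q tagging and a VLAN-aware learning switch, as a constructed model.

Added example, not from the thread.  The switch classifies (an untagged
frame takes its ingress port's access VLAN), tags on trunk ports and
forwards or floods by (VLAN, MAC); it never carries a frame from one
VLAN to another, which is the routing step a layer 3 device does.
"""
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame, optionally with an 802.1Q tag after the MACs."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) DEI(1)=0 VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, off = None, 0, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid, off = tci >> 13, tci & 0xFFF, 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[off:]}


class Switch:
    def __init__(self):
        self.ports = {}   # port -> {"mode": "access", "vlan": v} or {"mode": "trunk", "allowed": set}
        self.fdb = {}     # (vid, mac) -> port, learned from source addresses

    def add_access_port(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def add_trunk_port(self, port, allowed):
        self.ports[port] = {"mode": "trunk", "allowed": set(allowed)}

    def receive(self, port, frame):
        """Switch one ingress frame; returns {egress_port: frame_bytes}."""
        cfg, p = self.ports[port], parse_frame(frame)
        if cfg["mode"] == "access":
            if p["vid"] is not None:
                return {}          # tagged frame on an access port: dropped
            vid = cfg["vlan"]      # classify by port membership
        else:
            vid = p["vid"]
            if vid is None or vid not in cfg["allowed"]:
                return {}          # untagged on a trunk (no native VLAN modelled) or not allowed
        self.fdb[(vid, p["src"])] = port
        known = self.fdb.get((vid, p["dst"]))
        if known == port:
            return {}              # destination is behind the ingress port
        targets = [known] if known is not None else [q for q in self.ports if q != port]
        out = {}
        for q in targets:
            qcfg = self.ports[q]
            if qcfg["mode"] == "access" and qcfg["vlan"] == vid:
                out[q] = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
            elif qcfg["mode"] == "trunk" and vid in qcfg["allowed"]:
                out[q] = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vid, p["pcp"])
        return out


def example_switch():
    """Ports 1-2: inside (VLAN 10); port 3: guests (VLAN 40); port 24: trunk to the router."""
    sw = Switch()
    sw.add_access_port(1, 10)
    sw.add_access_port(2, 10)
    sw.add_access_port(3, 40)
    sw.add_trunk_port(24, {10, 40})
    return sw


# Constructed MAC addresses: inside hosts A, B; guest G; router R.
MAC_A, MAC_B = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"
MAC_G, MAC_R = b"\x02\x00\x00\x00\x00\x40", b"\x02\x00\x00\x00\x00\xff"

if __name__ == "__main__":
    sw = example_switch()
    out = sw.receive(1, build_frame(MAC_G, MAC_A, 0x0800, b"to-guest"))
    print("inside host to guest MAC:", sorted(out))      # port 2 and trunk 24 only, never port 3
    out = sw.receive(24, build_frame(MAC_A, MAC_R, 0x0800, b"from-router", vid=10))
    print("router on VLAN 10 to host A:", sorted(out))   # port 1, tag stripped
```

The access-port rule that drops an already tagged frame is the one to check on a real switch: a host that can inject its own tags onto a port that honours them is sitting on a trunk, not an access port.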

Yes, please. I'd like to see how you're setup.

Mike


Ask me specific questions or for specific software configurations and let me know if that e-mail address works.

Dom

As a generalization:

Unless you have good reason to expect to be able to confine the wireless signals to an area totally under your company's control, then wireless access should be assumed to be something that the public -will- eventually find and start attempting to access. Accordingly, wireless access should be either only to DMZ'd services, or else should require extra layers of security such as IPsec (and 802.1x if you can.)

How fast is your internet connection? We've found that in practice, with a much larger organization, that we don't often go over 64 Kbit/s sustained for any length of time, and that we thus don't need to bother with traffic shaping. If we were on an ADSL or cable modem then we might need shaping: asymmetric bandwidth -does- make a noticeable difference in responsiveness and performance.

Anyhow, before bothering with shaping, I'd suggest measuring. If you push the PIX logging level up to 6, you can deduce total bandwidth requirements of a connection (but not until after it closes, so it is average bandwidth, and not separable into sending and receiving.)

Walter Roberson
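An added example (mine, not from the thread) of the measurement Walter suggests. At logging level 6 the PIX emits a teardown message per connection; the byte count and duration are only in that message, so the script computes each connection's lifetime average, flags the ones above the 64 kbit/s figure Walter quotes, and spreads each connection's bytes evenly over its lifetime to get a rough per-minute load profile. The log lines are constructed, and the message layout is assumed to follow the PIX 6.x 302002/302006 teardown shape; check the regex against your own syslog before trusting the numbers.

```python
"""Average per-connection bandwidth from PIX level-6 teardown messages.

Added example.  The log lines are constructed and the message layout is
assumed to follow the PIX 6.x 302002 (TCP) / 302006 (UDP) teardown
shape, 'duration h:mm:ss bytes N'.  Only the teardown carries the byte
count, so each figure is an average over the life of a connection,
sent and received together, and is known only after the close.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 12 10:00:15 10.1.1.1 %PIX-6-302001: Built outbound TCP connection 1017 for faddr 198.51.100.7/80 gaddr 203.0.113.2/1025 laddr 10.1.2.2/1025
Jan 12 10:00:30 10.1.1.1 %PIX-6-302002: Teardown TCP connection 1017 faddr 198.51.100.7/80 gaddr 203.0.113.2/1025 laddr 10.1.2.2/1025 duration 0:00:15 bytes 1500000 (TCP FINs)
Jan 12 10:01:02 10.1.1.1 %PIX-6-302006: Teardown UDP connection for faddr 198.51.100.9/123 gaddr 203.0.113.2/123 laddr 10.1.1.20/123 duration 0:00:02 bytes 96
Jan 12 10:05:00 10.1.1.1 %PIX-6-302002: Teardown TCP connection 1022 faddr 198.51.100.8/21 gaddr 203.0.113.2/1030 laddr 10.1.2.2/1030 duration 0:10:00 bytes 60000000 (TCP FINs)
"""

TEARDOWN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %PIX-6-30200[26]: "
    r"Teardown (?P<proto>TCP|UDP) connection (?:\d+ |for )"
    r"faddr (?P<faddr>\S+)/(?P<fport>\d+) gaddr \S+/\d+ "
    r"laddr (?P<laddr>\S+)/(?P<lport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)")


def parse_teardowns(text):
    """One record per teardown line; other messages (e.g. 302001) are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN.match(line)
        if not m:
            continue
        end = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        nbytes = int(m["bytes"])
        records.append({
            "proto": m["proto"], "faddr": m["faddr"], "fport": int(m["fport"]),
            "laddr": m["laddr"], "lport": int(m["lport"]),
            "end": end, "duration": duration, "bytes": nbytes,
            # sub-second connections are rated as if they lasted one second
            "kbps": nbytes * 8 / max(duration, 1) / 1000,
        })
    return records


def per_minute_bytes(records):
    """Spread each connection's bytes evenly over its lifetime, then sum
    per wall-clock minute.  This is the best a teardown-only log allows."""
    buckets = defaultdict(float)
    for r in records:
        secs = max(r["duration"], 1)
        start = r["end"] - timedelta(seconds=r["duration"])
        share = r["bytes"] / secs
        for k in range(secs):
            buckets[(start + timedelta(seconds=k)).strftime("%H:%M")] += share
    return dict(buckets)


def heavy_connections(records, kbps_limit=64):
    """Connections whose lifetime average exceeds kbps_limit, heaviest first."""
    heavy = [r for r in records if r["kbps"] > kbps_limit]
    return sorted(heavy, key=lambda r: r["kbps"], reverse=True)


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    for r in heavy_connections(recs):
        print(f'{r["laddr"]} <-> {r["faddr"]}/{r["fport"]} {r["proto"]}: '
              f'{r["kbps"]:.0f} kbit/s over {r["duration"]} s')
    for minute, b in sorted(per_minute_bytes(recs).items()):
        print(f"{minute}  {b * 8 / 60 / 1000:8.1f} kbit/s average")
```

Because the syslog timestamp has no year, the profile only makes sense for a capture within one day; and a long-lived transfer that is still open when you look will not appear at all, which is the limitation Walter describes.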

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.