The 1711 at a remote site has a guest VLAN to isolate traffic there from the default VLAN1. When this traffic gets to the main network on its way out to the Internet, the boss wants to have it bypass the firewall.
This simple network diagram lines up with fixed-pitch font.
Presumably the purpose of bypassing the firewall is to allow guests to get at their webmail and VPNs and mail servers and web servers, when inside access to those would normally be blocked... especially if the home sites have been configured on non-standard ports.
Recall, though, that the main purpose of the firewall is [likely] not to prevent internal people from going out: the main purpose of the firewall is to protect the systems within it. Including the guests.
If the guests are bypassing the firewall, then unless they happen to have good firewall software on their machines, they are going to be vulnerable to all the random exploits and script kiddies that hit most addresses in less than 3 minutes.
I would thus suggest that the guests still be placed within the firewall, but possibly that the firewall be configured so that those IP addresses are allowed to -initiate- connections to the outside.
If your boss wants other people to be able to initiate connections into the guests, then your boss will have to make a decision as to which makes for better relations: "Sorry, we block incoming connections in order to protect our honoured guests, but we can get our IT people to open a pinhole if you need it.", or "Sorry that your computer got hacked into while you were visiting us; next time you'll know to have your IT people protect your equipment before you leave, since you were so foolish as not to have done that yourself this time."
Walter, many of your guesses are pretty much right on. But these "guest" PCs should all have Windows Firewall enabled, which should dramatically reduce the exposure.
There are several issues that I did not get into earlier for purposes of brevity. First of all, they're not really guests, they're actually business partners whose traffic will ride the physical network but should be segregated from normal traffic. Second, in addition to bypassing the firewall, this traffic will also bypass a Sonic Wall running web-filtering software. Third, firewall management is outsourced and requests to open up holes often meet resistance that usually has to be resolved by the boss telling them, "I'm aware this may be a bad idea but do it anyway."
Assuming that I need to proceed as described earlier, I'd like to hear how you'd go about it. If you provide a few general pointers, I will look up the details. Here are some thoughts that I've had so far:
I could extend the 802.1Q VLAN from the 1711 through the 3745 into the 4503 and 2950. This would keep the "guest" traffic isolated throughout the internal network. But if I add a separate link from the 4503 to the 2950, wouldn't STP put it in blocking mode? Also, how would I direct VLAN 3 traffic through the second link and keep other traffic off it?
Alternatively, if I ran a second link between the two 3745s, I should be able to use the encapsulation VLAN # on the subinterfaces to force VLAN 3 traffic onto this link and keep VLAN 1 traffic out. Is this correct?
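For the second-link idea above, here is an added configuration example (not from anyone in this thread) of how the 3745 end of such a link would look. A router only accepts tagged frames for VLANs that have a subinterface on that physical interface, so putting a single `encapsulation dot1Q 3` subinterface on the link is what keeps VLAN 1 off it. Because the subinterface is a routed hop, the segregation is only as strong as the access list applied to it, so the example also shows an ACL that stops the partner subnet from reaching internal address space. Interface names, VLAN 3, and all addresses are assumptions for illustration.

```cisco
! Added example, not the poster's or Cisco's configuration.
! One of the two 3745 routers. Fa0/1 is the dedicated second link to
! the other 3745; only VLAN 3 gets a subinterface here, so VLAN 1
! frames arriving tagged on this link are dropped and VLAN 1 traffic
! is never routed onto it.
interface FastEthernet0/1
 description Second link to other 3745, partner VLAN only
 no ip address
!
interface FastEthernet0/1.3
 description Partner VLAN 3 (802.1Q tagged)
 encapsulation dot1Q 3
 ip address 10.3.3.1 255.255.255.0
 ip access-group PARTNER-IN in
!
! Segregation ACL on the partner subinterface: deny anything sourced
! from the partner subnet toward internal RFC 1918 space (logged so
! attempts show up in syslog), then allow the rest onward. Addresses
! are assumed: 10.3.3.0/24 is the partner VLAN, 10.0.0.0/8 the
! internal network.
ip access-list extended PARTNER-IN
 deny   ip 10.3.3.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.3.3.0 0.0.0.255 any
 deny   ip any any log
```

The final `deny ip any any log` catches frames that arrive on the partner subinterface with a source address outside the partner subnet, which is a useful early sign of spoofing or a misconfigured trunk.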
Not if the second link is in a different VLAN and you have Per-VLAN Spanning Tree (PVST+) configured. And possibly you can use Multiple Spanning Tree (MST).
In the outgoing direction, the only traffic on the link is that initiated by the guests, and you don't have to worry about keeping other traffic off. For incoming traffic, the destination hosts will have a relatively narrow IP range dedicated to guest services, and simple "longest prefix" routing should take care of getting the traffic to the right interface. At worst case, you could use Policy Based Routing (PBR), which I -think- is supported on all your devices except the 2950.
What you are trying to do is very dangerous. If you want to keep the traffic segregated you need to put them on a completely different switch and keep the traffic off your "protected" internal network. Why? Because if someone hacks into one of the "guest" computers, it's not difficult to get into the rest of the network because they have now bypassed your firewall. In addition there are many types of attacks that can compromise the layer 2 network (such as spanning tree, DoS attacks targeting ARP and CAM entries on the switch) that can bring down your entire network, not just the "guest" VLAN.
Essentially you're replacing your firewall with "VLAN separation" and PCs that "should" have a software firewall installed as a means of security from the Internet. You are seriously asking for trouble.
The firewall is there for a reason. If you want to trunk a VLAN through the internal network, fine, but terminate it at the firewall. Your firewall does support trunking on its internal interface, doesn't it? And have them use your Internet proxy like any other internal client.
Walter, I see that BernieM and Scott seconded your recommendation to avoid proceeding along the lines my boss desires, adding additional pitfalls that I will share with him. Thanks guys!
I have thought some more about what you wrote above and I now see that I had some gaps in my understanding of how routers process VLANs. Here are the main issues I am not clear about:
1) Will a router with sub-interfaces configured with dot1q encapsulation reject packets from other VLANs (other than native untagged packets)?
2) Will the router strip off the encapsulation prior to processing the packet via its normal routing process?
3) If this router does not have sub-interfaces configured on the outgoing interface, will this packet lose its VLAN identity?
4) If I need to retain the VLAN identity for outbound packets, is the way to do it by configuring sub-interfaces with dot1q encapsulation on the outbound interface and use PBR to select which sub-interface to forward the packet to?
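As an added example for questions 2 through 4 above (and for the PBR suggestion earlier in the thread), this is not configuration from anyone in the thread. A dot1q subinterface removes the 802.1Q tag on ingress and hands the bare IP packet to the routing process; on egress the packet is tagged again only if the selected outbound interface is itself a dot1q subinterface, otherwise it leaves untagged. Policy-based routing on the inbound subinterface is what lets you pick that outbound path by source address instead of by destination. In keeping with the advice above to terminate the partner VLAN at the firewall rather than around it, the route-map sends partner-sourced traffic to a next hop on a separate firewall interface. Interface names, VLAN numbers, and addresses are assumptions.

```cisco
! Added example, not the poster's or Cisco's configuration.
! Main-site 3745. Partner VLAN 3 arrives tagged on Fa0/0.3; the router
! strips the tag, routes, and re-tags only because Fa0/1.3 below is
! also a dot1q subinterface.
interface FastEthernet0/0.3
 description Partner VLAN 3 in from the remote 1711
 encapsulation dot1Q 3
 ip address 10.3.3.2 255.255.255.0
 ip policy route-map PARTNER-TO-FW
!
interface FastEthernet0/1.3
 description Partner VLAN 3 out to the firewall's partner interface
 encapsulation dot1Q 3
 ip address 10.3.254.1 255.255.255.0
!
! Select partner-sourced packets only (10.3.3.0/24 is assumed).
ip access-list extended PARTNER-SRC
 permit ip 10.3.3.0 0.0.0.255 any
!
! PBR: packets matching PARTNER-SRC are forwarded to the firewall's
! partner-zone address (assumed 10.3.254.2) via Fa0/1.3, where they are
! tagged VLAN 3 again. Packets that match no clause are routed normally
! from the routing table.
route-map PARTNER-TO-FW permit 10
 match ip address PARTNER-SRC
 set ip next-hop 10.3.254.2
```

With this in place, `show route-map PARTNER-TO-FW` reports the policy-matched packet count, which is a quick way to confirm that partner traffic is actually taking the policy path rather than the default route.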