VLAN Issues

I work for a hospital and I am semi-competent around Cisco equipment. Here is my dilemma. We have about 16 switches that are located across 4 floors in 4 separate closets. The switches on the floor are connected to each switch within its respective closet via cross-over cables. Then there is a switch in each closet that has a GBIC module with fiber that runs back to a fiber module on a 6506 in our data center. The 6506 has VLANs 1-7 on it and is trunking ISL via the fiber for each of the closets. The 6506 is also the VTP server, VTP domain brooks. VLAN 2 goes out to our radiology dept. VLAN 3 is our wireless network. VLAN 4 is our fiber connection to our ISP. VLAN 5 is to our Cisco Pix 515. VLAN 6 is our Pix inside. VLANs 1, 2, 3 and 6 connect from the 6506 to a Cisco 3640 router and are plugged into Ethernet ports where they are then routed. VLAN 7 is a new VLAN that I am trying to create for the following reason.

The hospital wants practicing doctors that are not residents in the hospital to have access to webmail so they can access their outside email, such as Yahoo and Hotmail. I do not want any outside email on the network for obvious reasons. I have been tasked by my Director to create a separate VLAN that the doctors can access outside email on without being able to connect to the rest of our network. I am the new Network Admin who did not design this network and have only been here for about 1.5 months. I have made VLAN 7 on the 6506 and I have checked the switches in the closets to make sure it has propagated to the switches. I have assigned switchport access vlan 7 on port fa0/13 on a Cisco 3524 that is in one of the closets on the floor (my end host connects to that port). I do not have any more free Ethernet ports on the 3640 to plug into from the 6506 to route the traffic to the Pix and out to the internet. The reason the traffic is routed, I believe, is because the person who built this network laid out the network as follows. Pix inside is 128.6.0.254/16, Pix DMX 192.168.0.1/24, 3640 ethernet 0/0 (VLAN 1) 128.1.0.101, e0/1 (VLAN 2) 128.2.0.1, e1/0 (VLAN 3) 128.3.0.1, e1/1 (VLAN 6) 128.6.0.1. The question is how do I get 3 desktop machines, all on separate floors of the hospital, all internet access via VLAN 7 without being able to access any of the other VLANs, and all of them on a subnet that is not part of the rest of my network.

Any help would be greatly appreciated.

Steven Johnson Network Administrator Brooks Memorial Hospital snipped-for-privacy@brookshospital.org

Reply to
Newbie72

You could use policy-based routing (PBR) to route all traffic from VLAN 7 to your Internet interface.

See PBR examples on the Cisco CCO site.

If it is not clear then send me private email at snipped-for-privacy@rogers.com

Reply to
Merv
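
The PBR suggestion above, sketched as Cisco IOS configuration for the 3640 together with an inbound filter for the isolation requirement in the question. This is an added example, not part of the original thread. Assumptions: the VLAN 7 subnet 192.168.7.0/24, the ACL numbers, the route-map name and the `<VLAN7-INTERFACE>` placeholder are constructed for illustration, and how VLAN 7 reaches the router (the thread says there are no free Ethernet ports) is left open.

```cisco
! Added example. Constructed addressing: VLAN 7 = 192.168.7.0/24,
! gateway 192.168.7.1. Internal subnets and the Pix inside address
! (128.6.0.254) are the ones listed in the question.
!
! Inbound filter: VLAN 7 hosts may not reach any internal VLAN subnet.
access-list 107 remark VLAN 7 webmail hosts - block internal VLANs
access-list 107 deny   ip 192.168.7.0 0.0.0.255 128.1.0.0 0.0.255.255
access-list 107 deny   ip 192.168.7.0 0.0.0.255 128.2.0.0 0.0.255.255
access-list 107 deny   ip 192.168.7.0 0.0.0.255 128.3.0.0 0.0.255.255
access-list 107 deny   ip 192.168.7.0 0.0.0.255 128.6.0.0 0.0.255.255
access-list 107 permit ip 192.168.7.0 0.0.0.255 any
!
! Match list for the policy: everything sourced from VLAN 7.
access-list 117 permit ip 192.168.7.0 0.0.0.255 any
!
! Policy route: hand all matched traffic to the Pix inside interface
! instead of following the normal routing table.
route-map VLAN7-TO-PIX permit 10
 match ip address 117
 set ip next-hop 128.6.0.254
!
! Apply both on the router interface that faces VLAN 7 (placeholder).
interface <VLAN7-INTERFACE>
 description VLAN 7 - outside webmail only
 ip address 192.168.7.1 255.255.255.0
 ip access-group 107 in
 ip policy route-map VLAN7-TO-PIX
!
! Not shown: the Pix needs a return route and address translation for
! 192.168.7.0/24, and hosts in the other VLANs should be checked for
! reachability to 192.168.7.0/24 in the reverse direction.
```

`show route-map VLAN7-TO-PIX` and `show access-lists 107` report match counters, which confirm that VLAN 7 traffic is being policy-routed and that attempts to reach internal subnets are hitting the deny entries.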
