VLAN security question

dwesterhouse
Level 1

I want to create a couple of non-routable VLANs that will be trunked across multiple switches. These VLANs will reside on the outside of my firewall. In fact they will connect my firewall(s) to their respective ISP device(s). Is this a typical configuration across a multiple-site LAN/WAN? I know I can ACL off at layer three, but what kind of layer 2 precautions should I take?

7 Replies

Jon Marshall
Hall of Fame

Your diagram does not show vlan 98 and vlan 99 being trunked across multiple switches, unless your diagram does not show the switches?

Jon

I apologize that the diagram is not clear. Assume that the "core" switch includes all of my distribution/access switches and all vlans that traverse it are trunked.

One switch in building A has 2 ports assigned to VLAN 98, which is non-routable and exposed to my ISP.

Ditto for switch 2 in building B which may have 2 ports assigned to VLAN 99 which is also non-routable and exposed to a different ISP.

Both switches in Building A and B also provide ports to my inside network through "internal" VLANs that are fully routable across my "internal" LAN.

No apologies necessary, just wasn't sure

To be honest I'm still not. Vlans 98 and 99 seem only to exist between the ISP routers and your firewalls, i.e. they don't seem to traverse any of your main core/distro switches. Yet you say you want to trunk these vlans across multiple switches.

Don't worry, it's me that's not getting it, but can you treat me like you would a child and explain very clearly so I can understand.

Jon

OK, let's try another picture. Hopefully the formatting will hold.

ISP #1 ------- Switch A port 4   vlan 98 (non-routable)
FW #1  ------- Switch A port 5   vlan 98 (non-routable)
FW #1  ------- Switch A port 2   vlan 1  (routable)

Switch A port 25 ---- trunk (all VLANs) ---- switches incl. my core ---- trunk (all VLANs) ---- Switch B port 25

Switch B port 8   vlan 2  (routable)     ---- FW #2
Switch B port 11  vlan 99 (non-routable) ---- FW #2
Switch B port 13  vlan 99 (non-routable) ---- ISP #2

Not sure the formatting did hold, but I think I get the picture, and still vlans 98 & 99 only exist between the ISP routers and the firewalls, i.e. they do not extend across your core.

So maybe I am not understanding the question rather than the layout. Is the question directly related to vlans 98 and 99, or have I missed the point?

Jon

Basically I want to take ports from my switch and create a VLAN that is not accessible from the other VLANs nor from layer 2 traffic from the other ports. I only need the devices to communicate with each other. I basically want to create a 2 or 3 port layer 2 switch for the outside interface of my firewall and the ISP router. I want to know if this has any pitfalls with respect to someone being able to compromise my switch from the outside, since I am exposing the ports to my ISP equipment. I don't think they could because the VLAN is non-routable. On another note, I may want to add another port on a different switch that may be across a trunked connection and still have the devices able to communicate within the VLAN. I believe that is possible, but not sure.

I actually have two ISP connections so that is why I was showing VLAN 99. I guess it is not really necessary to the above two questions.

Right, I think I'm getting there.

In terms of separation you are right, it would be relatively safe because vlan 99 would only be routed on the ISP router inside and the outside of your firewall. But, and it is a big but, as you say you are exposing the switch to the ISP, or more specifically the internet.

So there are 2 main issues with this -

1) Misconfiguration or bugs on the switch could mean the vlan could be used to hop past the firewall. Don't use vlan 1, which you aren't. Personally I wouldn't worry about this too much and it wouldn't stop me implementing it.

2) The more serious issue is that because the switch is exposed to the internet, a denial of service, for example, would have to go through this switch to the firewall outside interface. In theory your switch could be overloaded, and this would not just affect vlan 99 but also any other vlans on the switch. This could well take down some of your internal LAN with it.

Personally I don't feel comfortable collapsing the outside and inside of the firewall onto the same chassis. The inside and DMZs, yes, that's fine, because you still have to go through the firewall to get to the switch, but with the setup you are proposing your LAN, or part of your LAN, is exposed to the internet.

Jon
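As an added example (not part of this thread, and not the poster's or Cisco's own configuration), here is how the layer 2 precautions discussed above could be applied to Switch A from the diagram, written in Cisco IOS syntax. The interface names, the unused native VLAN 999 and the storm-control thresholds are assumptions; the original post only gives port numbers. The first part is the minimal configuration as drawn, with IOS defaults for everything else; the second pins the ISP-facing and firewall-outside ports to a fixed access mode so DTP can never negotiate a trunk, keeps VLAN 98 off the core trunk unless it is deliberately added back, moves the trunk's native VLAN off VLAN 1, and rate-limits floods on the port facing the ISP. It only partly addresses Jon's second point: storm control bounds broadcast and multicast floods through the shared chassis, but not unicast traffic aimed at the firewall's outside interface.

```cisco
! ===== Weak: Switch A as drawn, everything else at IOS defaults =====
! Ports 4 and 5 are left in DTP "dynamic auto", so a neighbour that sends
! DTP can turn them into trunks; the trunk to the core carries every VLAN
! (including 98) with native VLAN 1.
vlan 98
 name ISP1-OUTSIDE
!
interface GigabitEthernet0/4
 switchport access vlan 98
!
interface GigabitEthernet0/5
 switchport access vlan 98
!
interface GigabitEthernet0/25
 switchport mode trunk

! ===== Hardened: same ports, layer 2 isolation made explicit =====
! VLAN 98 deliberately has no "interface Vlan98": with no SVI the switch
! never routes it, which is what "non-routable" means here.
vlan 98
 name ISP1-OUTSIDE
!
! Assumption: VLAN 999 is otherwise unused and exists only to be the
! trunk's native VLAN, so untagged frames never land in a real VLAN.
vlan 999
 name UNUSED-NATIVE
!
! Port facing the ISP router: the untrusted side.
interface GigabitEthernet0/4
 description ISP1 router (untrusted)
 ! fixed access port; never negotiates a trunk
 switchport mode access
 switchport access vlan 98
 ! send no DTP frames at all
 switchport nonegotiate
 ! err-disable the port if the ISP side ever injects STP BPDUs
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! assumption: flood thresholds as percent of link bandwidth
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 ! do not advertise this switch to the ISP device
 no cdp enable
 no lldp transmit
 no lldp receive
!
! Port facing the firewall's outside interface: same access-port treatment.
interface GigabitEthernet0/5
 description FW1 outside
 switchport mode access
 switchport access vlan 98
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to the core. On older platforms (e.g. 3560/3750) add
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
interface GigabitEthernet0/25
 description trunk to core
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ! outside VLANs stay local to this switch...
 switchport trunk allowed vlan remove 98,99
 ! ...unless VLAN 98 must reach a port on Switch B, in which case add it
 ! back explicitly rather than carrying "all VLANs":
 ! switchport trunk allowed vlan add 98
```

If VLAN 98 is extended across the trunk, the same `allowed vlan` pruning has to be repeated on every trunk along the path and on Switch B's own ports, otherwise the VLAN reappears on every switch that carries "all VLANs".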
