05-16-2008 04:25 AM - edited 03-05-2019 11:02 PM
Hi. A customer has 2 physically separate networks, let's call them Network A and Network Z.
Now. Network A would like to be able to access some info on Network Z, but we don't want Network Z to see anything on Network A.
Network A -----> Network Z
Now, as they're physically separate networks, which would be best to allow connectivity from A to Z, a router or a firewall?
Now I could also throw away the switch on Network Z for example, and just use VLANs and run the network from Network A's switch, eliminating the need for multiple switches. Would a router on a stick be suitable for use with such a setup?
05-16-2008 04:51 AM
A firewall, because of the need for security and access control. Not that a router (with firewall feature set especially) couldn't do it, a firewall could just do it better - and by default.
05-16-2008 06:28 AM
Yes, that's what I'm leaning towards.
OK, well if I was to use one network and implement 2 VLANs, VLAN A and VLAN B carrying their original traffic, do you think a router would do the job? As a PIX would have a bit of a time trying to deal with VLANs, I'd imagine?
05-16-2008 06:32 AM
Not sure what you mean by one network 2 VLANs. PIX firewalls can do 802.1q routing on a stick just as routers can - at least PIX 515E and above. But if you separate the VLANs with the PIX, i.e. VLAN A on one interface of the PIX and VLAN B on another interface, then the PIX doesn't need to understand VLAN IDs at all.
Jon
05-16-2008 06:37 AM
Sorry, I should have been more clear:
As they have 2 physically separate networks at the moment with separate switches and the like, I was thinking of doing away with one of the physical networks and making 2 VLANs to run over one set of infrastructure (saving on cost of new switches mainly).
05-16-2008 06:42 AM
This still doesn't mean your PIX has to understand VLAN IDs. If you had just one switch you would create 2 VLANs on it and then just attach one of the PIX interfaces to one of the VLANs and the other to the other VLAN. This is not routing on a stick, just using the same physical switch for both VLANs.
If you only wanted to use one of the PIX interfaces to separate both VLANs then yes, you would need 802.1q on that connection, and the PIX 515E and above + ASAs can do that.
Jon
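The single-interface 802.1q option described in the reply above, sketched as an added example that is not part of the original thread or anyone's production config. It assumes PIX/ASA 7.x-or-later syntax and a Catalyst IOS switch; the interface numbers, VLAN IDs 10 and 20, the names netA/netZ/netA_in, and all addresses are constructed placeholders.

```cisco
! ---- Firewall (PIX 515E or ASA, 7.x-or-later syntax; all values constructed) ----
! The physical interface only carries the trunk, so it gets no name or address.
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Network A: higher security level, may initiate connections towards Z.
interface Ethernet1.10
 vlan 10
 nameif netA
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Network Z: lower security level, cannot initiate connections towards A.
interface Ethernet1.20
 vlan 20
 nameif netZ
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! With no ACL applied, the security levels alone give the one-way behaviour:
! TCP/UDP sessions opened from netA to netZ are permitted and their return
! traffic is allowed statefully; sessions opened from netZ to netA are dropped.
! (Assumes NAT control is not enabled, so no NAT rules are needed.)
!
! Optional tightening: let A reach only one service on Z (placeholder host/port).
! Applying this ACL adds an implicit deny for all other traffic entering netA.
access-list netA_in extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.50 eq 443
access-group netA_in in interface netA

! ---- Switch port facing the firewall (Catalyst IOS; port number constructed) ----
! Omit the encapsulation line on switches that only support 802.1q.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

For the two-physical-interface option, the same `nameif`, `security-level` and `ip address` lines go directly on two physical interfaces, the `vlan` lines disappear, and each switch port is a plain access port in its own VLAN.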
05-16-2008 06:56 AM
Makes perfect sense, thanks mate!