Networking question

Bob Boklewski
Level 1

So, I have a situation and am trying to find the best solution here. I have one internet connection connecting through to our ISA570 Firewall that I need to use for failover for another network coming in. We are being supplied with two routers; one router will use a primary internet line coming in next month and then the second should fail over to our other internet connection. The company supplying the routers will not support going through our firewall and they need to make a site-to-site VPN through our internet connection as a failover. I am not even sure you could even do a static NAT to their router from our firewall for a site-to-site link; I have always assigned the IP directly to the interface. Anyway, so, we need to give them a public IP address and assign it to their router that they are using to fail over to our internet connection. Our ISP has a router with an extra interface, which they won't let us enable and use for this failover router to hook into. So, I think I am just left with putting a switch between our ISP and our firewall to be able to hook in the failover router and assign them one of our public IP addresses. I just don't know if we should just get a dumb switch or what? And how can I manage the switch if it is sitting in the public IP range? Do I have to assign the management IP a public address? Assuming so.

Any help is much appreciated.

16 Replies

Bob Boklewski
Level 1

anybody?

bump.

Danny Cooke
Level 1

If you have a Layer 3 switch available, you could use VLANs to separate the traffic and still allow management from the LAN: assign the public address to a VLAN and have the required firewall sit on an access port in that VLAN. Have I made sense?

I do only have one public subnet range. So, I can't really do VLANs on the public side of things with only one subnet, correct? I am under the assumption a Layer 2 switch will be fine: just plug the router into that and assign it one of the open public IPs, and then plug the ISA570 firewall into that switch as well and assign that another public IP in that same range. That will work, right? I understand they will be in the same default VLAN, which will be fine. Any reason why this wouldn't work? I should be able to set up telnet to a public IP if I assign it to the management interface, correct?

Elton Babcock
Level 1

You can still VLAN out the layer 2 switch. Just keep the layer 3 SVI of the switch in a VLAN that is internal to your network. Then you can have a strictly layer 2 VLAN with no IP address that is used for your public devices.

Another thing you could do, if your public range is big enough, is subnet it out so you have a range that sits fully public and a range that sits behind your firewall. When a request comes in to that range the firewall would just route it if a policy allows.

Sent from Cisco Technical Support iPhone App

So this might actually help: I did a diagram here and the stuff in red is obviously what we are needing to add. So I mocked up our network. From what you are saying I can put the SVI/management address of the switch in the same VLAN as our internal network; I put that in red in the drawing. How can you put a private address in between devices with public IPs? I would never reach it to be able to hit the management address, correct?

Note: In the drawing the router at the bottom is going to be the separate network, so there will be stuff hanging off of it, but I omitted it because it isn't needed. I just need to get that router a public IP. If I subnetted our public range, the ISP would have to make changes to their interface and add a subnetwork on their interface, correct? Just a question, as we won't do it because we have very limited IP addresses (maybe 6).

I don't see a picture attached, but I'm on my phone so maybe that is why. As for the switch: if it is a Layer 2 switch you use the same VLAN as your management or your internal subnet. You create the SVI and give it an IP address. Then you put ONE port on the switch in that VLAN and connect it to your internal subnet.

The rest of the switch should be in a separate VLAN that is in the public IP space. There isn't any IP assigned to this VLAN as that IP is most likely going to be your connection for the ISP.

If you did subnet out your range of IPs, your ISP would route anything with those addresses to your router/firewall. When your firewall gets the traffic it will look at its routing table and route it to the correct server if the policy allows. Otherwise you would be assigned a range totally separate from what your public IP is, and your ISP would route everything in that subnet to you, or you would run BGP and distribute the routes to your ISP and in turn it gets added to the Internet routing table.

Sent from Cisco Technical Support iPhone App

Okay, so I updated the diagram. Looks like you are just saying I can stick the management VLAN on this switch to the IP of my internal subnet and just trunk it to my internal switch? I have the management VLAN of my internal switches on VLAN 1; I might have to change the management VLAN given this new switch will default to VLAN 1 for ALL ports, correct? I did another diagram.

Bob,

What you drew up this time looks good. However I wouldn't trunk that connection to the internal switch. I would make both ports on that connection access ports in VLAN 1. I would also set the VTP mode of the layer 2 switch to transparent. Every other port on that switch should be in another VLAN that is used for the public IP traffic.

By default all ports will be in VLAN 1 but you will need to change all ports but your uplink to the internal network to another VLAN.

Okay, so I will have to have my ISP change the default VLAN on their equipment if I change all the other ports to a different VLAN, and I'm assuming I would need to change the native VLAN on the ISP router, switch, bottom router and my ISA570. As far as VTP, I left that at default; looks like all 3 of my internal switches are set in server mode, but from some research, it looks like that only works if you specify the VTP domain name. If I just leave VTP alone I should be okay, correct?

Your ISP won't need to change anything. If you put all of the other ports in "switchport mode access" but just in another VLAN it will work just fine. These ports are only able to see untagged traffic, which is what your ISP will be sending you. It really doesn't matter what VLAN the ports are in as long as they are in "switchport mode access".

As far as VTP, I just think it is a good practice to put it in transparent mode, especially when this switch does touch the public Internet.

Another recommendation I can give is to either completely disable CDP on the switch or at least disable CDP on all ports on the VLAN that you use for the public devices.
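One way to lay out the edge switch described in this reply, as an added example that was not posted in the thread: a Cisco IOS-style configuration with the management SVI in the internal VLAN, every public-facing port as an untagged access port in a second VLAN, VTP transparent and CDP off. The interface names, VLAN 2 as the public VLAN, and the 192.168.1.250 management address are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Hostname, interface numbers,
! VLAN 2 and the management address are all assumed values.
hostname EDGE-SW
!
! VTP transparent: the switch neither learns nor advertises VLAN
! changes, so nothing on this segment can alter its VLAN database
vtp mode transparent
!
! "Completely disable CDP" option from the reply above
no cdp run
!
vlan 2
 name PUBLIC-UNTAGGED
!
! The only IP address on the switch sits in the INTERNAL VLAN (VLAN 1
! here), so it is reachable from the LAN but not from the public side.
! 192.168.1.250 is a constructed address on the 192.168.1.0/24 LAN.
interface Vlan1
 ip address 192.168.1.250 255.255.255.0
!
! Layer 2 switch (no ip routing): default gateway for the SVI so it
! can be managed from other internal subnets, e.g. 192.168.2.0/24
ip default-gateway 192.168.1.1
!
! Single uplink to the internal switch: plain access port in VLAN 1,
! not a trunk, so only untagged internal frames pass this link
interface GigabitEthernet0/1
 description Uplink to internal switch (management only)
 switchport mode access
 switchport access vlan 1
!
! ISP router, ISA570 WAN port and the partner's failover router all
! send untagged frames. As untagged access ports in VLAN 2 they see
! each other, and the VLAN number is never visible to them.
interface range GigabitEthernet0/2 - 4
 description Public devices: ISP router / ISA570 WAN / failover router
 switchport mode access
 switchport access vlan 2
!
! Unused ports: parked in the public VLAN and shut down
interface range GigabitEthernet0/5 - 8
 switchport mode access
 switchport access vlan 2
 shutdown
```

Because no SVI exists for VLAN 2, the public devices share Layer 2 connectivity only; the switch itself has no address in the public range, which is the point of the design discussed above.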

I assume routers work off of default VLAN1, maybe I am confused here. I keep looking at a switch and if you have a port in VLAN1 and one port in VLAN2, you would need a Layer 3 device for them to communicate, correct?

You are correct that they work off of VLAN1 however there is a difference between thinking of the VLAN number and thinking of the native VLAN. By default the routers are not tagging traffic which means as long as the switch has a port in access mode it is also not tagging traffic and it doesn't care what VLAN the traffic was sent on because it wasn't tagged with a VLAN ID. Think of your ISP and your routers just as a PC that connects to the switch.

The switch will have the IP address on your internal subnet which you will be able to reach just like you would any other device in that subnet.

The two subnets don't directly need to communicate through this switch; that would be dangerous anyway. When one of your PCs needs to communicate with the public Internet they will contact your router on its LAN IP of 192.168.1.1 or 192.168.2.1 depending on their VLAN. Then the router will route the traffic to either your public IP range or somewhere out on the Internet. So your router is where the Layer 3 stuff is going on.

Also another consideration is how are you going to setup failover to the other router incase the primary fails? But first I would worry about understanding the VLANs and how things are connecting.

The bottom router actually is the failover router, there is another router connecting to it, which will have a fiber line.

So what you are saying is the ISP router coming out as VLAN 1 can communicate to the devices in VLAN 2 of the switch even though the switch has the native VLAN 1? To me, that makes me think that won't work since VLAN 2 would be tagged traffic to the router (anything other than VLAN 1 is tagged)? However, I am used to trunks; maybe because you are specifying an access port there is no tagging involved and that is how it would work?

So at the end of the day are you saying any vlan can communicate with one another over an access port because all vlans would be untagged? And if it were trunked and not an access port only the same vlans would be able to communicate unless a layer 3 device was involved?