12-24-2007 03:42 AM - edited 03-05-2019 08:08 PM
Hi,
I need to provide a solution as follows.
ISP link----->Rtr------>Firewall (NATting)------>Switch (for some 25-30 subnets).
Would like to know what type of switch I should use (L2/L3)?
I don't know how to route the traffic from the switch to the internal NATted interface of my firewall (say 192.168.0.1)?
How should I configure my VLANs (would like to know about some document on the same)?
Reg,
Sushil
12-24-2007 04:10 AM
I think a 2960-48 port L2 switch would satisfy your needs.
I am assuming all your users would be in one subnet and will be configured with the default gateway of the FW. There is no need to configure VLANs in this case and all the users can be placed in one VLAN (either default or the one you define).
For management you can define an IP on the switch. The switch does not require any other configuration to route the traffic to the firewall.
If you are planning to segregate your users into different subnets then you would require an L3 switch.
Narayan
12-25-2007 03:12 PM
Typically I see a
ISP link ------ RTR ----- Firewall ----- RTR --- Switch
You set up subinterfaces on the internal router to accommodate your VLANs.
Like the previous post stated, if you have no layer 3 device internally, then you will use one big VLAN. Internally on the switch you would want to choose something capable of handling your L3 traffic if you choose a L3 device.
Depending on your traffic needs you might choose a 4500 or 6500 series switch, or even a 3750. It all depends on your traffic, network design and ISP bandwidth.
Unfortunately I don't have a simple answer for you, there are a lot of variables.
The simplest answer is just to get an internal router and run a router on a stick; they aren't always the best solution, but generically, it's the easiest answer.
12-25-2007 09:25 PM
Thanks for your reply guys.
To be very precise, I have to go with VLANs.
It's a business centre environment with many different customers, where one customer opts for 4-6 connections for their people (only browsing). The same goes for the other customers.
I have to cater to some 120 people, meaning 120/6, some 20 different customers (say 6 people from Cisco, another 4-8 from Microsoft, and so on).
My priority is to provide internet access to them and I want to secure it internally so that customer A can't communicate with customer B internally.
There is only one link terminating in my premise only.
Do I need to use router after my Firewall?
How will I Stop internal access among different customers?
Hope my question is clear to you.
Reg,
Sushil
12-26-2007 02:17 AM
I suggest a L2/L3 switch where the VLANs will be implemented. The users will have their gateways from the VLAN IP addresses.
Hope that will help you.
Br
12-27-2007 02:20 AM
So how will the different VLANs be able to reach the internet gateway?
Say my NATted IP on the firewall is 192.168.1.1.
VLAN 10 has IP 192.168.2.1 and, say, 192.168.3.1 for VLAN 20.
Internal desktop clients from each VLAN will be able to hit their defined gateway (192.168.2.1), but how will this go to the internet gateway, i.e. 192.168.1.1, for all the different VLANs to access the internet?
Reg,
Sushil
12-28-2007 08:47 PM
If you're going to try to limit traffic between subnets, you might want to consider placing an ACL on your L3 device. Assuming you'll have a common DHCP and DNS server that you'll want to allow ALL VLANs to, you can apply an ACL like the following:
Extended IP access list 101
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp 192.168.0.0 0.0.0.255 host
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
This will allow DHCP and DNS traffic to your specified IP-Helper-Address and your DNS server. All other traffic will be allowed to non-private subnets.
Hope that helps!
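As an added example (not from any of the posts above), a constructed Cisco IOS configuration for the L3 switch in this design: one SVI per customer VLAN acting as that customer's gateway, the ACL idea from the last reply written so its deny lines cover every customer VLAN, and a default route to the firewall's inside address 192.168.1.1. The DHCP/DNS server address 192.168.1.10, the switch uplink address 192.168.1.2 and the interface names are assumptions.

```cisco
! Constructed example (not from this thread): Cisco IOS L3 switch, e.g. a 3750.
! Assumed: firewall inside address 192.168.1.1, switch uplink 192.168.1.2,
! shared DHCP/DNS server 192.168.1.10, interface names as on a 3750.
ip routing
!
! Routed uplink toward the firewall's inside (NATted) interface
interface GigabitEthernet1/0/1
 description Uplink to firewall inside 192.168.1.1
 no switchport
 ip address 192.168.1.2 255.255.255.0
!
! One SVI per customer; the SVI address is that customer's default gateway
interface Vlan10
 description Customer A
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.1.10
 ip access-group CUSTOMER-ISOLATION in
!
interface Vlan20
 description Customer B
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.1.10
 ip access-group CUSTOMER-ISOLATION in
!
! Same ACL applied inbound on every customer SVI. Source is "any" so the
! deny lines match whichever VLAN the packet arrives on; DHCP and DNS to the
! shared server are allowed, every other private range (i.e. all other
! customer VLANs and the firewall segment) is denied, the internet is allowed.
ip access-list extended CUSTOMER-ISOLATION
 remark DHCP: client broadcast (0.0.0.0 -> 255.255.255.255) and unicast renewals
 permit udp any eq bootpc any eq bootps
 remark DNS to the shared server only
 permit udp any host 192.168.1.10 eq domain
 permit tcp any host 192.168.1.10 eq domain
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Anything not denied above leaves via the firewall, which NATs it to the ISP
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

The firewall also needs return routes for 192.168.2.0/24 and 192.168.3.0/24 via 192.168.1.2, and its NAT rule must include those source networks, or replies to the customer VLANs never leave the firewall.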