-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scheidel, Greg (Contractor)
Sent: Thursday, December 20, 2001 4:57 PM
To: 'Adam Hudson'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Aaron Shilts (Aaron Shilts)
Subject: RE: An obvious mystery to me... VLAN trunking on firewall

NICs that support trunking (802.1q and ISL) are on the market for Intel platforms; I don't know about Solaris. Check out 3Com's 3C980B-TX.
Greg S.
-----Original Message-----
From: Adam Hudson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 12:56 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Aaron Shilts (Aaron Shilts)
Subject: An obvious mystery to me... VLAN trunking on firewall

I am in search of an effective method of trunking (802.1q or ISL) traffic from a firewall to a Cisco 6509 platform (or any switch for that matter). It would be highly desirable to have a firewall (preferably CheckPoint/Nokia) in place that could interface to the switch on one or more links and perform VLAN communication (gig or copper). This would allow me to create many virtual segments for the firewall to deal with, without consuming large quantities of physical interfaces and expenses.
Perhaps the industry already has a solution available that I just have not heard of or come across yet? Is there any good hardware around that will perform this need?
I have several clients that would benefit from this functionality nicely, since they run many different private WAN connections and have the need to isolate them with switch port level security, layer-3 and firewall evaluation before entering the main sections of the network.
Obviously, this could be done with elaborate access lists and firewall IOS features in the MSFC cards, but having the control in Firewall-1 would be a lot easier on administration.
Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778
I have done this several times.

If you are running an NT based firewall, the Intel VLAN trunking drivers and Intel based NICs (82559/i960 and GigE) worked quite well for me with 6509's. I don't know about the Nokia...

Keep in mind, many purists will argue that simple VLAN tagging is insufficient to act as a security measure, and would advise you against doing this. However, it does let you do some very fine grained control of traffic.

Instead of having a "DMZ", you can have each bastion on its own virtual leg off the firewall. Instead of a 3 legged firewall, you can have a many legged firewall.
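To make concrete what the thread is discussing, the following is an added example (not code from any poster, vendor or product named above): it builds and parses 802.1Q-tagged Ethernet frames as they arrive on a trunk port, and shows how a "many legged" firewall would map the 12-bit VLAN ID in each tag to a per-VLAN virtual interface, while refusing untagged frames, VLAN IDs the trunk is not meant to carry, and frames carrying stacked (Q-in-Q) tags. The `eth0.<vid>` sub-interface naming is the Linux 8021q convention and is assumed here purely for illustration; the sample frames are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Set

# Tag Protocol Identifiers that introduce a 4-byte VLAN tag after the MAC addresses.
TPID_8021Q = 0x8100    # customer tag (the "802.1q" tag the thread refers to)
TPID_8021AD = 0x88A8   # service/provider tag used for stacked (Q-in-Q) frames

ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst: str            # destination MAC, colon-separated
    src: str            # source MAC
    vlans: List[int]    # VLAN IDs, outermost first; empty for untagged frames
    ethertype: int      # EtherType of the encapsulated payload
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_tagged_frame(dst: bytes, src: bytes, vlans: List[int],
                       ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame carrying zero or more 802.1Q tags (outermost first).
    PCP/DEI bits of each TCI are left at zero; only the 12-bit VID is set."""
    hdr = dst + src
    for vid in vlans:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VID out of range: {vid}")
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the header, consuming every stacked VLAN tag until a real EtherType is found."""
    if len(frame) < 14:
        raise ValueError("frame shorter than minimum Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    vlans: List[int] = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame: EtherType missing")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 4:
            raise ValueError("truncated frame: VLAN tag missing TCI")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        off += 4
    return ParsedFrame(_mac(dst), _mac(src), vlans, etype, frame[off + 2:])


def firewall_leg(frame: bytes, allowed_vids: Set[int], parent_if: str = "eth0") -> str:
    """Decide which virtual firewall leg (assumed Linux-style 'eth0.<vid>' name) a frame
    arriving on the trunk belongs to. Each leg is its own security zone, so frames with
    no tag, with a VID the trunk does not carry, or with stacked tags are rejected
    rather than guessed at."""
    f = parse_frame(frame)
    if len(f.vlans) == 0:
        raise ValueError("untagged frame on trunk: no leg assigned")
    if len(f.vlans) > 1:
        raise ValueError(f"stacked tags {f.vlans}: refusing to strip inner tag")
    vid = f.vlans[0]
    if vid not in allowed_vids:
        raise ValueError(f"VID {vid} not allowed on this trunk")
    return f"{parent_if}.{vid}"


# Constructed sample frames (not captured traffic): IPv4 EtherType with a dummy payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, [10], ETHERTYPE_IPV4, PAYLOAD)
SAMPLE_UNTAGGED = build_tagged_frame(DST, SRC, [], ETHERTYPE_IPV4, PAYLOAD)
SAMPLE_STACKED = build_tagged_frame(DST, SRC, [100, 10], ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    for name, fr in [("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED),
                     ("stacked", SAMPLE_STACKED)]:
        p = parse_frame(fr)
        try:
            leg = firewall_leg(fr, {10, 20, 30})
        except ValueError as e:
            leg = f"dropped ({e})"
        print(f"{name:9s} vlans={p.vlans} ethertype=0x{p.ethertype:04x} -> {leg}")
```

The rejection of stacked tags is the practical counterpart of the "purists" caveat above: a firewall whose zones are defined only by the outer tag should treat anything that does not look like a plain single-tagged frame on an expected VLAN as a policy error, and log it rather than silently forward it.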
