On Wed, Aug 3, 2011 at 4:42 PM, David Lum <[email protected]> wrote:
> So ideally in your opinion the firewall would effectively give
> each VLAN (each VLAN defined by 802.1Q tags) its own
> DHCP scope and thus their own IP settings, correct?

  More or less.

  I would separate your desired access groups into separate networks.

  Conceptually, start with the idea that you have each group on a
different physical switch, each with its own DHCP server, and its own
DHCP scope and subnet.  No connections between them.  Each of those
physically separate networks gets plugged into a different firewall.
Conceptually simple because no two networks share the same hardware.
Expensive and bulky, though.

  Now upgrade the concept to a firewall with multiple physical ports.
You only need one firewall.  Each physically separate switch plugs
into a different port on the firewall.  The firewall has a different
IP address on each port.  Firewall is smart enough to do access
control for each network separately.  So now you've still got multiple
switches, but a single firewall.

  Now upgrade the concept to a single switch that does VLANs.  You
configure each switch port on an appropriate VLAN.  No VLAN tags on
any frames on the wire; it's all internal to the switch.  No
connectivity between VLANs.  Same as above, just with one physical
switch rather than several.  Each isolated network gets a separate
cable to the firewall -- so you use multiple switch ports to connect
to the firewall.  Seems silly to have several cables running from the
same switch to the same firewall.

  So upgrade the concept to a firewall that understands 802.1Q VLAN
tags.  Only one cable from the switch to the firewall.  Each separate
VLAN gets associated with that single cable, and the switch and
firewall use 802.1Q VLAN tags to know which isolated network a given
frame is for.

  Only the switch port connected to the firewall emits or expects
frames with VLAN tags.  (I believe Cisco calls this a "VLAN trunk
port"; HP calls it "tagged"; I dunno what Dell calls it.)  All the
other switch ports are on a single VLAN ("untagged" in HP-speak), and
just act like separate switches for the nodes which aren't aware of
the other networks.

  Make sense?

-- Ben
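The last two paragraphs describe the mechanics of a trunk: the one switch port facing the firewall carries frames with an 802.1Q tag, and the firewall reads the tag to learn which isolated network a frame belongs to. The script below is an added example and not code from the list or from Ben; it builds a few constructed Ethernet frames (made-up MACs, VLAN IDs 10/20/30 and a hypothetical per-VLAN table that stands in for the firewall's "one IP address per network"), parses the 802.1Q tag out of them, and shows how a firewall-side classifier assigns each frame to a network, drops untagged frames unless a native VLAN is configured, and drops unknown VIDs instead of guessing.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800
VID_RESERVED = 4095      # 0xFFF is reserved by 802.1Q and must not be used


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> the 6 raw bytes that go on the wire."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given.

    Tag layout: TPID (0x8100) followed by TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    header = mac(dst) + mac(src)
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Parse an Ethernet II frame and report its VLAN tag, if any.

    Untagged frames return vlan=None; tagged frames return the VID and PCP and
    the *inner* EtherType that follows the tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before TCI/EtherType")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        vlan = tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify_frame(frame, vlan_table, native_vlan=None):
    """Firewall-side view of the trunk: which isolated network is this frame for?

    vlan_table maps VID -> network name (the equivalent of one firewall port per
    network in the multi-cable design). Returns (network_or_None, reason).
    Untagged and VID-0 (priority-only) frames go to native_vlan when one is
    configured and are dropped otherwise; unknown or reserved VIDs are dropped
    rather than mapped to anything by accident.
    """
    info = parse_frame(frame)
    vid = info["vlan"]
    if vid is None or vid == 0:
        if native_vlan is None:
            return None, "drop: untagged frame on trunk with no native VLAN"
        vid = native_vlan
    if vid == VID_RESERVED:
        return None, "drop: reserved VID 4095"
    network = vlan_table.get(vid)
    if network is None:
        return None, f"drop: VID {vid} not configured on this trunk"
    return network, f"vid {vid}"


# Constructed sample data: hypothetical per-VLAN table and a handful of frames.
VLAN_TABLE = {10: "staff", 20: "guest", 30: "servers"}
_IPV4_STUB = b"\x45" + b"\x00" * 19          # placeholder IPv4 header, constructed
SAMPLE_FRAMES = {
    "staff":    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, _IPV4_STUB, vlan=10, pcp=3),
    "guest":    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:cc", ETHERTYPE_IPV4, _IPV4_STUB, vlan=20),
    "untagged": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:dd", ETHERTYPE_IPV4, _IPV4_STUB),
    "unknown":  build_frame("00:11:22:33:44:55", "66:77:88:99:aa:ee", ETHERTYPE_IPV4, _IPV4_STUB, vlan=99),
}


def demo(native_vlan=None):
    """Classify every sample frame; returns {name: (network, reason)}."""
    return {name: classify_frame(f, VLAN_TABLE, native_vlan)
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (net, why) in demo().items():
        print(f"{name:9s} -> {net or '-':8s} ({why})")
```

The parse step is the same one a firewall does on its trunk interface; the point of `classify_frame` is the two refusal cases. An untagged frame on a trunk only means something if the firewall has been told which network "no tag" stands for, and a VID that is not in the table should never be silently merged into another network, because the whole design rests on the tag being the only thing that separates the groups.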
