Yep, what you describe is exactly what I was envisioning, thanks! (BTW Dell also calls it tagging). Now to decide on a firewall. I called my client last night and she was already on board with my thinking: "go ahead and buy it or send me a link and I'll order it".

I love clients that trust you enough that all you need to do is explain the concept and benefits and they're ready to pull the trigger; weird telling them "uh, I'm not ready to buy anything as I need to decide on the exact product..." :-). It's also nice knowing steering them to a managed switch 3 years ago is going to pay off with this little project.

Dave

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, August 04, 2011 5:34 AM
To: NT System Admin Issues
Subject: Re: SMB firewall (was RE: VLAN N00b)

On Wed, Aug 3, 2011 at 4:42 PM, David Lum <[email protected]> wrote:
> So ideally in your opinion the firewall would effectively give
> each VLAN (each VLAN defined by 802.1Q tags) its own
> DHCP scope and thus their own IP settings, correct?

More or less. I would separate your desired access groups into separate networks. Conceptually, start with the idea that you have each group on a different physical switch, each with its own DHCP server, and its own <snip>

So upgrade the concept to a firewall that understands 802.1Q VLAN tags. Only one cable from the switch to the firewall. Each separate VLAN gets associated with that single cable, and the switch and firewall use 802.1Q VLAN tags to know which isolated network a given frame is for. Only the switch port connected to the firewall emits or expects frames with VLAN tags. (I believe Cisco calls this a "VLAN trunk port"; HP calls it "tagged"; I dunno what Dell calls it.) All the other switch ports are on a single VLAN ("untagged" in HP-speak), and just act like separate switches for the nodes which aren't aware of the other networks.

Make sense?

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
--- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
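The trunk-versus-untagged arrangement Ben describes, as an added Python model of the switch (not code from the original thread or from any vendor): one 802.1Q "tagged"/trunk port faces the firewall and carries every VLAN, the remaining ports are untagged access ports that each sit in a single VLAN, and the firewall sees one tagged frame stream over a single cable. The port names, the VLAN numbers (10 and 20), the constructed frames, and the drop policy (tagged frames arriving on an access port and untagged frames arriving on the trunk are discarded, i.e. no native VLAN) are assumptions of this model, not statements about a particular switch.

```python
"""Toy 802.1Q switch: one tagged trunk to the firewall, untagged access ports
for everything else. Added example with assumed port names/VLAN numbers."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Port:
    name: str
    mode: str                       # "access" (untagged) or "trunk" (tagged)
    access_vlan: int = 1            # VLAN an access port belongs to
    allowed_vlans: Set[int] = field(default_factory=set)  # VLANs carried on a trunk


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet frame; if `vlan` is given, insert an 802.1Q tag (PCP 0, DEI 0)."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vlan & 0x0FFF  # 12-bit VLAN ID in the low bits of the TCI
    return dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vlan-or-None, inner ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN a frame entering `port` belongs to, or None if the switch drops it.

    Access port: untagged frames land in the port's VLAN; a node that sends its
    own tag does not get to choose a VLAN (assumed policy: drop).
    Trunk port: only frames tagged with an allowed VLAN are accepted.
    """
    _, _, vlan, _, _ = parse_frame(frame)
    if port.mode == "access":
        return port.access_vlan if vlan is None else None
    if port.mode == "trunk":
        return vlan if vlan is not None and vlan in port.allowed_vlans else None
    raise ValueError(f"unknown port mode {port.mode!r}")


def egress_frame(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Re-encapsulate for `port`: tag on the trunk, strip on an access port,
    and never deliver to an access port in a different VLAN."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    if port.mode == "trunk":
        if vlan not in port.allowed_vlans:
            return None
        return build_frame(dst, src, payload, vlan=vlan, ethertype=ethertype)
    if port.access_vlan != vlan:
        return None
    return build_frame(dst, src, payload, vlan=None, ethertype=ethertype)


def forward(switch: Dict[str, Port], ingress: str, frame: bytes) -> Dict[str, bytes]:
    """Flood a frame from `ingress` to every other port carrying its VLAN.
    Returns {port name: frame exactly as that port would emit it}."""
    vlan = classify_ingress(switch[ingress], frame)
    if vlan is None:
        return {}
    out: Dict[str, bytes] = {}
    for name, port in switch.items():
        if name == ingress:
            continue
        egress = egress_frame(port, vlan, frame)
        if egress is not None:
            out[name] = egress
    return out


def demo_switch() -> Dict[str, Port]:
    """Assumed layout: "fw" is the single tagged uplink to the firewall,
    p2/p3 are untagged in VLAN 10 (staff), p4 is untagged in VLAN 20 (guest)."""
    return {
        "fw": Port("fw", "trunk", allowed_vlans={10, 20}),
        "p2": Port("p2", "access", access_vlan=10),
        "p3": Port("p3", "access", access_vlan=10),
        "p4": Port("p4", "access", access_vlan=20),
    }


if __name__ == "__main__":
    sw = demo_switch()
    # Constructed sample: a broadcast (e.g. a DHCP discover) from a staff PC on p2.
    staff = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x02", b"dhcp-discover")
    for name, f in forward(sw, "p2", staff).items():
        print(name, "vlan tag:", parse_frame(f)[2])
```

Run as a script, the staff broadcast reaches p3 untagged and the firewall tagged with VID 10, and never p4; a reply the firewall sends tagged 20 reaches only p4, with the tag stripped. On the firewall side that single cable ends up as one sub-interface per VLAN (the usual vendor naming is something like a VLAN ID under the physical port), and each of those is where the per-VLAN DHCP scope and subnet live.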
