

I need to provide a solution as follows.

ISP link----->Rtr------>Firewall(Natting)------>Switch (for some 25-30 subnets).

I would like to know what type of switch I should use (L2/L3)?

I don't know how to route the traffic from the switch to the internal NATted interface of my firewall (say

How should I configure my VLANs (I would like to know about some documentation on the same)?



royalblues Mon, 12/24/2007 - 04:10

I think a 2960 48-port L2 switch would satisfy your needs.

I am assuming all your users would be in one subnet and will be configured with the default gateway of the FW. There is no need to configure VLANs in this case, and all the users can be placed in one VLAN (either the default or one you define).

For management you can define an IP on the switch. The switch does not require any other configuration to route the traffic to the firewall.

If you are planning to segregate your users into different subnets then you would require an L3 switch.


xcz504d1114 Tue, 12/25/2007 - 15:12

Typically I see a

ISP link ------ RTR ----- Firewall ----- RTR --- Switch

You set up sub-interfaces on the internal router to accommodate your VLANs.

Like the previous post stated, if you have no layer 3 device internally, then you will use one big VLAN. Internally on the switch you would want to choose something capable of handling your L3 traffic if you choose an L3 device.

Depending on your traffic needs you might choose a 4500 or 6500 series switch, or even a 3750. It all depends on your traffic, network design and ISP bandwidth.

Unfortunately I don't have a simple answer for you; there are a lot of variables.

The simplest answer is just to get an internal router and run router-on-a-stick. They aren't always the best solution, but generically, it's the easiest answer.

Thanks for your reply guys.

To be very precise, I have to go with VLANs.

It's a business centre environment with many different customers, where one customer opts for 4-6 connections for their people (only browsing). The same goes for the other customers.

I have to cater for some 120 people, meaning 120/6, some 20 different customers (say 6 people from Cisco, another 4-8 from Microsoft, and so on).

My priority is to provide Internet access to them, and I want to secure it internally so that CustomerA can't communicate with CustomerB internally.

There is only one link terminating in my premises.

Do I need to use a router after my firewall?

How will I stop internal access among different customers?

Hope my question is clear to you.



yassine-m Wed, 12/26/2007 - 02:17

I suggest an L2/L3 switch where the VLANs will be implemented. The users will have their gateways from the VLAN IP addresses.

Hope that will help you.


So how will the different VLANs be able to go to the Internet gateway?

Say my NATted IP on the firewall is

Vlan10 has IP and say for Vlan20.

Internal desktop clients from their respective VLANs will be able to hit their defined gateway( how will this go to the Internet gateway, i.e. for all the different VLANs to access the Internet?



Mark Luther Fri, 12/28/2007 - 20:47

If you're going to try to limit traffic between subnets, you might want to consider placing an ACL on your L3 device. Assuming you'll have a common DHCP and DNS server that you'll want to allow ALL VLANs to, you can apply an ACL like the following:

Extended IP access list 101
permit udp host eq bootpc host eq bootps
permit udp host eq domain
deny ip
deny ip
deny ip
permit ip any any


This will allow DHCP and DNS traffic to your specified IP-Helper-Address and your DNS server. All other traffic will be allowed to non-private subnets.

Hope that helps!
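
An added example (not from anyone in this thread) putting the L3-switch design and the ACL idea above into one configuration: customer VLANs with SVIs as gateways, a default route to the firewall's inside address, DHCP relay to a shared server, and the isolation ACL applied inbound on every customer SVI. All VLAN numbers, names and addresses are constructed placeholders.

```cisco
! Added example, not from the thread: L3 switch config that answers the
! "how do the VLANs reach the firewall" and "how do I stop CustomerA
! talking to CustomerB" questions. All addresses are constructed:
!   VLAN 99 transit to firewall inside interface 192.0.2.1/24
!   VLAN 30 shared DHCP/DNS server 10.0.30.10
ip routing
!
vlan 10
 name CustomerA
vlan 20
 name CustomerB
vlan 30
 name SharedServers
vlan 99
 name FirewallTransit
!
! Everything not on a local VLAN goes to the firewall's inside (NAT) address
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
ip access-list extended CUSTOMER-ISOLATION
 remark DHCP clients have no address yet, so match any source
 permit udp any eq bootpc any eq bootps
 remark DNS only to the shared server
 permit udp any host 10.0.30.10 eq domain
 remark block every other private destination, i.e. all other customer VLANs
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark what is left is Internet traffic, forwarded to the firewall
 permit ip any any
!
! Same ACL inbound on every customer SVI; the helper relays DHCP to the server
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.30.10
 ip access-group CUSTOMER-ISOLATION in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.30.10
 ip access-group CUSTOMER-ISOLATION in
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan99
 ip address 192.0.2.2 255.255.255.0
```

The firewall still needs routes for 10.0.10.0/24 and 10.0.20.0/24 pointing back at 192.0.2.2 (and those subnets in its NAT rule), otherwise return traffic from the Internet is dropped. Because the ACL is evaluated only where it is applied, any customer SVI added later without it is not isolated.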

