2 separate networks - router or pix?

May 16th, 2008

Hi. A customer has 2 physically separate networks, let's call them Network A and Network Z.

Now. Network A would like to be able to access some info on Network Z, but we don't want Network Z to see anything on Network A.

Network A -----> Network Z

Now, as they're physically separate networks, which would be best to allow connectivity from A to Z, a router or a firewall?

Now I could also throw away the switch on Network Z for example, and just use VLANs and run the network from Network A's switch, eliminating the need for multiple switches. Would a router on a stick be suitable for use with such a setup?

srue Fri, 05/16/2008 - 04:51

A firewall, because of the need for security and access control. Not that a router (with firewall feature set especially) couldn't do it, a firewall could just do it better - and by default.

davieshuw Fri, 05/16/2008 - 06:28

Yes, that's what I'm leaning towards.

Ok, well if I was to use one network and implement 2 VLANs, VLAN A and VLAN B carrying their original traffic, do you think a router would do the job? As a Pix would have a bit of a time trying to deal with VLANs, I'd imagine?

Jon Marshall Fri, 05/16/2008 - 06:32

Not sure what you mean by one network, 2 vlans. Pix firewalls can do 802.1q routing on a stick just as routers can - at least pix 515E and above. But if you separate the vlans with the pix, i.e. vlan A on one interface of the pix and vlan B on another interface, then the pix doesn't need to understand vlan IDs at all.


davieshuw Fri, 05/16/2008 - 06:37

Sorry I should have been more clear:

As they have 2 physically separate networks at the moment with separate switches and the like, I was thinking of doing away with one of the physical networks and making 2 VLANs to run over one set of infrastructure (saving on the cost of new switches mainly).

Jon Marshall Fri, 05/16/2008 - 06:42

This still doesn't mean your pix has to understand vlan IDs. If you had just one switch you would create 2 vlans on it and then just attach one of the pix interfaces to one of the vlans and the other to the other vlan. This is not routing on a stick, just using the same physical switch for both vlans.

If you only wanted to use one of the pix interfaces to separate both vlans then yes, you would need 802.1q on that connection, and the Pix 515E and above + ASAs can do that.
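Putting the two answers together (srue's point that a firewall gives the one-way access by default, and Jon's point that one 802.1q trunk port on a PIX 515E or ASA can carry both VLANs), here is an added example configuration, not from this thread, in PIX 7.x/ASA syntax; the interface names, VLAN numbers, addresses and the single server on Z are assumptions.

```cisco
! Assumed: VLAN 10 = Network A, VLAN 20 = Network Z, both trunked (802.1q)
! to one firewall port. All addresses below are made up for the example.
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif netA
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif netZ
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! With no access-lists applied, the security levels alone give the asymmetry
! the question asks for: netA (100) may start sessions to netZ (50) and the
! stateful inspection lets only the replies back; netZ (50) cannot start
! anything towards netA (100).
!
! Narrow "some info on Network Z" down to one server and one service, so a
! host on A that misbehaves cannot reach the rest of Z either.
access-list NETA_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.10 eq 80
access-list NETA_IN extended deny ip any any log
access-group NETA_IN in interface netA
!
! Explicit deny from Z towards A (with logging), so that the "Z sees nothing
! on A" requirement no longer rests on security levels alone and any attempt
! shows up in the logs. The implicit deny at the end blocks the rest.
access-list NETZ_IN extended deny ip any 192.168.10.0 255.255.255.0 log
access-group NETZ_IN in interface netZ
```

If the two VLANs are instead attached to two physical firewall ports, as in Jon's first layout, the subinterface and `vlan` lines go away and the `nameif`, `security-level` and `ip address` lines move onto the physical interfaces; the access-lists stay the same.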
