I work for a healthcare company with 20 branches.
My question is related to the implementation of dynamic routing between the branches.
The current situation is as follows:
Our network consists of a Catalyst 4507 at our main location and 3560's at our branches. For the employee workstations we've created vlans. Every branch has its own vlan. Our servers are together in a server vlan.
At our main location, at the 4507, there are vlan interfaces in each vlan and ip routing is enabled for routing between the vlans. The branches are connected via trunks in one ring-like network.
Internet for our employees is supported by a hardware firewall which is connected with one of its interfaces to a switch interface at the 4507. This firewall interface is configured as gateway-of-last-resort with the ip route command.
To provide our patients with an internet connection we've created a company-wide vlan. This vlan doesn't have a vlan-interface at the 4507 so traffic to and from this patients-vlan cannot be routed to and from our other vlans. We have done this for security reasons.
The firewall has a 2nd interface in this vlan and at this interface dhcp is enabled and acts as the routed interface (default-gateway) for this patients vlan.
In the near future we want to implement dynamic routing between our branches with ospf. We want to get this done by setting up the trunking interfaces of the 3560's to be routing interfaces. This means that at every branch an employee vlan and a patients vlan need to be created.
What is the best way to keep the patients ip traffic separated from the other traffic? I was thinking of creating ACLs on the patients-vlan interface which deny traffic to private networks (10.x.x.x in our case) so only traffic to the internet is allowed. But is this the best way?
Is there a way to route our patients internet traffic directly to a chosen interface at the firewall?
Is there a technique to span a vlan or in other words to span the same ip subnet over multiple branches in this configuration?
thanks in advance