Internal and External VLAN

Unanswered Question
Apr 21st, 2009

I have a Switch that needs to be able to separate Internal and External IP traffic for Firewall/VPN.

SCENERIO: I have 2 Firewall/VPN devices and an Internet connection plugged into (what I'd like to consider) the External IP ports/VLAN of my switch. The internal ports of the Firewall/VPN devices, along with other equipment, are plugged into the internal ports/VLAN of the switch.

Basically, I have a 24 port switch that needs to have 12 ports on an Interal VLAN and 12 ports on an External VLAN. The Internal VLAN ports will be connecting to our LAN which contains many other VLAN's. What is the best configuration to separate the External from Internal ports on the switch, but still allow other VLAN traffic to flow through to the Firewall/VPN devices.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
NickNac79 Wed, 04/22/2009 - 00:33

Hi,

My security guy would be screaming "NO NO NO NO!" at me if I put this in front of him :-)

I would strongly recommend against using the same switch for outside and inside traffic, unless traffic has to pass through another external firewall first.

I would recommend instead to use either a completely separate switch for the outside, or in a pinch, create a DMZ port on your 5510, and connect your "MedTech VPN"s outside interface to that - negating the need for an outside switch altogether.

If you are dead set on using the switch in this method, then you will need to to:

a) Ensure that the switch IOS is kept up-to date.

b) Your external VLAN (e.g. 666) should be isolated on this switch - so any trunk links coming off this switch should be prevented from carrying vlan 666.

c) Switch VTP OFF so that 666 isn't even visible inside

d) obviously no Vlan Interface for 666.

Hope this helps,

Nick

zebranutz80 Wed, 04/22/2009 - 05:24

Nick,

I completely agree with you. Unfortunately, this ASA device is managed by another company for us. We were told that that using one of the ASA ports to plug in the Medtech VPN would not be possible. Were we miss-informed? I would like to use one of the ASA ports for the other VPN. It would simplify the entire design.

Actions

This Discussion