We have a resident student network, which coexists with the rest of the campus network. I want to keep the students behind the firewall (less likely that machines get comprimised) but I also want to keep them isolated from the rest of the internal fac/staff network (like in the DMZ off the PIX).
We have Cat6500s on the core (w/router on a stick), 6500s on distrobution layers, and Cat3500XLs at the access layer. We are currently using dynamic vlan assignments. Can I take the 6 Resnet VLANs and somehow route them through the DMZ on the PIX (without having to change the physical design of the network or pull additional links out of these buildings). Or can I use access lists to prevent the Resnet from accessing the fac/staff vlans (I would prefer to run it through the PIX because I would have a more granular control - I want restrict the residents access to particular internal servers over particular ports).
Considering the implementation of dynamic vlans, what is the easiest way to put our resnet a) behind the firewall and b) isolated from the rest of the internal campus network