Multi-VLAN routing on RSM

dmcushing
Level 1

I have a Catalyst 5500 with an RSM with a specific routing need.

VLAN 200 - Our ISP provider (Y.Y.Y.Y)

VLAN 202 - External Network (X.X.X.X)

VLAN 201 - Internal Network (10.0.0.0)

VLANs 10-15 - Various other Internal Networks (192.168.X.X)

Between our external and internal networks is a PC-based Firewall whose internal NIC is set for 10.0.0.2, external NIC is X.X.X.226.

RSM is set up with all VLANs (internal/external/ISP) - default (0.0.0.0) gateway is set to our ISP (Y.Y.Y.Y)

What I need to do is point all my internal addresses to a default gateway of 10.0.0.2 (our Firewall Internal Interface) and our External Addressing to come in via our Firewall (X.X.X.226) with no bleed-over. Our Firewall handles all the NAT etc.

I thought this would be fairly simple to set up on the RSM - but I can't seem to figure it out - an example would be really helpful!

Thanks in advance for any help.

3 Replies

MickPhelps
Level 1

If what I'm reading is correct, I would say that the larger issue is security.

I read that you have one 5500 with several VLANs. Two of the VLANs (200 & 202) that connect to the 5500 are outside the firewall. The firewall is between two ports on the same 5500, each in a different VLAN.

The problem is that your 5500 is not protected and if it is compromised, your entire internal network is at risk.

I would suggest that the firewall be physically set between your ISP CPE device and your 5500. Also, that your DMZ (VLAN 202) be on a physically separate switch than your 5500 and connected through your firewall as a DMZ network.

Does this sound correct?

Mick.

Yes, that is correct, although our exterior feed is via ATM on our 5500 (we also have a WAN link to a remote campus via PVC over the same ATM blade) - the 5500 and RSM have a foot in both worlds. I realize that this is a less than secure setting, but with educational budgets being what they are, I have to try to make the best of this situation (security-wise).

What I am trying to do is to prevent traffic from flowing inside to the outside without going through the Firewall and vice versa.

You should think of the 5500 as two switches. An external switch (VLAN 202) supporting the ISP, the exterior interface of the firewall and the RSM router. These devices should be on the y.y.y.y address range. Use a secondary if 216.223.88.x is a requirement. The interior switch (VLAN 201) supports the interior interface of the firewall and the RSM router. Setting the default route to 10.0.0.2 will force all VLAN 10, 11 and 12 Internet traffic through the firewall.
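A concrete RSM configuration for the "two switches" model above, as an added example that is not taken from this thread: the first fragment mirrors the setup in the question, where the RSM has an interface on both sides of the firewall and can therefore route internal to external without the firewall ever seeing the packet; the second keeps the RSM on the inside only and sends everything it does not know to 10.0.0.2. It assumes placeholder addresses in the thread's X.X.X.X / Y.Y.Y.Y notation, that the RSM holds .1 in each internal subnet, and that the firewall's external NIC reaches the ISP router without an RSM hop.

```cisco
! --- Weak (as described in the question): one routing table with a foot on
! --- both sides of the firewall. Any host in 192.168.x.x / 10.0.0.0 can reach
! --- X.X.X.X and Y.Y.Y.Y via the RSM, bypassing the firewall entirely.
interface Vlan200
 description ISP (placeholder: Y.Y.Y.Y network)
 ip address Y.Y.Y.2 255.255.255.0
interface Vlan202
 description External network (placeholder: X.X.X.X network)
 ip address X.X.X.1 255.255.255.0
interface Vlan201
 ip address 10.0.0.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.1

! --- Hardened: the RSM lives only on the interior "switch". The firewall
! --- (10.0.0.2 inside, X.X.X.226 outside) becomes the only layer-3 path
! --- between the two worlds; VLANs 200 and 202 stay pure layer 2 on the 5500.
no interface Vlan200
no interface Vlan202
interface Vlan201
 description Inside transit net; firewall internal NIC is 10.0.0.2
 ip address 10.0.0.1 255.255.255.0
interface Vlan10
 description Internal network (assumed 192.168.10.0/24 for VLAN 10)
 ip address 192.168.10.1 255.255.255.0
! VLANs 11-14 follow the same pattern as VLAN 10 and VLAN 15
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
! Sole default route: anything not in 10.0.0.0/24 or 192.168.x.x goes to the
! firewall, which NATs it and forwards out X.X.X.226. No route ever points at
! the ISP directly, so there is nothing for internal traffic to "bleed" over.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
```

For return traffic the firewall itself needs static routes for the 192.168.x.x networks via 10.0.0.1 (the RSM's VLAN 201 address); on the RSM, `show ip route` should then list 0.0.0.0/0 via 10.0.0.2 and no connected route for VLAN 200 or 202.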