«

Hi,

I have a network configuration as follows:

(A) DSL service coming in from a Westell 2200 DSL modem with integrated NAT
firewall / router. Unfortunately it only has a single Ethernet port.

(B) Secure office PC's

(C) Publicly accessible computer lab PC's.

I would like to set up each of the above on separate VLAN's, so that (A) can be
seen by both (B) and (C), but (C) cannot see (B) and vice versa.

I am considering the purchase of a 2950 24-port switch.

However, I'm under the impression that a port can belong to only 1 VLAN, unless
I turn on trunking. Correct? I'm not sure what the implications of trunking are
- I'm a newbie.

Is there a simple way to do what I want to do on a 2950?

Thanks

On Mon, 07 Jun 2004 11:46:49 GMT, wrote:

>I have a network configuration as follows:
>
>(A) DSL service coming in from a Westell 2200 DSL modem with integrated NAT
>firewall / router. Unfortunately it only has a single Ethernet port.
>
>(B) Secure office PC's
>
>(C) Publicly accessible computer lab PC's.
>
>I would like to set up each of the above on separate VLAN's, so that (A) can be
>seen by both (B) and (C), but (C) cannot see (B) and vice versa.
>
>I am considering the purchase of a 2950 24-port switch.
>
>However, I'm under the impression that a port can belong to only 1 VLAN, unless
>I turn on trunking. Correct? I'm not sure what the implications of trunking are
>- I'm a newbie.
>
>Is there a simple way to do what I want to do on a 2950?

The Protected Port feature is a possibility
(http://www.cisco.com/en/US/products/...tml#wp1158863),
though this will prevent B hosts from talking to each other and C
hosts from talking to each other -- but they could all talk to A. If
this is acceptable, you'd make all the B and C ports protected and
leave the A port unprotected.

Other than that I can't think of a good way to do this with a 2950
unless the DSL modem supports trunking.

-Terry

Hi,

Thanks for your reply.

I am really surprised that the 2950 can't do multi-VLAN ports without trunking.
I was just reading the description for the Netgear FS526T
(http://www.netgear.com/products/prod...hp?prodID=216), and making a port
a member of more than one VLAN is a piece of cake.

Unfortunately, the Westell 2200 doesn't support trunking, and the ports within
VLANs (B) and (C) do need to talk to their peers.

Given that the 2950 can't do this easily, you'd have to move up the line to the
router, and tell the router that DSL port (A) can talk to the port connected to
VLANs (B) and (C), but (B) can't talk to (C) and vice versa... right?

I'm not that familiar with Cisco equipment. What would be the lowest end Cisco
router that can do this?

Thanks again...


Terry Baranski <> wrote:

>On Mon, 07 Jun 2004 11:46:49 GMT, wrote:
>
>>I have a network configuration as follows:
>>
>>(A) DSL service coming in from a Westell 2200 DSL modem with integrated NAT
>>firewall / router. Unfortunately it only has a single Ethernet port.
>>
>>(B) Secure office PC's
>>
>>(C) Publicly accessible computer lab PC's.
>>
>>I would like to set up each of the above on separate VLAN's, so that (A) can be
>>seen by both (B) and (C), but (C) cannot see (B) and vice versa.
>>
>>I am considering the purchase of a 2950 24-port switch.
>>
>>However, I'm under the impression that a port can belong to only 1 VLAN, unless
>>I turn on trunking. Correct? I'm not sure what the implications of trunking are
>>- I'm a newbie.
>>
>>Is there a simple way to do what I want to do on a 2950?
>
>The Protected Port feature is a possibility
>(http://www.cisco.com/en/US/products/...tml#wp1158863),
>though this will prevent B hosts from talking to each other and C
>hosts from talking to each other -- but they could all talk to A. If
>this is acceptable, you'd make all the B and C ports protected and
>leave the A port unprotected.
>
>Other than that I can't think of a good way to do this with a 2950
>unless the DSL modem supports trunking.
>
>-Terry

On Tue, 08 Jun 2004 10:17:58 GMT, wrote:

>Hi,
>
>Thanks for your reply.
>
>I am really surprised that the 2950 can't do multi-VLAN ports without trunking.

Older Cisco switches can do this -- I'm also confused as to why this
functionality was done away with.

>Unfortunately, the Westell 2200 doesn't support trunking, and the ports within
>VLANs (B) and (C) do need to talk to their peers.
>
>Given that the 2950 can't do this easily, you'd have to move up the line to the
>router, and tell the router that DSL port (A) can talk to the port connected to
>VLANs (B) and (C), but (B) can't talk to (C) and vice versa... right?

This is an option. The router would have ACLs in place to prevent B
and C from talking to each other.

>I'm not that familiar with Cisco equipment. What would be the lowest end Cisco
>router that can do this?

2600 series routers with 100Mbit interfaces can do trunking, and the
10Mbit ones may be able to do it as well with recent IOS versions.
Certain 1700 series routers may also support trunking, but I've never
used them so I don't know. An issue to concern yourself with for this
type of router-on-a-stick scenario is inter-vlan bandwidth
requirements -- the router can potentially end up being a bottleneck.

A better solution for your situation may be a layer-3 switch such as
the 3550. You can create three VLANs (A, B, and C), and use ACLs to
restrict traffic flowing between them as necessary. The benefits here
are simplicity (one device instead of two), bandwidth (no router
bottleneck), and potentially cost (depends).

-Terry

[wtown46333]

you could get a 2948G switch and use private vlans to secure your traffic.
http://www.cisco.com/warp/public/473...#private_vlans




Wayne

CCNP,CCDP,MCSE