VLAN on 2950T-24 (Newbie Question)

Discussion in 'Cisco' started by Raymondo, Aug 3, 2004.

1. Raymondo (Guest)

    Hi there,

    I am new to Cisco. I'm trying to set up a Cisco 2950T switch with two
    Gigabit ports. I want to patch one gigabit port to my Firewall's DMZ
    interface and have all my servers in the DMZ (Ports 1-8) in 8 different
    VLANs for security purposes.

    I don't want the servers in the DMZ to communicate with each other,
    except with the firewall (Shorewall running on Debian).

    I understand servers cannot communicate with each other in different
    VLANs. But is there a way to configure the Gigabit port to communicate
    with all servers (Ports 1-8 in 8 different VLANs)?


    Thanks in advance!

    Raymond
     
    Raymondo, Aug 3, 2004
    #1

2. Peter (Guest)

    Hi Raymond,

    Raymondo wrote:
    > I am new to Cisco. I'm trying to set up a Cisco 2950T switch with two
    > Gigabit ports. I want to patch one gigabit port to my Firewall's DMZ
    > interface and have all my servers in the DMZ (Ports 1-8) in 8 different
    > VLANs for security purposes.
    >
    > I don't want the servers in the DMZ to communicate with each other,
    > except with the firewall (Shorewall running on Debian).
    >
    > I understand servers cannot communicate with each other in different
    > VLANs. But is there a way to configure the Gigabit port to communicate
    > with all servers (Ports 1-8 in 8 different VLANs)?


    I can see a couple of different ways to do this, one using multiple
    VLANs and trunking, and the other using "protected" ports:

    1. Place ports fa0/1 - fa0/8 into each VLAN and the Gig port into
    trunking mode, passing only those VLANS you want. This method requires
    the Firewall to be able to do trunking.

    2. Or my preference would be to place ports fa0/1 - fa0/8 into the
    same VLAN, but include "Port Protected" on each interface. Then
    configure the Gig port in the same VLAN for the firewall, but do NOT
    include "Port Protected" on that interface. This only uses 1 VLAN, but
    provides the same isolation as multiple VLANs and it does not require
    trunking on the Firewall and port.

    "Port Protected" ports can only talk to a port that is NOT protected,
    but is in the same VLAN. This method allows each protected port to
    ONLY talk to the (non-protected) Firewall port, while the Firewall can
    talk to any other port in the same VLAN. This does not require
    trunking on the Firewall, conserves VLANs, and is easier to
    configure. It is also very easy to just add a new (protected) port
    as/when it's needed without adding new VLANs to the trunk port as well.

    Cheers..........pk.

     
    Peter, Aug 4, 2004
    #2

3. Hansang Bae (Guest)

    In article <>,
    says...
    > Hi there,
    >
    > I am new to Cisco. I'm trying to set up a Cisco 2950T switch with two
    > Gigabit ports. I want to patch one gigabit port to my Firewall's DMZ
    > interface and have all my servers in the DMZ (Ports 1-8) in 8 different
    > VLANs for security purposes.
    >
    > I don't want the servers in the DMZ to communicate with each other,
    > except with the firewall (Shorewall running on Debian).
    >
    > I understand servers cannot communicate with each other in different
    > VLANs. But is there a way to configure the Gigabit port to communicate
    > with all servers (Ports 1-8 in 8 different VLANs)?


    What you're after is "switchport protected" on Fa0/1 through Fa0/8.

    --

    hsb

     
    Hansang Bae, Aug 5, 2004
    #3
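The two layouts Peter describes, and the "switchport protected" command Hansang names, written out as 2950T IOS configuration. This is an added example, not configuration posted in the thread; the VLAN numbers (10 for the single-VLAN variant, 11-18 for the trunked one), the port descriptions and the assumption that the firewall hangs off Gi0/1 are all mine.

```cisco
! Added example for a Catalyst 2950T (12.1 EA-series IOS); not from the thread.
! VLAN numbers, descriptions and the firewall-on-Gi0/1 assumption are constructed.
!
! ===== Option 2 (Peter's preference, Hansang's answer): one VLAN, protected ports =====
vlan 10
 name DMZ
!
interface range FastEthernet0/1 - 8
 description DMZ server - isolated from the other DMZ ports at Layer 2
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description Shorewall DMZ interface - NOT protected, so it reaches every server
 switchport mode access
 switchport access vlan 10
!
! Check: "show interfaces FastEthernet0/1 switchport" should report "Protected: true",
! and the same command for GigabitEthernet0/1 should report "Protected: false".
!
! ===== Option 1: eight VLANs, one 802.1Q trunk to the firewall =====
! The 2950 only trunks 802.1Q, so Shorewall's box needs the 8021q module and one
! tagged sub-interface per VLAN (e.g. eth1.11 ... eth1.18), each as a dmz zone.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 11
!
! ... repeat for fa0/2 in vlan 12 through fa0/8 in vlan 18 ...
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the Shorewall DMZ interface
 switchport mode trunk
 switchport trunk allowed vlan 11-18
 switchport nonegotiate
!
! Check: "show interfaces trunk" should list Gi0/1 with VLANs 11-18 allowed and
! nothing else (no default "1-4094", and no native VLAN carrying server traffic).
```

In either layout the switch only enforces Layer 2 separation on this one chassis; whether two DMZ hosts may reach each other through the firewall's DMZ interface is decided by the Shorewall dmz-to-dmz policy, so that policy should be DROP or REJECT unless a specific rule allows it.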