You can move the VLANs one hop away from your firewall. You'll need a
device that has policy-based routing. There are some layer three
switches that Cisco provides that can do this, or you can use something
like a Cisco 2621 that has 2 Fast-Ethernet ports... You'll need the IP
Plus feature set, and then a switch on the other side configured for the
VLANs.
Firewall---Router---Switch-[ VLANS
For purpose of this example:
The network between the firewall and router is 192.168.20.0/24.
There are two VLAN networks 192.168.100.0/24 and 192.168.150.0/24
Sample router config:
Set up your VLANs and apply the policy-based routing:
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 192.168.100.20 255.255.255.0
ip policy route-map filter
!
interface FastEthernet0/0.2
encapsulation dot1Q 150
ip address 192.168.150.20 255.255.255.0
ip policy route-map filter
!
Access-list 50 defines which source networks will have the PBR applied.
With the ip policy route-map filter above, if the host IP matches the
list, then it will be automatically sent to the next-hop, which should be
the IP address of your firewall. This causes routing between VLANs to
have the rules of the firewall applied rather than the ACL on the
router.
!
access-list 50 permit 192.168.100.0 0.0.0.255
access-list 50 permit 192.168.150.0 0.0.0.255
route-map filter permit 10
match ip address 50
set ip next-hop 192.168.20.10
!
You could also add:
ip route 0.0.0.0 0.0.0.0 null0
This essentially will ensure that any traffic not part of the route map
filter and not on a directly connected network will not be able to get
through...
T. Brian Granier
GCIA, CCNA, CCSE, CHP, MCSE (NT4&W2K), MCP+I, N+, A+
Information Security Architect
Zebec Data Systems, Inc.
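As an added illustration (not part of the post above, and not Cisco's code), the following Python script models the forwarding decision the sample config produces: policy routing on the VLAN subinterfaces is evaluated before the routing table, matching sources are handed to the firewall at 192.168.20.10 even when the destination is a directly connected VLAN, and with the optional null0 default route everything the policy does not catch and the connected routes do not cover is discarded. The addresses are the ones from the post; the name of the firewall-facing interface (FastEthernet0/1) and the sample host addresses are assumptions.

```python
"""Simulator for the policy-based-routing setup described in the reply.

Added example, not code from the original mailing-list post.  It models how
an IOS router applies `ip policy route-map filter` on an ingress interface
before consulting the routing table, and what `ip route 0.0.0.0 0.0.0.0 null0`
does to everything else.  The firewall-side interface name is an assumption.
"""
import ipaddress

# Directly connected networks, from the sample config.  The name of the
# interface facing the firewall is assumed; the post does not show it.
CONNECTED = {
    "FastEthernet0/0.1": ipaddress.ip_network("192.168.100.0/24"),  # VLAN 100
    "FastEthernet0/0.2": ipaddress.ip_network("192.168.150.0/24"),  # VLAN 150
    "FastEthernet0/1": ipaddress.ip_network("192.168.20.0/24"),  # firewall link (assumed name)
}

# Interfaces carrying `ip policy route-map filter`.
POLICY_INTERFACES = {"FastEthernet0/0.1", "FastEthernet0/0.2"}

# access-list 50 as (network, wildcard) pairs, in order.
ACL_50 = [("192.168.100.0", "0.0.0.255"), ("192.168.150.0", "0.0.0.255")]

# route-map filter permit 10 / set ip next-hop
FIREWALL_NEXT_HOP = "192.168.20.10"


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_50_permits(src):
    """Standard ACL 50: first matching entry wins, implicit deny at the end."""
    return any(wildcard_match(src, net, wc) for net, wc in ACL_50)


def forward(ingress, src, dst, null0_default=True):
    """Return (action, target) for a packet arriving on `ingress`.

    IOS evaluates policy routing on the ingress interface first; only packets
    the route-map does not match fall through to destination-based routing.
    """
    # 1. Policy-based routing: matching sources go to the firewall even when
    #    the destination is a directly connected VLAN.
    if ingress in POLICY_INTERFACES and acl_50_permits(src):
        return ("next-hop", FIREWALL_NEXT_HOP)

    # 2. Routing table: longest-prefix match among the connected networks.
    d = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, name) for name, net in CONNECTED.items() if d in net]
    if candidates:
        return ("connected", max(candidates)[1])

    # 3. Default route.  With `ip route 0.0.0.0 0.0.0.0 null0` the packet is
    #    discarded; without it there is simply no route.
    return ("drop", "Null0") if null0_default else ("unroutable", None)


def scenarios():
    """Constructed sample packets (host addresses made up within the post's ranges)."""
    return {
        # inter-VLAN: PBR wins over the connected route, so the firewall sees it
        "vlan100->vlan150": forward("FastEthernet0/0.1", "192.168.100.5", "192.168.150.5"),
        "vlan150->vlan100": forward("FastEthernet0/0.2", "192.168.150.7", "192.168.100.5"),
        # VLAN host to anything else (e.g. the Internet) also goes to the firewall
        "vlan100->outside": forward("FastEthernet0/0.1", "192.168.100.5", "203.0.113.9"),
        # return traffic from the firewall side carries no policy: routed normally
        "firewall->vlan100": forward("FastEthernet0/1", "192.168.20.10", "192.168.100.5"),
        # firewall side to an unknown destination: swallowed by the Null0 default
        "firewall->unknown": forward("FastEthernet0/1", "192.168.20.10", "10.1.2.3"),
        # source outside ACL 50's ranges on a VLAN subinterface: no policy match,
        # so the router forwards it straight to the other VLAN (see note below)
        "foreign-src->vlan150": forward("FastEthernet0/0.1", "10.9.9.9", "192.168.150.5"),
    }


if __name__ == "__main__":
    for name, (action, target) in scenarios().items():
        print(f"{name:22s} -> {action} {target}")
```

Two things the simulation makes visible that a deployment needs to account for. First, the firewall must know the way back: it needs routes for 192.168.100.0/24 and 192.168.150.0/24 pointing at the router's address on the 192.168.20.0/24 link, or the replies it permits will never reach the VLANs. Second, the route-map classifies by source address only, so a packet arriving on a VLAN subinterface with a source outside ACL 50's ranges is not policy-routed and falls back to the connected route between the VLANs; an inbound access-group on each subinterface that permits only that VLAN's own source range (or unicast RPF) closes that gap.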
-----Original Message-----
From: Dryburgh, Andrew [mailto:ADryburgh AT SCOTBORDERS.GOV DOT UK]
Sent: Friday, June 27, 2003 6:16 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] VLANs and W2k
Hello,
We are currently running Checkpoint NG FP2 on a Windows 2000 server. We
now have a requirement to use VLANs but after investigation have
discovered that Checkpoint do not support VLANs on Windows 2000. Has
anyone had a similar problem and found a work around? Can anyone suggest
any alternatives?
Any help would be much appreciated,
Regards
Andy Dryburgh
**********************************************************************
This email is privileged, confidential and subject to copyright. Any
unauthorised use or disclosure of its content is prohibited. The views
expressed in this communication may not necessarily be the views held by
Scottish Borders Council
**********************************************************************
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================