How can I redirect traffic going to switch based on IP?

[gsklick]

So basically we have an existing environment in which all internet traffic comes to us, first reaches a PIX - which filters it - then goes to our servers.

We wanted to add a smaller environment separate environment.

So it basically looks like

-----------------------------Internet
------------------------------- |
------------------------------Switch
---------------------------- /______\
-------------------current env ---- new enviroment

My question is, how can I sort it so that when a specific ip hits the switch, then it goes to the environment it has access too... is it possible for the switch to distinguish where the IP should be routed to?

 

[EmuDan]

Yes. A layer 3 switch with VLANS should be able to do this. The other option is to use a router with a layer 2 switch and VLAN trunks (router-on-a-stick).

Dan

 

[gsklick]

Thanks for the reply.

Lets say we stick with option one, and use a layer 3 Switch.

My next question is, how would I be able to make it so that the new environment is unable to communicate with the present environment.. but still able to connect to the same switch?

Is there any simple straight forward way to configure this? or anything I could follow in helping me with figuring out how to set this up.

 

[iolair]

When you configure the VLANs, just make sure you don't configure a way for the two subnets to communicate. If you set up the VLANs without any additional configuration, they shouldn't be able to communicate. Or even see each other.

If you used the router configuration, you could put an access list in place to stop all traffic.

Iolair MacWalter
Network Engineer

 

[VinceWhirlwind]

Let me expand on EmuDan's advice:

Option 2 - Layer 2 switch, routing done elsewhere.

Option2a - Firstly, what kind of PIX is it? It's been an age since I played with PIXs, so I have to ask - do they support subinterfaces and .1q trunking? If not, replace the Pix with an ASA5505 - cheap as chips, and it can route to your two different environments. Create virtual interfaces for each VLAN, configure a physical interface for both VLANs (or one for each VLAN, if available) and connect it to your switch. Configure the switch link to the PIX for the appropriate VLANs. If your routing is done in this way, firewalling the two environments is obviously going to be easy.

Option 2b - buy any old cheap router, patch it into your switch. On the Switch, configure the router connection to be a .1q trunk port with VLAN10, 20 & 30 tagged and allowed; configure the pix connection to be an access port in VLAN10. Configure routing on the two so that the PIX knows your internal subnets are on the router, and your router knows the default route is on the PIX. On the PIX, configure it's router-connected interface with 10.1.10.1. On the router, configure your switch-connected interface to have no IP address and a subinterface .10 with encapsulation dot1q 10 and 10.1.10.2. Create two more similar subinterfaces with VLAN 20/.20/10.1.20.1 and 30/.30/10.1.30.1.

Option1 - Layer 3 switch. This means the switch will do your routing. Create a point-point link from switch to the PIX with the default route pointing out that interface. Put a route on your PIX for your internal subnest pointing back at the switch. Create a VLAN interface for each of your two subnets, put the router address on each one, and put all your switchports as access ports in the correct VLAN. The switch will automatically route between the two subnets, so create access lists to filter access between the two.