
Separating traffic within the same VLAN


chieftan

MIS
Dec 18, 2002
I shall try and describe this as best I can.

Servers on VM all assigned to VLAN 102.
2 x new servers also within the same VLAN (102) - this is due to VM network card availability.

On the core switches VLAN102 routes to a particular firewall for N3 internet access. There is a second firewall for dedicated internet access.

The 2 x radius servers that are in VM within the same VLAN need to route to the second firewall for authentication and accounting.

Is it possible to separate traffic for routing within the same VLAN on the switch so that the traffic from these two servers goes to one firewall while the rest of the servers still access the other firewall for internet access?

There is currently no possibility of separating the servers from the same VLAN.... Unfortunately, or it would be easy.....

Thanks
 
Is it a Cisco switch?

If yes, YOU COULD maybe put them in private VLAN mode and mess around with the promiscuous mode on the firewall ports,
then maybe put a MAC address access-list on the firewall ports to block some servers from going to one....


**above is a horrible idea..


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
How about Policy Based Routing determining the next hop? If this is a Layer 3 switch it may be doable.
 
Not unless he moves the gateway down to the switch... What I understood is that the servers are hitting a FW as their first hop... but who knows...


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Hi

Thank you for the responses.

I was thinking along the lines of policy based routing but there was always a secondary issue there.... So, what we have done now is the following, with the same setup....

Found 2 individual boxes on which I have installed CentOS 6.5 and FreeRADIUS..... These can now sit on their own VLAN.

They are being utilised for proxying authentication requests from a WiFi network. Because of this proxying, the packets cannot go out of the normal firewall. So we still have a routing problem: even if they are on a separate VLAN and we use policy based routing (set up an extended ACL and a route map) to point to the secondary firewall, won't the return information (authentication packets) end up in a loop? The packets will come back to the RADIUS boxes, and then when they hit the core switches again, to go back to the WiFi, the policy will send them out of the firewall, unless in the extended ACL we can state specific destination addresses?

Our way around this, we think, and will test during the week, is to create a new DMZ on the dedicated firewall, place the RADIUS boxes in this and then allow the internal network WiFi VLAN to be run at Layer 2 only. Routing can be completed at the firewall. That should resolve the issue.... I hope :)
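One way to express the policy-based-routing idea discussed in this thread, as an added example and not configuration posted by anyone in the thread: a Cisco IOS route map on the L3 core whose extended ACL carries deny entries for the internal WiFi VLAN, so RADIUS replies heading back to the wireless side are routed normally instead of being pushed to the second firewall. All addresses below are constructed placeholders, and the SVI is assumed to be the servers' default gateway.

```cisco
! Constructed example addresses (placeholders, not from the thread):
!   RADIUS servers            10.102.0.11 and 10.102.0.12
!   WiFi client VLAN          10.20.0.0/16 (internal, must keep the normal path)
!   dedicated firewall inside 10.102.0.254
!
! In a PBR ACL, "deny" means "do not policy-route, use the normal routing
! table"; "permit" means "apply the set clause of the route map".
ip access-list extended RADIUS-TO-FW2
 ! Replies from the RADIUS boxes toward the WiFi VLAN stay on the normal
 ! path, which avoids the loop described above.
 deny   ip host 10.102.0.11 10.20.0.0 0.0.255.255
 deny   ip host 10.102.0.12 10.20.0.0 0.0.255.255
 ! Everything else the RADIUS boxes originate (the proxied requests to the
 ! upstream RADIUS) goes to the dedicated firewall.
 permit ip host 10.102.0.11 any
 permit ip host 10.102.0.12 any
!
route-map PBR-RADIUS permit 10
 match ip address RADIUS-TO-FW2
 set ip next-hop 10.102.0.254
!
! Apply on the SVI that is the servers' first hop. As noted earlier in the
! thread, PBR only works if the gateway is on the switch, not on the firewall.
interface Vlan102
 ip policy route-map PBR-RADIUS
!
! Check that the policy is matching:
!   show route-map PBR-RADIUS
!   show ip policy
```

Traffic from other servers in VLAN 102 never matches the ACL and keeps using the existing route to the N3 firewall.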
 