Question : Cisco 2950 and Pix : VLAN security configuration help needed.

Although I am not a Cisco guru, I understand the basic concepts and configuration commands, and I thought that I had a handle on this question, but have come into a disagreement with a fellow tech.  Now, I may be entirely wrong on my assumptions, and need some clarification on using VLANs for security purposes.  Here is the problem:

Devices currently used:

Cisco 2950 Switch 24 port
Cisco PIX 501
IBM AS400 Database Server
18 Nodes (PCs) connecting to Switch

The client needs to segment 6 users that access the AS400 on a separate Broadcast/Security Domain, and those users are not to have internet access. All of the other 12 users will have internet access rights, but some will also need to have AS400 rights.

My proposal was to create 2 VLANs, with the 6 users and AS400 on one VLAN, with the others on the 2nd VLAN (which will also have a port connected to the PIX).

Now, I understand that you need a router to have a trunk between the two VLANs, and I could place Access Lists to permit and deny access to the first VLAN, but the client does not want to purchase a router.  So my question is this:  

Can you place a port in two separate VLANs within one switch?  I was told at one time that you could, but need verification on this.  

Or, can you configure the PIX to allow trunking with access lists on the LAN ports?

Or, is it true what my fellow tech is telling the customer: that they have to purchase an additional switch, which as far as I know is not a solution to the problem. I would think that if additional devices are needed, it would be a router and not a switch. I really don't know what a second switch would do for them at this point, as I do not see that it would accomplish the goals of the client.

What do you think?  Any suggestions?  Configuration commands are always welcome!  :)

Thanks,

FE


                  Internet
                      |
                   PIX 501
                      |
      2950 Switch VLAN 1   <---------->   VLAN 2
                      |                      |
             Internet Users        AS400 and Security Sensitive Group

Answer : Cisco 2950 and Pix : VLAN security configuration help needed.

Correct, you can use additional VLANs to create isolated subnets on the 2950 switch.
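As an added illustration (not part of the original answer, and not the poster's own configuration), here is what that looks like on a Catalyst 2950 running IOS: VLAN 2 holds the six AS400-only PCs plus the AS400, while the twelve internet users and the PIX 501 inside interface stay in VLAN 1. The port numbers, VLAN name and management addressing are assumptions chosen for the example. Because every port is an access port and nothing is trunked, no VLAN 2 frame can reach the firewall, which is the isolation the question asks for; the users who need both internet and AS400 access are not covered by this fragment, since traffic between the two VLANs needs a Layer 3 path, which the question already notes means a router.

```cisco
! Added example (not from the original post): Catalyst 2950 IOS configuration
! that isolates the AS400 group in VLAN 2 and leaves the internet users and
! the PIX 501 in VLAN 1. Port assignments, VLAN name and addresses are assumed.
!
configure terminal
!
! Create the second VLAN (VLAN 1 already exists by default).
vlan 2
 name AS400-SECURE
exit
!
! Ports 1-7: the six AS400-only PCs plus the AS400 itself, access ports in VLAN 2.
interface range FastEthernet0/1 - 7
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 no shutdown
exit
!
! Ports 8-23: the twelve internet users stay in VLAN 1.
interface range FastEthernet0/8 - 23
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
 no shutdown
exit
!
! Port 24: inside interface of the PIX 501, also VLAN 1. Kept as an access
! port (not a trunk) so VLAN 2 traffic never reaches the firewall.
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 1
 no shutdown
exit
!
! Management address for the switch itself (assumed addressing).
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
exit
ip default-gateway 192.168.1.1
end
!
! Verification: each VLAN should list only its intended ports, and port 24
! should report "Operational Mode: static access" rather than trunk.
show vlan brief
show interfaces FastEthernet0/24 switchport
```

After applying it, a PC on ports 1-7 should fail to ping the PIX inside address, and `show vlan brief` should show Fa0/1-7 under VLAN 2 only; if a port turns up in VLAN 1 by mistake, that host has a path to the internet again, so the VLAN table is the thing to check after any port move.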