Question : Question re:506E Routing Between VLANs?
I have a decent amount of knowledge re:IP/routing/etc. but I'd like to pose a question to make sure I understand my situation and handle it correctly.
My existing topology is very, very simple: I currently have a Cisco 1720 provided by my ISP handling Internet connection. A WIC on the router goes to the ISP/Internet and this Router's Ethernet Port goes directly to the outside interface of my Cisco PIX 506E. The inside interface of the 506E is simply connected to the stacked hubs (unmanaged, no VLANs) with the rest of my network -- users and servers, etc. I have a set of 64 public IP addresses available to me from the ISP (xxx.xxx.xxx.128 /26) and the 506E is setup correctly to do what I need it to do in this configuration.
The issue at hand is that a data vendor of mine wants to "hang" his VPN-configured router off my network so that my users can have connectivity to him. (I assume that his router is preconfigured with his network's VPN information and I just have to set up the route tables to route requests to his specific IP addresses through his router rather than my router.) The question is "How do I get this router integrated into my network?" One important piece of information is that I've got three Dell 3324 Managed Switches (stacked) awaiting deployment -- and I think their VLAN capability is needed here, so that'll work out nicely.
My best guess is that I configure a small 4 port VLAN as the INTERNET VLAN, and the rest of the ports on those switches become my USER or LOCAL or INTRANET VLAN. I'll attach 1) my Internet router and 2) the vendor's router (e1) and 3) the 506E (e1) all to the INTERNET VLAN. The other end of the 506E (e0), of course, will go into the USER/LOCAL/INTRANET VLAN. But I have two (and a half) big questions:
1) Does the vendor's router need to have an (e0) interface going into my USER/LOCAL/INTRANET VLAN? Or can the 506E remain the only way out of my users' network to the INTERNET VLAN? (How does the request know which router to go "out" through?) I'm guessing that if I have to connect the vendor's router into my USER VLAN then I'll have to install another firewall between his router and my USER VLAN for protection (I don't have another firewall right now, so that's a problem).
2) I've read something about "the 506E cannot route back through the interface which a packet came from". Does this affect me in the new config? Does this mean that I need to put a router between the 506E and the USER/LOCAL/INTRANET VLAN? (I'm guessing "no" -- it's basically the same as my previous config -- (e0) of the 506E attached to the hub (now a VLAN) -- but I'm not sure how the new INTERNET VLAN affects this -- I'm thinking that there might be an issue because I know you need to route between VLANs and I know the 506E is not a true router.)
3) Lastly, if I do set up the two VLANs, do I need to do any subnetting? As you may or may not be able to tell, I'm very new to VLANs and, in general, haven't messed with network configurations (at this level) in a number of years. I need someone to give me a little brush-up and set me straight on how all of this should work...
Any help with this is greatly appreciated!
Answer : Question re:506E Routing Between VLANs?
You've got a better understanding than you probably think you do.
It is good practice to put a 3rd party's connection to your network on the other side of a firewall. Simply adding their Ethernet interface to your Internet PUBLIC VLAN will be a good solution. You don't have to worry about the PIX's restrictions on traffic flow. Traffic to / from this vendor will only flow between the outside and inside interfaces of the PIX, not on the same interface.
    Router
      |
    Switch -- Vendor Router
      |
    PIX outside
    PIX inside
      |
    Switch
These two separate switches can just as easily be two VLANs on the same switch. However, it is common practice NOT to put the inside and outside on the same physical switch.
Think of VLANs in two ways. 1, each VLAN is just like a physically separate set of switch ports, and 2, most VLANs are separate subnets, but there is no hard/fast rule about that. And remember that if you have multiple VLANs that are sub-netted, then you have to have some Layer 3 routing between them, and if your VLANs span multiple switches, then you need some way to propagate that VLAN knowledge among the switches. That's where VTP trunking and VTP domains come in.
You do have an option with the latest 6.3(4) code for the PIX 506, and that is to use VTP trunking on the inside interface to create 'virtual' interfaces on one physical port. You can assign them different security levels, traffic restrictions, etc. Pretty slick actually, but breaks all the rules about a packet not going back out an interface it came in on. Guess that one's out the window...
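The following is an added example of what the PIX side of the layout the answer recommends (vendor router on the PUBLIC VLAN, PIX as the only path between the user VLAN and that VLAN) could look like in PIX 6.3 syntax. It is not configuration from the question or the answer. All addresses are placeholders: 203.0.113.128/26 stands in for the poster's xxx.xxx.xxx.128/26 block, the ISP router, vendor router, vendor-side networks (10.200.0.0/16), inside subnet, internal server and port 1433 are all assumptions chosen for illustration.

```cisco
! Added example, not from the question or answer. PIX 506E, 6.3 syntax.
! Placeholder addressing (assumed):
!   203.0.113.128/26  the site's public block (poster's xxx.xxx.xxx.128/26)
!   203.0.113.129     ISP Cisco 1720, on the PUBLIC VLAN
!   203.0.113.130     PIX outside interface, on the PUBLIC VLAN
!   203.0.113.131     vendor's VPN router, on the PUBLIC VLAN
!   10.200.0.0/16     networks reachable only through the vendor's VPN
!   192.168.1.0/24    inside USER/LOCAL VLAN, PIX inside = 192.168.1.1
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.130 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
!
! Default route to the ISP; a more specific route sends vendor prefixes to the
! vendor router. Both next hops are on the outside interface, so vendor-bound
! packets arrive on inside and leave on outside: no same-interface hairpin,
! and inside hosts keep the PIX as their only default gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.129 1
route outside 10.200.0.0 255.255.0.0 203.0.113.131 1
!
! Inside users are PAT'd behind the outside address for everything, so the
! vendor only ever sees one source IP from this site.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! Limit what inside hosts may send toward the vendor: one application port,
! everything else to the vendor prefix denied, normal Internet access kept.
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 1433
access-list inside_out deny ip any 10.200.0.0 255.255.0.0
access-list inside_out permit ip 192.168.1.0 255.255.255.0 any
access-group inside_out in interface inside
!
! If the vendor must initiate connections inbound, publish exactly one
! internal host on one public address and permit only the vendor prefix to it.
static (inside,outside) 203.0.113.140 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp 10.200.0.0 255.255.0.0 host 203.0.113.140 eq 1433
access-group outside_in in interface outside
!
! Send denied-packet and connection logs to an inside syslog host (assumed)
! so vendor-side activity is visible.
logging on
logging trap informational
logging host inside 192.168.1.20
```

Because the vendor router sits on the outside of the PIX, the same policy that protects the users from the Internet also protects them from the vendor, and the static route is the only thing that distinguishes "vendor traffic" from "Internet traffic" on the PIX. If the vendor's VPN needs to see the real 192.168.1.x addresses instead of the PAT address, a `nat (inside) 0 access-list ...` exemption for the vendor prefix would replace the PAT for that traffic; the switch-side VLAN assignment is not shown here.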