Posted by Morten Rydahl Nielsen on September 29, 2006, 5:53 am
> Cisco switches support a security feature known as Private VLANs (PVLANs),
> with one port used to uplink to a router or firewall port, and the remaining
> ports configured as completely private? I'm not sure how Cisco defines
> PVLAN, but the key attribute I must have for this product is that all data
> must pass from a private port to the uplink port, with no possibility for
> broadcast, ARP, or layer 3 traffic to travel between private ports. This
> must be true even if the host attached to a private VLAN port can
> impersonate a different MAC address other than its own, and must be true
> even if the host knows the target MAC address of a host on a different VLAN
> port.
>
> Since I will be using one of these switches for each segment attached to a
> firewall, and the number of hosts is trivially small, I have no concerns
> about density or about passing VLAN information across multiple switches.
>
> What are my product options? I would like to identify both a Fast Ethernet
> and a Gigabit switch.
>
> --
> Will
Hi Will,

You can use the PVID setting on the ports to get something like this
function on most Nortel Ethernet switches. The PVID defines the target VLAN
for an untagged port.
For 100Mb/s you can use the 470 switch, and for Gigabit the 5510.
1. Disable the "Auto PVID" global parameter (it is disabled by default).
2. Set all ports to "Untagged/Access", NOT Tagged.
3. Create 1 VLAN for the firewall, and 1 for each client.
4. Assign all VLANs to the firewall port, and set the PVID to the
firewall VLAN.
5. For each "client" port, assign the firewall VLAN and the 1 VLAN for
that client. Set the PVID to the client VLAN.
Traffic sent from the firewall will be seen by all client ports, but traffic
from a client will only be seen by the firewall.
Regards,
Morten Rydahl
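Added example, not part of the original thread: a small Python model of untagged-port VLAN forwarding with PVIDs, built to check the layout Morten describes (steps 3 to 5) against the requirements in Will's question. Port names, MAC strings and the independent-VLAN-learning rule (one forwarding table per VLAN) are assumptions of the model, not Nortel specifics.

```python
# Toy model of untagged-port VLAN forwarding with PVIDs (constructed demo).
# Assumptions: independent VLAN learning, untagged ports only, constructed names.
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int        # VLAN stamped on frames entering this untagged port
    members: set     # VLANs this port may forward out of (egress untagged)

@dataclass
class Switch:
    ports: dict                              # port name -> Port
    fdb: dict = field(default_factory=dict)  # (vlan, mac) -> port name

    def forward(self, ingress, src_mac, dst_mac):
        """Return the set of ports an untagged frame is delivered to."""
        vlan = self.ports[ingress].pvid
        self.fdb[(vlan, src_mac)] = ingress      # source learned in this VLAN only
        known = self.fdb.get((vlan, dst_mac))
        if known == ingress:
            return set()                         # destination behind ingress port: filtered
        if known is not None:
            return {known}
        # Unknown unicast or broadcast: flood to the VLAN's other member ports.
        return {n for n, p in self.ports.items() if vlan in p.members and n != ingress}

FW_VLAN = 10

def build_pvid_layout(clients):
    """Steps 3-5 of the post: one VLAN for the firewall, one per client."""
    fw = Port("fw", FW_VLAN, {FW_VLAN})
    ports = {"fw": fw}
    for i, name in enumerate(clients, start=1):
        client_vlan = FW_VLAN + i
        fw.members.add(client_vlan)                                   # step 4
        ports[name] = Port(name, client_vlan, {FW_VLAN, client_vlan})  # step 5
    return Switch(ports)

def isolation_report(clients=("a", "b")):
    """Exercise the scenarios from the question; returns scenario -> reached ports."""
    sw = build_pvid_layout(list(clients))
    return {
        "client_broadcast": sw.forward("a", "mac-a", "ff:ff:ff:ff:ff:ff"),
        "client_knows_peer_mac": sw.forward("a", "mac-a", "mac-b"),
        "client_spoofs_peer_mac": sw.forward("a", "mac-b", "ff:ff:ff:ff:ff:ff"),
        "firewall_broadcast": sw.forward("fw", "mac-fw", "ff:ff:ff:ff:ff:ff"),
        "firewall_unicast_to_a": sw.forward("fw", "mac-fw", "mac-a"),
    }
```

In this model every client-originated frame reaches only the firewall port, whatever source or destination MAC it carries, while frames from the firewall are flooded to every client port because client MACs are learned in the client VLANs and never in the firewall VLAN.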