[geeks] Strange VLAN question
Andrew Weiss
ajwdsp at cloud9.net
Mon Sep 8 11:04:57 CDT 2003
I have a project where a customer has bought a set of switches and
wants to isolate port traffic using VLANs for security purposes...
unfortunately they need inter-VLAN routing, and they need access to the
internet. They HAVE no router. Can one do untagged overlapped VLANs
with one level of VLANs if one uses only one subnet... i.e. the WAN
port is a member of all VLANs, and then the other ports are members of
only one VLAN and the only thing that distinguishes them are non-
overlapping scopes of IP addresses on the same subnet. So if
192.168.1.7 is on VLAN 1, and 192.168.1.207 is on another... if one
tries to ping the other they can't, however... if they both try to ping
192.168.1.1 which is the shared port they'd both see it?
I know this reeks of bad style but I was wondering if this would work.
I think tagging the port would make it unintelligible to the device on
the other end (the router), but I'm not sure...
The switches are 3com... the router belongs to the ISP... Also present
is a 3com NBX (on a separated VLAN with no connectivity required to the
LAN for now), and two Cisco Aironet 1220s.
Thoughts?
My gut impulse is this might work but it would be screwy and bad style.
Andrew
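As an added example (not from the original post, and not 3Com's own code), a small Python model of per-port untagged VLAN membership on an 802.1Q-style switch. It shows why the setup exactly as described drops the router's replies, what the "asymmetric VLAN" variant changes, and how independent vs. shared VLAN learning decides whether one isolated host can observe another's return traffic. Port numbers, host names and the IVL/SVL behaviour are assumptions of the model.

```python
# Constructed model of a port-based switch with overlapping untagged VLANs.
class Switch:
    """pvid: port -> VLAN assigned to untagged ingress frames.
    members: port -> set of VLANs the port egresses (untagged).
    shared_learning=False models independent VLAN learning (IVL, the
    usual default): the MAC table is partitioned per VLAN.  True models
    shared VLAN learning (SVL), as 'asymmetric VLAN' features use."""
    def __init__(self, pvid, members, shared_learning=False):
        self.pvid, self.members = pvid, members
        self.shared = shared_learning
        self.fdb = {}  # (vlan or None, mac) -> port

    def _key(self, vlan, mac):
        return (None if self.shared else vlan, mac)

    def forward(self, in_port, src, dst):
        """Return the set of ports that receive an untagged frame."""
        vlan = self.pvid[in_port]
        self.fdb[self._key(vlan, src)] = in_port          # learn source
        egress = {p for p, v in self.members.items() if vlan in v} - {in_port}
        out = self.fdb.get(self._key(vlan, dst))
        if out is not None:
            return {out} & egress                          # known unicast
        return egress                                      # unknown: flood

def reachable(sw, hosts, a, b):
    """True only if a's frame reaches b AND b's reply reaches a."""
    pa, pb = hosts[a], hosts[b]
    return pb in sw.forward(pa, a, b) and pa in sw.forward(pb, b, a)

# Assumed topology: port 1 uplink to the ISP router (192.168.1.1),
# host .7 on port 2 (VLAN 2), host .207 on port 3 (VLAN 3).
HOSTS = {"router": 1, "h7": 2, "h207": 3}
PVID = {1: 1, 2: 2, 3: 3}

# Exactly as posted: uplink in every VLAN, edge ports only in their own.
AS_POSTED = Switch(PVID, {1: {1, 2, 3}, 2: {2}, 3: {3}})
# "Asymmetric VLAN": edge ports also egress the uplink's PVID VLAN.
ASYM_IVL = Switch(PVID, {1: {1, 2, 3}, 2: {1, 2}, 3: {1, 3}})
ASYM_SVL = Switch(PVID, {1: {1, 2, 3}, 2: {1, 2}, 3: {1, 3}}, shared_learning=True)

def leak_on_reply(sw, hosts):
    """Ports other than h7's own that see the router's unicast reply to h7."""
    sw.forward(hosts["h7"], "h7", "router")
    return sw.forward(hosts["router"], "router", "h7") - {hosts["h7"]}

if __name__ == "__main__":
    for name, sw in (("as posted", AS_POSTED), ("asym IVL", ASYM_IVL), ("asym SVL", ASYM_SVL)):
        print(name, "h7<->router:", reachable(sw, HOSTS, "h7", "router"),
              "h7<->h207:", reachable(sw, HOSTS, "h7", "h207"), "leak:", leak_on_reply(sw, HOSTS))
```

With the membership exactly as posted, the router's untagged reply is classified into the uplink's PVID VLAN and has no egress port; the asymmetric variant fixes that, but under per-VLAN learning the unknown-unicast reply is flooded to every edge port, so isolation holds only with shared learning.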