This is what I have
Firewall (ISA) connected to GSM 7312(layer 3 switch)
On GSM 7312(layer 3 switch):
Port1 – 192.168.50.1 connected to firewall
Port 2 – 192.168.60.1 connected to a 5 port Linksys switch
Port 3 – 192.168.59.1 connected to a 5 port Linksys switch
Port 4 – 192.168.0.1 connected to a 5 port Linksys switch
Port 5 – 192.168.61.1 connected to a 5 port Linksys switch
I want to get rid of those 5 port switches. I got a layer 2 switch GSM7248 which I want to connect it to the GSM7312 and create vlan


Thank you

chuckhole

Are you running a 16-bit or 24-bit subnet?

VLANs are generally created to compartmentalize your network for application traffic such as computers and VOIP. Another reason would be to isolate specific areas for security reasons. What is your goal? What are your reasons for creating these logical network segments?

xxxx77024

i have 24-bit subnet.
I like to connect the servers to one vlan and users to another vlan and so on..
so I can say both to manage the traffic and security.

chuckhole

Since they are all on a separate network ID, you will have to set up VLAN routes.

If you have enough ports in your Layer 3 switch, you can group your ports into VLANS. Do not use the default VLAN0. Create new VLANS for each port grouping.

For example:
Port 1 is a monitoring port set to VLAN0
Ports 2-6 is VLAN1 - IP 192.168.0.1/24
Ports 7-11 is VLAN2 - IP 192.168.50.1/24
Ports 12-16 is VLAN3 - IP 192.168.59.1/24
Ports 17-21 is VLAN4 - IP 192.168.60.1/24
Ports 22-26 is VLAN5 - IP 192.168.61.1/24

xxxx77024

Thank you for your help so far.

my layer 3 has 12 ports and my layer 2 has 48 ports. what about the configuration on the layer 2?

chuckhole

Your Layer 3 switch can perform the routing between VLANs for the Layer 2 switch. It is likely that your L2 switch can only bridge the connections and can not perform routing so the L3 switch will act as a "one arm router" for the VLANs instead of having to use a router. Also, it is likely that the L2 switch will not recognize VLAN tags but this should not be a problem. As a general rule, you will want to enable STP (Spanning Tree Protocol) on all switches. Your L2 switch should support this.

You also mentioned the use of an ISA Server. Are you using a dual NIC setup on this box? One for the LAN and the other for the ISP's dirty side of the network? If so, take a look at the TCP/IP configuration on the NIC connected to the DMZ. Make sure you have disabled Microsoft Networking, File and Print Sharing, DDNS registrations and NetBIOS.

You may need to add persistent static routes on the ISA server for each of the network ID's since a gateway address is not used on the LAN NIC configuration. This will also help when configuring the Local Networks in the ISA configuration. It will need to be aware of all of your internal network ID's if you are using Windows Proxy Auto-Discovery (WPAD) and have configured a WPAD entry for either DHCP or DNS. This allows you to set the ISA Firewall Client to auto-configure your client browser settings.

Your ISA Server should be also be running DNS as a DNS cache server. The DNS should be configured to forward all non-local domain requests out to your ISP's DNS server and the external NIC should not be configured for DNS. Also, the NIC on the LAN should be configured to point to itself for DNS and your Active Directory DNS servers use the ISA Server DNS as the forwarder. You can add the AD DNS domains as Secondary Zones that get their copies from your internal DNS servers. For more information on setting up WPAD or DNS on ISA Server, refer to some very helpful articles on Microsoft ISA Server Firewall Resource Site: Articles & Tutorials.

xxxx77024

Thank you for the information