Also, you need to keep in mind that it isn't the router itself that's in a
VLAN, etc. It's the individual interfaces or subinterfaces. You could have a
subinterface to every VLAN on one interface, a connection to your ISP on
another interface, and other connections going elsewhere on other
interfaces. The router itself can't be said to be a member of any one VLAN.
It's a member of all of them by default.

If you're looking for best practices, have the interface to the internet be
in the same network as the interface on the ISP's router. Anything else is
dependent on the topology and requirements on your end. If you need to use a
firewall, make sure that all traffic to and from goes through the firewall.
This can be as simple as setting the default gateway to the firewall's
interface and then routing traffic to the internet from there.

HTH,
        Karen


*********** REPLY SEPARATOR  ***********

On 6/25/2001 at 6:01 PM Michael L. Williams wrote:

>If you have multiple VLANS, then all of their traffic has to pass through a
>router to talk between them anyway.  Can't you just use that same router to
>either route to the internet or connect to a router that connects to the
>internet?    There's really no need to segregate the internet traffic to
>its own VLAN, as only traffic to/from the internet would get intermingled
>into the VLAN traffic anyway.
>
>Mike W.
>
>"Vijay Ramcharan" wrote in message
>news:[EMAIL PROTECTED]...
>> Thanks but not quite.  I was just wondering about the actual placement
>> of the Internet router.  Is it in its own VLAN or is it part of another
>> VLAN with hosts, servers etc.  In terms of security, wouldn't best
>> practice dictate that a router that is directly connected to the
>> Internet, be segregated in its own VLAN?  Am I right or wrong?  I know
>> how to make it work either way, but I'd just like to get an idea of what
>> the better ways are of separating Internet bound traffic from LAN based
>> traffic?
>>
>> Vijay Ramcharan
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>> Karen E Young
>> Sent: Saturday, June 23, 2001 2:23 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Internet traffic in a VLAN environment [7:9318]
>>
>>
>> Vijay,
>>
>> All you need is a default gateway on the router that points to the
>> internet.
>>
>> When an Internet destined packet from a workstation on a VLAN hits the
>> switch it gets dumped off on the router or MSFC since it doesn't have a
>> destination MAC address of a device on that VLAN. The router takes a
>> look at the IP and sees if it has a route. If it doesn't recognize the
>> destination network then it dumps it out the default gateway. Any return
>> traffic will have a destination IP and MAC address that the router and
>> switch will recognize.
>>
>> Hope this helps.
>> Karen
>>
>> *********** REPLY SEPARATOR  ***********
>>
>> On 6/21/2001 at 10:27 AM Vijay Ramcharan wrote:
>>
>> >Could someone enlighten me on some of the best practices for directing
>> >traffic destined for the Internet from a VLAN based environment? I
>> >mean, is it best to create a separate VLAN and direct all unknown
>> >traffic out through that VLAN and then out to the Internet? OR
>> >Do you just choose one preexisting VLAN and have that one connected to
>> >your Internet router?
>> >
>> >I'm a bit confused. (lot confused?)
>> >
>> >Vijay Ramcharan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9938&t=9318