I guess policy routing is what I'd recommend, or put a firewall in front of
the servers and set up the appropriate controls.   Policy routing is what
that type of application was intended for, so you are along the right track,
although it's far from secure.  If security isn't an issue, then check out a
firewall.  If you got the cash, get the firewall blade for the 6500, and
implement the controls there.  Then you have optimal control over all
aspects of the network that pass through it.

"Robert Edmonds" wrote in message
news:200210181926.TAA13264@;groupstudy.com...
> First, the 300 line access-list was a bit of an exaggeration, more to make
> the point that I don't want an ungodly long access-list.
> Well, basically every floor in each building has its own /24 subnet.
> Unfortunately the real problem is that to get to the Internet, traffic must
> traverse VLAN 1, which also houses all my servers.  That's the real problem.
> Is it possible to force traffic from one VLAN to go only out through my PIX
> and not be able to browse the servers on that subnet?
> Not being really familiar with the concept, I was thinking along the lines
> of policy routing.  Is this the type of application it is intended for?  I'm
> still trying to find good information on it.
> "Steven A. Ridder" wrote in message
> news:200210181920.TAA12300@;groupstudy.com...
> > Not sure I understand how you are running your network, but if you deny the
> > lawyers VLAN from accessing the other VLANs in your network, you should be
> > all set.  That way you only have one deny statement to add to each VLAN.  I
> > think what's throwing me is the 300 line access-list statement.  There's a
> > ton of solutions out there for you, but you need to be more clear in terms
> > of describing your internal network.
> >
> >
> > "Robert Edmonds" wrote in message
> > news:200210181908.TAA09447@;groupstudy.com...
> > > I work for a county government.  As part of building a new courthouse, I am
> > > tasked with providing attorneys in courtrooms with Internet access through
> > > my network.  Of course, I would like to provide them access to what they
> > > need while blocking access to our internal network.
> > > My network is set up in the following manner:
> > > In the new courthouse, the MDF has a 3550-12G acting as the root switch for
> > > the building, and has the layer 3 image.  It connects directly to my core,
> > > with a 6506 with Sup2 and MSFC2, which in turn connects to my PIX 515 for
> > > Internet access.  I plan on creating a separate VLAN for the public Internet
> > > access, but beyond that I'm left a bit short.  Obviously I don't want to
> > > create a 300 line access-list that would deny them access to each internal
> > > VLAN, then each of our servers in turn.  Can someone give me some
> > > suggestions to get this done?  Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55902&t=55898
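The thread's two ideas in one IOS config fragment, as an added example that is not from any poster in the thread: the short "deny the internal summary, permit the rest" access-list that Steven describes, applied inbound on the attorney VLAN's SVI, together with the policy route-map Robert asks about, which hands the remaining traffic to the PIX. The VLAN numbers, subnets, the PIX inside address and the DNS server address are all constructed placeholders, not the county's real ones, and the list names are made up.

```cisco
! Added example (not from the thread). Constructed layout:
!   VLAN 50   10.50.0.0/24   attorney / public Internet VLAN, SVI 10.50.0.1
!   VLAN 1    10.0.1.0/24    server VLAN, PIX inside interface 10.0.1.1
!   10.0.0.0/8               summary covering every internal floor /24
!   10.0.1.53                a county DNS server (placeholder, only if needed)
!
ip access-list extended ATTORNEY-IN
 remark Specific permits must come before the broad deny: ACLs match top-down
 remark Optional: let attorneys resolve names via a county DNS server
 permit udp 10.50.0.0 0.0.0.255 host 10.0.1.53 eq domain
 remark One deny covers every internal VLAN, the servers on VLAN 1 included
 deny   ip 10.50.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Also deny the other RFC 1918 ranges in case any are used internally
 deny   ip 10.50.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Whatever is left is Internet-bound: allow it
 permit ip 10.50.0.0 0.0.0.255 any
!
! Source-only list the route-map uses to select attorney traffic
ip access-list standard ATTORNEY-SRC
 permit 10.50.0.0 0.0.0.255
!
! Policy routing: send attorney traffic to the PIX instead of following the
! normal routing table. This only changes the next hop; it enforces nothing,
! which is why the ACL above is the actual security control.
route-map ATTORNEY-TO-PIX permit 10
 match ip address ATTORNEY-SRC
 set ip next-hop 10.0.1.1
!
interface Vlan50
 description Attorney / public Internet VLAN
 ip address 10.50.0.1 255.255.255.0
 ip access-group ATTORNEY-IN in
 ip policy route-map ATTORNEY-TO-PIX
```

After applying it, `show ip access-lists ATTORNEY-IN` shows per-line match counts, so a few test connections from the attorney VLAN to a server and to an Internet host will confirm that the deny and the final permit are the lines being hit; `show route-map ATTORNEY-TO-PIX` shows whether the policy is actually matching packets. The ordering matters: the DNS permit sits above the summary deny because IOS stops at the first matching line, and the summary deny removes the need for one line per floor VLAN or per server, which is the point Steven was making about the 300 line list.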