 From:  person <blankinvites+m0n0 at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CAP Portal / VLAN's how to - InterVLAN routing?
 Date:  Thu, 9 Feb 2006 18:32:56 -0500
Hey guys - thanks for some of your replies.

I have investigated the switching structure at the sites and they are all
pre IOS 12.0x and most can only take the latest IOS 11.x. So no, they do not
have VLAN Trunking, but they DO have Multi-VLAN ports which would allow
multiple VLANs out on one port, a pseudo-trunking port. (or am I missing
something?)

But, I want to refocus the goal here. While there are other options, I have
to focus on using only what is currently available at the sites. My
proposal for changing all offices to m0n0wall is going well and I think it
may be approved.

What I was envisioning is to have all the internal switches on one
switchport and assign it to its own VLAN, then have another switchport
assigned to the same VLAN and put that going into an OPT1 (3rd NIC in the
m0n0wall box). Then have the m0n0wall box make a rule on the fly after
authentication to pass traffic from the authenticated host to LAN.

Is something like this possible, am I going down the right road? What would
be the usable limits of this type of routing, say if we needed to move many
600MB files from an internal machine -> internal media server but obviously
would have to go through the m0n0wall routing to do so in this case.

Ideas?

Thank you!



On 1/31/06, Chris Buechler <cbuechler at gmail dot com> wrote:
>
> On 1/31/06, person <blankinvites plus m0n0 at gmail dot com> wrote:
> >
> > Locally there are many internal webservers (not patched, containing info
> > you wouldn't want any outsider to access, etc.), video/media servers,
> > wikis, shared drives, etc. etc. Given the nature of the offices, there are
> > many places someone can, and even places people are allowed to, simply
> > plug into a jack and get internet access (conference rooms/guests, etc.).
> > Not uncommon for someone using someone's office to unplug the ethernet
> > cable and plug it in to their laptop.
>
> Wow, really asking for trouble there.  You definitely need to be
> looking for a solution aside from the firewall.  No firewall is going
> to be able to help you in this situation.
>
> 802.1X would be a good solution, but that's not an option on any
> Catalyst 2924.  dot1q trunking isn't even an option on the old 2924s
> that you're talking about.  They do support VLANs, but no trunking,
> so their usefulness is very limited.  To accomplish this, you're going
> to be stuck replacing all the switches.
>
> For more info on 802.1x on Cisco gear, Google "802.1x site:cisco.com"
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>