On 2/9/06, person <blankinvites plus m0n0 at gmail dot com> wrote:
>
> I have investigated the switching structure at the sites and they are all
> pre-IOS 12.0x and most can only take the latest IOS 11.x. So no, they do not
> have VLAN trunking, but they DO have multi-VLAN ports which would allow
> multiple VLANs out on one port, a pseudo-trunking port. (Or am I missing
> something?)
>

I don't know if that's actually true or not. I don't have an IOS 11.x switch handy at the moment, but from what I recall, you assign VLANs normally with 'switchport access vlan ...', which IIRC doesn't let you assign multiple VLANs to a port. Regardless, since you don't know where a particular outside user is going to plug in at any given time, that won't help.

>
> What I was envisioning is to have all the internal switches on one
> switchport and assign it to its own VLAN, then have another switchport
> assigned to the same VLAN and put that going into an OPT1 (3rd NIC in the
> m0n0wall box). Then have the m0n0wall box make a rule on the fly after
> authentication to pass traffic from the authenticated host to the LAN.
>

That would work, but it won't achieve the stated goal you had earlier. With this type of scenario, you would have to know in advance which ports will be used by untrusted machines, and you stated that was not a possibility.

>
> Is something like this possible; am I going down the right road? What would
> be the usable limits of this type of routing, say if we needed to move many
> 600 MB files from an internal machine -> internal media server but obviously
> would have to go through the m0n0wall routing to do so in this case?
>

Depends on what kind of hardware you're looking at. To achieve 100 Mb throughput with some power to spare for Internet connectivity, you'll want at least a 700 MHz CPU with good quality NICs (read: Intel).

-Chris