Separating traffic within the same VLAN


(OP)
I shall try and describe this as best I can.

Servers on VM all assigned to VLAN 102.
2 x new servers also within the same VLAN (102) - this is due to VM network card availability.

On the core switches VLAN102 routes to a particular firewall for N3 internet access. There is a second firewall for dedicated internet access.

The 2 x radius servers that are in VM within the same VLAN need to route to the second firewall for authentication and accounting.

Is it possible to separate traffic for routing within the same VLAN on the switch so that the traffic from these two servers goes to one firewall while the rest of the servers still access the other firewall for internet access?

There is currently no possibility of separating the servers from the same VLAN.... Unfortunately, or it would be easy.....

Thanks

RE: Separating traffic within the same VLAN

Is it a Cisco switch?

If yes, YOU COULD maybe put them in private VLAN mode and mess around with the promiscuous mode on the firewall ports,
then maybe put a MAC address access-list on the firewall ports to block some servers from going to one....


**above is a horrible idea..

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Separating traffic within the same VLAN

How about Policy Based Routing determining the next hop? If this is a Layer 3 switch it may be doable.

RE: Separating traffic within the same VLAN

Not unless he moves the gateway down to the switch... What I understood is that the servers are hitting a FW as their first hop.... but who knows..

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Separating traffic within the same VLAN

(OP)
Hi

Thank you for the responses.

I was thinking along the lines of policy based routing but there was always a secondary issue there.... so, what we have done now is the following with same setup....

Found 2 individual boxes on which I have installed CentOS 6.5 and FreeRADIUS..... These can now sit on their own VLAN.

They are being utilised for proxying authentication requests from a WiFi network. Because of this proxying, the packets cannot go out of the normal firewall. So we still have a routing problem: even if they are on a separate VLAN and we use policy based routing (set up an extended ACL and a route map) to point to the secondary firewall, won't the return information (authentication packets) end up in a loop? The packets will come back to the RADIUS boxes and then, when they hit the core switches again to go back to the WiFi, the policy will send them out of the firewall, unless in the extended ACL we can state specific destination addresses?

Our way around this, we think, and will test during the week, is to create a new DMZ on the dedicated firewall, place the RADIUS boxes in this and then allow the internal network WiFi VLAN to be run at Layer 2 only. Routing can be completed at the firewall. That should resolve the issue.... I hope :)
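The policy based routing approach discussed in this thread (an extended ACL plus a route map, with specific destinations stated in the ACL so that replies toward the WiFi side are not policy-routed) can be written down as a Cisco IOS configuration. The following is an added example, not configuration from anyone in this thread. It assumes the core is a Cisco IOS Layer 3 switch that is the first hop (default gateway) for the server VLAN, as one reply points out PBR requires; that the dedicated firewall's inside interface sits on a transit VLAN directly connected to the core; and that the RADIUS servers only need to reach the upstream proxy target through that firewall. Every IP address, VLAN number and name below is a constructed placeholder.

```cisco
! Added example (not from the thread). Placeholders: VLAN 150 is the new
! RADIUS server VLAN, 10.150.0.11/.12 are the two FreeRADIUS boxes,
! 10.200.0.2 is the dedicated firewall's inside address on transit VLAN 200.
!
! The ACL decides which packets are policy-routed. Deny lines come first so
! that anything the RADIUS boxes send to internal space (RADIUS replies back
! to the WiFi controllers, management, DNS) follows the normal routing table
! and is never pushed toward the dedicated firewall. Only RADIUS auth (1812)
! and accounting (1813) traffic to non-internal destinations is matched.
ip access-list extended RADIUS-TO-DEDICATED-FW
 deny   ip host 10.150.0.11 10.0.0.0 0.255.255.255
 deny   ip host 10.150.0.12 10.0.0.0 0.255.255.255
 deny   ip host 10.150.0.11 172.16.0.0 0.15.255.255
 deny   ip host 10.150.0.12 172.16.0.0 0.15.255.255
 deny   ip host 10.150.0.11 192.168.0.0 0.0.255.255
 deny   ip host 10.150.0.12 192.168.0.0 0.0.255.255
 permit udp host 10.150.0.11 any eq 1812
 permit udp host 10.150.0.11 any eq 1813
 permit udp host 10.150.0.12 any eq 1812
 permit udp host 10.150.0.12 any eq 1813
!
! Packets matching the ACL get the dedicated firewall as next hop.
! Packets that do not match any clause are routed normally (implicit
! deny at the end of a route map means "use the routing table").
route-map PBR-RADIUS permit 10
 match ip address RADIUS-TO-DEDICATED-FW
 set ip next-hop 10.200.0.2
!
! Transit VLAN toward the dedicated firewall (next hop must be directly
! connected for "set ip next-hop" to work).
interface Vlan200
 description Transit to dedicated firewall
 ip address 10.200.0.1 255.255.255.0
!
! The policy is applied to the ingress SVI of the RADIUS server VLAN only.
! Return traffic from the firewall enters on Vlan200, where no policy is
! applied, so it cannot be looped back toward the firewall.
interface Vlan150
 description RADIUS servers
 ip address 10.150.0.1 255.255.255.0
 ip policy route-map PBR-RADIUS
```

Two checks are worth running after applying this: `show route-map PBR-RADIUS` reports how many packets each clause has policy-routed, so a non-zero count on clause 10 while the deny lines are silently passing internal traffic confirms the ACL ordering is doing its job; and `debug ip policy` (on a lab switch, not a busy core) shows per-packet decisions if a flow is being matched unexpectedly. Note that the dedicated firewall still needs a route back to 10.150.0.0/24 via 10.200.0.1 and a rule permitting the RADIUS ports, otherwise the policy-routed packets leave but their replies never return. The loop the original poster worried about is avoided by the deny entries, not by PBR itself: PBR only sees packets entering Vlan150, and the only such packets heading to internal addresses are the RADIUS replies to the WiFi side, which the deny lines hand back to the ordinary routing table.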
