Welcome to ISAserver.org
Multiple VLANs ISA 2006 enterprise
Multiple VLANs ISA 2006 enterprise - 27.Mar.2008 3:46:15 PM   
Carew

Posts: 3
Joined: 27.Mar.2008
Status: offline
Hi, being new to ISA, I have not read an article explaining my question sufficiently.

Say that you have multiple VLANs on the inside of your network, e.g.:
- Guests on VLAN 8, IP: 10.8.0.0 255.255.0.0
- Users on VLAN 16, IP: 10.16.0.0 255.255.0.0, and so forth (I have 5 others), all represented by a dedicated virtual NIC on the ISA 2006 server (with 2 physical NICs).

Should then all of these VLANs/networks be included in the INTERNAL network?
Then I guess I have to create subnet/address range objects to base my FW rules on.

Or should each VLAN be created as a separate network? But what network should I include in the INTERNAL network then?

Any help or other helpful pointers will be greatly appreciated.

< Message edited by Carew -- 27.Mar.2008 4:00:26 PM >
Post #: 1
RE: Multiple VLANs ISA 2006 enterprise - 27.Mar.2008 5:38:52 PM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Firstly, what are you trying to achieve with your design?

Is ISA being used to firewall between all VLANs or do the VLANs represent the "internal network" that then needs access to the Internet via ISA?

I assume you are thinking of using a physical trunk connection and then using VLAN tagging for each individual VLAN? If not, can you explain this a bit more?

Depending on the above you will have different options, so let us know and we can help some more.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Carew)
Post #: 2
RE: Multiple VLANs ISA 2006 enterprise - 28.Mar.2008 3:58:58 AM   
Carew

Posts: 3
Joined: 27.Mar.2008
Status: offline
Many thanks for your reply Mr. Jones.

I guess what I am trying to achieve is high availability, VLAN separation and clear and logical FW rules based on this separation. I have two ASAs in front of the planned ISA EE array. My problem is that I am given the mentioned network design and have to get ISA to work with this design.

Your assumption regarding the physical trunk and tagging is correct. I guess what I would like is for the ISA to act as a FW between all VLANs, and base my FW on that, but at the same time all these VLANs reside on the "inside" of my network; I have no DMZ needs etc.

If I created one network for servers and one for users and guests, this is more like what I am used to, but then I am unsure of what network should be included in the INTERNAL network.
So far I have included all the VLANs and their adapters in the INTERNAL network, and then made subnet objects for the VLANs to base any future FW rules on, but as I have said I am not sure I am on the correct path here.

Sure hope this clears things up a bit.


(in reply to Jason Jones)
Post #: 3
RE: Multiple VLANs ISA 2006 enterprise - 28.Mar.2008 5:48:55 AM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi,

If you use VLAN tagging, it is my understanding that Windows will see each VLAN as an individual network interface in Network Connections. Is this what you see?

As ISA can only define one ISA network per network interface, you will need to create ISA network objects for each of your VLANs. I would recommend that you keep using the default "Internal" network and use the VLAN that hosts your network infrastructure servers, like Domain Controllers, DNS servers etc., as the Internal network. You can then create ISA networks for all the other VLANs and create appropriate network rules for traffic flow between each VLAN (if required). Once you have these defined, you will then be able to define firewall policies to control traffic flow between networks. The above model assumes that your switches are not providing the routing between each of the VLANs, as ISA would need to do this to firewall it properly.

This is the approach I would use (and have used in the past) for customers looking at intra-VLAN firewalling.

The only downside to this architecture is that if someone is able to perform 'VLAN hopping' (hard but theoretically possible) and move between the VLANs, it is possible to bypass ISA.

Hope this helps?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Carew)
Post #: 4
RE: Multiple VLANs ISA 2006 enterprise - 28.Mar.2008 6:28:43 AM   
Carew

Posts: 3
Joined: 27.Mar.2008
Status: offline
Thanks again Mr. Jones

I see each VLAN as an individual network interface in Network Connections.

And I will follow your advice on creating a network for each VLAN. You see, I read the part on creating subnet objects and including all VLANs in INTERNAL in another post and that confused me a lot.

Thanks for your advice.

(in reply to Jason Jones)
Post #: 5
RE: Multiple VLANs ISA 2006 enterprise - 28.Mar.2008 6:49:39 AM   
Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yeah, but you are trying to do something different with your setup, as it is really acting as an intra-VLAN firewall.

The other approach you mention is more for if you were using ISA as a forward proxy; you would then include all your VLANs within the Internal network definition. Subnets could then be used to differentiate between VLANs in access rules, as you would only have one ISA network.

Hope it works out for you, and please feed back when you have it up and running.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Carew)
Post #: 6
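The two layouts discussed in posts #4 and #6 (one ISA network per VLAN adapter for intra-VLAN firewalling, versus one "Internal" network holding every VLAN for a forward proxy) differ in what ISA can see at the VLAN boundary. The following is an added example, not code from the thread and not ISA's own configuration API: a plain-Python model of how ISA binds adapters to network objects and classifies traffic, with a validation check for the two constraints Jason mentions (one ISA network per interface, non-overlapping address ranges). VLAN 8 and VLAN 16 come from the original post; the adapter names and the infrastructure VLAN 24 are constructed stand-ins, and the spoof check is a deliberately simplified version of ISA's behaviour.

```python
"""Added example: plain-Python model of ISA 2006 network objects (not ISA's API).

VLAN 8 and VLAN 16 are from the thread; adapter names and VLAN 24 (the
infrastructure VLAN hosting DCs/DNS) are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# VLAN id -> (Windows adapter name, subnet). Adapter names are constructed.
VLANS = {
    8: ("VLAN8-Guests", "10.8.0.0/16"),
    16: ("VLAN16-Users", "10.16.0.0/16"),
    24: ("VLAN24-Infra", "10.24.0.0/16"),  # constructed infrastructure VLAN
}


@dataclass(frozen=True)
class IsaNetwork:
    name: str
    adapters: tuple  # adapters bound to this ISA network
    ranges: tuple    # ipaddress.IPv4Network objects owned by the network


def per_vlan_networks(vlans, infra_vlan):
    """Intra-VLAN firewall layout (post #4): one ISA network per VLAN adapter,
    with the infrastructure VLAN keeping the default 'Internal' network name."""
    nets = []
    for vid, (adapter, cidr) in vlans.items():
        name = "Internal" if vid == infra_vlan else f"VLAN{vid}"
        nets.append(IsaNetwork(name, (adapter,), (ipaddress.ip_network(cidr),)))
    return nets


def single_internal_network(vlans):
    """Forward-proxy layout (post #6): every VLAN adapter and subnet in 'Internal'."""
    adapters = tuple(adapter for adapter, _ in vlans.values())
    ranges = tuple(ipaddress.ip_network(cidr) for _, cidr in vlans.values())
    return [IsaNetwork("Internal", adapters, ranges)]


def validate(networks):
    """Return configuration problems as strings (an empty list means OK):
    an adapter may belong to only one ISA network, and the address ranges
    of different networks must not overlap."""
    problems = []
    owner = {}
    for net in networks:
        for adapter in net.adapters:
            if adapter in owner:
                problems.append(f"adapter {adapter} in both {owner[adapter]} and {net.name}")
            owner[adapter] = net.name
    flat = [(net.name, rng) for net in networks for rng in net.ranges]
    for i, (n1, r1) in enumerate(flat):
        for n2, r2 in flat[i + 1:]:
            if n1 != n2 and r1.overlaps(r2):
                problems.append(f"{n1} range {r1} overlaps {n2} range {r2}")
    return problems


def network_for_adapter(networks, adapter):
    return next((net for net in networks if adapter in net.adapters), None)


def network_for_ip(networks, ip):
    addr = ipaddress.ip_address(ip)
    return next((net.name for net in networks if any(addr in r for r in net.ranges)), None)


def classify_packet(networks, in_adapter, src_ip):
    """Simplified spoof check: a packet is accepted into the network bound to
    the arrival adapter only if its source address lies in that network's
    ranges; otherwise it is treated as spoofed and dropped."""
    net = network_for_adapter(networks, in_adapter)
    if net is None:
        return "drop: adapter is not bound to any ISA network"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in r for r in net.ranges):
        return f"drop: {src_ip} spoofed on {in_adapter} ({net.name})"
    return net.name


def can_filter_between(networks, src_ip, dst_ip):
    """True when source and destination fall into different ISA networks, i.e.
    when network rules and firewall policy can see the VLAN boundary. Inside a
    single network only subnet objects in access rules can tell them apart."""
    src, dst = network_for_ip(networks, src_ip), network_for_ip(networks, dst_ip)
    return src is not None and dst is not None and src != dst


if __name__ == "__main__":
    per_vlan = per_vlan_networks(VLANS, infra_vlan=24)
    print("per-VLAN layout problems:", validate(per_vlan))
    print(classify_packet(per_vlan, "VLAN8-Guests", "10.8.1.5"))
    print(classify_packet(per_vlan, "VLAN8-Guests", "10.16.1.5"))
    print("guest->user boundary visible:", can_filter_between(per_vlan, "10.8.1.5", "10.16.1.5"))
    single = single_internal_network(VLANS)
    print("single-Internal boundary visible:", can_filter_between(single, "10.8.1.5", "10.16.1.5"))
```

Running the module shows the practical difference: with one network per VLAN a guest-to-user flow crosses an ISA network boundary and can be governed by network rules and policy, while in the single-Internal layout the same flow stays inside one network and only subnet objects in access rules can distinguish it. The `validate` function is the check to run whenever VLANs are added, since an adapter bound to two networks or overlapping ranges is exactly the misconfiguration that makes ISA's per-network policy ambiguous.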