This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
I work for a small financial institution and inherited some infrastructure in a state of disrepair. Ports were failing on one of our main switches (an old unmanaged Dell). The previous IT guy just hung smaller 5 or 8 port switches off of it to compensate for the bad ports.
I decided to buy two (2) GS324TPs and have since connected them to the infrastrutcure. But I've discovered I got a little overzealous removing the smaller switches as one of them was sitting between our ISP and the WAN interface of our firewalls. There's a single ethernet run from our ISP to our server room, and our FWs are setup in an HA configuration. To eliminate a small switch between our ISP and the FWs, I'd actually need two ethernet runs, but it's not practical from a cost perspective -- ISP comes in at the other side of the building so I'd need to hire a wiring vendor, but I digress...
I made the mistake of plugging everything into the new switches, and now our FW provider is seeing spoofing (LAN addresses on the WAN interface). Because I'm the genius (sarcasm) who thought the switch would take care of this all for me. Our FW guys are saying the interfaces need to be separate, which I understand what he's getting at, I'm just wondering if I can solve this with VLANs on the switch I just bought? If not, I reckon I'll just reinsert a 5 port switch between the ISP and FWs, and then connect both of the Netgear switches downstream on the FW LAN ports.
To substitute the previous 5-port switch, you could create an additional VLAN, like VLAN 123 on on fo these switches, "remove" five [why not right a block of four, six eight ...?] (not having these as a member for the VLAN 1, just [-], and then make these ports [u]ntagged members of the VLAN 123, and also set the PVID to 123 on these ports..
Now you have the VLAN 1 for your internal network, and VLAN 123 for the Internet side. Very simlpe.
Keep in mind that this might be not the smartest decision having VLANs of your in-house LAN and Internet on the same device from the security prospective.
To substitute the previous 5-port switch, you could create an additional VLAN, like VLAN 123 on on fo these switches, "remove" five [why not right a block of four, six eight ...?] (not having these as a member for the VLAN 1, just [-], and then make these ports [u]ntagged members of the VLAN 123, and also set the PVID to 123 on these ports..
Now you have the VLAN 1 for your internal network, and VLAN 123 for the Internet side. Very simlpe.
Keep in mind that this might be not the smartest decision having VLANs of your in-house LAN and Internet on the same device from the security prospective.
