Networking VLAN - Help configuring

 
 
Fredrick A. Zilz

 
      07-19-2005, 12:11 AM
Not sure if this is the correct forum, please let me know if there is
somewhere better to ask this question.

Internet
|
Router
|
Firewall - DMZ
|
Managed Switch - Wireless Lan (Cisco Aironet - allows for separate SSID for VLANs)
|
Lan

Domain is Windows 2003 domain, Domain Users are Windows XP SP2. Currently I
have the default VLAN and one SSID, I am using internal Windows 2003 Cert
Server to issue User certs, WLAN is using WPA with LEAP. User
authentication is with user certificates. Working well, limited deployment.

Goal is to add second VLAN with users on second VLAN having access only to
Internet and no LAN resources.

Can someone point me to a good resource that might spell out how I would do
this?

Thank you.


 
 
 
 
 
Phillip Windell

 
      07-19-2005, 02:07 PM
It works the same no matter if it is VLANs or Regular Segments,...you have
to have a Layer3 Routing Device between the segments and the Routing Device
uses ACLs to control access between the segments. When I say "Router" I
mean a real router,...not some NAT based Internet Sharing Device.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
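Added example, not part of the original thread: a small model of the ACL a Layer 3 device would apply to the second VLAN, checking that guests reach the Internet but no LAN host, and showing why rule order matters. The subnets, rule lists and function names are constructed for illustration, and first-match evaluation with an implicit deny is assumed for the routing device.

```python
import ipaddress

# Constructed addressing (assumption; the thread gives no subnets).
LAN = ipaddress.ip_network("192.168.10.0/24")    # VLAN 1: domain users
GUEST = ipaddress.ip_network("192.168.20.0/24")  # VLAN 2: Internet-only users
ANY = "0.0.0.0/0"

def rule(action, src, dst):
    return (action, ipaddress.ip_network(str(src)), ipaddress.ip_network(str(dst)))

def evaluate(acl, src, dst):
    """First matching rule wins; no match means deny (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def shadowed(acl):
    """Indexes of rules fully covered by an earlier rule, so they never match."""
    return [i for i, (_, src, dst) in enumerate(acl)
            if any(src.subnet_of(es) and dst.subnet_of(ed) for _, es, ed in acl[:i])]

def audit(acl):
    """Exhaustively test the thread's goal: guests reach the Internet, never the LAN."""
    leaks = sum(evaluate(acl, g, l) == "permit"
                for g in GUEST.hosts() for l in LAN.hosts())
    internet_ok = evaluate(acl, GUEST[10], "203.0.113.10") == "permit"  # TEST-NET-3 host
    return {"lan_leaks": leaks, "internet_ok": internet_ok, "shadowed": shadowed(acl)}

# Deny the specific destination first, then permit everything else.
GOOD_ACL = [rule("deny", GUEST, LAN), rule("permit", GUEST, ANY)]
# Same two rules reversed: the broad permit matches first and the deny is dead.
BAD_ACL = [rule("permit", GUEST, ANY), rule("deny", GUEST, LAN)]

if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, audit(acl))
```
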
 
Fredrick A. Zilz

 
      07-21-2005, 09:37 PM
Thank you,
I appreciate your response.
Is there some information you can refer me to that would outline how the
router would be configured? I take it that I would place the router between
my switch and wireless access points. Then I would be routing vlan1 traffic
to and from my lan and vlan2 traffic to and from my dmz or internet
connection?

internet
|
router
|
Firewall - DMZ
| |
switch - router - Wireless APs
|
Lan
 
Phillip Windell

 
      07-22-2005, 03:13 PM
"Fredrick A. Zilz" <(E-Mail Removed)> wrote in message
> Is there some information you can refer me to that would outline how the
> router would be configured? I take it that I would place the router between
> my switch and wireless access points. Then I would be routing vlan1 traffic
> to and from my lan and vlan2 traffic to and from my dmz or internet
> connection?


There is no way I can answer that unless I set up the VLANs and knew "how &
where" I set them. The Router goes between the segments (logical or
otherwise), how that translates into the "physical world" at your location I
have no idea.

Traffic is *never* routed between a DMZ and a LAN,...it is either "NAT'ed"
or is "proxied". This would have nothing to do with how the VLANs are
handled. I know of no simple way to make a DMZ out of a VLAN without having
a Routing Device that is simultaneously doing all three jobs of "routing",
establishing the VLANs, and NAT'ing between the LAN and DMZ.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Fredrick A. Zilz

 
      07-22-2005, 05:37 PM
Thank you for your time.