Thursday, August 9, 2018

Followup: UDP Broadcast forwarding

I originally asked a question about a month ago regarding forwarding broadcast traffic across a firewall and it was determined that this was not a feasible or recommended option.

https://www.reddit.com/r/networking/comments/8xggdi/udp_broadcast_forwarding_through_an_asa_firewall/

Because the hardware/software involved in this project is proprietary and ancient, we are trying another route that I hope will be successful, but I would like some advice regarding this configuration.

We have 3 VLANs, let's call them VLAN 101, 102, and 103. VLANs 101 and 102 are considered more critical and are on the "inside" of our firewall with no direct outside access. VLAN 103 is a DMZ on the "outside" of our firewall. All three have direct connections to the firewall. We have broadcast traffic on VLAN 101 that needs to get to a computer on VLAN 103. As a proof of concept, we installed a Cisco router between VLAN 101 and VLAN 103 and used the iphelper command to convert the broadcast stream into a unicast stream. This was successful, but by doing this we have now made our router an access point into our critical networks.

I would like to move the router behind the firewall and use ACLs on the firewall to direct traffic to this 103 VLAN. What I wanted to propose was putting a router between VLANs 101 and 102, use iphelper to send a unicast stream to a VLAN 102 address, and then use a NAT and an access rule to get that traffic across the firewall. So in summary,

VLAN 101 broadcast --> VLAN 102 unicast --> VLAN 103 nat to 102 --> udp ACL.

Is this possible? Thanks
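One concrete shape of the chain described in the post (helper on an inside router, static NAT on the ASA, a narrow UDP rule), written here as an added illustration rather than anything taken from the post or its thread. All addresses, interface names, the object name DMZ_HOST and the port 5000 are placeholders; the firewall is assumed to be an ASA running 8.3 or later, where ACLs are written against real (untranslated) addresses.

```text
! ===== Router between VLAN 101 and VLAN 102 (placeholder addresses) =====
! ip helper-address relays more than one application by default (TFTP 69,
! DNS 53, time 37, NetBIOS 137/138, BOOTP/DHCP 67/68, TACACS 49).
! Drop those defaults so the relay carries only the proprietary app's port.
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 67
no ip forward-protocol udp 68
no ip forward-protocol udp 49
! 5000 stands in for the application's real UDP port
ip forward-protocol udp 5000
!
interface Vlan101
 ip address 10.1.101.1 255.255.255.0
 ! unicast target lives on VLAN 102; the ASA maps it to the DMZ host below
 ip helper-address 10.1.102.50
!
interface Vlan102
 ip address 10.1.102.1 255.255.255.0

! ===== ASA: present the VLAN 103 host as a VLAN 102 address, permit one port =====
object network DMZ_HOST
 host 10.1.103.20
 ! real address 10.1.103.20 on "dmz" appears as 10.1.102.50 toward "inside"
 nat (dmz,inside) static 10.1.102.50
!
! ACLs on 8.3+ match the real destination, so reference the object, not 10.1.102.50.
! Applying an ACL to "inside" replaces the implicit high-to-low permit, so this
! is the only inside -> dmz traffic allowed unless more lines are added.
access-list INSIDE_IN extended permit udp 10.1.101.0 255.255.255.0 object DMZ_HOST eq 5000
access-group INSIDE_IN in interface inside
```

Two things worth checking before relying on this: confirm with a capture on VLAN 102 that the relayed packets still carry the VLAN 101 host's source address (if the router rewrites the source, the ACL's source network should be the router's VLAN 102 address instead), and confirm on the ASA that the translation is the only path from inside to the DMZ host, since the whole point of moving the router behind the firewall is that the firewall, not the router, decides what crosses.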


