I have an ADSL connection which has a /29 subnet allocated to it, giving me 6 usable IP addresses. Currently this has a cheap Netgear ADSL router attached, which has a built in switch. There are 3 servers attached, each with a public IP address. Each of these servers is in our DMZ, and has a second network connection to the internal firewall, but I don't think that's important for this question.
Because the Netgear router's switch is so simple, each of these 3 servers can access the other servers, via the router's switch. What I require is for each of these servers to be isolated from the others, and have no access to them.
I intend to replace the router with something more suitable, such as a Cisco 1801, which also has a built-in switch, but supports VLANs on this switch. However, I'm not sure what the best method of achieving the goal is. I'm not sure if the firewall on that router applies to connections to its switch, or only routed connections. And I get the feeling that VLANs should be involved here, but I'm not sure how!
What is the best way for me to achieve the requirement of an ADSL connection with a /29 subnet, where the attached devices have no connectivity to each other?
I don't know about the 1801, but I use a Cisco 1811 to do exactly this. You can assign a VLAN to every port on the switch:
These VLANs are separated by default. You can also assign a switchport to access all the VLANs (for monitoring or whatever).
To link each VLAN to one public IP address you can use a few NAT rules like:
and turn on NAT on Fe0 (the WAN connection):
Make sure that you buy a Cisco 18xx with built-in ADSL on Fe0, otherwise you'll spend a lot of money on an extra ADSL module.
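The per-port VLAN and static NAT arrangement the answer describes, written out as an added IOS configuration example. This is not the answerer's own config (which is not reproduced on this page); the interface names, VLAN IDs and addresses are assumptions: an ISR 18xx whose EtherSwitch ports are FastEthernet2-4 and whose WAN is Ethernet on FastEthernet0, a public /29 from the RFC 5737 documentation range (203.0.113.0/29, ISP gateway .1, router .2, one public address per server), and an RFC 1918 /30 behind each SVI. An ADSL WAN would terminate on an ATM/Dialer interface instead of Fe0. Note that with this design the servers carry private addresses and the router holds the public ones; VLANs remove the layer-2 path between the servers, but because the router has an SVI in every VLAN it will route between them unless an ACL forbids it, so the example adds one.

```cisco
! Added example, not from the original answer. Addresses and interface
! names are assumptions (see lead-in). Older IOS creates VLANs under
! "vlan database" instead of config mode.
!
! One VLAN per switch port: each server lands in its own broadcast domain.
vlan 11
 name SERVER-A
vlan 12
 name SERVER-B
vlan 13
 name SERVER-C
!
interface FastEthernet2
 switchport mode access
 switchport access vlan 11
interface FastEthernet3
 switchport mode access
 switchport access vlan 12
interface FastEthernet4
 switchport mode access
 switchport access vlan 13
!
! One SVI per VLAN on its own /30: the only hosts on each VLAN are the
! router and one server, so there is no layer-2 path between servers.
interface Vlan11
 ip address 192.168.11.1 255.255.255.252
 ip nat inside
 ip access-group ISOLATE-VLAN in
interface Vlan12
 ip address 192.168.12.1 255.255.255.252
 ip nat inside
 ip access-group ISOLATE-VLAN in
interface Vlan13
 ip address 192.168.13.1 255.255.255.252
 ip nat inside
 ip access-group ISOLATE-VLAN in
!
! The router routes between SVIs by default, so block server-to-server
! traffic at layer 3 as well, whether addressed by private or public IP.
ip access-list extended ISOLATE-VLAN
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.255.255 203.0.113.0 0.0.0.7
 permit ip any any
!
! WAN side: the public /29 terminates on the router (assumed: ISP is .1).
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! 1:1 static NAT: each server's private address maps to one public address.
ip nat inside source static 192.168.11.2 203.0.113.3
ip nat inside source static 192.168.12.2 203.0.113.4
ip nat inside source static 192.168.13.2 203.0.113.5
```

To check the result, `show vlan-switch` (or `show vlan` on some images) should list each FastEthernet port under exactly one VLAN, `show ip nat translations` should show the three static entries, and a ping from one server to another's private or public address should fail while the internet remains reachable through its own public mapping.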