I have a Cisco ASA 5505 that is right now servicing 30 or so machines all on 10.10.0.X.
I want to segregate a few of these machines to a VLAN, so that they can't initiate traffic to all the other computers that aren't part of the restricted VLAN.
Computers that are not part of the segregated group should still be able to initiate connections with the segregated machines.
So this is pretty much like a DMZ except I am hoping that I don't have to put the segregated machines on a different subnet.
Is this possible or do I need to have each VLAN on a different subnet?
Please excuse my novice status with this stuff. I'm trying to learn.
VLANs are by definition layer 2. It is for all intents and purposes like putting the machines on two separate networks. So in this case you would want the machines on different subnets, and on separate VLANs, with the ASA acting as an intermediary router between the two "zones". You would then set up ACLs on the ASA to stop traffic from being initiated to the first subnet from the second one.
This is the correct way to handle what you are trying to do. You could do this with two separate subnets in the same VLAN, but that would be less secure...
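As an added illustration of the layout this answer describes (not configuration from the thread or from Cisco), here is a minimal ASA 5505 fragment with the existing hosts left on VLAN 1 / 10.10.0.0/24 and the segregated hosts moved to VLAN 2 on a second subnet; the names `inside`, `restricted`, the 10.10.1.0/24 subnet and the Ethernet0/1 port are assumptions. The lower security level alone would already block the restricted side from initiating, but the explicit ACL makes the intent visible and keeps the restricted hosts' other traffic working.

```cisco
! Added example, not from the original thread. ASA 8.3+ syntax assumed.
! Existing hosts stay on VLAN 1 (10.10.0.0/24); segregated hosts go to VLAN 2
! on a separate subnet (10.10.1.0/24, constructed for this example).
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 no shutdown
!
interface Vlan2
 nameif restricted
 security-level 50
 ip address 10.10.1.1 255.255.255.0
 no shutdown
!
! Move the switch port(s) of the segregated machines into VLAN 2
! (Ethernet0/1 is an assumed port; repeat for each segregated host port).
interface Ethernet0/1
 switchport access vlan 2
 no shutdown
!
! Inbound ACL on the restricted side. The ASA is stateful, so replies to
! sessions started from inside still pass; only new sessions from
! 10.10.1.0/24 toward 10.10.0.0/24 are dropped. Anything else the
! restricted hosts initiate (e.g. toward the Internet) is still permitted.
access-list RESTRICTED_IN extended deny ip 10.10.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list RESTRICTED_IN extended permit ip 10.10.1.0 255.255.255.0 any
access-group RESTRICTED_IN in interface restricted
```

To confirm the policy without touching a host, `packet-tracer input restricted tcp 10.10.1.10 1025 10.10.0.10 445` should report a drop on the ACL, while the same trace from `inside` toward 10.10.1.10 should be allowed.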
The ASA platform can be used in transparent mode, so it may be possible to do what you want (although I admit I don't know enough about ASAs to say how).
However, this would not be a recommended configuration; if you want this kind of isolation, your best bet is to renumber them into a new subnet.