I was asked to segregate the testing environment in our network to improve our security.
Our structure includes:
- 1 Dell PowerConnect 3448 switch
- 1 Dell PowerConnect 2748 switch
- A few 5-port StarTech switches (a workaround to expand our cabling structure)
- 1 ISA Server 2006 firewall
To accomplish this task I am planning to do the following:
- Create a VLAN for the testing environment and include the necessary ports in that VLAN
- Leave all the other ports in the default VLAN 1 (keep the packets untagged), except the port where the ISA Server is plugged in
- Configure the port where the ISA Server is plugged in as a trunk
- Configure a virtual interface on the ISA Server's network card to allow it to communicate with the VLAN
- Configure firewall rules on the ISA Server to allow only the desired traffic between the LANs, the Internet, and VPN clients.
Is what I've planned the best way to do what I was asked to do?
The method you planned will work great. One item I would recommend you research first is whether the network card in your five-year-old ISA server can support VLAN tagging. If it cannot, an alternative would be to install a second network card in the server and plug that into an access port on the testing environment VLAN.
One other point to consider: if you plan on having the ISA server and all of the new VLAN ports spread across multiple switches, the links between the switches should be configured as trunks as well. If the StarTech switches do not support VLAN tagging, you could either make the port going to one of the StarTech switches an access port on the new VLAN, and therefore every device plugged into that StarTech would be on the test VLAN, or you would need to ensure the testing lab ports are all going into the Dell switches.
Hope this helps!
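The access/trunk split described in the question and the answer, written out as an added example of what the PowerConnect 3448 CLI configuration would look like (this is not from the original post; VLAN ID 20, lab ports e5-e12, the ISA server on g1 and the uplink to the second Dell switch on g2 are assumed values, and the web-managed 2748 would need the equivalent set in its web UI):

```text
! Assumed: VLAN 20 = testing lab; e5-e12 = lab hosts; g1 = ISA Server; g2 = uplink to other Dell switch
console# configure
console(config)# vlan database
console(config-vlan)# vlan 20
console(config-vlan)# exit
console(config)# interface vlan 20
console(config-if)# name test-lab
console(config-if)# exit

! Lab hosts: untagged members of VLAN 20 only (they leave VLAN 1)
console(config)# interface range ethernet e5-e12
console(config-if)# switchport mode access
console(config-if)# switchport access vlan 20
console(config-if)# exit

! ISA Server port: trunk, VLAN 1 stays the untagged native VLAN, VLAN 20 is carried tagged
! (the ISA NIC needs a tagged virtual interface for VLAN 20, as planned in the question)
console(config)# interface ethernet g1
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 20
console(config-if)# exit

! Inter-switch link: must also be a trunk carrying VLAN 20, as the answer notes
console(config)# interface ethernet g2
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 20
console(config-if)# exit
console(config)# exit

! Check: VLAN 20 should list e5-e12 untagged and g1/g2 tagged; no lab port should still show VLAN 1
console# show vlan
console# show interfaces switchport ethernet g1
console# copy running-config startup-config
```

Any unmanaged StarTech switch hung off an e5-e12 access port puts every device behind it in VLAN 20, so the check above is also where to confirm no production host was moved by accident.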