IOS Firewall With VLANs

I already do this with a single subnet without VLANs using the router as a firewall. I just bridge the interfaces together.

What I'm asking is, if I want to do this with VLANs do I have to look into the "VLAN Routing" stuff that I've been seeing around or do I just create a seperate bridge for each VLAN sub interface? I want the VLANs to remain seperate.

You are using VLANs and sub interfaces on a Router? If so, wouldn't you just need to setup your ACLs? I'm confused.

I think you are talking about a "Router on a Stick" setup. You can use the Router to connect to a Trunk Port on the switch and then the router will route between the VLAN's like Skepticals siad using Sub Interfaces. Basically, for this setup you are using the router to de-encapsulate the VLAN Tags, and re-encapsulate with the correct VLAN to send it back to the switch for it to then go into the correct VLAN.

Its much simpler however if you buy a Layer 3 switch, then you can assign the VLAN IP ADdresses and route at the Switch Level.

Hope this answers your question.

Wayne

Ok, I'll have a look at some router on a stick info

Would a layer 3 switch have all the firewall functionality that the routers have (with the appropriate IOS of course)? And would it be powerful enough? I've been told in the past not to overdo it with ACLs and things on switches because they can't handle too many?

Some of the newer Cisco Switches are very good at it. If you go to the Catalysts, you can get Firewall (Pix) modules to give them Firewall Functionality on the backplane.

(Not sure about the new advancements since ASA was introduced though)

The ASA 5505 is pretty cheap.