1- To have different subnets, you must separate them in any way, using separate switches or creating VLANs on your existing ones.

2- Yes, you have to add one NIC for each additional subnet. Yes, it is a supported configuration.

The only thing I don't know is: what is the limit on the number of subnets ISA can handle (Tom?)

Regards
Diego R. Pietruszka

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Thursday, October 05, 2006 11:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question re: subnet inter-communication

Well, like I said, I've never done anything with VLANs.

So, if I understand you right, to keep the new subnets off our main network, they need to be different physical segments (e.g., physically different switches), and then they would have to connect to our ISA server via physically separate NICs. Correct?

Currently, our ISA server has two NICs--one Internal, one External. To add two (or three) subnets that we want to keep separate from our main subnet, we'd need to add two (or three) NICs, right? And is this a supported configuration?

Thanks,
Rob

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, October 05, 2006 11:10 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question re: subnet inter-communication

Hi Rob,

Don't mix up VLANs with subnets and physical segmentation. This is an increasingly common problem I'm seeing out there, though I have no idea why it's happening.

If you want the ISA Firewall to control access through the subnets, then they must be different physical segments, or you can use an 802.1q compliant NIC and create virtual subnets, but I prefer not to do that since VLAN tagging is a management solution, not a security solution.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Thursday, October 05, 2006 9:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Question re: subnet inter-communication

Hi list--

This is a fairly straightforward question, probably with a quite easy answer. But it's something I've not done before and I just want to bounce it off some others before I bank on it.

I'm using ISA 2004 Standard, will probably move to ISA 2006 Standard in the next month or two.

Currently I have one subnet in this building (172.17.200.0), and multiple subnets outside the building that are connected to the 172.17.200.0 subnet via VPN. The remote subnets all communicate with the 172.17.200.0 subnet, no problem.

In the near future I want to add a couple of new internal subnets using VLANs. (I've never done anything with VLANs before.) These new internal VLAN subnets will go through my ISA server for Internet access, but I DO NOT want them to communicate with my 172.17.200.0 subnet, nor with any of my other current subnets.

This is easily done, right?

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Help Desk: 800-500-AFSC