Velocity Reviews - Computer Hardware Reviews

PIX and VLANs

 
 
ST MS
12-04-2003
Scenario: Designing a small network... less than 100 nodes, but many
workstations have to be isolated from each other. About 35 VLANs are
needed. All hosts need to get an address with DHCP. All hosts in
certain VLANs (1-8) need public IP addresses, the rest of the hosts
inside the remaining VLANs (9-35) can have private addresses. All
hosts in all VLANs need an access to the Internet. Routing might be
needed between some of the VLANs. VPN connections from outside world
are needed into three VLANs (33-35). A firewall is naturally required.

Available equipment: A variety of 2950 switches and a PIX 515E
Restricted licence firewall (with two interfaces: one for the
Internet and the other for the inside network).

How many VLANs can PIX handle? Could it be used as a DHCP server for
all the planned VLANs / subnets? If we understand correctly, all hosts
behind all of the switch ports that belong to the same VLAN will get
their IP addresses from the same pool of addresses that the logical
interface address of the VLAN is from. So, could we configure 35
scopes into the PIX, and have all the 2950's ask IP addresses from
there? With DHCP relay?

Someone has proposed that we need a Layer 3 switch somewhere to do
all this, because of some (logical / VLAN) interface limits in PIX.
Does PIX even have to be aware of all these VLANs in order to share
IP address into them? Cisco's Layer 3 switches could be used as
DHCP servers too. Can they do what PIX can't?

Then, also... PIX can't send packets back to the same interface that
they came from, so it probably can't do the routing between VLANs?
L3 switch needed again. 3550, 4500?

What about the planned VPN connections to VLANs? Any problems there?
And finally: what's the best way to arrange NAT in this scenario? We
of course have to NAT the private addresses of VLANs 9-35 somewhere.

Any thoughts, hints, pointers, suggestions and examples are much
appreciated. Thank you in advance.

- ST MS
 
Walter Roberson
12-04-2003
In article <(E-Mail Removed)>,
ST MS <(E-Mail Removed)> wrote:
:Available equipment: A variety of 2950 switches and a PIX 515E
:Restricted licence firewall (with two interfaces: one for the
:Internet and the other for the inside network).

:How many VLANs can PIX handle?

Not enough for your purposes.

For information as to which PIX model supports what, please see my
analysis at
http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


:Could it be used as a DHCP server for
:all the planned VLANs / subnets?

No, because no current PIX model supports that many VLANs.

:If we understand correctly, all hosts
:behind all of the switch ports that belong to the same VLAN will get
:their IP addresses from the same pool of addresses that the logical
:interface address of the VLAN is from.

No, you configure a dhcp address pool per interface; the pool does not
have to hand out IP addresses in the same subnet as the interface address.


:Then, also... PIX can't send packets back to the same interface that
:they came from, so it probably can't do the routing between VLANs?

The restriction is that it cannot send back to the same -logical-
interface. PIX can route between -different- logical interfaces on
the same physical interface.
--
And the wind keeps blowing the angel / Backwards into the future /
And this wind, this wind / Is called / Progress.
-- Laurie Anderson
 
Jason Kau
12-05-2003
ST MS <(E-Mail Removed)> wrote:
> Scenario: Designing a small network... less than 100 nodes, but many
> workstations have to be isolated from each other. About 35 VLANs are
> needed. All hosts need to get an address with DHCP. All hosts in
> certain VLANs (1-8) need public IP addresses, the rest of the hosts
> inside the remaining VLANs (9-35) can have private addresses. All
> hosts in all VLANs need an access to the Internet. Routing might be
> needed between some of the VLANs. VPN connections from outside world
> are needed into three VLANs (33-35). A firewall is naturally required.


> Available equipment: A variety of 2950 switches and a PIX 515E
> Restricted licence firewall (with two interfaces: one for the
> Internet and the other for the inside network).


As Walter has pointed out, no PIX model supports that many VLANs. A
Firewall Services Module in a Cat 6500 chassis does, but that's pretty
darn expensive.

Do you really need that many VLANs to achieve your desired isolation?

You can isolate people on a 2950 switch using "Protected Ports":
http://www.cisco.com/univercd/cc/td/...fc.htm#1029319

You can also do ACLs on 2950s:
http://www.cisco.com/univercd/cc/td/...0scg/swacl.htm
Although you need an EI image to do ACLs on physical ports.

So, you could do some of the routing/ACLs on the 2950s instead of doing
it all on the PIX, thus requiring fewer VLANs to the PIX. The 2950
can be used as an L3 switch.

Of course none of this may work given your specific requirements and
certainly IOS extended ACLs are not as secure as PIX ACLs.

If you can purchase new hardware, I'd recommend a NetScreen, especially
since its virtual firewall stuff is pretty decent. But, you'd need a
NetScreen 500 or larger to handle 35 VLANs. I believe the 200 series
only handles 32 VLANs and the 50/25 series only handles 8 VLANs.

--
Jason Kau
http://www.cnd.gatech.edu/~jkau
 
ST MS
12-05-2003
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<bqoh3c$js4$(E-Mail Removed)>...
> For information as to which PIX model supports what, please see my
> analysis at
> http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


Well, this is certainly a useful document. Thank you.

> :If we understand correctly, all hosts
> :behind all of the switch ports that belong to the same VLAN will get
> :their IP addresses from the same pool of addresses that the logical
> :interface address of the VLAN is from.
> No, you configure a dhcp address pool per interface; the pool does not
> have to hand out IP addresses in the same subnet as the interface address.


So, 35 VLANs means 35 pools. But if the interface's address doesn't
matter in the pool selection process, then what does? How do you tell
the DHCP server to hand out an IP address from pool X, Y or Z based
on the VLAN number where the DHCP request originated from?

If we want DHCP to give addresses from the first pool to the hosts in
VLAN1, from the second pool to the hosts in VLAN2, and from the third
pool to the hosts in VLAN3, etc., how do we accomplish that?

We've already seen answers saying "depends on the DHCP server". We are
going to use Cisco's built-in DHCP server found on the PIX or on bigger
switches (maybe a 3550), so any config examples with that would be great.

- ST MS
 
ST MS
12-05-2003
Jason Kau <(E-Mail Removed)> wrote in message news:<bqov8g$eki$(E-Mail Removed)>...

> Do you really need that many VLANs to achieve your desired isolation?
> You can isolate people on a 2950 switch using "Protected Ports":


Protected Ports could be used, but we would probably also want
Port Blocking: "By default, the switch floods packets with unknown
destination MAC addresses to all ports. If unknown unicast and
multicast traffic is forwarded to a protected port, there could
be security issues." And the problem? Not all of the 2950 models
seem to support Port Blocking, only the 2950G's.

Thanks for the answers,

- ST MS
 
Walter Roberson
12-05-2003
In article <(E-Mail Removed)>,
ST MS <(E-Mail Removed)> wrote:
|(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<bqoh3c$js4$(E-Mail Removed)>...

|> No, you configure a dhcp address pool per interface; the pool does not
|> have to hand out IP addresses in the same subnet as the interface address.

|So, 35 VLANs means 35 pools. But if the interface's address doesn't
|matter in the pool selection process, then what does?

The interface the bootp packet hits.

|How do you tell
|the DHCP server to hand out an IP address from pool X, Y or Z based
|on the VLAN number where the DHCP request originated from?

You would configure a different pool for each logical interface -- i.e.,
a different pool for each VLAN. Your hosts are going to send out
broadcasts to IP address 255.255.255.255, MAC address ff:ff:ff:ff:ff:ff
which thus will reach any DHCP server in their subnet -- but because
you are using port-based VLANs, the subnet includes only a few hosts
and the PIX logical interface for that VLAN.

You don't -always- want a DHCP server to be restricted to selecting
IPs in the same subnet as the interface IP address; in particular,
if you happen to have multiple subnets on the same segment and a LAN
router, then you might want to hand out IPs from a different subnet
than the interface is on. That would not be useful in your situation
where you are intending to use a PIX for intra-VLAN access control,
but it could be useful to us, in which we trust all our routable
VLANs equally.


:If we want DHCP to give addresses from the first pool to the hosts in
:VLAN1, from the second pool to the hosts in VLAN2, and from the third
:pool to the hosts in VLAN3, etc., how do we accomplish that?

dhcpd address ipA1-ipA2 vlan1
dhcpd address ipB1-ipB2 vlan2
etc.

--
Live it up, rip it up, why so lazy?
Give it out, dish it out, let's go crazy, yeah!
-- Supertramp (The USENET Song)
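To make the per-interface pools concrete, here is an added configuration sketch (not Walter's or Cisco's own text, and not from the original thread) for two of the 35 VLANs as logical interfaces on the PIX inside port, one public and one private, each with its own dhcpd pool, plus the NAT for the private one. The addresses, interface names and the assumption of a PIX 6.3 image are constructed; 35 such logical interfaces would still run into the Restricted licence interface limit that the replies above point out.

```cisco
! ethernet0 faces the Internet; ethernet1 carries an 802.1Q trunk from
! the 2950s. VLAN 1 is the untagged (native) VLAN on that trunk.
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan5 logical
interface ethernet1 vlan20 logical
! Every logical interface needs a name and a security level, and each
! one counts against the licence's interface limit.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan5 pubvlan5 security80
nameif vlan20 privvlan20 security60
! Constructed addresses (documentation ranges): VLAN 5 stands in for
! the public-address VLANs (1-8), VLAN 20 for the private ones (9-35).
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.1.1 255.255.255.0
ip address pubvlan5 198.51.100.1 255.255.255.224
ip address privvlan20 10.0.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! DHCP: one pool per logical interface. A DISCOVER broadcast arriving
! tagged as VLAN 5 hits pubvlan5 and is answered from that pool; the
! interface it arrives on selects the pool, not the interface address.
dhcpd address 198.51.100.10-198.51.100.30 pubvlan5
dhcpd address 10.0.20.10-10.0.20.100 privvlan20
dhcpd dns 198.51.100.5
dhcpd lease 3600
dhcpd enable pubvlan5
dhcpd enable privvlan20
! NAT: the public VLAN leaves untranslated (identity NAT); the private
! VLAN is PAT'ed behind the outside interface address.
nat (pubvlan5) 0 198.51.100.0 255.255.255.224
nat (privvlan20) 1 10.0.20.0 255.255.255.0
global (outside) 1 interface
```

Traffic from pubvlan5 (security80) to privvlan20 (security60) is routed between the two logical interfaces on the same physical port, which is the case Walter describes as permitted; the reverse direction would additionally need a static and an access-list, as for any lower-to-higher flow on the PIX.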
 