Velocity Reviews - Computer Hardware Reviews

Router-on-a-stick without VLANs.

 
 
PJML
      02-12-2004
Hi there. I'm trying to set up a 3550-series
switch for use as a "DMZ" with a firewall.

The idea is that the switch has a number of VLANs
but inter-VLAN routing [and routing from the VLANs
to the rest-of-the-world] is carried out by the
firewall, which has one DMZ interface.

Each VLAN will be an IP-subnet of its own, with
the switch itself doing *no* IP-routing.

Seems the firewall is understanding-impaired about
things like ISL or 802.1Q trunking, so what I need
to do is set up *one* port on the switch which is
actually a member of all the VLANs, and then set
up multiple secondary IP-addresses on the firewall
itself so it can do the routing.

[yes I know it's kludgy but I don't control the
firewall side!].

Is this possible? I guess it's a bit like a
very primitive router-on-a-stick setup, but
all the ROASes I've seen have had the "router"
side configured as a trunk device using the
traditional approach of subinterfaces.

I basically just want a switch-port to be
non-trunked but a member of multiple VLANs.

-Pete L.

 
Martin Bilgrav
      02-12-2004
set up one switch port as trunk port - that will do the trick.
(did this on a PIX and C2950)

 
PJML
      02-13-2004

Thanks - but surely if I set up a port as a trunk
it will need an encapsulation [ISL or 802.1] and I'm
pretty sure the firewall won't understand this [I can
find nothing about 802.1Q or ISL in the firewall docs]

-PeteL


Martin Bilgrav wrote:
> set up one switch port as trunk port - that will do the trick.
> (did this on a PIX and C2950)


 
M.C. van den Bovenkamp
      02-13-2004
PJML wrote:

> Thanks - but surely if I set up a port as a trunk
> it will need an encapsulation [ISL or 802.1] and I'm
> pretty sure the firewall won't understand this [I can
> find nothing about 802.1Q or ISL in the firewall docs]


A 3550 can't do what you want. A port can be either a trunk (with an
encapsulation that your firewall won't understand) or a member of a
single VLAN (with some extra bells & whistles that don't concern us here).

What you want is a multi-vlan port. The 2900XL & 3500XL series for
instance can do this ('switchport mode multi'). The 3550 can't.

Regards,

Marco.

 
Martin Bilgrav
      02-13-2004

"M.C. van den Bovenkamp" <(E-Mail Removed)> wrote in message
news:402ca141$0$142
> A 3550 can't do what you want. A port can be either a trunk (with an
> encapsulation that your firewall won't understand) or a member of a
> single VLAN (with some extra bells & whistles that don't concern us here).
>


or a router port


> What you want is a multi-vlan port. The 2900XL & 3500XL series for
> instance can do this ('switchport mode multi'). The 3550 can't.


That can not be true.
The port can belong to several VLANs on a c3550
switchmode access VLAN#



 
M.C. van den Bovenkamp
      02-13-2004
Martin Bilgrav wrote:

> or a router port


That's for multicast only, and isn't what he wants.

> That can not be true.
> The port can belong to several VLANs on a c3550
> switchmode access VLAN#


Don't you mean 'switchport access VLAN#'? (Or 'switchport mode access',
which just disables all trunking).

That makes it a member of 'VLAN#' *only*. See
http://www.cisco.com/univercd/cc/td/...i2.htm#2422643

I can't find a way to make a 3550 port a member of more than a single
VLAN without making it a trunk port and using an encapsulation his
firewall won't understand.

But I guess he would like me to be wrong. And I may be; I'm just reading
the docs here. Never actually seen a 3550 myself.

Regards,

Marco.

 
Scott Enwright
      02-15-2004
Pete,

This is an abbreviated config so I could document the important stuff for
you. Comments are for the line after the comment.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
! This is the physical interface that provides the 802.1q trunking
interface ethernet2 auto
! This is a VLAN trunking interface
interface ethernet2 vlan1 physical
! This is a VLAN interface
interface ethernet2 vlan2 logical
! This is a VLAN interface
interface ethernet2 vlan3 logical
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmzphy security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
! Security level for VLAN DMZ2
nameif vlan3 dmz2 security60
! Security level for VLAN DMZ3 (all security levels must be different)
nameif vlan2 dmz3 security40
hostname pix-bcait-515
names
! Stop NAT translating addresses (inside to global) to both DMZ interfaces
access-list nonat0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Permit PING back inside from the DMZ2 to inside but deny all other traffic inside
access-list dmz2in permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2in deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
! Permit PING back inside from the DMZ3 to inside but deny all other traffic inside
access-list dmz3in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz3in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmzphy 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside dhcp setroute retry 16
ip address inside 192.168.1.111 255.255.255.0
no ip address dmzphy
no ip address intf3
no ip address intf4
no ip address intf5
!Assign DMZ2 an IP Address
ip address dmz2 192.168.3.1 255.255.255.0
!Assign DMZ3 an IP Address
ip address dmz3 192.168.2.1 255.255.255.0
arp timeout 14400
global (outside) 1 interface
!Stop NAT of internal addresses
nat (inside) 0 access-list nonat0
! Nat to Outside world
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
! Statically translate to the DMZ2 (identity translation of the inside network;
! the posted line read 182.168.1.0, which is a typo for 192.168.1.0)
static (inside,dmz2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
! Statically translate to the DMZ3 (same identity translation)
static (inside,dmz3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
! Allow ping to return into our network
access-group dmz2in in interface dmz2
! Allow ping to return into our network
access-group dmz3in in interface dmz3

----------- Switch configuration ------------

version 12.0
no service pad
service password-encryption
!
hostname c2912
!
interface FastEthernet0/10
description *** DMZ2 192.168.2.2 interface ***
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/11
description *** DMZ3 192.168.3.2 interface ***
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/12
description *** PIX 802.1Q interface ***
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface VLAN1
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN2
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN3
no ip directed-broadcast
no ip route-cache
shutdown


Regards,

Scott.

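A consistency check for the split-subinterface design Scott posts above, written here as an added example (it is not code from the thread or from Cisco): it parses constructed excerpts in the style of his PIX 6.3 and IOS configs and flags the conditions that would leave a DMZ VLAN without its own policed firewall leg: a shared security level, a VLAN with no inbound access-group, a switch VLAN with no PIX subinterface, or no trunk port at all. The `nameif`, `access-group` and `switchport` keywords are the ones in his config; the parsing logic and the finding messages are assumptions of this example.

```python
import re

# Constructed excerpts in the style of the PIX 6.3 and IOS configs posted above
# (not the poster's exact text); only the lines the checks look at are kept.
PIX_CONFIG = """\
nameif vlan3 dmz2 security60
nameif vlan2 dmz3 security40
access-group dmz2in in interface dmz2
access-group dmz3in in interface dmz3
"""
SWITCH_CONFIG = """\
interface FastEthernet0/10
 switchport access vlan 2
interface FastEthernet0/11
 switchport access vlan 3
interface FastEthernet0/12
 switchport mode trunk
"""

def parse_pix(text):
    """Map each 'nameif vlanN' subinterface name to its VLAN id, security level and inbound ACL."""
    legs = {}
    for line in text.splitlines():
        if m := re.match(r"nameif vlan(\d+) (\S+) security(\d+)", line):
            legs[m[2]] = {"vlan": int(m[1]), "security": int(m[3]), "acl": None}
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)) and m[2] in legs:
            legs[m[2]]["acl"] = m[1]
    return legs

def parse_switch(text):
    """Return (set of access VLAN ids, whether any port is a trunk) from an IOS switch config."""
    access, has_trunk = set(), False
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"switchport access vlan (\d+)", s):
            access.add(int(m[1]))
        elif s == "switchport mode trunk":
            has_trunk = True
    return access, has_trunk

def check(pix_text, switch_text):
    """List the ways the two halves fail to give every DMZ VLAN its own policed firewall leg."""
    legs, (access, has_trunk) = parse_pix(pix_text), parse_switch(switch_text)
    findings, by_level = [], {}
    for name, leg in legs.items():
        by_level.setdefault(leg["security"], []).append(name)
        if leg["acl"] is None:  # without an ACL the security-level default alone decides
            findings.append(f"{name}: no inbound access-group on VLAN {leg['vlan']}")
    for level, names in by_level.items():
        if len(names) > 1:
            findings.append(f"security{level} shared by {', '.join(names)}; levels must differ")
    for vid in sorted(access - {leg["vlan"] for leg in legs.values()}):
        findings.append(f"switch VLAN {vid} has no firewall subinterface, so it is not policed")
    if not has_trunk:
        findings.append("switch has no 802.1Q trunk port toward the firewall")
    return findings
```

Running `check(PIX_CONFIG, SWITCH_CONFIG)` on the matched pair returns no findings; breaking either half (a duplicated security level, a dropped access-group, an extra access VLAN, or the trunk turned into an access port) produces one finding per defect.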
 
Martin Bilgrav
      02-15-2004
I do not believe the firewall is a PIX....
but ok...

An inspiration it is.


 