«

Hi,
We are going to share our Internet connection feed with a WAN connection.
The ISP will do it using VLAN. My plan is to bring the feed to a swtich
which supports VLAN and then split it to ports with different VLN ID, and
take the Internet to the outside PIX (515, 6.3). My question.... Is that
doable? Do I need to change anything on PIX? Do you see any issue with
VLANing and PIX as long as I use a swith to split VLANs.
Thanks in advance for any help. Rob

You should give consideration to encrypting the WAN traffic using IPSEC.

* Rob wrote:
> doable? Do I need to change anything on PIX? Do you see any issue with
> VLANing and PIX as long as I use a swith to split VLANs.

No problems. Have fun.

In article <442982d3$>, Rob <> wrote:
>We are going to share our Internet connection feed with a WAN connection.
>The ISP will do it using VLAN. My plan is to bring the feed to a swtich
>which supports VLAN and then split it to ports with different VLN ID, and
>take the Internet to the outside PIX (515, 6.3). My question.... Is that
>doable? Do I need to change anything on PIX? Do you see any issue with
>VLANing and PIX as long as I use a swith to split VLANs.

The PIX 515 running 6.3 software can handle several 802.1Q VLANs
directly -- that is, you could trunk several VLANs to the 515
and configure "logical" interfaces and pull the VLANs off as if
they were seperate physical interfaces. Whether you want to do that
or not depends on whether you are providing security for the other VLANs
or if they belong to other organizations.

If you are just using a plain stream out the 515 and the switch
is encapsulating into a VLAN, then you *might* need to reduce
the sysopt mss and/or the MTU by a few bytes, if there is any
equipment in the path that does not know about the extended
frame size that is often allowed for 802.1Q tagged packets.