how to connect L3 switch and PIX

Discussion in 'Cisco' started by szhang3@gmail.com, Mar 27, 2007.

  1. Guest

    We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core
    layer 3 switch to route between 3 vlans (at 3 distinct locations that
    separately link to an ISP switch by fiber optics) and to use a trunk
    port to carry vlan traffic to the ISP's switch.

    The following is the basic network map:


    site 1 ------------------- ISP switch ------------------- site 2
    vlan 102                      |  |                       vlan 103
    192.168.1.0/24                |  | trunk (dot1q)         192.168.2.0/24
                                  |  | native vlan 101;
                                  |  | vlan 104 - 192.168.3.0/24
                                  |  |

    Site 3(Headquarter)
    Core L3 switch 3560G (192.168.3.1)
    |
    PIX 506E (192.168.3.2)

    We also have a PIX 506E available in site 3 to control the Internet
    traffic.

    My questions lie in the two areas:
    1. Physically, where should I install the PIX? My understanding is I
    should link both interfaces of the PIX to two ports of the 3560G, one
    interface for inbound and the other for outbound. The two ports on the
    switch that connect to the PIX should not be assigned to any VLAN.
    Thus I don't need to configure anything about VLANs on the PIX to allow
    VLAN-tagged traffic.
    2. Do site 1 and site 2 have to have VLAN information configured on
    their access layer switches? In the ISP engineer's opinion, we
    don't need to configure VLANs on the switches at site 1 and site 2 because
    the ISP switch has already assigned two ports to the VLANs that belong to
    the two sites. Is this true? If not, we have to consider purchasing two
    layer 2 switches (such as 2960s) to fulfil the task.

    Thank you so much for your help on the two questions.
     
    , Mar 27, 2007
    #1

  2. Guest

    In article <>, "" <> writes:
    > We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core
    > layer 3 switch to route between 3 vlans (at 3 distinct locations that
    > separately link to an ISP switch by fiber optics) and to use a trunk
    > port to carry vlan traffic to the ISP's switch.
    >
    > The following is the basic network map:
    >
    >
    > site 1 ------------------- ISP switch ------------------- site 2
    > vlan 102                      |  |                       vlan 103
    > 192.168.1.0/24                |  | trunk (dot1q)         192.168.2.0/24
    >                               |  | native vlan 101;
    >                               |  | vlan 104 - 192.168.3.0/24
    >                               |  |
    >
    > Site 3(Headquarter)
    > Core L3 switch 3560G (192.168.3.1)
    > |
    > PIX 506E (192.168.3.2)
    >


    Where is 192.168.1.1? Is VLAN 102 carried into site 3 on the trunk?

    Where is 192.168.2.1? Is VLAN 103 carried into site 3 on the trunk?

    Is there any equipment on 192.168.3.x on the ISP's network? If not,
    what is VLAN 104 used for? If so, at what IP address[es]?

    Is there any equipment in VLAN 101 on the ISP's network? Any associated
    IP address? If not, what is VLAN 101 used for?

    Is the ISP doing IP routing for you or just handing off layer 2
    connectivity? Are they handing you an Internet circuit as well?


    Every plausible guess that I can make as to your actual configuration
    can be ruled out based on the information in your drawing. It makes
    no sense.

    > We also have a PIX 506E available in site 3 to control the Internet
    > traffic.


    Also? You mean other than the one you already showed on the drawing?

    > My questions lie in the two areas:
    > 1. Physically where should I install the PIX? --my understanding is I
    > should link both interfaces of the PIX to two ports of the 3560G, one
    > interface for inbound and the other for outbound. The two ports on the
    > switch that connect to the PIX should not be assigned to any vlan.
    > Thus I don't need to configure anything about vlan on the PIX to allow
    > vlan tagging traffic.


    Yes, that is one way of doing it.

    > 2. Do site 1 and site 2 have to have VLAN information configured on
    > their access layer switches? In the ISP engineer's opinion, we
    > don't need to configure VLANs on the switches at site 1 and site 2 because
    > the ISP switch has already assigned two ports to the VLANs that belong to
    > the two sites. Is this true?


    Yes, this is true.
     
    , Mar 27, 2007
    #2

  3. Guest

    > Where is 192.168.1.1? Is VLAN 102 carried into site 3 on the trunk?
    192.168.1.1 belongs to the interface for VLAN 102 on the 3560G switch
    at site 3.
    > Where is 192.168.2.1? Is VLAN 103 carried into site 3 on the trunk?

    192.168.2.1 belongs to the interface for VLAN 103 on the 3560G switch
    at site 3.

    > Is there any equipment on 192.168.3.x on the ISP's network? If not,
    > what is VLAN 104 used for? If so, at what IP address[es]?

    No. VLAN 104 is for site 3 solely. 192.168.3.1 belongs to the
    interface for VLAN 104 on the 3560G switch.

    > Is there any equipment in VLAN 101 on the ISP's network? Any associated
    > IP address? If not, what is VLAN 101 used for?
    >

    No equipment or IP address for VLAN 101. The ISP claimed VLAN 101 as
    the native VLAN and would use it for our Internet access.

    > Is the ISP doing IP routing for you or just handing off layer 2
    > connectivity? Are they handing you an Internet circuit as well?


    The ISP handles layer 2 connectivity on their switch. They offer us
    an Internet connection as well. What the ISP pre-configured on their
    layer 2 switch was: VLAN 102 for site 1, VLAN 103 for site 2, VLAN 104
    for site 3, and VLAN 101 as the NATIVE VLAN, which they claimed would let
    our network traffic go to the Internet.

    On the ISP switch the port connecting to site 3 has been configured as
    a trunk port. Therefore, on our Catalyst 3560G layer 3 switch, we need
    to build a trunk port too. The 3560G will do inter-VLAN routing by
    assigning 192.168.1.1 to interface VLAN 102, 192.168.2.1 to
    interface VLAN 103, and 192.168.3.1 to interface VLAN 104.

    > > We also have a PIX 506E available in site 3 to control the Internet
    > > traffic.

    We only have one PIX. Previously it controlled Internet traffic only.
    What puzzles me is where I should connect the PIX once the 3560G
    switch is brought into our network. I was told by the ISP that I don't
    need to make any VLAN-related changes on the PIX. Then how does the
    PIX carry VLAN-tagged packets in and out?

    Regarding site 1 and site 2, currently we don't have Cisco switches on
    which VLAN information could be configured. I want to find out whether the
    two sites can handle network traffic without L2 switches being configured
    on site.

    Please kindly give me your suggestions if you think my design has
    shortcomings or faults. If anything is unclear I'll be happy to offer more
    information.

    Thanks!
     
    , Mar 27, 2007
    #3
  4. BernieM Guest

    <> wrote in message
    news:...
    > We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core
    > layer 3 switch to route between 3 vlans (at 3 distinct locations that
    > separately link to an ISP switch by fiber optics) and to use a trunk
    > port to carry vlan traffic to the ISP's switch.
    >
    > The following is the basic network map:
    >
    >
    > site 1 ------------------- ISP switch ------------------- site 2
    > vlan 102                      |  |                       vlan 103
    > 192.168.1.0/24                |  | trunk (dot1q)         192.168.2.0/24
    >                               |  | native vlan 101;
    >                               |  | vlan 104 - 192.168.3.0/24
    >                               |  |
    >
    > Site 3(Headquarter)
    > Core L3 switch 3560G (192.168.3.1)
    > |
    > PIX 506E (192.168.3.2)
    >
    > We also have a PIX 506E available in site 3 to control the Internet
    > traffic.
    >
    > My questions lie in the two areas:
    > 1. Physically where should I install the PIX? --my understanding is I
    > should link both interfaces of the PIX to two ports of the 3560G, one
    > interface for inbound and the other for outbound. The two ports on the
    > switch that connect to the PIX should not be assigned to any vlan.
    > Thus I don't need to configure anything about vlan on the PIX to allow
    > vlan tagging traffic.


    Traffic going to the PIX will not be VLAN tagged unless those links are
    configured as trunks. The 'in'/'out' scenario you mention would have to be
    configured at layer 3, but then you're looking at asymmetric routing of
    packets within the same TCP stream. You could go down the '2-link' path
    using an EtherChannel to the PIX (I'm not sure what PIX platforms or
    software versions support EtherChannel), but I'd also recommend creating a
    separate VLAN for that logical link to remove the reliance on layer-2
    stability, i.e. spanning-tree of VLAN 104, which it has with the proposed
    topology.

    > 2. Do site 1 and site 2 have to be configured vlan information on
    > their access layer switches? Regarding the ISP engineer's opinion, we
    > don't need configure vlan on switches on site 1 and site 2 because the
    > ISP switch has already assigned two ports to vlans that belong to the
    > two sites. Is this true? If not, we have to consider purchasing two
    > layer 2 switches (such as 2960) to fulfill the task.


    When traversing a third-party switch you are limited as to what VLAN
    assignments are available to you. If the ISP has designated VLAN numbers 102
    and 103, then these VLANs need to be trunked between their switch and your
    3560G, and they would have to configure their switch ports attached to your
    equipment as trunks using the VLAN assigned to each. Without VLANs 102 and
    103 being trunked to the 3560G, their switch is responsible for layer-3
    switching frames between them and into VLAN 104. I'm unsure about the
    requirement for a native VLAN because that's typically used for
    point-to-point traffic between switches at layer 2, like UDLD for example, and
    I don't think their switch is going to be interested in seeing it. Don't
    use DTP. Check with the ISP about that type of traffic. We had a problem
    with an ISP's Cabletron switch being between two Catalyst 6500s ...
    'something' was causing the Cabletron switch to reset. We eventually went
    down the dark fibre path and haven't looked back.

    BernieM
     
    BernieM, Mar 28, 2007
    #4
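An added worked example, not posted by anyone in this thread, showing what the design discussed in posts #3 and #4 looks like as configuration: the 3560G with an SVI per site VLAN, a forced dot1q trunk to the ISP with DTP switched off and the allowed-VLAN list limited to what the ISP carries, and the PIX 506E attached on two untagged access ports, with its inside interface in a dedicated transit VLAN as BernieM suggests rather than sharing VLAN 104 with the HQ hosts. The 506E has two Ethernet interfaces and does not itself tag 802.1Q, so it needs no VLAN configuration, which is why the ISP said none is required. The transit VLAN 105 with 192.168.254.0/24, the port numbers Gi0/1-0/3, and the outside addresses in 203.0.113.0/24 are assumptions for illustration; the VLAN numbers and the 192.168.x.0/24 subnets come from the thread.

```cisco
! ---- Catalyst 3560G-24-EMI at site 3 (IOS) ----
ip routing
!
! VLAN 101 is the ISP's native/Internet VLAN: defined so it can be bridged
! to the PIX outside port, but deliberately given NO SVI, so the 3560G
! cannot route around the firewall.
vlan 101
 name isp-internet
vlan 102
 name site1
vlan 103
 name site2
vlan 104
 name site3-hq
! Assumed: dedicated transit VLAN for the 3560G <-> PIX inside link.
vlan 105
 name pix-transit
!
interface Vlan102
 ip address 192.168.1.1 255.255.255.0
interface Vlan103
 ip address 192.168.2.1 255.255.255.0
interface Vlan104
 ip address 192.168.3.1 255.255.255.0
! Assumed transit subnet.
interface Vlan105
 ip address 192.168.254.1 255.255.255.0
!
! Fibre trunk to the ISP switch: explicit trunk, DTP off, native VLAN as
! the ISP specified, and only the VLANs the ISP actually carries.
interface GigabitEthernet0/1
 description dot1q trunk to ISP switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
!
! PIX outside (ethernet0): untagged access port in the ISP's VLAN 101.
interface GigabitEthernet0/2
 description PIX 506E outside
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
!
! PIX inside (ethernet1): untagged access port in the transit VLAN.
interface GigabitEthernet0/3
 description PIX 506E inside
 switchport mode access
 switchport access vlan 105
 switchport nonegotiate
 spanning-tree portfast
!
! Anything not in the three site subnets goes to the PIX inside address.
ip route 0.0.0.0 0.0.0.0 192.168.254.2
!
! ---- PIX 506E (PIX OS 6.x syntax) ----
! Outside address and ISP gateway are assumed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.254.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.1.0 255.255.255.0 192.168.254.1 1
route inside 192.168.2.0 255.255.255.0 192.168.254.1 1
route inside 192.168.3.0 255.255.255.0 192.168.254.1 1
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
```

With this layout every packet between the sites and the Internet crosses the PIX exactly once in each direction, so the asymmetric-routing problem BernieM raises for the "one port in, one port out" idea does not arise: the 3560G has a single default route to the PIX inside address, and the PIX has static routes back to the three site subnets via the transit SVI. Checks worth running on the 3560G after cabling: `show interfaces trunk` should list Gi0/1 with native VLAN 101 and allowed VLANs 101-104 (VLAN 105 must not appear there), `show vlan brief` should show VLAN 101 on Gi0/1 and Gi0/2 only, and `show ip route` should show the default via 192.168.254.2. The point of keeping VLAN 101 off every other port, and of giving it no SVI, is that any HQ host or switch port placed in VLAN 101 would sit on the ISP side of the firewall.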