PIX and VLANs

Discussion in 'Cisco' started by ST MS, Dec 4, 2003.

  1. ST MS

    ST MS Guest

    Scenario: Designing a small network... less than 100 nodes, but many
    workstations have to be isolated from each other. About 35 VLANs are
    needed. All hosts need to get an address with DHCP. All hosts in
    certain VLANs (1-8) need public IP addresses, the rest of the hosts
    inside the remaining VLANs (9-35) can have private addresses. All
    hosts in all VLANs need access to the Internet. Routing might be
    needed between some of the VLANs. VPN connections from outside world
    are needed into three VLANs (33-35). A firewall is naturally required.

    Available equipment: A variety of 2950 switches and a PIX 515E
    Restricted licence firewall (with two interfaces: one for the
    Internet and the other for the inside network).

    How many VLANs can PIX handle? Could it be used as a DHCP server for
    all the planned VLANs / subnets? If we understand correctly, all hosts
    behind all of the switch ports that belong to the same VLAN will get
    their IP addresses from the same pool of addresses that the logical
    interface address of the VLAN is from. So, could we configure 35
    scopes into the PIX, and have all the 2950's ask IP addresses from
    there? With DHCP relay?

    Someone has proposed that we need a Layer 3 switch somewhere to do
    all this, because of some (logical / VLAN) interface limits in PIX.
    Does PIX even have to be aware of all these VLANs in order to share
    IP address into them? Cisco's Layer 3 switches could be used as
    DHCP servers too. Can they do what PIX can't?

    Then, also... PIX can't send packets back to the same interface that
    they came from, so it probably can't do the routing between VLANs?
    L3 switch needed again. 3550, 4500?

    What about the planned VPN connections to VLANs? Any problems there?
    And finally: what's the best way to arrange NAT in this scenario? We
    of course have to NAT the private addresses of VLANs 9-35 somewhere.

    Any thoughts, hints, pointers, suggestions and examples are much
    appreciated. Thank you in advance.

    - ST MS
    ST MS, Dec 4, 2003
    #1

  2. In article <>,
    ST MS <> wrote:
    :Available equipment: A variety of 2950 switches and a PIX 515E
    :Restricted licence firewall (with two interfaces: one for the
    :Internet and the other for the inside network).

    :How many VLANs can PIX handle?

    Not enough for your purposes.

    For information as to which PIX model supports what, please see my
    analysis at
    http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


    :Could it be used as a DHCP server for
    :all the planned VLANs / subnets?

    No, because no current PIX model supports that many VLANs.

    :If we understand correctly, all hosts
    :behind all of the switch ports that belong to the same VLAN will get
    :their IP addresses from the same pool of addresses that the logical
    :interface address of the VLAN is from.

    No, you configure a dhcp address pool per interface; the pool does not
    have to hand out IP addresses in the same subnet as the interface address.


    :Then, also... PIX can't send packets back to the same interface that
    :they came from, so it probably can't do the routing between VLANs?

    The restriction is that it cannot send back to the same -logical-
    interface. PIX can route between -different- logical interfaces on
    the same physical interface.
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
    Walter Roberson, Dec 4, 2003
    #2

  3. ST MS

    Jason Kau Guest

    ST MS <> wrote:
    > Scenario: Designing a small network... less than 100 nodes, but many
    > workstations have to be isolated from each other. About 35 VLANs are
    > needed. All hosts need to get an address with DHCP. All hosts in
    > certain VLANs (1-8) need public IP addresses, the rest of the hosts
    > inside the remaining VLANs (9-35) can have private addresses. All
    > hosts in all VLANs need an access to the Internet. Routing might be
    > needed between some of the VLANs. VPN connections from outside world
    > are needed into three VLANs (33-35). A firewall is naturally required.


    > Available equipment: A variety of 2950 switches and a PIX 515E
    > Restricted licence firewall (with two interfaces: one for the
    > Internet and the other for the inside network).


    As Walter has pointed out, no PIX model supports that many VLANs. A
    Firewall Services Module in Cat 6500 chassis does but that's pretty
    darn expensive.

    Do you really need that many VLANs to achieve your desired isolation?

    You can isolate people on a 2950 switch using "Protected Ports":
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swtrafc.htm#1029319

    You can also do ACLs on 2950s:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swacl.htm
    Although you need an EI image to do ACLs on physical ports.

    So, you could do some of the routing/ACLs on the 2950s instead of doing
    it all on the PIX, thus requiring fewer VLANs to the PIX. The 2950
    can be used as a L3 switch.

    Of course none of this may work given your specific requirements and
    certainly IOS extended ACLs are not as secure as PIX ACLs.

    If you can purchase new hardware, I'd recommend a NetScreen, especially
    since its virtual firewall stuff is pretty decent. But, you'd need a
    NetScreen 500 or larger to handle 35 VLANs. I believe the 200 series
    only handles 32 VLANs and the 50/25 series only handles 8 VLANs.

    --
    Jason Kau
    http://www.cnd.gatech.edu/~jkau
    Jason Kau, Dec 5, 2003
    #3
  4. ST MS

    ST MS Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bqoh3c$js4$>...
    > For information as to which PIX model supports what, please see my
    > analysis at
    > http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


    Well, this is certainly a useful document. Thank you.

    > :If we understand correctly, all hosts
    > :behind all of the switch ports that belong to the same VLAN will get
    > :their IP addresses from the same pool of addresses that the logical
    > :interface address of the VLAN is from.
    > No, you configure a dhcp address pool per interface; the pool does not
    > have to hand out IP addresses in the same subnet as the interface address.


    So, 35 VLANs means 35 pools. But if the interface's address doesn't
    matter in the pool selection process, then what does? How do you tell
    the DHCP server to hand out an IP address from pool X, Y or Z based
    on the VLAN number where the DHCP request originated from?

    If we want DHCP to give addresses from the first pool to the hosts in
    VLAN1, from the second pool to the hosts in VLAN2, and from the third
    pool to the hosts in VLAN3, etc., how do we accomplish that?

    We've already seen answers saying "depends on the DHCP server". We are
    going to use Cisco's built-in DHCP server found on PIX or bigger
    switches (maybe a 3550), so any config examples with that would be great.

    - ST MS
    ST MS, Dec 5, 2003
    #4
  5. ST MS

    ST MS Guest

    Jason Kau <> wrote in message news:<bqov8g$eki$>...

    > Do you really need that many VLANs to achieve your desired isolation?
    > You can isolate people on a 2950 switch using "Protected Ports":


    Protected Ports could be used, but we would probably also want
    Port Blocking: "By default, the switch floods packets with unknown
    destination MAC addresses to all ports. If unknown unicast and
    multicast traffic is forwarded to a protected port, there could
    be security issues." And the problem? Not all of the 2950-models
    seem to support Port Blocking – only 2950G's.

    Thanks for the answers,

    - ST MS
    ST MS, Dec 5, 2003
    #5
  6. In article <>,
    ST MS <> wrote:
    |-cnrc.gc.ca (Walter Roberson) wrote in message news:<bqoh3c$js4$>...

    |> No, you configure a dhcp address pool per interface; the pool does not
    |> have to hand out IP addresses in the same subnet as the interface address.

    |So, 35 VLANs means 35 pools. But if the interface's address doesn't
    |matter in the pool selection process, then what does?

    The interface the bootp packet hits.

    |How do you tell
    |the DHCP server to hand out an IP address from pool X, Y or Z based
    |on the VLAN number where the DHCP request originated from?

    You would configure a different pool for each logical interface -- i.e.,
    a different pool for each VLAN. Your hosts are going to send out
    broadcasts to IP address 255.255.255.255, MAC address ff:ff:ff:ff:ff:ff
    which thus will reach any DHCP server in their subnet -- but because
    you are using port-based VLANs, the subnet includes only a few hosts
    and the PIX logical interface for that VLAN.

    You don't -always- want a DHCP server to be restricted to selecting
    IPs in the same subnet as the interface IP address; in particular,
    if you happen to have multiple subnets on the same segment and a LAN
    router, then you might want to hand out IPs from a different subnet
    than the interface is on. That would not be useful in your situation
    where you are intending to use a PIX for intra-VLAN access control,
    but it could be useful to us, in which we trust all our routable
    VLANs equally.


    :If we want DHCP to give addresses from the first pool to the hosts in
    :VLAN1, from the second pool to the hosts in VLAN2, and from the third
    :pool to the hosts in VLAN3, etc., how do we accomplish that?

    dhcpd address ipA1-ipA2 vlan1
    dhcpd address ipB1-ipB2 vlan2
    etc.

    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
    Walter Roberson, Dec 5, 2003
    #6
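    As an added illustration (not from any post in this thread), here is the PIX 6.3-style configuration shape Walter describes: one logical interface per VLAN on the inside trunk, one dhcpd pool bound to each interface name, plus the matching 2950 trunk port. VLAN numbers, interface names, addresses and the PAT setup are assumed placeholders, not values from the thread.

    ```text
    ! --- PIX (6.3 syntax assumed) ---
    ! ethernet1 carries an 802.1Q trunk from the 2950s. vlan1 stays the
    ! physical ("inside") interface; each further VLAN is a logical interface.
    interface ethernet1 100full
    interface ethernet1 vlan1 physical
    interface ethernet1 vlan2 logical
    interface ethernet1 vlan33 logical

    ! Each logical interface gets its own name and security level. The NAME
    ! is what a dhcpd pool is tied to, not the interface's subnet.
    nameif vlan2 dmz2 security40
    nameif vlan33 dmz33 security30
    ip address inside 10.1.1.1 255.255.255.0
    ip address dmz2 10.1.2.1 255.255.255.0
    ip address dmz33 10.1.33.1 255.255.255.0

    ! One pool per interface: a DHCP DISCOVER that arrives on dmz2 is
    ! answered only from the dmz2 pool, so the ingress VLAN selects the pool.
    dhcpd address 10.1.1.10-10.1.1.100 inside
    dhcpd address 10.1.2.10-10.1.2.100 dmz2
    dhcpd address 10.1.33.10-10.1.33.100 dmz33
    dhcpd dns 10.1.1.5
    dhcpd lease 3600
    dhcpd enable inside
    dhcpd enable dmz2
    dhcpd enable dmz33

    ! Private VLANs reach the Internet through PAT on the outside interface
    ! (assumed arrangement); a VLAN with public addresses would use nat 0
    ! or static entries instead.
    nat (dmz2) 1 10.1.2.0 255.255.255.0
    nat (dmz33) 1 10.1.33.0 255.255.255.0
    global (outside) 1 interface

    ! --- 2950 uplink toward the PIX (placeholder port) ---
    ! The 2950 only speaks 802.1Q, so no encapsulation command is needed.
    interface FastEthernet0/24
     switchport mode trunk
     switchport trunk allowed vlan 1,2,33
    ```

    Each extra VLAN costs one logical interface on the PIX, which is exactly the per-model limit Walter's document is about.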
