Router-on-a-stick without VLANs.

Discussion in 'Cisco' started by PJML, Feb 12, 2004.

  1. PJML

    PJML Guest

    Hi there. I'm trying to set up a 3550-series
    switch for use as a "DMZ" with a firewall.

    The idea is that the switch has a number of VLANs
    but inter-VLAN routing [and routing from the VLANs
    to the rest-of-the-world] is carried out by the
    firewall, which has one DMZ interface.

    Each VLAN will be an IP-subnet of its own, with
    the switch itself doing *no* IP-routing.

    Seems the firewall is understanding-impaired about
    things like ISL or 802.1Q trunking, so what I need
    to do is set up *one* port on the switch which is
    actually a member of all the VLANs, and then set
    up multiple secondary IP-addresses on the firewall
    itself so it can do the routing.

    [yes I know it's kludgy but I don't control the
    firewall side!].

    Is this possible? I guess it's a bit like a
    very primitive router-on-a-stick setup, but
    all the ROASes I've seen have had the "router"
    side configured as a trunk device using the
    traditional approach of subinterfaces.

    I basically just want a switch-port to be
    non-trunked but a member of multiple VLANs.

    -Pete L.
     
    PJML, Feb 12, 2004
    #1

  2. set up one switch port as trunk port - that will do the trick.
    (did this on a PIX and C2950)

    "PJML" <> wrote in message
    news:402b9a47$...
    > Hi there. I'm trying to set up a 3550-series
    > switch for use as a "DMZ" with a firewall.
    >
    > The idea is that the switch has a number of VLANs
    > but inter-VLAN routing [and routing from the VLANs
    > to the rest-of-the-world] is carried out by the
    > firewall, which has one DMZ interface.
    >
    > Each VLAN will be an IP-subnet of its own, with
    > the switch itself doing *no* IP-routing.
    >
    > Seems the firewall is understanding-impaired about
    > things like ISL or 802.1Q trunking, so what I need
    > to do is set up *one* port on the switch which is
    > actually a member of all the VLANs, and then set
    > up multiple secondary IP-addresses on the firewall
    > itself so it can do the routing.
    >
    > [yes I know it's kludgy but I don't control the
    > firewall side!].
    >
    > Is this possible? I guess it's a bit like a
    > very primitive router-on-a-stick setup, but
    > all the ROASes I've seen have had the "router"
    > side configured as a trunk device using the
    > traditional approach of subinterfaces.
    >
    > I basically just want a switch-port to be
    > non-trunked but a member of multiple VLANs.
    >
    > -Pete L.
    >
     
    Martin Bilgrav, Feb 12, 2004
    #2

  3. PJML

    PJML Guest

    Thanks - but surely if I set up a port as a trunk
    it will need an encapsulation [ISL or 802.1] and I'm
    pretty sure the firewall won't understand this [I can
    find nothing about 802.1Q or ISL in the firewall docs]

    -PeteL


    Martin Bilgrav wrote:
    > set up one switch port as trunk port - that will do the trick.
    > (did this on a PIX and C2950)
    >
    > "PJML" <> wrote in message
    > news:402b9a47$...
    >
    >>Hi there. I'm trying to set up a 3550-series
    >>switch for use as a "DMZ" with a firewall.
    >>
    >>The idea is that the switch has a number of VLANs
    >>but inter-VLAN routing [and routing from the VLANs
    >>to the rest-of-the-world] is carried out by the
    >>firewall, which has one DMZ interface.
    >>
    >>Each VLAN will be an IP-subnet of its own, with
    >>the switch itself doing *no* IP-routing.
    >>
    >>Seems the firewall is understanding-impaired about
    >>things like ISL or 802.1Q trunking, so what I need
    >>to do is set up *one* port on the switch which is
    >>actually a member of all the VLANs, and then set
    >>up multiple secondary IP-addresses on the firewall
    >>itself so it can do the routing.
    >>
    >>[yes I know it's kludgy but I don't control the
    >>firewall side!].
    >>
    >>Is this possible? I guess it's a bit like a
    >>very primitive router-on-a-stick setup, but
    >>all the ROASes I've seen have had the "router"
    >>side configured as a trunk device using the
    >>traditional approach of subinterfaces.
    >>
    >>I basically just want a switch-port to be
    >>non-trunked but a member of multiple VLANs.
    >>
    >>-Pete L.
    >>

    >
    >
    >
     
    PJML, Feb 13, 2004
    #3
  4. PJML wrote:

    > Thanks - but surely if I set up a port as a trunk
    > it will need an encapsulation [ISL or 802.1] and I'm
    > pretty sure the firewall won't understand this [I can
    > find nothing about 802.1Q or ISL in the firewall docs]


    A 3550 can't do what you want. A port can be either a trunk (with an
    encapsulation that your firewall won't understand) or a member of a
    single VLAN (with some extra bells & whistles that don't concern us here).

    What you want is a multi-vlan port. The 2900XL & 3500XL series for
    instance can do this ('switchport mode multi'). The 3550 can't.

    Regards,

    Marco.
     
    M.C. van den Bovenkamp, Feb 13, 2004
    #4
  5. "M.C. van den Bovenkamp" <> wrote in message
    news:402ca141$0$142
    > A 3550 can't do what you want. A port can be either a trunk (with an
    > encapsulation that your firewall won't understand) or a member of a
    > single VLAN (with some extra bells & whistles that don't concern us here).
    >


    or a router port


    > What you want is a multi-vlan port. The 2900XL & 3500XL series for
    > instance can do this ('switchport mode multi'). The 3550 can't.


    That can not be true.
    The port can belong to several VLANs on a c3550
    switchmode access VLAN#



    >
    > Regards,
    >
    > Marco.
    >
     
    Martin Bilgrav, Feb 13, 2004
    #5
  6. Martin Bilgrav wrote:

    > or a router port


    That's for multicast only, and isn't what he wants.

    > That can not be true.
    > The port can belong to several VLANs on a c3550
    > switchmode access VLAN#


    Don't you mean 'switchport access VLAN#'? (Or 'switchport mode access',
    which just disables all trunking).

    That makes it a member of 'VLAN#' *only*. See
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550cr/cli2.htm#2422643

    I can't find a way to make a 3550 port a member of more than a single
    VLAN without making it a trunk port and using an encapsulation his
    firewall won't understand.

    But I guess he would like me to be wrong. And I may be; I'm just reading
    the docs here. Never actually seen a 3550 myself.

    Regards,

    Marco.
     
    M.C. van den Bovenkamp, Feb 13, 2004
    #6
  7. Pete,

    This is an abbreviated config so I could document the important stuff for
    you. Comments are for the line after the comment.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ! This is the physical interface that provides the 802.1q trunking
    interface ethernet2 vlan1 physical
    ! This is a VLAN trunking interface
    interface ethernet2 vlan2 logical
    ! This is a VLAN interface
    interface ethernet2 vlan3 logical
    ! This is a VLAN interface
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmzphy security50
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    ! Security level for VLAN DMZ2
    nameif vlan3 dmz2 security60
    ! Security level for VLAN DMZ3 (all security levels must be different)
    nameif vlan2 dmz3 security40
    hostname pix-bcait-515
    names
    ! Stop NAT translating addresses (inside to global) to both DMZ interfaces
    access-list nonat0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list nonat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ! Permit PING back inside from the DMZ2 to inside but deny all other traffic inside
    access-list dmz2in permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz2in deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    ! Permit PING back inside from the DMZ3 to inside but deny all other traffic inside
    access-list dmz3in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz3in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmzphy 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside dhcp setroute retry 16
    ip address inside 192.168.1.111 255.255.255.0
    no ip address dmzphy
    no ip address intf3
    no ip address intf4
    no ip address intf5
    !Assign DMZ2 an IP Address
    ip address dmz2 192.168.3.1 255.255.255.0
    !Assign DMZ3 an IP Address
    ip address dmz3 192.168.2.1 255.255.255.0
    arp timeout 14400
    global (outside) 1 interface
    !Stop NAT of internal addresses
    nat (inside) 0 access-list nonat0
    ! Nat to Outside world
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    ! Statically translate to the DMZ2
    static (inside,dmz2) 192.168.1.0 182.168.1.0 netmask 255.255.255.0 0 0
    ! Statically translate to the DMZ3
    static (inside,dmz3) 192.168.1.0 182.168.1.0 netmask 255.255.255.0 0 0
    ! Allow ping to return into our network
    access-group dmz2in in interface dmz2
    ! Allow ping to return into our network
    access-group dmz3in in interface dmz3

    ----------- Switch configuration ------------

    version 12.0
    no service pad
    service password-encryption
    !
    hostname c2912
    !
    interface FastEthernet0/10
    description *** DMZ2 192.168.2.2 interface ***
    switchport access vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/11
    description *** DMZ3 192.168.3.2 interface ***
    switchport access vlan 3
    spanning-tree portfast
    !
    interface FastEthernet0/12
    description *** PIX 802.1Q interface ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast
    !
    interface VLAN1
    ip address 192.168.1.2 255.255.255.0
    no ip directed-broadcast
    no ip route-cache
    !
    interface VLAN2
    no ip directed-broadcast
    no ip route-cache
    shutdown
    !
    interface VLAN3
    no ip directed-broadcast
    no ip route-cache
    shutdown

    Scott.
    !

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/




    PJML wrote:

    > Hi there. I'm trying to set up a 3550-series
    > switch for use as a "DMZ" with a firewall.
    >
    > The idea is that the switch has a number of VLANs
    > but inter-VLAN routing [and routing from the VLANs
    > to the rest-of-the-world] is carried out by the
    > firewall, which has one DMZ interface.
    >
    > Each VLAN will be an IP-subnet of its own, with
    > the switch itself doing *no* IP-routing.
    >
    > Seems the firewall is understanding-impaired about
    > things like ISL or 802.1Q trunking, so what I need
    > to do is set up *one* port on the switch which is
    > actually a member of all the VLANs, and then set
    > up multiple secondary IP-addresses on the firewall
    > itself so it can do the routing.
    >
    > [yes I know it's kludgy but I don't control the
    > firewall side!].
    >
    > Is this possible? I guess it's a bit like a
    > very primitive router-on-a-stick setup, but
    > all the ROASes I've seen have had the "router"
    > side configured as a trunk device using the
    > traditional approach of subinterfaces.
    >
    > I basically just want a switch-port to be
    > non-trunked but a member of multiple VLANs.
    >
    > -Pete L.
    >
     
    Scott Enwright, Feb 15, 2004
    #7
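    A consistency check for the kind of setup Scott posted: a PIX 6.x carrying the DMZ VLANs as 802.1Q logical subinterfaces and an IOS switch trunking to it. This is an added example, not code from the thread or from Cisco; the two config strings are constructed for the example (trimmed to the lines that matter, in the shape of Scott's config) and the check names and messages are the example's own. It flags the things that silently break this design: a logical VLAN with no nameif, two interfaces sharing a security level (PIX 6.x requires them to be distinct, as Scott's comment notes), a named VLAN interface with no address or no inbound access-group, and a switch trunk that does not pin its encapsulation to dot1q (the PIX does not speak ISL, and a trunk left to negotiate may choose it) or that prunes a VLAN the PIX expects.

```python
import re
from collections import defaultdict

# Constructed inputs for the example: trimmed copies of a PIX 6.x DMZ config using
# VLAN subinterfaces and of the IOS switch that trunks to it.
PIX_CFG = """\
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmzphy security50
nameif vlan3 dmz2 security60
nameif vlan2 dmz3 security40
ip address inside 192.168.1.111 255.255.255.0
no ip address dmzphy
ip address dmz2 192.168.3.1 255.255.255.0
ip address dmz3 192.168.2.1 255.255.255.0
access-list dmz2in permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz3in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz2in in interface dmz2
access-group dmz3in in interface dmz3
"""

SWITCH_CFG = """\
interface FastEthernet0/10
 switchport access vlan 2
interface FastEthernet0/11
 switchport access vlan 3
interface FastEthernet0/12
 description PIX 802.1Q trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""


def pix_logical_vlans(cfg):
    """VLAN ids the PIX carries as 802.1Q logical subinterfaces."""
    return set(re.findall(r"^interface \S+ vlan(\d+) logical", cfg, re.M))


def lint_pix(cfg):
    """Return findings for a PIX 6.x config that uses VLAN subinterfaces."""
    findings = []
    nameifs = {hw: (name, int(lvl)) for hw, name, lvl in
               re.findall(r"^nameif (\S+) (\S+) security(\d+)", cfg, re.M)}
    # A logical VLAN with no nameif has no security level and no policy at all.
    for v in sorted(pix_logical_vlans(cfg)):
        if f"vlan{v}" not in nameifs:
            findings.append(f"vlan{v} is defined but has no nameif")
    # PIX 6.x requires every interface to have a distinct security level.
    by_level = defaultdict(list)
    for name, lvl in nameifs.values():
        by_level[lvl].append(name)
    for lvl, names in sorted(by_level.items()):
        if len(names) > 1:
            findings.append(f"security{lvl} shared by {sorted(names)}")
    addressed = set(re.findall(r"^ip address (\S+) \d", cfg, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    names = {name for name, _ in nameifs.values()}
    bound = {}
    for acl, iface in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        bound[iface] = acl
        if acl not in acls:
            findings.append(f"access-group references undefined ACL {acl}")
        if iface not in names:
            findings.append(f"access-group bound to unknown interface {iface}")
    for hw, (name, _) in sorted(nameifs.items()):
        if not hw.startswith("vlan"):
            continue
        if name not in addressed:
            findings.append(f"{name} has no ip address")
        if name not in bound:
            # Without an inbound ACL the DMZ relies purely on security-level defaults.
            findings.append(f"{name} has no inbound access-group")
    return findings


def expand_vlan_list(spec):
    """Expand an IOS 'allowed vlan' list such as '2-3,10' into a set of ids."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(str(i) for i in range(int(lo), int(hi or lo) + 1))
    return out


def lint_switch(cfg, pix_vlans):
    """Check the switch port facing the PIX and the VLANs the PIX expects."""
    findings = []
    blocks = re.split(r"^(?=interface )", cfg, flags=re.M)
    trunks, access_vlans = [], set()
    for blk in blocks:
        if "switchport mode trunk" in blk:
            trunks.append(blk)
        access_vlans.update(re.findall(r"switchport access vlan (\d+)", blk))
    if len(trunks) != 1:
        findings.append(f"expected one trunk port toward the PIX, found {len(trunks)}")
    for blk in trunks:
        # The PIX only speaks 802.1Q; an unpinned trunk may negotiate ISL instead.
        if "switchport trunk encapsulation dot1q" not in blk:
            findings.append("trunk port does not pin encapsulation to dot1q")
        allowed = re.search(r"switchport trunk allowed vlan (\S+)", blk)
        if allowed:
            for v in sorted(pix_vlans - expand_vlan_list(allowed.group(1))):
                findings.append(f"vlan{v} is pruned from the trunk allowed list")
    for v in sorted(pix_vlans):
        if v not in access_vlans:
            findings.append(f"vlan{v} has no access port on the switch")
    return findings


if __name__ == "__main__":
    vlans = pix_logical_vlans(PIX_CFG)
    for line in lint_pix(PIX_CFG) + lint_switch(SWITCH_CFG, vlans):
        print("FINDING:", line)
```

Run against the constructed configs it reports nothing; change one of the VLAN nameifs to a security level already in use, or drop the `switchport trunk encapsulation dot1q` line, and the corresponding finding appears. The checks are deliberately textual, so the same script can be pointed at a `show running-config` capture from either box.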
  8. I do not believe the firewall is a PIX....
    but ok...

    An inspiration it is.


    "Scott Enwright" <> wrote in message
    news:sERXb.60111$...
    > Pete,
    >
    > This is an abbreviated config so I could document the important stuff for
    > you. Comments are for the line after the comment.
    >
    > PIX Version 6.3(3)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > interface ethernet2 auto
    > ! This is the physical interface that provides the 802.1q trunking
    > interface ethernet2 vlan1 physical
    > ! This is a VLAN trunking interface
    > interface ethernet2 vlan2 logical
    > ! This is a VLAN interface
    > interface ethernet2 vlan3 logical
    > ! This is a VLAN interface
    > interface ethernet3 auto shutdown
    > interface ethernet4 auto shutdown
    > interface ethernet5 auto shutdown
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > nameif ethernet2 dmzphy security50
    > nameif ethernet3 intf3 security6
    > nameif ethernet4 intf4 security8
    > nameif ethernet5 intf5 security10
    > ! Security level for VLAN DMZ2
    > nameif vlan3 dmz2 security60
    > ! Security level for VLAN DMZ3 (all security levels must be different)
    > nameif vlan2 dmz3 security40
    > hostname pix-bcait-515
    > names
    > ! Stop NAT translating addresses (inside to global) to both DMZ interfaces
    > access-list nonat0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    > access-list nonat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > ! Permit PING back inside from the DMZ2 to inside but deny all other traffic inside
    > access-list dmz2in permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    > access-list dmz2in deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    > ! Permit PING back inside from the DMZ3 to inside but deny all other traffic inside
    > access-list dmz3in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    > access-list dmz3in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    > pager lines 24
    > logging on
    > logging monitor debugging
    > logging buffered debugging
    > mtu outside 1500
    > mtu inside 1500
    > mtu dmzphy 1500
    > mtu intf3 1500
    > mtu intf4 1500
    > mtu intf5 1500
    > ip address outside dhcp setroute retry 16
    > ip address inside 192.168.1.111 255.255.255.0
    > no ip address dmzphy
    > no ip address intf3
    > no ip address intf4
    > no ip address intf5
    > !Assign DMZ2 an IP Address
    > ip address dmz2 192.168.3.1 255.255.255.0
    > !Assign DMZ3 an IP Address
    > ip address dmz3 192.168.2.1 255.255.255.0
    > arp timeout 14400
    > global (outside) 1 interface
    > !Stop NAT of internal addresses
    > nat (inside) 0 access-list nonat0
    > ! Nat to Outside world
    > nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    > ! Statically translate to the DMZ2
    > static (inside,dmz2) 192.168.1.0 182.168.1.0 netmask 255.255.255.0 0 0
    > ! Statically translate to the DMZ3
    > static (inside,dmz3) 192.168.1.0 182.168.1.0 netmask 255.255.255.0 0 0
    > ! Allow ping to return into our network
    > access-group dmz2in in interface dmz2
    > ! Allow ping to return into our network
    > access-group dmz3in in interface dmz3
    >
    > ----------- Switch configuration ------------
    >
    > version 12.0
    > no service pad
    > service password-encryption
    > !
    > hostname c2912
    > !
    > interface FastEthernet0/10
    > description *** DMZ2 192.168.2.2 interface ***
    > switchport access vlan 2
    > spanning-tree portfast
    > !
    > interface FastEthernet0/11
    > description *** DMZ3 192.168.3.2 interface ***
    > switchport access vlan 3
    > spanning-tree portfast
    > !
    > interface FastEthernet0/12
    > description *** PIX 802.1Q interface ***
    > switchport trunk encapsulation dot1q
    > switchport mode trunk
    > spanning-tree portfast
    > !
    > interface VLAN1
    > ip address 192.168.1.2 255.255.255.0
    > no ip directed-broadcast
    > no ip route-cache
    > !
    > interface VLAN2
    > no ip directed-broadcast
    > no ip route-cache
    > shutdown
    > !
    > interface VLAN3
    > no ip directed-broadcast
    > no ip route-cache
    > shutdown
    >
    > Scott.
    > !
    >
    > Regards,
    >
    > Scott.
    > \|/
    > (o o)
    > ---------------------oOOO--(_)--OOOo----------------------
    > Out the 100Base-T, off the firewall, through the router, down
    > the T1, over the leased line, off the bridge, nothing but Net.
    > (Use ROT13 to see my email address)
    > .oooO Oooo.
    > ----------------------( )---( )-----------------------
    > \ ( ) /
    > \_) (_/
    >
    >
    >
    >
    > PJML wrote:
    >
    > > Hi there. I'm trying to set up a 3550-series
    > > switch for use as a "DMZ" with a firewall.
    > >
    > > The idea is that the switch has a number of VLANs
    > > but inter-VLAN routing [and routing from the VLANs
    > > to the rest-of-the-world] is carried out by the
    > > firewall, which has one DMZ interface.
    > >
    > > Each VLAN will be an IP-subnet of its own, with
    > > the switch itself doing *no* IP-routing.
    > >
    > > Seems the firewall is understanding-impaired about
    > > things like ISL or 802.1Q trunking, so what I need
    > > to do is set up *one* port on the switch which is
    > > actually a member of all the VLANs, and then set
    > > up multiple secondary IP-addresses on the firewall
    > > itself so it can do the routing.
    > >
    > > [yes I know it's kludgy but I don't control the
    > > firewall side!].
    > >
    > > Is this possible? I guess it's a bit like a
    > > very primitive router-on-a-stick setup, but
    > > all the ROASes I've seen have had the "router"
    > > side configured as a trunk device using the
    > > traditional approach of subinterfaces.
    > >
    > > I basically just want a switch-port to be
    > > non-trunked but a member of multiple VLANs.
    > >
    > > -Pete L.
    > >
     
    Martin Bilgrav, Feb 15, 2004
    #8