PIX 515 and Switch 2950 VLAN

Discussion in 'Cisco' started by Edward Voermans, Feb 27, 2005.

  1. Hi there,

    We have a PIX 515E connected to the Internet and one interface connected to
    the internal network.
    The internal network has just one IP subnet over two 2950EI switches. At the
    moment we don't use any VLANs.
    We are thinking of implementing 3 subnets, each with a different task:
    production, management and VPN.
    What would be the best way to implement this architecture? I understand that
    the PIX supports VLANs.
    Do I need a router in this setup? Can anyone provide me with some
    configuration examples on how to set up the VLANs and things like trunking?

    Thanks in advance,
    Edward
     
    Edward Voermans, Feb 27, 2005
    #1

  2. Hi Edward,

    Yes, the PIX will be able to do exactly what you want. But keep in mind the
    PIX is not a router and offers a limited set of functionality compared to a
    real router.
    To set up the three internal subnets:
    - Create the VLANs on the switches (with or without VTP)
    - Set up a VLAN trunk between the two switches
    - Set up a VLAN trunk between one of the switches and the PIX
    - Configure the PIX with the correct addresses in the corresponding subnets
    - Set up default gateways on the clients to match the subnet (PIX) address
    - Configure PIX security
    - You should be fine now.

    Erik Tamminga
     
    Erik Tamminga, Feb 27, 2005
    #2

  3. Edward,
    It is my understanding that new versions of the PIX firmware will
    support 802.1q trunking, however if you need for the different VLANs
    to talk to one another (i.e. have hosts on VLAN A communicate with
    hosts on VLAN B) then you will need a router to handle the inter-VLAN
    routing. The PIX will not let a packet leave the same interface it was
    received on, nor does it route, so you will need to inter-VLAN route
    either via a standalone router or a multilayer switch like the 3550 or
    4500s.

    Good luck,
    Robert
     
    Robert B. Phillips, II, Feb 27, 2005
    #3
    : It is my understanding that new versions of the PIX firmware will
    : support 802.1q trunking, however if you need for the different VLANs
    : to talk to one another (i.e. have hosts on VLAN A communicate with
    : hosts on VLAN B) then you will need a router to handle the inter-VLAN
    : routing.

    No, that is not correct.


    : The PIX will not let a packet leave the same interface it was
    : received on, nor does it route, so you will need to inter-VLAN route
    : either via a standalone router or a multilayer switch like the 3550 or
    : 4500s.

    Both clauses of that are incorrect.

    PIX 6.3 supports "logical" interfaces, where a "logical" interface
    is a VLAN tag over a physical interface. Logical interfaces have
    their own IP address and have their own security level: you can do
    nearly everything with them that you could do with a physical
    interface, with the notable exception being that you cannot
    change the interface speed of the logical interface [it will use the
    speed assigned to the physical interface.]

    As far as the PIX is concerned, once the logical interface is
    created and assigned a security level then it follows the logic
    rules the same as the physical interfaces: in the absence of
    an access-group, new flows can be created to lower security interfaces
    but not to higher security interfaces.

    The mechanism for deciding which logical or physical interface that
    a packet should go to is to consult the routing tables. Which is why
    I say that it is wrong to say that the PIX does not route. The PIX
    routes all the time: routing is fundamental to its operation.
    It just won't allow you to route back to the same [logical] interface
    that the packet came in on.... which is different from saying that
    it does not route.
     
    Walter Roberson, Feb 28, 2005
    #4
    Ah, it has been a while since I have worked with PIX boxes, back in the
    6.1 days. I was not aware that the PIX would inter-VLAN route now;
    got some Cisco documentation you can point me to that shows this and
    provides some sample configs?

    My apologies to the original poster for steering you wrong, from now
    on I will leave all PIX related posts for Walter to handle. :)

    Good Luck,
    Robert
     
    Robert B. Phillips, II, Feb 28, 2005
    #5
  6. Erik,

    Can you perhaps provide me the detailed steps or IOS commands on how to
    achieve your previous answer?

    Thanks in advance,
    Edward
     
    Edward Voermans, Feb 28, 2005
    #6
  7. Walter Roberson, Feb 28, 2005
    #7
  8. Robert B. Phillips, II, Feb 28, 2005
    #8
  9. Hi Edward,

    Did the links provided by Walter help you, or do you still need the IOS
    command syntaxes?

    Erik
     
    Erik Tamminga, Feb 28, 2005
    #9
  10. Erik,

    Any help is appreciated, but maybe we can take this offline, you've got my
    e-mail.

    This is what I've figured out to do on the PIX:
    interface ethernet1 100full

    interface ethernet1 vlan10 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan30 logical

    nameif ethernet1 PRODUCTION security90
    nameif vlan20 MANAGEMENT security80
    nameif vlan30 BOARD security70

    ip address PRODUCTION 192.168.230.1 255.255.255.0
    ip address MANAGEMENT 192.168.220.1 255.255.255.0
    ip address BOARD 192.168.210.1 255.255.255.0

    But now I have to set up a trunk to the 2950.

    Regards,
    Edward
     
    Edward Voermans, Mar 2, 2005
    #10
  11. Erik,

    I think I figured out how to do it:
    interface ethernet1 100full

    interface ethernet1 vlan10 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan30 logical

    nameif ethernet1 PRODUCTION security90
    nameif vlan20 MANAGEMENT security80
    nameif vlan30 BOARD security70

    ip address PRODUCTION 192.168.230.1 255.255.255.0
    ip address MANAGEMENT 192.168.220.1 255.255.255.0
    ip address BOARD 192.168.210.1 255.255.255.0


    !--- Proceed with Switch commands
    !--- In this case Cisco 2970

    !--- Create VLANS
    vlan database
    vlan 10
    vlan 20
    vlan 30
    exit

    !--- Assign IP's
    interface vlan10
    ip address 192.168.230.2 255.255.255.0
    no shutdown
    exit
    interface vlan20
    ip address 192.168.220.2 255.255.255.0
    no shutdown
    exit
    interface vlan30
    ip address 192.168.210.2 255.255.255.0
    no shutdown
    exit

    !--- Setup Trunking
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    !--- switchport trunk allowed vlan 10,20,30
    switchport mode trunk
    switchport nonegotiate
    no spanning-tree portfast

    interface range GigabitEthernet 0/3 - 6
    spanning-tree portfast
    switchport access vlan 10

    interface range GigabitEthernet 0/7 - 10
    spanning-tree portfast
    switchport access vlan 20

    interface range GigabitEthernet 0/11 - 14
    spanning-tree portfast
    switchport access vlan 30

    Is this correct???
    Any advice on connecting the second switch (probably also a trunk?)
    How about broadcasts in this scenario?

    Regards,
    E
     
    Edward Voermans, Mar 2, 2005
    #11
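The following is an added example, not code from the thread or from Cisco: a small Python model of the forwarding decision Walter describes in #4 (egress chosen by route lookup, no packet sent back out the interface it arrived on, and with no access-group a new flow only toward a lower security level), applied to the three interface names, security levels and subnets Edward posted in #10 and #11. The "outside" interface, its address, the default route and the sample access-list are assumptions; PIX 6.x NAT/static requirements are deliberately left out.

```python
"""Model of the PIX 6.3 forwarding decision described in post #4.

Added example, not code from the thread or from Cisco. It reproduces three
rules: the egress interface comes from a longest-prefix route lookup; a
packet is never sent back out the [logical] interface it arrived on; and,
with no access-group bound to the ingress interface, a new flow is allowed
only toward a LOWER security level. Interface names, levels and subnets are
Edward's from post #10. The 'outside' interface, its address and the default
route are assumptions. PIX 6.x NAT/static requirements are left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Interface:
    name: str        # nameif
    security: int    # securityNN
    network: Net     # 'ip address <name> ...' gives the connected route


# Three interfaces on ethernet1 (one physical VLAN, two logical), per post #10,
# plus an assumed Internet-facing interface.
INTERFACES: Dict[str, Interface] = {
    i.name: i for i in (
        Interface("PRODUCTION", 90, Net("192.168.230.0/24")),
        Interface("MANAGEMENT", 80, Net("192.168.220.0/24")),
        Interface("BOARD", 70, Net("192.168.210.0/24")),
        Interface("outside", 0, Net("203.0.113.0/29")),   # assumption
    )
}

# Routing table: connected routes plus an assumed default route via outside.
ROUTES: List[Tuple[Net, str]] = [(i.network, i.name) for i in INTERFACES.values()]
ROUTES.append((Net("0.0.0.0/0"), "outside"))

# An inbound access-group is modelled as a predicate over (src, dst, dport).
AccessList = Callable[[Addr, Addr, int], bool]


def route_lookup(dst: Addr) -> Optional[str]:
    """Return the egress interface for dst by longest-prefix match, or None."""
    best: Optional[Tuple[Net, str]] = None
    for net, name in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def decide(ingress: str, src: str, dst: str, dport: int = 0,
           access_groups: Optional[Dict[str, AccessList]] = None) -> Tuple[bool, str]:
    """Can a NEW flow src->dst:dport that arrived on `ingress` be created?

    `ingress` is the interface the frame arrived on (for a logical interface,
    the one whose VLAN tag it carried). Returns (allowed, reason).
    """
    s, d = Addr(src), Addr(dst)
    inn = INTERFACES[ingress]
    out_name = route_lookup(d)
    if out_name is None:
        return False, "no route to destination"
    if out_name == ingress:
        # Host-to-host traffic inside one VLAN is the switch's job; the PIX
        # will not route a packet back out the interface it came in on.
        return False, f"would leave {ingress} on the interface it arrived on"
    out = INTERFACES[out_name]
    acl = (access_groups or {}).get(ingress)
    if acl is not None:
        ok = acl(s, d, dport)
        return ok, f"access-group on {ingress} {'permits' if ok else 'denies'} -> {out_name}"
    if inn.security > out.security:
        return True, f"{ingress}({inn.security}) -> {out_name}({out.security}): higher to lower"
    return False, (f"{ingress}({inn.security}) -> {out_name}({out.security}): "
                   "not lower, needs an access-group")


def reachability_matrix(access_groups=None) -> Dict[Tuple[str, str], bool]:
    """Which internal VLAN can open a flow to which, using one host per subnet."""
    internal = [n for n in INTERFACES if n != "outside"]
    sample = {n: str(INTERFACES[n].network[10]) for n in internal}
    return {(a, b): decide(a, sample[a], sample[b], access_groups=access_groups)[0]
            for a in internal for b in internal if a != b}


if __name__ == "__main__":
    for (a, b), ok in reachability_matrix().items():
        print(f"{a:>10} -> {b:<10} {'allow' if ok else 'deny'}")
    # Hypothetical access-group: let MANAGEMENT hosts SSH into PRODUCTION only.
    ssh_in = {"MANAGEMENT": lambda s, d, p: p == 22 and d in INTERFACES["PRODUCTION"].network}
    print(decide("MANAGEMENT", "192.168.220.10", "192.168.230.5", 22, ssh_in))
```

Run as-is, the matrix shows the consequence of the levels in post #10: PRODUCTION (90) can open sessions into MANAGEMENT and BOARD, but MANAGEMENT (80) cannot reach PRODUCTION and BOARD (70) cannot reach either, until an access-group (and, on a real PIX 6.x, the matching static) is bound to the lower-security interface. That is the "Configure PIX security" step in Erik's list, and it is worth deciding the level order before the VLAN trunk goes live rather than after.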
