https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613298#M497275 <HTML><HEAD></HEAD><BODY><P>i m not sure of what you re trying to accomplish but i ll explain what you did here and what will happen to the packets as they pass accross the interface </P><P></P><P></P><P>*first you are working with a pix under 6.x version, (configuring vlan is simplified a little bit under 7.x specialy when dealing with untagged packets)</P><P></P><P>*we suppose the port of switch in front of your pix is configured correctly as trunk with dot1q the only supported method for pix, also remember that the switch will send untagged packet within the native vlan </P><P>that default to one 1 and can be changed to whatever value within the range.</P><P></P><P></P><P>*so here every packet that hits the interface ethernet3 of your pix for both direction </P><P>(toward the switch or from the switch toward the pix) that are untagged or in the native vlan will be dropped (if the native vlan is diffrent from 4), because you forced the pix to do that by specifying the PHYSICAL keyword and assigning a vlan id of 4 , which mean every packet must be tagged and in the expected defined vlan in order to pass accross the interface otherwise it will be dropped.</P><P></P><P>(your idea here is to use only VLANs that are defined specifically to pass data to and from the firewall while eliminating the possibility that an unexpected VLAN appears on the trunk).</P><P></P><P>(NOW your physical ethernet3 100full ovelay with the the logical VLAN4)</P><P></P><P>HTH</P><P></P></BODY></HTML> Thu, 28 Sep 2006 02:58:06 GMT kamal-learn 2006-09-28T02:58:06Z https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613295#M497270 <P>I would to like clarify if what would the effect if I am to create a logical VLAN interface on a existing and working physical interface?</P><P></P><P>What would be the effects of this configuration? Would the physical interface be shutdown?</P><P></P><P>Thanks</P> Fri, 21 Feb 2020 09:11:48 GMT https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613295#M497270 terblac 2020-02-21T09:11:48Z https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613296#M497272 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm not sure I exactly understand what you want to do, but logical interfaces require the physical interface to be up - if the physical interface is down then all your logical interfaces will also be down. The act of creating a logical interface does not shutdown the physical interface.</P><P></P><P>Maybe you could clarify exactly what you want to accomplish?</P><P></P><P>HTH</P><P>Andrew.</P><P></P></BODY></HTML> Wed, 27 Sep 2006 09:42:20 GMT https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613296#M497272 andrew.burns 2006-09-27T09:42:20Z https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613297#M497274 <HTML><HEAD></HEAD><BODY><P>Andrew,</P><P></P><P>Yes, the act of creating a logical interface is what I am asking about if it would affect the physical interface, just like below:</P><P></P><P>interface ethernet3 100full</P><P>interface ethernet3 vlan4 physical</P><P>interface ethernet3 vlan4020 logical</P><P></P><P>If ethernet 100full was already connected to a switch and was already in procution. And if I was to create ethernet3 vlan4020 logical, would if affect the ethernet 100full or ethernet vlan4 physical?</P><P></P><P>I will try to do it here on our PIX. </P><P></P><P>Thanks</P><P></P></BODY></HTML> Thu, 28 Sep 2006 00:05:33 GMT https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613297#M497274 terblac 2006-09-28T00:05:33Z https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613298#M497275 <HTML><HEAD></HEAD><BODY><P>i m not sure of what you re trying to accomplish but i ll explain what you did here and what will happen to the packets as they pass accross the interface </P><P></P><P></P><P>*first you are working with a pix under 6.x version, (configuring vlan is simplified a little bit under 7.x specialy when dealing with untagged packets)</P><P></P><P>*we suppose the port of switch in front of your pix is configured correctly as trunk with dot1q the only supported method for pix, also remember that the switch will send untagged packet within the native vlan </P><P>that default to one 1 and can be changed to whatever value within the range.</P><P></P><P></P><P>*so here every packet that hits the interface ethernet3 of your pix for both direction </P><P>(toward the switch or from the switch toward the pix) that are untagged or in the native vlan will be dropped (if the native vlan is diffrent from 4), because you forced the pix to do that by specifying the PHYSICAL keyword and assigning a vlan id of 4 , which mean every packet must be tagged and in the expected defined vlan in order to pass accross the interface otherwise it will be dropped.</P><P></P><P>(your idea here is to use only VLANs that are defined specifically to pass data to and from the firewall while eliminating the possibility that an unexpected VLAN appears on the trunk).</P><P></P><P>(NOW your physical ethernet3 100full ovelay with the the logical VLAN4)</P><P></P><P>HTH</P><P></P></BODY></HTML> Thu, 28 Sep 2006 02:58:06 GMT https://community.cisco.com/t5/network-security/effects-of-creating-a-logical-interface-vlan-on-pix-535-os-6-3-5/m-p/613298#M497275 kamal-learn 2006-09-28T02:58:06Z