07-01-2003 03:42 AM - edited 02-20-2020 10:49 PM
Hi!
Here go 3 questions:
1) Does anyone have a link to some VLAN samples?
2) Doesn't the fact of having logical interfaces make the solution less secure than having physical interfaces?
3) What is the difference between physical VLAN and logical VLAN?
Thanks and regards,
ovieira
07-01-2003 04:27 AM
Ovieira:
1) Config sample:
PIX:
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
!
nameif ethernet1 DMZ security10
nameif vlan20 MailSvrs security15
nameif vlan30 WWWsvrs security20
!
ip address DMZ 192.168.0.1 255.255.255.0
ip address MailSvrs 192.168.1.1 255.255.255.0
ip address WWWsvrs 192.168.2.1 255.255.255.0
Catalyst (port that PIX ethernet1 is connected to):
set vlan1
set port channel
set spantree portfast
clear trunk
set trunk
set port speed
set port duplex
2) From a security perspective, Cisco claims that using vlans is actually more secure. With no vlans configured, the PIX sends untagged packets to any connected switch port. If the switch port is trunking, the switch forwards the packet on the native vlan - vlan1 - making the switch vulnerable to a hacker injecting packets into another vlan from the native vlan. As a rule, I never use the default vlan anyway. Assign physical interfaces on the PIX to any vlan other than vlan1. Actually, assign the physical interface to any vlan that is NOT the native vlan for the switch port and you should be good.
3) Logical and physical interfaces are both software objects - but the actual physical object is the NIC. Physical interfaces operate at both layer-2 and layer-3; logical interfaces only operate at layer-3. With that in mind, you can't configure 'failover link' or 'failover lan' on logical interfaces because they don't operate at layer-2.
Hope this helps,
Rich
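An added example, not part of Rich's answer or of any Cisco tooling: a small Python audit that parses the `interface ethernetN vlanN physical|logical` lines of a PIX 6.x config like the one above and applies the rule from point 2 (the physical interface's VLAN must not be vlan 1 and must not be the native VLAN of the trunk port it plugs into, and a NIC with no VLAN at all sends untagged frames that land in the native VLAN). The sample config, the `native_vlan` mapping (which the operator has to supply from the switch side) and the default of native VLAN 1 for unknown ports are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample PIX 6.x config, built from the snippet in Rich's post above.
PIX_CONFIG = """\
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
nameif ethernet1 DMZ security10
nameif vlan20 MailSvrs security15
nameif vlan30 WWWsvrs security20
"""

# Matches "interface <nic> vlan<id> physical|logical" (PIX 6.3 syntax as shown above).
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s+vlan(\d+)\s+(physical|logical)\s*$")


@dataclass
class PixVlans:
    physical: dict  # nic -> VLAN id carried by the physical (untagged-on-the-wire) interface
    logical: dict   # nic -> set of VLAN ids of 802.1Q subinterfaces on that NIC


def parse_pix_vlans(config: str) -> PixVlans:
    """Collect physical and logical VLAN assignments per NIC from a PIX config."""
    physical, logical = {}, {}
    for line in config.splitlines():
        m = INTERFACE_RE.match(line.strip())
        if not m:
            continue
        nic, vlan, kind = m.group(1), int(m.group(2)), m.group(3)
        if kind == "physical":
            physical[nic] = vlan
        else:
            logical.setdefault(nic, set()).add(vlan)
    return PixVlans(physical, logical)


def audit_trunk(config: str, native_vlan: dict) -> list:
    """Return (nic, finding) pairs for NICs that violate the rule in the post.

    native_vlan maps a PIX NIC name to the native VLAN of the switch trunk port
    it is connected to. Assumption for this example: a port not listed there is
    treated as a default trunk with native VLAN 1.
    """
    findings = []
    pv = parse_pix_vlans(config)
    nics = set(pv.physical) | set(pv.logical) | set(native_vlan)
    for nic in sorted(nics):
        native = native_vlan.get(nic, 1)
        phys = pv.physical.get(nic)
        if phys is None:
            findings.append((nic, "physical interface has no vlan: frames leave untagged "
                                  "and land in native vlan %d" % native))
        else:
            if phys == 1:
                findings.append((nic, "physical interface is on vlan 1 (the default vlan)"))
            if phys == native:
                findings.append((nic, "physical interface vlan %d equals the trunk's "
                                      "native vlan" % phys))
        # Sanity check on the config itself: a logical VLAN id must not reuse
        # the physical VLAN id of the same NIC.
        for v in sorted(pv.logical.get(nic, ())):
            if v == phys:
                findings.append((nic, "logical vlan %d duplicates the physical vlan" % v))
    return findings


if __name__ == "__main__":
    # Native VLAN of the Catalyst port that ethernet1 plugs into (assumed value).
    for nic, msg in audit_trunk(PIX_CONFIG, {"ethernet1": 1}) or [("ethernet1", "ok")]:
        print(nic, msg)
```

Run it against a real config by pasting the `interface` lines into `PIX_CONFIG` and filling `native_vlan` from `show trunk` on the switch; an empty result means the physical interface is on a tagged VLAN that is neither vlan 1 nor the port's native VLAN, which is exactly what the answer recommends.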