PIX 506 with VLANs

ryandibble · ‎01-10-2005

Hey guys,

I just need to make sure that I understand a couple of things correctly. The native VLAN (VLAN1) will not work with a PIX set up for VLAN support through logical interfaces, correct? Does this mean that I simply need to re-assign all of the ports that are currently members of VLAN1 to another VLAN?

Also, I have read that an IPsec VPN tunnel cannot be created on the PIX for hosts that are located on a logical PIX interface. The PIX in question is an IPsec VPN tunnel peer. I am presuming that any devices which need to pass traffic across that tunnel must be on the VLAN assigned to the physical interface on the PIX. Devices that do not need to use the tunnel can be on the logical interface - is that right?

Thanks in advance for any help!

nkhawaja · ‎01-10-2005

use physical for vlan 1 traffic, which will allow tagged packes to be listened by pix for vlan 1. change the native vlan of that port to vlan xxx something other than vlan 1 so that vlan 1 is sent as tagged traffic.

or as you said you need to assign all ports of vlan1 to another vlan. whatever you like should be ok.

VPN tunnel should be ok to terminate on the pix for hosts/networks in logical interfaces. otherwise shouldnt it be defeating a basic functionality?

Thanks

Nadeem

ryandibble · ‎01-11-2005

So basically, as long as the VLAN assigned to the PIX's physical interface is different from the native VLAN on the switch, then things are okay. Is that right?

As far as the VPN goes, it may be a limitation of the 506/506E models only. I read this on the PIX 6.3(4) release notes: "When 506 and 506E are used as VPN hardware clients, logical interfaces on the 506/506E cannot be used to initiate a VPN tunnel." That seems to indicate to me that the logical interface could not be used for a bi-directional VPN, but I could be misinterpreting something.