PIX 515E and Routing

bsisco
Level 1

I would like to confirm that I can use the inside interface of a PIX 515E with the appropriate route commands to support a stack of 3550 switches running both (802.1Q) tagged and untagged VLANs without the need for any other equipment.

3 networks 55,56, and 57

inside int ip 55.1

55 and 56 are tagged and can communicate without the PIX. 57 is untagged and should require a route command on the PIX.

Each network can have its own access lists and all share the default security of the inside interface provided by the PIX.

See Attachment for layout picture.

Thank You.

2 Replies

thisisshanky
Level 11

Ben,

PIX is not a true router. It does not send a packet received on its interface back through the same interface. So if you plan to use the PIX as the default gateway for these networks, it's probably not a good idea. Even though the PIX has support for multiple VLANs that can be bound to a physical interface, I would not recommend such a design! The 3550s are Layer 3, so they should be able to route between these 3 VLANs without any intervention from the PIX. All the PIX needs is three static routes to communicate with 57, 55, and 56 for traffic coming from the DMZ as well as Internet traffic (return) going to these networks.

route inside x.x.55.0 255.255.255.0
route inside x.x.56.0 255.255.255.0
route inside x.x.57.0 255.255.255.0

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
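The design the reply recommends, written out as an added worked configuration that is not from the thread or from either poster: the 3550 owns the SVIs and is the default gateway for all three VLANs, the PIX inside interface sits untagged in VLAN 55, and the PIX only carries static routes for the two networks it is not directly connected to. Everything concrete here is assumed for illustration: 10.0.55.0/24, 10.0.56.0/24 and 10.0.57.0/24 stand in for the x.x networks, 10.0.55.1 is the PIX inside address, 10.0.55.2 is the 3550's VLAN 55 SVI, the port numbers and ACL names are made up, VLAN 57 is carried as the untagged (native) VLAN on the trunk, and the 3550 is assumed to run an image that supports IP routing. The `!` lines are IOS-style annotations; the PIX 6.x CLI does not accept comment lines, so drop them before pasting the PIX section.

```cisco
! ---- Catalyst 3550 (assumed 10.0.55.2; IP routing is off by default) ----
ip routing
!
! SVIs: the 3550 is the gateway for every VLAN, so inter-VLAN traffic is routed
! here and never has to hairpin on the PIX inside interface.
interface Vlan55
 description management VLAN and uplink to PIX inside (10.0.55.1)
 ip address 10.0.55.2 255.255.255.0
interface Vlan56
 ip address 10.0.56.1 255.255.255.0
 ip access-group VLAN56-IN in
interface Vlan57
 ip address 10.0.57.1 255.255.255.0
 ip access-group VLAN57-IN in
!
! Uplink to the PIX: an access port in VLAN 55, because the PIX inside
! interface in this design is untagged.
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 55
!
! Trunk to the next 3550 in the stack: 55 and 56 tagged, 57 untagged (native).
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 57
 switchport trunk allowed vlan 55,56,57
 switchport mode trunk
!
! Because inter-VLAN traffic bypasses the PIX, the per-network policy the
! original post asks for has to live on the 3550. These router ACLs keep the
! client VLANs away from each other and from the management VLAN while still
! letting them reach the PIX (and the Internet behind it).
ip access-list extended VLAN56-IN
 deny   ip 10.0.56.0 0.0.0.255 10.0.55.0 0.0.0.255
 deny   ip 10.0.56.0 0.0.0.255 10.0.57.0 0.0.0.255
 permit ip 10.0.56.0 0.0.0.255 any
ip access-list extended VLAN57-IN
 deny   ip 10.0.57.0 0.0.0.255 10.0.55.0 0.0.0.255
 deny   ip 10.0.57.0 0.0.0.255 10.0.56.0 0.0.0.255
 permit ip 10.0.57.0 0.0.0.255 any
!
! Anything not local to the three VLANs goes to the PIX inside interface.
ip route 0.0.0.0 0.0.0.0 10.0.55.1
!
! ---- PIX 515E (6.x syntax) ----
! 10.0.55.0/24 is directly connected to "inside" and needs no route entry.
! 56 and 57 are reached through the 3550's VLAN 55 address; the PIX "route"
! command requires that next-hop argument (route if_name net mask gateway [metric]).
ip address inside 10.0.55.1 255.255.255.0
route inside 10.0.56.0 255.255.255.0 10.0.55.2 1
route inside 10.0.57.0 255.255.255.0 10.0.55.2 1
```

To check the result, `show ip route` on the 3550 should list the three VLANs as connected and the default via 10.0.55.1, and `show route` on the PIX should show 10.0.55.0 as connected on inside plus the two static entries via 10.0.55.2. Note that the deny lines on the 3550 also block the client VLANs from reaching the 3550 management addresses themselves, which is usually the intent; if the PIX inside interface must stay reachable from the client VLANs for management, add an explicit permit for 10.0.55.1 ahead of the deny.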

Thank you!

What if we are doing port-based VLANs where each switch could be hosting 1, 2, or all 3 of the VLANs? Will this same configuration still hold up? Essentially the management IPs of the 3550s will all be in the .55 range and the other two VLANs would only host clients (which I assume leaves the inside interface of the PIX to be the default gateway - and does that make them .56.1 and .57.1 respectively?)

It was so clear when I first started thinking about it but seems to have become a bit more complicated.
