PIX 6.3(3) VLAN errors

jrahl
Community Member

I am running PIX 525 6.3(3)

4 interfaces 2 FE, 2 GE

1 FE used for stateful failover

1 FE will be used for DMZ

1 GE inside

1 GE outside

Attached to 6509

I set GE-outside to VLAN 201; on the 6509, the fiber port it is plugged into is VLAN 201.

I set GE-inside to VLAN 216; on the 6509, the fiber port it is plugged into is VLAN 216.

Put my laptop on VLAN 216

With a static NAT in place, ICMP allowed, and a route in place, from my client I cannot ping or hit the internet. I get VLAN errors on the inside interface, and the counter keeps incrementing any time I try to do anything. I cannot ping the inside interface either, and when I try, the VLAN errors increment.

Do I need to set up a trunk on the GE ports to get it to work? I wouldn't think so, but...

I read somewhere that someone got their VLAN to work by putting the opposite VLAN on the switch. So to get VLAN 216 to work on the inside interface, I would need to put VLAN 201 on the switch port. That doesn't make sense, but that is what the party claimed.

Thanks

Jason

4 Replies

ehirsel
Level 11

If you have logical interfaces already configured on the PIX, or you specified a VLAN when you set up the physical interfaces (which is still a logical interface even if it is the only one defined on the physical interface), then yes, you do need to configure the 6509 port as a trunk port. The PIX will not send or process STP BPDUs, so you can still use the portfast or BPDU guard feature on the 6509 port.

You do not configure opposite VLANs on the switch; what you do is create a mismatch on the native VLANs between the 6509 and the PIX. Do not use a VLAN that has a non-PIX active end-station; instead, create a dummy VLAN, do not place any ports in it, and tell the 6509 that that is the native VLAN on the PIX port. On the PIX, the VLAN assigned to the physical interface is considered the native VLAN.

For example, using the outside GE interface you would do this:

1. On the 6509, create the dummy VLAN, say VLAN 255.

2. On the 6509, modify the port that the outside GE interface plugs into to be a trunk port and set the native VLAN to 255.

3. On the PIX, the inside interface is already assigned to VLAN 201, so all you need is to make sure that the PIX default gateway is assigned properly (either the 6509 MSFC interface on VLAN 201, or whatever router address is on VLAN 201; note that the gateway does not reside on VLAN 255).

4. Do the same for the inside GE PIX interface. Maybe use VLAN 256 on the 6509, or some other dummy VLAN other than the outside GE interface's native VLAN (in this case, 255).

5. I assume that you have an MSFC or NFFC card in the 6509. If this is the case and VLANs 201 and 216 are new VLANs created for the PIX, then you will need to ensure that those VLANs can be reached via the MSFC. If you are pruning VLANs to the MSFC interface, then you need to examine the 6509 layer 2 config and add those to the VLANs allowed to connect to the MSFC interface.

Let me know if you need more help.

jrahl
Community Member

Could I assign native VLAN 201 to the inside interface and native VLAN 216 to the outside? Does it have to be a dummy VLAN for any reason in particular?

jrahl
Community Member

Sorry for the confusion if I caused any. What I mean is: could I assign native VLAN 201 to the port that the inside interface is plugged into?

The native VLAN defined on the switch needs to be a dummy VLAN, and the reason is that, for security reasons, the PIX will tag every packet with an IEEE 802.1Q VLAN header. The way switches operate, Cisco Cats in particular, is that they do NOT tag packets if they are destined for a station in the native VLAN. However, there was a security advisory in which Cisco addressed a vulnerability caused by "VLAN jumping", an issue usually seen when there are two switches involved; however, that vulnerability also existed when VLAN 1 (the default native VLAN) is used as well.

So I would create a dummy VLAN that is not VLAN 1, not VLAN 201, and not VLAN 216 for the inside, say VLAN 299. I would also create another dummy VLAN that is not VLAN 1, 201, 216, or 299 for the outside, as the same PIX cannot use the same native VLAN on both the inside and outside interfaces; maybe VLAN 298 would work.
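The two points the replies above make about the native VLAN, that a dot1q trunk sends native-VLAN frames untagged and that an untagged native VLAN shared with end stations is what "VLAN jumping" (double tagging) relies on, can be made concrete with a small frame-level model. This is an added example written for this thread, not code from the thread or from Cisco: it builds raw 802.1Q frames, applies the tagging rules a trunk port uses (native VLAN leaves untagged, untagged arrivals are classified into the native VLAN, only the outermost tag is stripped on ingress), and shows why a double-tagged frame reaches another VLAN only when the attacker's access VLAN is the trunk's native VLAN. VLAN numbers, MAC addresses and payloads are constructed for the example; the PIX-side "VLAN error" counter itself is not modelled.

```python
"""802.1Q tagging model for the native-VLAN discussion above.

Added example, not from the thread: builds raw Ethernet frames, applies the
rules a dot1q trunk port uses (frames on the native VLAN leave untagged,
untagged arrivals are assigned to the native VLAN, only the outermost tag is
stripped) and shows when a double-tagged frame hops from the native VLAN into
another VLAN. VLAN numbers, MACs and payloads are constructed for the example.
"""
import struct

TPID_8021Q = 0x8100


def build_frame(dst_mac, src_mac, ethertype, payload, vlans=()):
    """Build an Ethernet II frame; `vlans` lists 802.1Q VIDs, outermost first."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vlans:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP and DEI left at zero
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


class TrunkPort:
    """Minimal dot1q trunk: one native VLAN plus an allowed list."""

    def __init__(self, native_vlan, allowed):
        self.native = native_vlan
        self.allowed = set(allowed) | {native_vlan}

    def ingress(self, frame):
        """Classify an arriving frame into a VLAN.

        Returns (vlan, frame with the outer tag removed), or (None, None)
        when the frame is dropped because its VLAN is not allowed.
        """
        dst, src, vids, et, payload = parse_frame(frame)
        if not vids:
            return self.native, frame          # untagged -> native VLAN
        if vids[0] not in self.allowed:
            return None, None
        # Only the outermost tag is consumed; any inner tag stays in the frame
        return vids[0], build_frame(dst, src, et, payload, vids[1:])

    def egress(self, vlan, frame):
        """Send a frame out on `vlan`: native leaves untagged, others get a tag."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native:
            return frame                       # no tag added, whatever the frame carries
        dst, src, vids, et, payload = parse_frame(frame)
        return build_frame(dst, src, et, payload, [vlan] + vids)


def attempt_vlan_hop(attacker_vlan, trunk_native, target_vlan, allowed):
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [attacker_vlan, target_vlan] across a trunk. Returns the VLAN the far
    end of the trunk classifies the frame into, or None if it is dropped."""
    # Constructed sample frame: broadcast destination, IPv4 ethertype, dummy payload
    crafted = build_frame("ffffffffffff", "02aa00aa00aa", 0x0800,
                          b"\x45" + b"\x00" * 19, vlans=[attacker_vlan, target_vlan])
    # An access port accepts a frame tagged with its own VLAN and strips that tag
    dst, src, vids, et, payload = parse_frame(crafted)
    if vids and vids[0] != attacker_vlan:
        return None
    inside_switch = build_frame(dst, src, et, payload, vids[1:])  # inner tag survives
    trunk = TrunkPort(trunk_native, allowed)
    on_wire = trunk.egress(attacker_vlan, inside_switch)
    if on_wire is None:
        return None
    far_end = TrunkPort(trunk_native, allowed)   # same trunk config on the other side
    vlan, _ = far_end.ingress(on_wire)
    return vlan


if __name__ == "__main__":
    # Native VLAN shared with an end station: the inner tag reaches the far end
    print("native=1, attacker in 1 ->", attempt_vlan_hop(1, 1, 216, {201, 216}))          # 216
    # Dummy native VLAN with no ports: the attacker's VLAN is not native, no hop
    print("native=299, attacker in 1 ->", attempt_vlan_hop(1, 299, 216, {1, 201, 216}))  # 1
```

The second call is the configuration the replies recommend: the trunk's native VLAN (299) is a dummy with no ports in it, so no station can originate a frame that the trunk would send untagged, and a double-tagged frame from VLAN 1 leaves the trunk with its VLAN 1 tag still on the outside. Pruning the attacker's VLAN from the trunk's allowed list drops the frame outright, which the model also shows.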
