PIX and dot1Q trunking

Hello all, I have seen the responses of people here about troubleshooting problems, and that gave me a boost to share one of my thoughts with you.

I have to insert a PIX (with FO chassis) in between a dot1Q trunk between a 6509 and a 3550. I know the PIX supports dot1Q trunking, but I'm confused about the PIX and switch concerns (some sound stupid though ;) )

1. If I define a trunk between the inside interface and the switch, will the PIX understand the different VLANs' packets (I mean, will the PIX be intelligent enough to sort out the different packet tags)?

2. As far as I know, a PIX interface has to have an IP associated with it, so should I define the IP on the physical level and the VLAN trunk on the logical level?

3. When sending traffic out from the outside interface, can I do a TRUNK with the outside switch? How does my ACL filtering work inside the PIX? Can the ACL filter packets according to their different VLAN tags from different VLANs?

4. When outside traffic is coming inside, how will my PIX see it (as it's coming through the trunk)?

Basically, I need to clarify how the PIX sees the data packets inside the trunk and how it handles them.

Any prompt reply will be greatly appreciated.



The PIX can have a *limited* number of VLANs defined on it, so you have to be careful that you don't have too many VLANs running on it. You'll need to define an interface on the PIX for each VLAN, and traffic will need to come in on one VLAN and out on another. I'd try and avoid the config you are leading to, and make it simple. Go layer 3, don't use VLANs - stick with physical interfaces (one in, one out).

The PIX does have a layer 2 mode so you don't need new IP addresses, but I have never used it. I prefer to stick with layer 3 and give it IP addresses.

ACLs are attached to interfaces. Yes, you can filter by VLAN as a result.
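
As an added example (not from either poster), here is a PIX 6.3-style configuration for the setup the reply describes: one logical interface per VLAN on the trunked inside port, a name, security level and IP address per interface, and an ACL bound per interface so the VLAN a frame arrived on decides which ACL it hits. Interface names, VLAN IDs and addresses are assumed, as is the matching 3550 port; the VLAN limit mentioned above depends on the PIX model and license.

```cisco
! PIX side (PIX 6.3 syntax; names, VLAN IDs and addresses are assumed)
! Physical ports: ethernet0 faces the outside, ethernet1 is trunked to the 3550
interface ethernet0 100full
interface ethernet1 100full
! One logical interface per tagged VLAN carried on the inside trunk.
! Untagged (native) frames on ethernet1 stay on the physical "inside".
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
! Every interface, physical or logical, needs a name and a security level...
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 eng security90
nameif vlan20 sales security80
! ...and an IP address, because the PIX routes between VLANs at layer 3
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address eng 10.0.10.1 255.255.255.0
ip address sales 10.0.20.1 255.255.255.0
! PIX 6.x forwards from a higher- to a lower-security interface only when a
! nat rule covers the source; nat 0 here means "forward without translating"
nat (eng) 0 0.0.0.0 0.0.0.0
nat (sales) 0 0.0.0.0 0.0.0.0
! ACLs bind to an interface, so these rules apply only to frames that came
! in tagged VLAN 10 (eng) or VLAN 20 (sales) respectively
access-list eng_in permit tcp 10.0.10.0 255.255.255.0 any eq www
access-list eng_in permit udp 10.0.10.0 255.255.255.0 any eq domain
access-list eng_in deny ip any any
access-group eng_in in interface eng
access-list sales_in deny ip any 10.0.10.0 255.255.255.0
access-list sales_in permit ip 10.0.20.0 255.255.255.0 any
access-group sales_in in interface sales
! Default route toward the outside router
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! 3550 side: the port facing ethernet1 carries only the VLANs the PIX terminates
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
```

Pruning the allowed-VLAN list on the switch side keeps VLANs the PIX has no interface for from ever reaching it, which is the simplest way to stay under the VLAN limit the reply warns about.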

