08-07-2003 07:21 PM - edited 02-20-2020 10:55 PM
Hi,
This new PIX VLAN stuff is really cool, but I have one quick question. Let's say you have configured the inside interface with 2 VLANs, 20 and 21. Now, does the same rule hold true, that a packet entering an interface cannot leave the same interface? I just want to get this straight that this does not turn the PIX into a router or MSFC, if you will. Will it only forward packets entering the inside interface on these VLANs out another interface, say the outside or the DMZ?
Thanks in advance.
08-07-2003 08:51 PM
Nope, the old limitation doesn't hold true with VLAN interfaces. You'll be able to send a packet in VLAN 20 and out VLAN 21, even though physically these are the same interface. Logically within the PIX they're completely separate interfaces and treated as such.
08-08-2003 03:33 AM
Thanks for the response.
I wish this did hold true, but there are probably 100 reasons why it does not. OK, if that's the case, can you apply inbound and outbound access lists to the VLAN interface? Can you apply an access list at all to the VLAN?
Thanks..
08-08-2003 01:18 PM
Or, if you cannot apply access lists to the logical interfaces, can you control the communication between the VLANs with the security level? I'm going to have to set this up in a lab and let everyone know.
08-10-2003 06:49 PM
Yes, definitely; that's the whole point of the PIX thinking they're separate interfaces. Assign security levels just like you would for any DMZ interface and assign nat/global or statics/ACLs accordingly to control access between them.
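The answer above, spelled out as a PIX 6.3 configuration sketch. This is an added example, not a config posted by anyone in the thread: the interface name ethernet1, the names inside and dmz2, the 10.0.20.0/24 and 10.0.21.0/24 addressing and the host 10.0.20.10 are all assumptions made up for illustration; only VLANs 20 and 21 come from the question. Two caveats a practitioner would want: PIX 6.x passes nothing between two interfaces at the same security level, so the two VLAN interfaces need different levels if they are to talk, and PIX 6.x has only inbound access-groups, so "outbound from VLAN 20" is written as an ACL applied in on the VLAN 20 interface.

```text
! Added example (not from the thread). PIX 6.3 syntax; lines starting with "!" are comments.
! Assumed: ethernet1 is the inside port, trunked 802.1Q from the switch, carrying
! VLAN 20 as the physical (untagged) interface and VLAN 21 as a tagged logical interface.
interface ethernet1 100full
interface ethernet1 vlan20 physical
interface ethernet1 vlan21 logical

! The two VLANs become two separate named interfaces with their own security levels.
! They must differ: PIX 6.x will not forward between interfaces at equal security levels.
nameif ethernet1 inside security100
nameif vlan21 dmz2 security50

! Assumed addressing.
ip address inside 10.0.20.1 255.255.255.0
ip address dmz2 10.0.21.1 255.255.255.0

! VLAN 20 (level 100) -> VLAN 21 (level 50) is allowed by security level, but the PIX
! still needs a translation. An identity static keeps the real inside addresses
! visible from dmz2 and also serves the reverse direction below.
static (inside,dmz2) 10.0.20.0 10.0.20.0 netmask 255.255.255.0

! VLAN 21 (level 50) -> VLAN 20 (level 100) is low-to-high, so it needs the static
! above plus an ACL applied inbound on dmz2 that permits exactly what is wanted
! (here: web traffic from 10.0.21.0/24 to the assumed host 10.0.20.10, nothing else).
! Note PIX 6.x ACLs use normal subnet masks, not wildcard masks.
access-list dmz2_in permit tcp 10.0.21.0 255.255.255.0 host 10.0.20.10 eq www
access-list dmz2_in deny ip any any
access-group dmz2_in in interface dmz2

! There is no outbound access-group in PIX 6.x. To restrict what VLAN 20 may send
! (to dmz2 or anywhere else), apply an ACL inbound on the inside interface.
access-list inside_in permit ip 10.0.20.0 255.255.255.0 any
access-group inside_in in interface inside

! Both VLANs reaching the outside interface the usual way (PAT on the outside address).
nat (inside) 1 10.0.20.0 255.255.255.0
nat (dmz2) 1 10.0.21.0 255.255.255.0
global (outside) 1 interface
```

With this in place a host in VLAN 20 can open connections to VLAN 21, a host in VLAN 21 can reach only TCP/80 on 10.0.20.10, and both VLANs get out through the outside interface; removing the static (inside,dmz2) line would stop VLAN 20 from reaching VLAN 21 at all, which is the quickest way to confirm in a lab that the PIX really is treating the two VLANs as distinct interfaces rather than bridging them.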
08-11-2003 05:05 AM
Thanks for the info!!