PIX VLAN Question

mike-greene · ‎08-07-2003

Hi,

This new PIX VLAN stuff is really cool but I have one quick question. Lets say you have configured the inside interface with 2 VLAN's 20 and 21. Now, does the same hold true about a packet entering an interface cannot leave the same interface? I just want to get this straight that this does not turn the PIX into a router or MSFC if you will. Will it only forward packets entering the inside interface on these VLAN's, out another interface say the outside or the DMZ?

Thanks in advance.

gfullage · ‎08-07-2003

Nope, the old limitation doesn't hold true with VLAN interfaces. You'll be able to send a packet in VLAN 20 and out VLAN 21, even though physically these are the same interface. Logically within the PIX they're completely separate interfaces and treated as such.

mike-greene · ‎08-08-2003

Thanks for the responce..

I wish this did hold true but there are probably 100 reasons why it does not. OK, if thats the case can you apply in-bound and out-bound access lists to the VLAN interface? Can you apply an access list at all to the VLAN?

Thanks..

mike-greene · ‎08-08-2003

Or, if you cannot apply access lists to the logical interfaces, can you control the communication between the vlan's with the security level? I'm going to have to set this up in a lab and let everyone know.

gfullage · ‎08-10-2003

Yes definately, that's the whole point of the PIX thinking they're separate interfaces. Assign security levels just like you would for any dmz interface and assign nat/global or statics/ACL's accordingly to control access between them.

mike-greene · ‎08-11-2003

Thanks for the info!!