Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
10
Helpful
2
Replies

using vlans in PIX

bklawson
Level 1
Level 1

‎12-20-2004 11:29 AM - edited ‎02-20-2020 11:49 PM

More specifically I have a DMZ segment that i would like to move our vendors connections (routers) over to- Currently the vendors (partners) routers are connected on my corp network- i just started here, not my config, but it is foolish - i absolutely agree!

I am coming from a Checkpoint NG environment- and we had no use for vlans on our switched network so this is somewhat new to me.

I have a PIX 515 w/ failover implementation in production at this time. My DMZ segment is connected via a 2950 using only 5 ports out of 24 available.

My thinking is to create 2 vlans on the 2950 switch- 12 ports for DMZ, 12 ports for vendors - to start with anyway.

I believe i understand how to create the logical int on the PIX, but if you want to expand on that please feel free. It appears straight forward...

My question is what has to be done to the 2950 switch config.

-Trunk the PIX physical int ports on the switch and then create the vlans on the switch ports and it will just take off? Or do i have to make any other config changes...

If so, does the PIX act as the layer 3 intervlan routing device? Just like to know why something works...

What would be the most un-disruptive way to go about implementing this config?

If this is painless i will probably try to segment even more of our network...My Checkpoint Nokia box had 12 NIC interfaces- segmenting was not a problem... as w/ PIX 515 only allowing 6.

Thanks for your help

0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎12-20-2004 02:40 PM

The interface between the PIX and the 2950 will be configured as a trunk port on the 2950. Trunk ports by default will carry all VLAN traffic. On the other switch ports on the 2950 just assign them to specific VLAN's for your vendors or dmz.

On the PIX, all you should need to do is something like the following:

interface ethernet2 vlan10 physical

interface ethernet2 vlan20 logical

...

nameif vlan10 dmz security50

nameif vlan20 vendors security30

...

ip address dmz x.x.x.x netmask .....

ip address vendors y.y.y.y netmask .....

So the dmz physical NIC (ethernet2) is now basically two interfaces, one called "dmz" which maps to the vlan10 ports you have configured on the 2950. The other is called "vendors" and it maps to all the vlan20 ports you have on the 2950. Traffic between vlan10 and vlan20 will be routed to the PIX and back out. For this reason make sure the appropriate PIX interface IP address is the default gateway on all the hosts.

This is a major change to the config and will cause outages, so you'll have to plan accordingly. Since you're doing failover you'll have to assign a failover IP address to any new interface you create, logical or physical. Keep in mind your "failover link" or "failover lan interface" cannot be a logical interface. I would suggest you organise an outage, turn off failover for the duration of the change, make all the necessary changes on the primary, ensure it's all working as expected, then put the failover unit back on line.

bklawson
Level 1
Level 1
In response to gfullage

‎12-21-2004 08:19 AM

"Since you're doing failover you'll have to assign a failover IP address to any new interface you create, logical or physical. Keep in mind your "failover link" or "failover lan interface" cannot be a logical interface"

Just so i am on the same page- we are using the cisco "cable" technique for failover. Not lan-based, is this what you are talking about in the above paragraph?

I still create failover ips for both physical and logical interfaces-- correct?

failover ip address dmz 192.168.10.X

failover ip address vendors 192.168.20.X

I have used all my 6 interfaces, unfortunately so i have to use the vlan technique.

thanks,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card