02-27-2006 01:53 PM - edited 03-03-2019 02:02 AM
Here's our setup:
1 Cisco 4500 switch connected to a 3-interface Pix 515E firewall, which then connects to a Cisco 3600 router going to ISP.
On one of the interfaces of the Pix is our DMZ network.
4500 --- 515E --- 3600 --- ISP
We're going to implement VoIP so I will set up some VLANs on 4500.
I know how to do inter-VLAN routing on the 4500 alone, but now my issue is how do I configure the link between the Pix and the 4500 switch so that the hosts on the 4500 can get to the DMZ network and Internet?? And can I implement VLAN routing on both the 4500 and Pix??
I wanna bypass the Pix for VLAN routing unless necessary to speed things up.
Should I set up a port as a routed port on the 4500, and then define a default route to the Pix?
Or will I have to rely on the Pix (router on a stick using the Pix)?
Cisco's website indicates Pix version 6.3 and higher support VLAN, but it doesn't really give you much detail and I'm not sure how to approach the task at hand.
If anyone has any idea or suggestion, please let me know.
Thanks!
02-27-2006 02:30 PM
Hi,
I assume you have a single connection from the 4500 to the pix. Your suggestion to define a routed port on the 4500 with a default pointing to the pix is fine. Another option is to define the port the pix connects to as an access port, assign it to a new VLAN, and then have the default again towards the pix.
For your internal networks, do the intervlan routing on the 4500.
Don't forget the pix needs routes back to your internal vlans via the 4500 routed port or SVI.
Rgds
E.
02-27-2006 05:29 PM
Hello,
Here is a sample config for trunking between a PIX and a 3550.
PIX
interface ethernet1 100full
interface ethernet1 vlan951 physical
interface ethernet1 vlan950 logical
interface ethernet1 vlan952 logical
nameif ethernet1 inside security100
nameif vlan950 inside2 security90
nameif vlan952 inside3 security95
ip address inside 192.168.1.1 255.255.255.0
ip address inside2 192.168.11.1 255.255.255.0
no ip address inside3
=======================================
CAT3550
interface FastEthernet0/1
description PIX-1 Inside
switchport access vlan 951
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 950-952
switchport mode trunk
switchport nonegotiate
end
Some things to note when doing trunking for the DMZ
1) From less secure to more secure - (DMZ -> Inside) you will need an ACL/Static to allow traffic back
2) The FE interface is shared between all VLANs aggregated into the trunk
3) You will need routes for the Inside address spaces the DMZ interfaces will need to connect with (either Static, RIP, or OSPF can be used)
4) There are several fixup protocols that support VOIP protocols (e.g. SIP, SKINNY, H323 & H325, etc.)
5) Always keep in mind your security policy
Hope this helps.
Regards,
James
02-28-2006 06:05 AM
Thank you guys for the replies.
If I choose to trunk between Pix and switch, do I need to specify the Pix port as a trunk port?? (is there a command like "switchport mode trunk" for Pix??) Or will Pix automatically pick up what type of port the other end is??
Also, James' config has "switchport access vlan 951" as part of interface fa0/1.
Should I issue that command, even though I'm specifying it to be a trunk port instead of an access port??
02-28-2006 01:43 PM
Hi again,
The config given by James is to do trunking on the pix. See link:
However, if I understand your requirement correctly, you don't need multiple VLANs on the PIX i/f. It may still be a good idea to configure a trunk anyway with a single VLAN to start with, so that if you need more VLANs to the f/w in the future you don't have any downtime; you just configure another VLAN.
Rgds
E.
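As an added example that is not from anyone in this thread, here is how E.'s suggestion (a routed port on the 4500 with a default route to the pix, plus routes on the pix back to the internal VLANs) and James's DMZ notes fit together. All interface names, VLAN numbers and addresses are constructed for illustration.

```cisco
! --- Catalyst 4500 (IOS): constructed VLANs and addresses, not from the thread ---
ip routing
!
vlan 10
 name DATA
vlan 20
 name VOICE
!
! Inter-VLAN routing stays on the 4500, so data/voice traffic
! between internal VLANs never has to cross the PIX.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Routed (Layer 3) port facing the PIX inside interface
interface GigabitEthernet1/1
 description Uplink to PIX inside
 no switchport
 ip address 192.168.1.2 255.255.255.0
!
! Everything not local (DMZ, Internet) goes to the PIX
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
: --- PIX 515E (6.3): lines starting with ':' are comments in a PIX config ---
: The PIX only knows 192.168.1.0/24 directly; it needs a route back to
: each internal VLAN via the 4500 routed port, otherwise return traffic
: from the DMZ and the Internet is dropped.
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
route inside 10.10.10.0 255.255.255.0 192.168.1.2 1
route inside 10.10.20.0 255.255.255.0 192.168.1.2 1
: Default route toward the 3600 (next-hop address is a placeholder)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: DMZ (lower security) -> inside (higher) needs a static plus an ACL.
: The identity static exposes the data VLAN to the DMZ without translation;
: the ACL then permits only the DMZ web server to reach the inside DNS host.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-list dmz_in permit udp host 172.16.1.10 host 10.10.10.53 eq 53
access-group dmz_in in interface dmz
: VoIP fixups (on by default in 6.3) inspect call signalling that crosses the PIX
fixup protocol sip 5060
fixup protocol skinny 2000
```

If you later take E.'s advice and trunk the PIX link instead, the "physical" VLAN on the PIX interface carries untagged frames, so it must match the native VLAN of the switch trunk rather than an access VLAN setting.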