09-24-2007 09:56 AM - edited 03-05-2019 06:40 PM
OK, this is a lot of info attached. Not that I want a person to show me step by step what to do; I would just like some of the questions answered. This switch was configured before I came on board. I guess I want to make sure this is a good design and that I am knowledgeable about the logic. Thanks in advance.
09-27-2007 08:14 AM
Hi
Apologies for delay in replying, been a bit busy.
1) The PIX needs to know how to route back to your VLANs on the 4500. So using your drawing, the PIX is connected to the 4500 via a point-to-point link: PIX end 10.10.99.2, 4500 end 10.10.99.1. So on the PIX:
route (inside) 10.10.11.0 255.255.255.0 10.10.99.1
route (inside) 10.10.12.0 255.255.255.0 10.10.99.1
etc. for all VLANs on the 4500 switch.
2) nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
says to NAT any inside private address to the public IP address of the outside interface, so yes, if you want all inside clients to be able to access the Internet you need this.
3) 3560. You need one VLAN for all the devices you are connecting in, i.e.
ISP inside interface
PIX outside interface
vid units
Remember that this switch will not connect back to the 4500 switch, so you can use any VLAN you like. Do not use VLAN 1.
4) Because wireless is less secure I would recommend having a separate VLAN for these. So I would have at a minimum
i) server VLAN
ii) wireless AP VLAN
iii) client VLAN(s) - depends how many clients you have.
I would only use VLAN 99 for connecting the PIX to the 4500, so don't put any other devices on this VLAN.
5) You need to put ip helper-addresses on any VLAN with clients that use DHCP to get an address. So assuming you have a DHCP server on your server VLAN, you will need to add the ip helper-address under each client VLAN interface.
Don't worry about asking questions, that's what NetPro is for, and you'll find a lot of knowledgeable people on these forums.
Jon
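The full configuration for the design Jon describes in his five points (and in his later posts on the point-to-point link and on using the 3560 as the outside switch), as an added example that is not from the thread or from any of its participants. It assumes the addresses from the poster's drawing (10.10.99.0/30 for the PIX link, 10.10.11.0/24 guest, 10.10.12.0/24 users, 10.10.14.0/24 servers), adds an assumed 10.10.13.0/24 VLAN for the wireless APs that Jon recommends, and assumes a DHCP server at 10.10.14.10. The public /29 is written with the documentation range 203.0.113.0/29 because the thread masks it as 206.x.x.x, and the physical interface names are placeholders. The PIX 501 lines use PIX OS 6.x syntax.

```cisco
!===== Catalyst 4503: inter-VLAN routing, default route toward the PIX =====
ip routing
vtp mode transparent
!
vlan 11
 name GUEST
vlan 12
 name USERS
vlan 13
 name WIRELESS-AP
vlan 14
 name SERVERS
vlan 99
 name PIX-LINK
!
! The old Layer 3 SVI for VLAN 2 must go: with it in place the 4500 can route
! around the firewall. VLAN 1 keeps no address for the same reason.
no interface Vlan2
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description Point-to-point link to PIX inside (nothing else lives here)
 ip address 10.10.99.1 255.255.255.252
!
interface Vlan11
 description Guest clients
 ip address 10.10.11.1 255.255.255.0
 ip helper-address 10.10.14.10
!
interface Vlan12
 description Internal wired clients
 ip address 10.10.12.1 255.255.255.0
 ip helper-address 10.10.14.10
!
interface Vlan13
 description Wireless APs and wireless clients
 ip address 10.10.13.1 255.255.255.0
 ip helper-address 10.10.14.10
!
interface Vlan14
 description Servers (assumed DHCP server 10.10.14.10 sits here)
 ip address 10.10.14.1 255.255.255.0
!
! Anything the 4500 cannot route itself goes to the PIX inside interface
ip route 0.0.0.0 0.0.0.0 10.10.99.2
!
interface GigabitEthernet1/1
 description To PIX 501 inside (placeholder port)
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
!===== PIX 501 (PIX OS 6.x) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.3 255.255.255.248
ip address inside 10.10.99.2 255.255.255.252
! Default route: the ISP router (placeholder 203.0.113.1)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Return routes for every VLAN behind the 4500, via the 4500 end of the link
route inside 10.10.11.0 255.255.255.0 10.10.99.1 1
route inside 10.10.12.0 255.255.255.0 10.10.99.1 1
route inside 10.10.13.0 255.255.255.0 10.10.99.1 1
route inside 10.10.14.0 255.255.255.0 10.10.99.1 1
! One NAT rule covers every inside subnet: PAT to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!
!===== Catalyst 3560-8PC: Layer 2 only, on the outside of the PIX =====
vlan 200
 name OUTSIDE-ISP
! No SVI is needed for forwarding; this switch only bridges the public /29.
! Video conferencing units use the ISP router as their default gateway.
interface range FastEthernet0/1 - 3
 description ISP router / PIX outside / video conferencing units
 switchport mode access
 switchport access vlan 200
```

Checks worth running afterwards: on the 4500, "show ip interface brief" should list no address on Vlan1 or Vlan2 and "show ip route" should show only the connected VLAN subnets plus the static default via 10.10.99.2; on the PIX, "show route" should show the four inside routes via 10.10.99.1 and the default via the ISP router. A client in VLAN 12 should then be able to ping 10.10.99.2 and reach the Internet, while a "traceroute" from it shows 10.10.12.1 and then the PIX, never a 4500 address on the public side.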
09-24-2007 02:14 PM
Looks like a decent config to me. I'm not really sure what you're asking, as it's a bit vague. I mean, the config is a good general config, yet I'm not sure what the box should be doing either. If you want to give some more details, I may be able to help you out some more.
09-24-2007 04:58 PM
Yeah, I figured I wasn't too clear, but that was after posting it.
OK, first things first, I need a little education here.
1. What is VLAN 2? It has a public IP, but it's not a routing VLAN because ip routing isn't enabled. Am I right? I use it to log in remotely and allow access for public IP video conf units.
2. I know the basics of creating VLANs, but how do I get the VLANs to communicate with each other?
- Do I need an intervlan on the 4503, and does this require a public IP or can it use a private IP?
- Do I need to enable ip routing?
- Do I need to enter static routes in the route table? For some reason, now when I do a sh ip route it says default gateway 206.x.x.57 and ICMP redirect cache is empty. That's just great.
3. Now on to the PIX 501. That too is on the default VLAN 1, with IP 10.10.10.2 and a public IP of 206.x.x.59. The hosts use this as the default gateway, but when I implement more VLANs, I won't be able to use that IP for hosts on different VLANs. Would I use the VLAN IP as the default gateway? What is the solution for this? Can't I get it to work if I do my routing on the 4503?
4. And NAT. Should I keep doing this on the PIX or should I do this on the 4503? Not sure how I would do it; does the PIX only accept 2 inside NAT statements?
I hope this is a bit clearer and not a repeat; let me know what else you need. As you can probably tell, I am a rookie at this. But I do appreciate the help.
09-24-2007 11:50 PM
Your plans look OK. At the moment the switch is routing between VLAN1 & VLAN2, so your users are on VLAN1 and your ISP on VLAN2, beyond the PIX.
My comments - you don't say how many users - I would keep the number of users below 256.
If running a guest VLAN, consider making it a private VLAN - that way users can talk to the router, but not each other.
I would consider separate VLANs for wireless. Really nail those down with access lists. Your internal wired can be quite open.
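Paul's two suggestions, a private VLAN for guests and access lists on the wireless VLAN, written out as an added example that is not from the thread or from any of its participants. It assumes the Catalyst 4500 supervisor supports private VLANs, a guest VLAN 11 (10.10.11.0/24) with isolated secondary VLAN 111, a wireless VLAN 13 (10.10.13.0/24), a DHCP/DNS server at 10.10.14.10 on the server VLAN, and placeholder port numbers.

```cisco
!===== Guest VLAN as a private VLAN: clients reach the gateway, not each other =====
vtp mode transparent
!
vlan 11
 private-vlan primary
 private-vlan association 111
vlan 111
 private-vlan isolated
!
interface Vlan11
 description Guest (primary VLAN of the private VLAN pair)
 ip address 10.10.11.1 255.255.255.0
 ip helper-address 10.10.14.10
 ! Lets the SVI answer hosts sitting in the isolated secondary VLAN
 private-vlan mapping 111
!
interface range GigabitEthernet3/1 - 12
 description Guest ports (placeholder range), isolated from one another
 switchport mode private-vlan host
 switchport private-vlan host-association 11 111
 spanning-tree portfast
!
!===== Internet-only ACL for the less trusted VLANs =====
! Applied inbound on an SVI, so the source is implicitly that VLAN's subnet.
ip access-list extended INTERNET-ONLY
 remark DHCP: the initial DISCOVER is 0.0.0.0 -> 255.255.255.255, relayed by ip helper-address
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver only (assumed 10.10.14.10)
 permit udp any host 10.10.14.10 eq domain
 remark Nothing else may enter the private address space (servers, users, PIX link)
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark Everything remaining is Internet traffic and goes out via the PIX
 permit ip any any
!
interface Vlan13
 description Wireless APs and wireless clients
 ip address 10.10.13.1 255.255.255.0
 ip helper-address 10.10.14.10
 ip access-group INTERNET-ONLY in
!
interface Vlan11
 ip access-group INTERNET-ONLY in
```

Two things to verify: "show vlan private-vlan" should list 11 as primary with 111 isolated, and "show ip access-lists INTERNET-ONLY" should show hit counts growing on the DHCP and "permit ip any any" lines while a wireless client browses, with the deny lines catching any attempt to reach 10.10.14.0/24 other than DNS. If the APs themselves are managed from the server VLAN, that management traffic is initiated from the servers and is unaffected by an inbound ACL on Vlan13; only sessions the APs or wireless clients open toward the inside are blocked.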
09-25-2007 05:30 AM
This is what I am stumped on from a logical and command standpoint:
- What would I need to do to get the VLANs to talk with each other?
- What would I use as the default gateway, since the PIX 501 will be on a different VLAN?
- How would I NAT on the PIX 501 since there will be 3-4 internal networks now?
Thanks for the tips Paul.
09-25-2007 05:48 AM
The 4503 can handle the intervlan routing
int vlan 10
des internal wired
ip address 10.10.10.1 255.255.255.0
int vlan 20
des internal wireless
ip address 10.10.20.1 255.255.255.0
int vlan 30
des guest wired
ip address 10.10.30.1 255.255.255.0
int vlan 40
des guest wireless
ip address 10.10.40.1 255.255.255.0
would route between those VLANs
int vlan 99
des To ISP VIA PIX
ip add
ip route 0.0.0.0 0.0.0.0
All devices would use the 10.10.n.1 address as their default gateway, where n is the VLAN number. Please note I am using these addresses purely as illustration; you are free to do as you wish.
I am not familiar with the PIX config, but simply including all the subnets in the list of match addresses for NAT should do the trick.
09-25-2007 06:27 AM
I think I'm starting to get it. Hopefully this will be the last of the questions, for a while at least. Just to reiterate, so you won't have to look back, here is my setup:
206.x.x.57 - isp router
206.x.x.58 - my cat 4503 vlan 2
206.x.x.59 - my outside in pix 501
206.x.x.60 - free to use
206.x.x.61 - vid conf unit
206.x.x.62 - vid conf unit
10.10.10.0 - vlan 1, all host are part
10.10.10.1 - vlan 1 ip
10.10.10.2 - pix inside int
What would you suggest VLAN 99 look like? For VLAN 99, can I still allow access for the vid units? For the PIX, would the new inside int be 10.10.14.2 (my net and sys VLAN)? Also, do I need to add static routes in the route table? How will my internal VLANs know to use the PIX inside int to get out, since it will not be the hosts' default gateway anymore?
Hope I'm not asking too much. Thanks again Paul.
09-25-2007 06:14 AM
Hi
Paul has covered the vast majority of this but just to add.
On the original config it seemed a bit worrying that you have a VLAN 1 interface and a VLAN 2 interface at Layer 3. The clients' DG was set to the PIX, but as I understand it, if one of your users could change their DG to be the VLAN 1 interface on the 4500, they have effectively bypassed the firewall.
I agree with all Paul has said; I'm just not clear on the following info for the PIX.
int vlan 99
des To ISP VIA PIX
ip add
ip route 0.0.0.0 0.0.0.0
I think the inside interface of the PIX should be a private IP address, i.e.
4500
int vlan 99
ip address 172.16.5.1 255.255.255.252
no shut
Then allocate the port that connects to the pix inside interface into vlan 99 and allocate the pix inside IP address as 172.16.5.2 255.255.255.252.
Your default route on the 4500 would be
ip route 0.0.0.0 0.0.0.0 172.16.5.2
On the pix your default route would be the upstream ISP router. You need to add routes to the pix for the networks on the 4500.
The NAT could just be
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
assuming the pix has a public ip on the outside.
Jon
09-25-2007 08:31 AM
Good eye on the default gateway issue, I had no idea about that. Are you saying that I should use a private IP for VLAN 99? So if I draw this out, would it look something like this:
206.x.x.57-isp router
|
|
206.x.x.58-pix outside int
|
|
10.10.99.2-pix inside int(vlan 99)
|
|
10.10.99.1-vlan 99 ip
__________|_____________
| | |
guest vlan user vlan server vlan
10.10.11.1 10.10.12.1 10.10.14.1
- What should my ip route show? By default, will the VLANs know how to communicate with each other, or is this where the ip route 0.0.0.0 0.0.0.0 10.10.99.2 comes into play?
- Should my servers and networking devices, i.e. switches and APs, be on a different VLAN than 99, i.e. 14?
- Lastly, how could I keep my vid conf units with public IPs so they can bypass the firewall?
And again, thanks for all the help, and hopefully I will get it sooner or later.
09-25-2007 08:42 AM
Hi
Yes the way you have drawn it is the way i would configure it.
The VLANs on the 4500 will know how to communicate with each other. The "ip route 0.0.0.0 0.0.0.0 10.10.99.2" is to allow your internal clients to get to the Internet.
Yes, only use VLAN 99 for the link between the 4500 and the PIX.
If you only have one switch, i.e. the 4500, then you can use VLAN 2 if you want. In this VLAN would be
inside interface of isp router
outside interface of pix
vid units
The key thing here is to delete the Layer 3 SVI for VLAN 2 off the 4500, or you can route round your PIX. Note it doesn't have to be VLAN 2; it can be any unused VLAN. As long as it only exists at Layer 2 on your 4500 you will be okay.
In an ideal world you would not use your internal switch for this purpose, i.e. you would have a separate switch for the outside of the PIX etc.
Hope this answers your questions.
Jon
09-25-2007 09:28 AM
Jon makes an important comment there: ideally a second switch would be outside. If the switch is carrying "raw Internet", secure it as best you can, even if it does not have an "outside" IP address: access lists for telnet; if using SNMP, an access list on that too, and do not even consider using public or private as communities! Turn off any non-essential services (no ip http server etc.).
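Paul's hardening list for the outside switch, applied to the 3560-8PC as an added example that is not from the thread or from any of its participants. It assumes the switch is given one spare address from the public block for management (written as the documentation address 203.0.113.4/29, with the PIX outside interface at 203.0.113.3 and the ISP router at 203.0.113.1), that administrators always come from the inside and therefore arrive PAT'ed to the PIX outside address, and that the switch runs a crypto (k9) image so SSH is available. The secrets and the community string are placeholders to replace.

```cisco
hostname outside-sw
service password-encryption
enable secret Replace-With-A-Long-Enable-Secret
username admin privilege 15 secret Replace-With-A-Long-Admin-Secret
!
! Non-essential services off: no web UI, no echo/chargen/discard, no CDP toward the ISP
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no cdp run
!
! Only the PIX outside address may open a management session or poll SNMP.
! Inside admins are PAT'ed to that address; nothing else on the Internet matches.
ip access-list standard MGMT-HOSTS
 permit 203.0.113.3
 deny any log
!
! SNMP read-only, non-default community, bound to the same access list
snmp-server community Replace-This-Community RO MGMT-HOSTS
!
interface Vlan200
 description Management address on the outside VLAN (assumed spare 203.0.113.4)
 ip address 203.0.113.4 255.255.255.248
! Replies go to 203.0.113.3 on the same subnet, so no ip default-gateway is needed.
!
! SSH only on the vty lines, never telnet; the access-class stops other sources
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
line con 0
 exec-timeout 10 0
 login local
!
! Ports with nothing plugged in stay shut
interface range FastEthernet0/4 - 8
 shutdown
```

After applying this, "show ip ssh" should report SSH 2.0 enabled, a telnet attempt to 203.0.113.4 should be refused outright, an SSH attempt from any address other than the PIX outside interface should be logged by the access list's deny line ("show logging"), and "show ip sockets" should list nothing but SSH and SNMP.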
09-25-2007 10:13 AM
Now when you say delete the L3 SVI, is that the public IP address? So I would add my "link to internet" port on the 4503 as the ISP rtr int? And give my vid units public IPs; would I use the ISP router as the default gateway? Now I did just purchase a Cat 3560-8PC; could I use this as the outside switch? If so, how would this change things? I surely appreciate all the help.
09-25-2007 10:51 AM
Hi
Yes, you would be better off using the separate switch. You do not want to connect your ISP router into your 4500 or you are effectively bypassing the firewall. All traffic between the Internet and your internal network needs to go through the PIX.
So
1) Delete the VLAN 2 interface from the 4500.
2) Set up the 4500 as previously discussed. Make sure the default route points to the IP address of the inside interface of the PIX.
3) Use your 3560 to connect
pix outside interface
ISP router inside interface
vid units (this is assuming you do not want to protect the vid units with your firewall)
Each of these devices will have a public IP address.
4) On the PIX have a default route pointing to the ISP router.
Also add routes on the PIX for all your VLANs on the 4500, pointing to the other end of the p2p link between the PIX and the 4500.
One last thing: you should look to put your APs on a separate VLAN from your servers, just for segregation.
HTH
Jon
09-25-2007 12:43 PM
Thanks everyone for the help! I'm going to try to take this all in and start working this out. I'm afraid to say, I'm sure I will be posting more questions when I get into the mix of this. I'll end up screwing something up. Alright then. RT.
09-25-2007 07:24 PM
Hey Jon, well I've been studying my butt off, but I've managed to get stumped already.
- What do you mean by adding routes on my PIX to point to the VLANs on the 4500? Can you give me a couple of example commands?
- Also, will I still use the nat (inside) 1 0.0.0.0 0.0.0.0?
- On my 3560, are there certain VLANs I need to create on this, i.e. VLAN 99 and/or VLAN 2 with a public IP?
- Your last statement about separating APs and servers, what would you suggest? Would my APs and internal switches be on VLAN 99, or should I create a new one, then put servers on another VLAN?
- Where would ip helper addresses come into play with all this?
Wow, I'm getting myself into a bigger mess than I thought. I didn't intend to have you all walk me step by step. But thanks again and I owe you one somehow; hope I'm not spamming you too badly with emails either.