Network Design with 4500 and PIX

paulsa3598
Level 1
Level 1

I have been wrestling with the best design for my network. I would like to take advantage of the MLS features of a 4506 but want to pass the traffic through my PIX. I would like to minimize the vlans needed off the PIX and have the routing take place at the switch to pass through the firewall and then back down to the various vlans.

I have 7 vlans all on one physical switch. I would like to use the switch to route but I need the traffic to go to the firewall. In other words when 2 vlans on the same switch need to talk to each other I want to control access through the FW.

Does anyone have any suggestions?


gpulos
Level 8
Level 8

One solution here would be to put the firewall inside interface in its own VLAN.

Then put a firewall dmz interface into each of the seven data vlans. (requires a firewall with at least 7 dmz interfaces)

Have the 4500 default route for each vlan be the firewall dmz interface for that respective vlan.

NOTE: this may not be the optimal solution for interVLAN access control but will provide what you are requesting.

Perhaps you should look at VACLs on the 4500 switch and ACLs on the 4500 L3 for access control between vlans.

I believe it would be easier to manage, easier to troubleshoot and less impact on packet forwarding. (as there is no deep packet inspection)

amit-singh
Level 8
Level 8

Hi Friend,

In an ideal situation I would suggest to upgrade your pix to the latest 7.x ver IOS and use a trunk link to 4506. Create dot1q vlan interfaces on the pix and have the control over the traffic passing through the PIX. This is the only optimal design that I can suggest and think for you.

Please look at the link below for the same:

HTH, Please rate if it does.

-amit singh
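The trunk-to-PIX design described in the reply above, written out as an added configuration example (not from the poster or from Cisco documentation). The 4506 keeps the data VLANs at layer 2 only, so every inter-VLAN packet has to cross the trunk into the PIX, where per-VLAN ACLs decide what passes. Port names, VLAN IDs 10 and 20, interface names and the 10.1.x.0/24 addressing are all assumed placeholders.

```text
! --- 4506 side (assumed port Gi1/1 facing the PIX) ---
! No SVI (interface Vlan10 / Vlan20) is created for these VLANs on the
! switch, so the PIX subinterface is the only gateway hosts can reach.
interface GigabitEthernet1/1
 description Trunk to PIX inside
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! --- PIX 7.x side (assumed physical interface Ethernet1) ---
! The physical port carries no IP; each VLAN gets a dot1q subinterface.
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface Ethernet1.20
 vlan 20
 nameif servers
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
! Two interfaces at the same security level do not pass traffic to each
! other until this is enabled; the ACL below then controls what passes.
same-security-traffic permit inter-interface
!
! Only HTTP/HTTPS from the user VLAN to the server VLAN is allowed; any
! other traffic toward the server VLAN is denied and logged.
access-list users_in extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 80
access-list users_in extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 443
access-list users_in extended deny ip any 10.1.20.0 255.255.255.0 log
access-group users_in in interface users
```

Hosts in VLAN 10 use 10.1.10.1 (the PIX subinterface) as their default gateway, and the same pattern is repeated for each of the remaining VLANs.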
