DMZ 3500XL Switch

May 21st, 2007

Hi,

I have a PIX 515E and also a PIX520. Basically this might be a really stupid question but...

How do I give the switch VLAN 1 and a VLAN 2 without a router? I mean I want the management IP to be on vlan 1 and then all other traffic for the DMZ will be on the second vlan?

How does one do this on the switch without a router ?

Thanks

Ed

Jon Marshall Mon, 05/21/2007 - 04:35

Hi Ed

You need one vlan interface on your switch which will be vlan 1 which should be used for management. Note that Cisco recommend not using vlan 1 for management - you should use a separate vlan for management.

It's unclear how you are connecting your pix firewalls to your switch.

Your switch can have multiple layer 2 vlans and the inter-vlan routing can be done via the pix firewalls. You can either have a trunk link from the switch to one of your pix firewalls and have logical dot1q interfaces on the pix firewall interface or you could dedicate one of your pix firewall interfaces for the management vlan and one for the user vlan.

Could you fill a few of the details

HTH

Jon

edw Mon, 05/21/2007 - 04:41

Hi,

Sorry its just one PIX firewall I'm moving off of a PIX 520 to PIX515E in the next week. But I want to get the DMZ working first.

I didn't realise VLAN 1 shouldn't be used for management. Our infrastructure was installed by HP Cisco Engineers many years ago - and that's how the rest is set up... Is there a reason or is it a security thing?

I was thinking of doing the switching in the PIX, however how do I send the traffic to the switch, as when I create a sub interface it's shutdown and I can't get it up?

Thanks

Ed

Jon Marshall Mon, 05/21/2007 - 04:49

Ed

Yes it is a security thing with vlan 1. Attached is a link to a Cisco white paper which goes into some depth on vlan security.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

As for your connectivity problem. Have you made the link from the switch to the pix interface a trunk link on the switch?

If possible could you post configs of the pix (minus any sensitive information ) and the switch.

HTH

Jon

edw Mon, 05/21/2007 - 05:58

Hi,

Thanks for the fast reply the switch currently has:

interface VLAN1

ip address 10.10.10.1 255.255.255.0

no ip directed-broadcast

no ip route-cache

!

ip default-gateway 10.10.10.25 (PIX interface)

no ip http server

the sub interface isn't showing in config - not sure why, no errors when it's entered?

and the PIX has

ip address dmz 10.10.10.25 255.255.255.0

obviously it has the relevant route and access lists - so I can get a ping from the device on the switch to my machine on the inside. However the device is on the vlan 1 range and I want them to be separate?

Thanks

Ed

Jon Marshall Mon, 05/21/2007 - 06:42

Ed

When you say the subinterface isn't showing, where are you trying to configure the subinterface? It should be on the pix interface. The switch will only have one vlan interface and that will be for management.

Taken from one of our production pix firewalls

=============================================

interface ethernet0 100full

interface ethernet1 100full

interface ethernet1 vlan191 physical

interface ethernet1 vlan171 logical

interface ethernet1 vlan190 logical

NOTE:- 2 logical interfaces on ethernet1 + the physical interface

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 state-fail security10

nameif vlan171 app-layer-inside security95

nameif vlan190 oracle-dev security90

ip address inside 10.231.197.81 255.255.255.240

ip address state-fail 10.231.197.17 255.255.255.252

ip address app-layer-inside 10.231.197.33 255.255.255.224

ip address oracle-dev 10.231.197.129 255.255.255.248

=============================================

And the switchport that the pix is connected to needs to be a trunk link.

HTH

Jon

edw Mon, 05/21/2007 - 06:48

Okay so I just configure 1 vlan on the switch and then trunk a port to the pix interface. Add a second route to that switch which will work for the server traffic? I just point the route to the ip address of the switch even if it's a different range?

But by default aren't all ports on vlan 1? How would I tell the switch that the machine on port 10, say, is actually 10.10.50.1 not 10.10.10.0 range?

IE not 10.10.10.0 traffic which is management.

Thanks for the help

Ed

Jon Marshall Mon, 05/21/2007 - 06:59

Ed

1) You need to configure both vlans at layer 2 on the switch but you only configure one "interface vlan x" on the switch. This will be vlan 1

2) You don't need routes on the switch. Make the default gateway of the switch the vlan 1 address on the pix.

For any machines you put into vlan 2 set the default gateway to be the vlan 2 IP address on the pix firewall.

3) Vlan 2 which will be used for users will just have layer 2 ports on your switch.

4) To allocate a port into vlan 2 assuming your switch is IOS

switch(config)# int fa0/5

switch(config-if)# switchport mode access

switch(config-if)# switchport access vlan 2

Hope this makes sense.

Jon

edw Mon, 05/21/2007 - 07:03

Hi,

Yep I think my question is how do I create vlans at layer 2 on the switch ? Also can PIXs have more than one ip address on a card ?

Thanks

Ed

Correct Answer
Jon Marshall Mon, 05/21/2007 - 09:56

Ed

Lets assume vlan 1 is 192.168.1.0/24

vlan 2 is 192.168.2.0/24

Your switch vlan 1 interface is 192.168.1.2

First to create vlan 2 on the switch (assuming IOS)

switch(config)# vlan 2

switch(config-vlan)# name servers

Next make the switchport that the pix connects to a trunk

switch(config)# int fa0/24

switch(config-if)# switchport trunk encapsulation dot1q

switch(config-if)# switchport mode trunk

NOTE: depending on your IOS you may or may not need all the above commands for the trunk setup.

On the pix lets assume you use the inside interface for vlan 1 and vlan 2 and that you will use the .1 address out of each subnet for the pix interfaces.

interface ethernet1 100full

interface ethernet1 vlan1 physical

interface ethernet1 vlan2 logical

** ethernet1 is the inside interface - I have only included this in the config **

nameif ethernet1 inside security100

nameif vlan2 servers security95

ip address inside 192.168.1.1 255.255.255.0

ip address servers 192.168.2.1 255.255.255.0

Your default gateway on the switch should be the address of vlan 1 on the pix ie. 192.168.1.1

Your default gateway on your servers/clients should be 192.168.2.1

HTH

Jon
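The reason Jon's two configs fit together is worth spelling out: the switch's dot1q trunk sends frames of its native VLAN (VLAN 1 unless changed) untagged and every other VLAN with an 802.1Q tag, and on the PIX 6.3 side the interface declared `vlan1 physical` takes the untagged frames while the `vlan2 logical` interface takes frames tagged 2. The same mechanism is why Jon and the Cisco white paper he links warn against keeping VLAN 1 (the default native VLAN) in service: a host on an access port in the native VLAN can put its own 802.1Q tag inside a frame, the switch strips nothing on the trunk because native traffic goes out untagged, and the far end reads the inner tag as a real VLAN membership. The Python model below is an added example, written for this edit and not part of the thread or any Cisco code. It builds and parses 802.1Q frames by hand and models the access-port and trunk behaviour as described in the classic double-tagging write-ups (an assumption about the switch, stated in the comments); the MAC addresses and payloads are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses; not taken from the thread.
PIX_MAC = bytes.fromhex("00000c000001")
HOST_MAC = bytes.fromhex("000000aabb02")


def build_frame(dst, src, payload, vids=(), ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame. Each VID in `vids` adds one 802.1Q tag,
    outermost first (PCP and DEI bits left at zero)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Peel every 802.1Q tag. Returns (dst, src, [vids outer->inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype != ETHERTYPE_8021Q:
            return dst, src, vids, etype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)


def trunk_ingress(frame, native_vid=1):
    """What a dot1q trunk receiver does with one frame. In the thread's setup the
    receiver is the PIX: an untagged frame belongs to the native VLAN and lands on
    the interface declared `vlan1 physical`; a frame tagged 2 lands on the logical
    interface `vlan2`. Returns (vlan_delivered_to, tags_still_inside_the_frame)."""
    _, _, vids, _, _ = parse_frame(frame)
    if not vids:
        return native_vid, []
    return vids[0], vids[1:]


def access_port_to_trunk(frame, access_vid, native_vid=1):
    """A host frame arriving on an access port and leaving on the trunk.
    Assumed switch behaviour (the classic double-tagging description): a tag equal
    to the port's access VLAN is accepted and stripped, any other tag is dropped.
    The frame then goes out the trunk untagged if access_vid is the native VLAN,
    otherwise tagged with access_vid. Anything the host nested inside is kept.
    Returns the frame as it leaves the trunk, or None if the switch dropped it."""
    dst, src, vids, etype, payload = parse_frame(frame)
    if vids and vids[0] != access_vid:
        return None
    inner = vids[1:] if vids else []
    egress = ([] if access_vid == native_vid else [access_vid]) + inner
    return build_frame(dst, src, payload, egress, etype)


def deliver(frame, access_vid, native_vid):
    """Host on an access port -> switch trunk -> PIX trunk ingress.
    Returns the VLAN the PIX assigns the frame to, or None if it was dropped."""
    out = access_port_to_trunk(frame, access_vid, native_vid)
    if out is None:
        return None
    return trunk_ingress(out, native_vid)[0]


if __name__ == "__main__":
    server = build_frame(PIX_MAC, HOST_MAC, b"normal traffic")
    print("vlan 2 server, native 1  ->", deliver(server, access_vid=2, native_vid=1))
    print("vlan 1 host,   native 1  ->", deliver(server, access_vid=1, native_vid=1))
    # Host in the native VLAN nests a second tag for VLAN 2 inside its frame.
    hop = build_frame(PIX_MAC, HOST_MAC, b"injected", vids=(1, 2))
    print("double-tagged, native 1  ->", deliver(hop, access_vid=1, native_vid=1))
    print("double-tagged, native 999->", deliver(hop, access_vid=1, native_vid=999))
```

With the default native VLAN the double-tagged frame from a VLAN 1 host is handed to the PIX's `vlan2` interface (one-way injection into the DMZ segment); with the native VLAN moved to an unused ID the same frame stays in VLAN 1 and the nested tag is just payload. In practice that means setting an unused native VLAN on the trunk (`switchport trunk native vlan <unused>`), limiting the trunk to the VLANs it carries (`switchport trunk allowed vlan ...`), disabling trunk negotiation where the platform supports `switchport nonegotiate`, and remembering that the switch's native VLAN and the VLAN the PIX declares `physical` are the same untagged VLAN, so the two must be changed together.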

edw Tue, 05/22/2007 - 03:24

Hi,

Brilliant - this makes sense now. I didn't realise you could make virtual interfaces on the PIX 6.3 OS.

Now I have configured the switch but I'm not getting any connectivity from vlan 2. Plus if I change vlan 2 the management vlan I'm not able to ping the PIX.

Switch Config:

interface FastEthernet0/24

switchport trunk encapsulation dot1q

switchport mode trunk

.

.

.

interface VLAN1

ip address 10.10.10.2 255.255.255.0

no ip directed-broadcast

no ip route-cache

!

interface VLAN2

no ip directed-broadcast

no ip route-cache

shutdown

!

ip default-gateway 10.10.10.1

PIX card is 10.10.10.1

and vlan2 on PIX card is 10.10.11.1

Thanks

Ed

edw Tue, 05/22/2007 - 03:49

Ignore my last - it works beautifully!!!

Thanks

Ed
