05-21-2007 04:18 AM - last edited on 03-25-2019 03:15 PM by ciscomoderator
Hi,
I have a PIX 515E and also a PIX520. Basically this might be a really stupid question but...
How do I give the switch VLAN 1 and a VLAN 2 without a router? I mean I want the management IP to be on vlan 1 and all other traffic for the DMZ to be on the second vlan?
How does one do this on the switch without a router?
Thanks
Ed
05-21-2007 09:56 AM
Ed
Lets assume vlan 1 is 192.168.1.0/24
vlan 2 is 192.168.2.0/24
Your switch vlan 1 interface is 192.168.1.2
First to create vlan 2 on the switch (assuming IOS)
switch(config)# vlan 2
switch(config-vlan)# name servers
Next make the switchport that the pix connects to a trunk
switch(config)# int fa0/24
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
NOTE: depending on your IOS you may or may not need all the above commands for the trunk setup.
On the pix lets assume you use the inside interface for vlan 1 and vlan 2 and that you will use the .1 address out of each subnet for the pix interfaces.
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical
** ethernet1 is the inside interface - I have only included this in the config **
nameif ethernet1 inside security100
nameif vlan2 servers security95
ip address inside 192.168.1.1 255.255.255.0
ip address servers 192.168.2.1 255.255.255.0
Your default gateway on the switch should be the address of vlan 1 on the pix ie. 192.168.1.1
Your default gateway on your servers/clients should be 192.168.2.1
HTH
Jon
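Added example, not from the thread and not Cisco's own tooling: a small Python checker that parses a constructed IOS switch config and a constructed PIX 6.3 config (both modelled on Jon's snippets above) and verifies the points his answer makes: every VLAN the PIX carries exists at layer 2 on the switch, the PIX-facing port is a trunk, the switch's management SVI sits in the PIX subnet for that VLAN and uses the PIX address as its default gateway, and, reported as a finding rather than an error, that management is on VLAN 1, which Jon advised against earlier in the thread. The function names, regexes and sample configs are my own assumptions.

```python
import ipaddress
import re

# Constructed sample configs modelled on the snippets in the thread
# (IOS switch on one end of the dot1q trunk, PIX 6.3 on the other).
SWITCH_CONFIG = """\
vlan 2
 name servers
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
"""

PIX_CONFIG = """\
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan2 logical
nameif ethernet1 inside security100
nameif vlan2 servers security95
ip address inside 192.168.1.1 255.255.255.0
ip address servers 192.168.2.1 255.255.255.0
"""


def parse_switch(text):
    """Collect layer-2 VLANs, trunk/access ports, SVIs and the default gateway."""
    sw = {"vlans": {1}, "trunks": set(), "access": {}, "svis": {}, "gateway": None}
    iface = None  # interface whose sub-commands we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):          # 'vlan N' creates it at layer 2
            sw["vlans"].add(int(m.group(1)))
            iface = None
        elif m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip default-gateway (\S+)$", line):
            sw["gateway"] = m.group(1)
        elif iface and line == "switchport mode trunk":
            sw["trunks"].add(iface)
        elif iface and (m := re.match(r"switchport access vlan (\d+)$", line)):
            sw["access"][iface] = int(m.group(1))
        elif iface and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            if v := re.match(r"vlan(\d+)$", iface, re.I):   # an SVI such as 'interface Vlan1'
                sw["svis"][int(v.group(1))] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return sw


def parse_pix(text):
    """Map each VLAN on the PIX to its nameif, security level and IP interface."""
    vlan_key, nameif, addr = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (ethernet\d+) vlan(\d+) (physical|logical)$", line):
            phys, vid, kind = m.groups()
            # the physical (native) VLAN is named via the ethernet port, logical ones via 'vlanN'
            vlan_key[int(vid)] = phys if kind == "physical" else f"vlan{vid}"
        elif m := re.match(r"nameif (\S+) (\S+) security(\d+)$", line):
            nameif[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            addr[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    pix = {}
    for vid, key in vlan_key.items():
        name, level = nameif.get(key, (None, None))
        pix[vid] = {"name": name, "security": level, "addr": addr.get(name)}
    return pix


def check_design(sw, pix):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    if not sw["trunks"]:
        findings.append("no trunk port on the switch: the PIX-facing port must carry tagged VLANs")
    for vid, info in pix.items():
        if vid not in sw["vlans"]:
            findings.append(f"vlan {vid} is on the PIX but not created at layer 2 on the switch")
        if info["addr"] is None:
            findings.append(f"vlan {vid} on the PIX has no nameif or ip address")
    for port, vid in sw["access"].items():
        if vid not in sw["vlans"]:
            findings.append(f"{port} is in vlan {vid}, which does not exist on the switch")
    for vid, svi in sw["svis"].items():
        if vid == 1:  # the advice given in the thread: keep management off VLAN 1
            findings.append("management SVI is on vlan 1; use a dedicated management vlan")
        gw = pix.get(vid, {}).get("addr")
        if gw is None or gw.network != svi.network:
            findings.append(f"switch vlan {vid} SVI {svi} is not in the PIX subnet for vlan {vid}")
        elif sw["gateway"] != str(gw.ip):
            findings.append(f"switch default gateway {sw['gateway']} should be the PIX address {gw.ip}")
    return findings


if __name__ == "__main__":
    for finding in check_design(parse_switch(SWITCH_CONFIG), parse_pix(PIX_CONFIG)):
        print("finding:", finding)
```

Run against the sample configs the only finding is the VLAN 1 management warning; delete the `vlan 2` block from the switch side and the checker also reports that the PIX's logical VLAN and the access port on fa0/5 refer to a VLAN the switch never created, which is the symptom Ed hit when the subinterface "wasn't showing".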
05-21-2007 04:35 AM
Hi Ed
You need one vlan interface on your switch which will be vlan 1 which should be used for management. Note that Cisco recommend not using vlan 1 for management - you should use a separate vlan for management.
It's unclear how you are connecting your pix firewalls to your switch.
Your switch can have multiple layer 2 vlans and the inter-vlan routing can be done via the pix firewalls. You can either have a trunk link from the switch to one of your pix firewalls and have logical dot1q interfaces on the pix firewall interface or you could dedicate one of your pix firewall interfaces for the management vlan and one for the user vlan.
Could you fill in a few of the details?
HTH
Jon
05-21-2007 04:41 AM
Hi,
Sorry, it's just one PIX firewall; I'm moving off of a PIX 520 to a PIX 515E in the next week. But I want to get the DMZ working first.
I didn't realise VLAN 1 shouldn't be used for management. Our infrastructure was installed by HP Cisco Engineers many years ago - and that's how the rest is set up... Is there a reason or is it a security thing?
I was thinking of doing the switching in the PIX, however how do I send the traffic to the switch, as when I create a subinterface it's shutdown and I can't get it up...?
Thanks
Ed
05-21-2007 04:49 AM
Ed
Yes it is a security thing with vlan 1. Attached is a link to a Cisco white paper which goes into some depth on vlan security.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
As for your connectivity problem: have you made the link from the switch to the pix interface a trunk link on the switch?
If possible could you post configs of the pix (minus any sensitive information) and the switch.
HTH
Jon
05-21-2007 05:58 AM
Hi,
Thanks for the fast reply the switch currently has:
interface VLAN1
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 10.10.10.25 (PIX interface)
no ip http server
The subinterface isn't showing in the config - not sure why, no errors when it's entered?
and the PIX has
ip address dmz 10.10.10.25 255.255.255.0
Obviously it has the relevant route and access lists - so I can get a ping from the device on the switch to my machine on the inside. However the device is on the vlan 1 range and I want them to be separate?
Thanks
Ed
05-21-2007 06:42 AM
Ed
When you say the subinterface isn't showing, where are you trying to configure the subinterface? It should be on the pix interface. The switch will only have one vlan interface and that will be for management.
Taken from one of our production pix firewalls
=============================================
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan191 physical
interface ethernet1 vlan171 logical
interface ethernet1 vlan190 logical
NOTE:- 2 logical interfaces on ethernet1 + the physical interface
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 state-fail security10
nameif vlan171 app-layer-inside security95
nameif vlan190 oracle-dev security90
ip address inside 10.231.197.81 255.255.255.240
ip address state-fail 10.231.197.17 255.255.255.252
ip address app-layer-inside 10.231.197.33 255.255.255.224
ip address oracle-dev 10.231.197.129 255.255.255.248
=============================================
And the switchport that the pix is connected to needs to be a trunk link.
HTH
Jon
05-21-2007 06:48 AM
Okay so I just configure 1 vlan on the switch and then trunk a port to the pix interface. Add a second route to that switch which will work for the server traffic? I just point the route to the ip address of the switch even if it's a different range?
But by default aren't all ports on vlan 1? How would I tell the switch that the machine on port 10, say, is actually 10.10.50.1 not 10.10.10.0 range?
IE not 10.10.10.0 traffic which is management.
Thanks for the help
Ed
05-21-2007 06:59 AM
Ed
1) You need to configure both vlans at layer 2 on the switch but you only configure one "interface vlan x" on the switch. This will be vlan 1
2) You don't need routes on the switch. Make the default gateway of the switch the vlan 1 address on the pix.
For any machines you put into vlan 2 set the default gateway to be the vlan 2 IP address on the pix firewall.
3) Vlan 2 which will be used for users will just have layer 2 ports on your switch.
4) To allocate a port into vlan 2 assuming your switch is IOS
switch(config)# int fa0/5
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 2
Hope this makes sense.
Jon
05-21-2007 07:03 AM
Hi,
Yep, I think my question is how do I create vlans at layer 2 on the switch? Also can PIXs have more than one ip address on a card?
Thanks
Ed
05-22-2007 03:24 AM
Hi,
Brilliant - this makes sense now. I didn't realise you could make virtual interfaces on the PIX 6.3 OS.
Now I have configured the switch but I'm not getting any connectivity from vlan 2. Plus if I change vlan 2 to the management vlan I'm not able to ping the PIX.
Switch Config:
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
.
.
.
interface VLAN1
ip address 10.10.10.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN2
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 10.10.10.1
PIX card is 10.10.10.1
and vlan2 on PIX card is 10.10.11.1
Thanks
Ed
05-22-2007 03:49 AM
Ignore my last - it works beautifully!!!
Thanks
Ed