VLAN Tags Through a PIX?

Aug 9th, 2007

Is it possible to pass VLAN tags through either a PIX 535 or a Cisco 6503?

Scenario:

I have several switches in line with each other, all layer 2, connected to one router.

Router ----> Switch ----> Switch

I'm running a handful of different VLANs from the router out to the final switch.

We have two firewalls ready to be installed, either a 6503 or a PIX 535. I need to put one or the other in between the two switches, without changing the layer two topology. In essence, I want to be able to insert the firewall without the network seeing anything different.

Is this possible?

Looking forward to any replies... I've got a boss that's waiting for an answer! =)



purohit_810 Thu, 08/09/2007 - 04:34

Hey..

How are you?

See, you can achieve this on the PIX 535 by using the bridge-group command.


Steps:

1. enable
2. configure terminal
3. interface [Ethernet | FastEthernet | GigabitEthernet] x/0
4. ip address ip-address mask
5. interface [Ethernet | FastEthernet | GigabitEthernet] x/0.vlan-id
6. encapsulation dot1q vlan-id
7. bridge-group number
8. end



And in the 6503:

You need an FWSM module; you can figure it out easily. For your scenario I recommend the FWSM.


http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=VLAN+CONFIGURATION+ON+FWSM&Search+All+cisco.com=cisco.com&language=en&country=US&accessLevel=Guest


Regards,

Dharmesh Purohit

shaferwr8570 Thu, 08/09/2007 - 05:09

So, setting up a virtual interface on the PIX or 6503 (whichever I decide to use) will put the firewall within the VLAN, and it will still be able to process each packet on the other VLANs with its firewall ruleset?

Dumb question: do I need to make a virtual interface for each VLAN that will be passing through it, and can I associate the firewall's management IP address with one of those VLANs?

I have a management VLAN that I'm passing from the router to the switches. Can I give the firewall an IP on my management VLAN and be able to communicate with it like I do with the rest of my switches?

Forgive me for the ignorant questions, as I have absolutely zero experience with the PIX or any of Cisco's firewalls.


Thank you in advance!


-Shafer

rigoberto.cintr... Thu, 08/09/2007 - 09:15

What about this?

Switch ---1Q--> PIX (transparent mode) ---1Q--> Switch
VL=2,3          VL=2,3                      VL=2,3

Basically, have VLAN 2 and 3 on both sides of the PIX.
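As an added example (not from any of the replies), this is what the transparent-mode layout in the diagram above looks like in PIX/ASA 7.x-style configuration, bridging one tagged VLAN (VLAN 2) between the two trunks and managing the firewall from that same VLAN; the interface names, VLAN ID, addresses and ACL names are assumed. Single-context transparent mode before ASA 8.4 bridges exactly one interface pair, so the second VLAN in the diagram (VLAN 3) would need its own security context with its own pair of subinterfaces.

```cisco
! Transparent (layer-2) mode must be set before interface configuration;
! changing the firewall mode clears the running configuration.
firewall transparent
hostname pix-bridge
!
! The parent interfaces carry the 802.1Q trunks and get no nameif of
! their own; the VLAN 2 subinterfaces are the bridged pair.
interface Ethernet0
 no shutdown
interface Ethernet0.2
 vlan 2
 nameif outside
 security-level 0
!
interface Ethernet1
 no shutdown
interface Ethernet1.2
 vlan 2
 nameif inside
 security-level 100
!
! Transparent mode has a single global address, used only to reach the
! firewall for management; it must sit inside the bridged subnet
! (VLAN 2 = 10.0.2.0/24 here, a constructed value).
ip address 10.0.2.5 255.255.255.0
!
! Layer-3/4 policy is still enforced on bridged frames. The assumed host
! 10.0.2.10 serves HTTPS; all other inbound traffic is dropped and logged.
access-list OUTSIDE_IN extended permit tcp any host 10.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Non-IP EtherTypes are dropped by default; pass spanning-tree BPDUs so the
! switches on both sides still converge on one loop-free topology.
access-list ETHER ethertype permit bpdu
access-group ETHER in interface outside
access-group ETHER in interface inside
!
! Allow SSH management only from the inside side of the management VLAN.
ssh 10.0.2.0 255.255.255.0 inside
```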
