VLAN Tags Through a PIX?

Unanswered Question
Aug 9th, 2007

Is it possible to pass VLAN tags through either a PIX 535 or a Cisco 6503?


I have several switches in line with each other, all layer 2, connected to one router.

Router ----> Switch ----> Switch

I'm running a handful of different VLANs from the router out to the final switch.

We have two firewalls ready to be installed, either a 6503, or a PIX 535. I need to put one or the other in between the two switches, without changing the layer two topology. In essence, I want to be able to insert the firewall without the network seeing anything different.

Is this possible?

Looking forward to any replies... I got a boss that's waiting for an answer! =)

purohit_810 Thu, 08/09/2007 - 04:34


How are you?

See, you can achieve this on the PIX 535 by using the bridge group command.


1. enable

2. configure terminal

3. interface [Ethernet | FastEthernet | GigabitEthernet] x/0

4. ip address ip-address mask

5. interface [Ethernet | FastEthernet | GigabitEthernet] x/0.vlan-id

6. encapsulation dot1q vlan-id

7. bridge group number

8. end

And in the 6503:

You need an FWSM module: you can figure it out easily. I recommend the FWSM for your scenario.



Dharmesh Purohit

shaferwr8570 Thu, 08/09/2007 - 05:09

So, setting up a virtual interface on the PIX or 6503 (whichever I decide to use) will put the firewall within the VLAN, and it will still be able to process each packet on the other VLANs with its firewall ruleset?

Dumb Question: Do I need to make a virtual interface for each VLAN that will be passing through it, and can I associate the firewall's management IP address with one of those VLANs?

I have a management VLAN that I'm passing from the router to the switches. Can I give the firewall an IP on my management VLAN and be able to communicate with it like I do with the rest of my switches?

Forgive me for the ignorant questions, as I have absolutely zero experience with the PIX or any of Cisco's firewalls.

Thank you in advance!


rigoberto.cintr... Thu, 08/09/2007 - 09:15

What about this?


VL=2,3 VL=2,3 VL=2,3

Basically have VLAN 2 and 3 on both sides of the PIX.
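
One way to check the result this thread is after, that frames leave the firewall carrying the same 802.1Q tag they arrived with (an added example, not from any poster in the thread). The frames are constructed sample data, the function names are hypothetical, and the two captures are assumed to hold the same frames in the same order.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def parse_vlan(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype), or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3 bits priority, 1 bit DEI, 12 bits VLAN ID
    return tci & 0x0FFF, tci >> 13, inner

def tag_changes(outside, inside):
    """Compare the same frames captured on each side of the firewall.

    Returns (index, tag_outside, tag_inside) for every frame whose tag was
    stripped, added or rewritten in transit.
    """
    problems = []
    for i, (a, b) in enumerate(zip(outside, inside)):
        ta, tb = parse_vlan(a), parse_vlan(b)
        if ta != tb:
            problems.append((i, ta, tb))
    return problems

def build_frame(vlan_id=None, payload=b"\x00" * 46):
    """Build a constructed test frame (locally administered MACs, IPv4 ethertype)."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    if vlan_id is None:
        return dst + src + struct.pack("!H", 0x0800) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan_id, 0x0800) + payload

# Constructed captures: VLANs 2 and 3 on the outside trunk.
OUTSIDE = [build_frame(2), build_frame(3), build_frame(2)]
INSIDE_OK = list(OUTSIDE)                                             # tags preserved
INSIDE_BAD = [build_frame(2), build_frame(None), build_frame(1)]      # stripped / retagged

if __name__ == "__main__":
    print("preserved:", tag_changes(OUTSIDE, INSIDE_OK))
    print("altered:  ", tag_changes(OUTSIDE, INSIDE_BAD))
```
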

