Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
436
Views
0
Helpful
3
Replies

VLAN Tags Through a PIX?

shaferwr8570
Level 1
Level 1

‎08-09-2007 03:35 AM - edited ‎03-11-2019 03:55 AM

Is it possible to pass vlan tags through either a PIX 535 or a CISCO 6503?

Scenario:

I have several switches in line with each other, all layer 2, connected to one router.

Router ----> Switch ----> Switch

I'm running a handful of different vlans from the router out to the final switch.

We have two firewalls ready to be installed, either a 6503, or a PIX 535. I need to put one or the other in between the two switches, without changing the layer two topology. In essence, I want to be able to insert the firewall without the network seeing anything different.

Is this possible?

Looking forward to any replies... I got a boss that's waiting for an answer! =)

Labels:
0 Helpful
3 Replies 3

purohit_810
Level 5
Level 5

‎08-09-2007 04:34 AM

Hey..

How r u?

See, You can achieve this on PIX 535 by using bridge group command.

Steps:

1. enable

2. configure terminal

3. interface [Ethernet | FastEthernet | GigabitEthernet] x/0

4. ip address ip-address mask

5. interface [Ethernet | FastEthernet | GigabitEthernet] x/0.vlan-id

6. encapsulation dot1q vlan-id

7. bridge group number

8. end

And in 6503 :

You need FWSM module: You can figure it easily. I raccomand as of your scenario FWSM.

http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=VLAN+CONFIGURATION+ON+FWSM&Search+All+cisco.com=cisco.com&language=en&country=US&accessLevel=Guest

Regards,

Dharmesh Purohit

0 Helpful

shaferwr8570
Level 1
Level 1
In response to purohit_810

‎08-09-2007 05:09 AM

So, setting up a virtual interface on the PIX or 6503 (whichever I decide to use), will put the firewall within the VLAN, and will still be able to process each packet on the other VLAN's with its firewall ruleset?

Dumb Question: Do I need to make a virtual interface for each VLAN that will be passing through it, and can I associate the firewall's management IP address in one of those VLAN's?

I have a management VLAN that I'm passing from the router to the switches. Can I give the firewall an IP on my management VLAN and be able to communicate with it like I do with the rest of my switches?

Forgive me for the ignorant questions, as I have absolutely zero experiece with the PIX or any of CISCO's firewalls.

Thank you in advance!

-Shafer

0 Helpful

rigoberto.cintron
Level 1
Level 1
In response to shaferwr8570

‎08-09-2007 09:15 AM

What about this?

Switch---1Q-->PIX-TransparentMode---1Q-->Switch

VL=2,3 VL=2,3 VL=2,3

Basically have Vlan 2 and 3 in both sides of the PIX.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card