VLAN Trunking between PIX 515E and Catalyst 3560G-24TS

Oct 16th, 2007


I am a newbie in the world of VLANs. Our current setup doesn't use VLANs, but we are migrating to a VMware ESX environment that requires VLANs. We have a PIX 515E on our current network and we want to replace the unmanaged switch with a Catalyst 3560 for the VLAN component. Now, my questions are:

1. How do we configure the PIX 515E for the VLAN Trunk?

2. Do we configure the catalyst switch as the VTP server and the PIX as the VTP client?

3. What are the options that we can do so that there's minimal changes on the PIX?

I have also attached a diagram.

I just want to have a clear understanding of how to implement VLANs because these are all new to me. I have downloaded the reference guide for configuring the Catalyst for VLANs (I just don't understand some of the components, like DTP, IEEE 802.1Q, etc.).

Thank you in advance...

Jon Marshall Tue, 10/16/2007 - 19:50


1) You don't say which version of Pix software you are running so it's a little difficult to give you the commands for the vlan setup. Attached is a link to configuration guides for different pix versions.


2) Pix firewalls don't participate in VTP so you only need to set the VTP mode on the catalyst switch. Pix firewalls do not have a vlan database as such. When you use vlans on a pix firewall you are simply allowing one physical interface to have more than one logical interface. So you can have 3 logical interfaces each with an ip address out of a different subnet all on the same physical interface. It's like routing on a stick if you have ever come across that before.

3) Again it depends on your version of pix software so best to have a look at the pix configuration guides. Any issues please come back.

On the Catalyst you need to configure the port that connects to the pix as an 802.1q trunk with a mode of "on".
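The trunk-plus-subinterfaces design described in this reply, written out as an added configuration example (not Jon's or myce's own config). Port numbers, VLAN IDs and IP addresses are constructed; the PIX side assumes 7.x syntax (PIX 6.x uses `interface ethernet2 vlanN logical` and `nameif` instead). The trunk is pinned to `mode trunk` with DTP negotiation disabled and the allowed-VLAN list restricted, and an otherwise unused VLAN is set as native so that no production VLAN rides the trunk untagged.

```cisco
! --- Catalyst 3560G-24TS, IOS 12.2 (constructed example) ---
vlan 10
 name ESX-Servers
vlan 20
 name Management
vlan 999
 name Native-Unused
!
interface GigabitEthernet0/24
 description 802.1q trunk to PIX Ethernet2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 no shutdown

! --- PIX 515E, 7.x syntax assumed (constructed example) ---
! The physical interface carries no address or name of its own;
! untagged frames arriving on it are dropped, only tagged VLANs 10/20 are accepted.
interface Ethernet2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet2.10
 vlan 10
 nameif servers
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface Ethernet2.20
 vlan 20
 nameif mgmt
 security-level 60
 ip address 10.1.20.1 255.255.255.0
```

Verify the trunk with `show interfaces GigabitEthernet0/24 trunk` on the 3560 (it should report encapsulation 802.1q, status trunking, and only VLANs 10 and 20 active) and `show interface` on the PIX; any VLAN that is allowed on the trunk but has no matching PIX subinterface is simply dropped by the firewall.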



myce Wed, 10/17/2007 - 17:37


Thank you for your response, Jon!


C3560G-24TS: IOS12.2


for the PIX, I'll configure sub-interfaces on one physical interface (i.e. eth2) then connect this on the trunk of the catalyst switch?

then for the catalyst switch, configure the vlan ids and the trunk port with 802.1q?

your assistance is much appreciated...

myce Wed, 10/17/2007 - 22:21


Follow up question (different one)...

Our Network Infrastructure consists of 2 ESX v3 Servers with virtual switches and NIC-teaming then a catalyst with VLANs...

Is this the best configuration for an ESX environment? Will the "router on a stick" be a source of bottleneck?

thanks again...

Jon Marshall Wed, 10/17/2007 - 22:39


In answer to previous thread, yes you have it right, subinterfaces on the pix and 802.1q trunk on the Catalyst.

In terms of a bottleneck, yes it can be because you are now splitting up the physical interface into multiple logical interfaces so no one logical interface will get the full bandwidth of the physical.

This may or may not be a problem depending on how much traffic your servers generate. If it does become an issue a layer 3 switch is the way to go.



myce Thu, 10/18/2007 - 22:37


Follow up question...

1. C3560 is capable of Layer3 switching, right?

2. How much configuration change do we get for the PIX? (if we made our catalyst as L3)

3. If we configure our C3560 as a layer 3 switch, then the following steps are needed for the PIX...

a. We don't need to configure sub-interfaces on an interface

b. Retain all interface configs (based from our diagram)

c. make static routes on the PIX as needed

As you can see, all of my questions are geared toward the PIX area... it is because in our environment, we have limited control on the PIX... not like on the catalyst switch where we have full control and we can do anything we like on it...

your generous thoughts are really appreciated!

(Thank you to Jon!)

Jon Marshall Thu, 10/18/2007 - 22:42


1) Yes it is. With base image it will do static routing + EIGRP stub, with ipservices image it will support full EIGRP/OSPF etc. Either way it would support inter-vlan routing.

2) Not sure what you mean. If you route between the vlans on your 3560 the config change on pix would be minimal.

3) a) Yes you are correct.

b) Yes. What you would probably want to do is create a dedicated vlan for the pix to 3560 connection which is not used for any other connections or make the 3560 port connecting to the pix a routed port.

c) Yes you would need static routes for the vlans on the 3560.

Using a layer 3 switch would make more sense. If you do not have access to the pix then you can just leave as is.

Any other questions please come back.
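The layer 3 alternative from this exchange (routing between the VLANs on the 3560, a dedicated routed port towards the PIX, and static routes on the PIX) as an added configuration example, not the thread participants' own config. VLAN IDs, port numbers and addresses are constructed; the ESX hosts are assumed to connect on trunk ports because their virtual switches carry several VLANs. Note the security consequence of this design: traffic between VLAN 10 and VLAN 20 is now routed by the switch and never passes through the PIX, so any policy between the server VLANs has to be enforced with ACLs on the SVIs rather than by the firewall.

```cisco
! --- Catalyst 3560 as layer 3 switch, IOS 12.2 (constructed example) ---
ip routing
!
vlan 10
 name ESX-Servers
vlan 20
 name Management
!
interface Vlan10
 description Gateway for ESX-Servers
 ip address 10.1.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description Gateway for Management
 ip address 10.1.20.1 255.255.255.0
 no shutdown
!
! Routed port to the PIX inside interface (Jon's option 3b); no VLAN involved.
interface GigabitEthernet0/24
 description Routed link to PIX inside
 no switchport
 ip address 10.1.0.2 255.255.255.252
 no shutdown
!
! Default route points at the PIX inside address.
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! ESX host uplinks: trunks limited to the VLANs the vSwitches actually use, DTP off.
interface range GigabitEthernet0/1 - 2
 description ESX host vmnic (NIC team)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 no shutdown

! --- PIX 515E (constructed example) ---
! Existing inside interface config stays as it is (Jon's point 3a/3b);
! the only change is static routes for the VLAN subnets via the 3560.
! Syntax: route <if_name> <network> <mask> <gateway> [metric]
route inside 10.1.10.0 255.255.255.0 10.1.0.2 1
route inside 10.1.20.0 255.255.255.0 10.1.0.2 1
```

Check the result with `show ip route` on the 3560 (both SVIs connected, default via 10.1.0.1) and `show route` on the PIX (the two VLAN subnets via 10.1.0.2). Because the PIX now only sees traffic leaving or entering the server VLANs, not traffic between them, review whether the 3560 needs `ip access-group` ACLs on `interface Vlan10` and `interface Vlan20` to preserve any separation the firewall used to provide.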


