10-13-2008 10:37 AM - edited 03-11-2019 06:56 AM
Hello,
I'm trying to setup an Internal and a Guest wireless SSID. Have our internal DHCP server handle "Internal" and use the PIX dhcpd pool to handle the Guest.
I think I have an idea of how to set this up, but I've hit a snag.
I was reading that IOS 6.3 would not support such a setup, so I've successfully updated to 7.2 (yay?). I see the possibility to use subinterfaces now (interface ethernet 0.1) and assign vlans (vlan 100). But I'm not seeing where to define the said VLANs?
I know this is possible with an ASA (another client has an ASA). I was hoping I'd be able to do the same on the 515e once I got 7.2 on there. Is this not possible?
Some pseudo code:
vlan 100
nameif outside
ip address 20.1.1.1
vlan 1
nameif inside
ip address 192.168.1.1
vlan 2
nameif guest
ip address 172.16.1.1
ethernet 0.1
vlan 100
ethernet 1.1
vlan 1
vlan 2
Does my question make sense?
10-13-2008 10:37 AM
Oh Bah.
The only Cisco switch I have on the network is a 2960, so I can define VLANs there, but cannot give them an IP range.
Maybe I don't need to:
I have a Cisco AP and want to have two SSIDs, "Internal" and "Guest". "Internal" has full network and http access, "Guest" only has http access.
I was under the assumption 7.0+ was needed for this. Is it possible with 7.2 on a PIX 515e connected to a 2960 switch and a Cisco 1180ag AP?
Was thinking I would allow "Internal" SSID full access to network and DHCP server, and use "dhcpd relay" for the "Guest" VLAN and have the PIX give out DHCP to them and run them through an ACL.
Make sense?
10-13-2008 10:04 PM
Scott
You don't need to have an L3 switch, only an L2 one, so the 2960 will be fine. You define the L2 VLANs on the switch but you "route" them on the PIX, so it will work fine.
The IP range is allocated on the pix interfaces.
Jon
10-14-2008 01:12 AM
Hi Scott,
Define the ip ranges for both VLANs as subinterfaces on your PIX (the PIX is the gateway for your 2 VLANs).
interface Ethernet1.1
vlan 1
nameif Internal
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Ethernet1.2
vlan 2
nameif Guests
security-level 100
ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
After that, create an access-list with the rules you want and apply it on the outbound direction on interface Ethernet 1.
Hope this helps :)
10-14-2008 03:12 PM
Ok, this is what I have:
interface Ethernet1.1
vlan 1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
interface Ethernet1.2
vlan 2
nameif guest
security-level 100
ip address 10.3.3.1 255.255.255.0
telnet 0.0.0.0 0.0.0.0 inside
It seems logical, but I can't seem to "telnet 192.168.1.253"
Am I missing something here?
Also, how should the config for Ethernet1 look?
interface Ethernet1
no ip address
no vlan
no nameif
? Does this config turn it into a trunk port for the VLAN tags?
Thanks for all the input so far!
10-14-2008 04:42 PM
Progress!
So I currently have a mock-setup at home that I've been playing with. I want to get it working at home before I implement live.
My PC is directly connected to the PIX with static IP in the same network as "inside". I wasn't for the life of me able to ping or telnet to "inside". I was thinking since we assigned VLANs, that my PC must not be carrying a VLAN tag.
So I was digging around in my NIC card properties and enabled VLAN tagging, tried pinging, and bingo! Telnet worked also!
So the thing I'm missing at home is the 2960.
Now my question is this:
At the client, there is only one Cisco 2960 switch, then there are 3 or 4 Cisco Linksys series, and a couple D-Link switches. I'm not sure how these other switches handle VLANs.
If, on the PIX, VLAN 1 is on interface Ethernet1.1 as 192.168.1.x, does that mean that all traffic passing through the 2960 with 192.168.1.x traffic will be tagged with VLAN 1?
In other words, how will all that other switch vendor traffic get tagged with VLAN 1?
10-15-2008 05:17 AM
Are the D-Link switches manageable? I mean, do they allow you to telnet to them and do some configuration?
I have worked on D-Link switches once that were manageable, and had no issues with VLANs and trunking since they supported the IEEE 802.1Q standard and were compatible with the Cisco ones accordingly.
Regards,
10-15-2008 05:05 AM
In order to telnet to your PIX, you have to allow the hosts that you want to log in from by using the command below on your PIX:
PIX(config)# telnet A.B.C.D X.X.X.X interface
where A.B.C.D is the IP address you are going to connect from.
X.X.X.X is the subnetmask (usually 255.255.255.255)
interface is the interface on the PIX you are expected to connect from (usually inside)
As for Ethernet 1, I recommend to make it this way:
speed 100
duplex full
nameif inside
security-level 100
no ip address
"Does this config turn it into a trunk port for the VLAN tags?"
The answer is yes.
Cheers mate :)
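Putting the pieces of this thread together, here is an added example that is not part of any post above: a PIX 515E (7.2) trunked to the 2960, with the inside VLAN using the existing DHCP server and the guest VLAN served by the PIX's own dhcpd pool and restricted by an ACL. The 192.168.1.0/24 and 10.3.3.0/24 ranges come from the thread; the guest DNS server 192.0.2.53, the outside interface name, the 2960 port numbers and the unused native VLAN 999 are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.53 (guest DNS),
! FastEthernet0/1-2 on the 2960, native VLAN 999 (any unused VLAN will do).
!
! ---------------- PIX 515E, 7.2 ----------------
! Physical interface carries only tagged frames: no nameif, no address.
interface Ethernet1
 description 802.1q trunk to 2960
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
! Guest sits at a lower security level than inside so the two
! subinterfaces are not "same-security" (which would otherwise need
! same-security-traffic permit inter-interface before any traffic passes).
interface Ethernet1.2
 vlan 2
 nameif guest
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
! Guest VLAN: the PIX hands out addresses itself. Inside keeps the
! existing DHCP server on its own VLAN, so no relay is needed there.
dhcpd address 10.3.3.10-10.3.3.100 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! PAT guest hosts behind the outside address (a config upgraded from 6.3
! still has nat-control on, so guest traffic needs a NAT rule to leave).
global (outside) 1 interface
nat (guest) 1 10.3.3.0 255.255.255.0
!
! Guest policy: block the inside LAN first, then allow only DNS and web.
! Everything else hits the implicit deny at the end of the list.
access-list guest_in extended deny ip 10.3.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list guest_in extended permit udp 10.3.3.0 255.255.255.0 host 192.0.2.53 eq domain
access-list guest_in extended permit tcp 10.3.3.0 255.255.255.0 any eq www
access-list guest_in extended permit tcp 10.3.3.0 255.255.255.0 any eq https
access-group guest_in in interface guest
!
! Management only from the inside VLAN; no telnet statement for guest.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
!
! ---------------- Catalyst 2960 ----------------
vlan 2
 name guest
!
! Trunk to the PIX. The native VLAN is moved to an unused VLAN so that
! VLAN 1 frames leave this port tagged; untagged frames would never
! reach Ethernet1.1 on the PIX, which only matches tagged VLAN 1.
interface FastEthernet0/1
 description trunk to PIX Ethernet1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 switchport nonegotiate
!
! Trunk to the AP; the AP maps the Internal SSID to VLAN 1 and the
! Guest SSID to VLAN 2, and keeps VLAN 1 (its management VLAN) native.
interface FastEthernet0/2
 description trunk to Aironet AP
 switchport mode trunk
 switchport trunk allowed vlan 1,2
```

The native-VLAN change on the 2960 is the same issue seen in the home test, where the PC could not reach "inside" until its NIC started tagging frames: a subinterface with `vlan 1` only accepts frames tagged 1, and a 2960 trunk sends VLAN 1 untagged by default. The ACL is applied inbound on the `guest` subinterface, where the PIX evaluates traffic that guest hosts originate, and the deny for 192.168.1.0/24 comes before the `permit tcp ... any eq www` line so guest clients cannot reach web servers on the inside LAN. Check the result with `show interface Ethernet1.2`, `show dhcpd binding` and the hit counts in `show access-list guest_in` on the PIX, and `show interfaces trunk` on the 2960. The unmanaged D-Link and Linksys switches mentioned later in the thread should only ever sit inside a single VLAN (access ports on the 2960), never on a trunk.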
10-13-2008 02:37 PM
Scott
I might be misunderstanding but you don't define vlans on the firewall, rather they are defined on the switch that the firewall connects to and you make the link from the firewall to the switch an 802.1q trunk.
By the way you could run logical vlan interfaces on version 6.3 of pix as well.
6.3 - http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411
7.2 - http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
Jon