VLANs on Pix 515e firewall

Answered Question
Feb 15th, 2010

Hi. I've been tasked with making some config changes to a Pix 515e owned by a new customer. My query is that one of the physical interfaces (ethernet2) appears to have 2 VLANs set up on it and I've no experience of VLANs on Pixes (in truth, very little experience of VLANs on switches either, which is the only place I've encountered them before). Does anyone use VLANs on their Pix and in what circumstances?

I manage 3 Pix/ASAs already so am comfortable with multiple physical interfaces (albeit through ASDM and a bit of CLI), just never encountered VLANs before (every day's a school day). The relevant config is as follows:

interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet2 vlan998 physical
interface ethernet2 vlan996 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Coventry security50
nameif vlan996 Darlaston security50

ip address outside 172.19.128.160 255.255.248.0
ip address inside 10.0.4.1 255.255.255.0
ip address Coventry 10.255.255.1 255.255.255.252
ip address Darlaston 10.255.255.5 255.255.255.252

The 2 VLAN interfaces are actually 2 remote sites connected over an MPLS network. I'm guessing that interface ethernet2 has a Cisco switch plugged into it that's bringing in traffic from both sites. This is guesswork though, as we don't manage the MPLS, the aforementioned remote sites or indeed the LAN infrastructure for the site where the Pix is, just the Pix itself. Just to complicate matters I haven't even visited this site (it's 300 miles away) so can't confirm the physical setup. And I have no network diagram. Bit of a nightmare really.

I'm asking because this customer has just added a new site and I think this might require a new VLAN adding (just awaiting confirmation from the ISP).

Any help in expanding my understanding of this is greatly appreciated.

Thanks, Rex.

Correct Answer by Jon Marshall about 6 years 9 months ago

rexbiesty wrote:

interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet2 vlan998 physical
interface ethernet2 vlan996 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Coventry security50
nameif vlan996 Darlaston security50

ip address outside 172.19.128.160 255.255.248.0
ip address inside 10.0.4.1 255.255.255.0
ip address Coventry 10.255.255.1 255.255.255.252
ip address Darlaston 10.255.255.5 255.255.255.252

Any help in expanding my understanding of this is greatly appreciated.

Thanks, Rex.

Rex

ethernet2 on the Pix will be connected to a port on a switch. That port will be configured as an 802.1q trunk link, which means it can send traffic for multiple VLANs on that link.

Compare that with a physical interface that does not have vlan interfaces. In that case the port on the switch would only be in one vlan.

So with ethernet2 you have one physical interface but you are sending the traffic for 2 vlans or IP subnets down the link. Note this is a general rule that one vlan = one IP subnet which is by far the commonest approach. This has probably been done because you ran out of physical interfaces on the firewall so one of the physical interfaces was split up for 2 vlans.

Each subinterface or VLAN interface, i.e. vlan 998 and vlan 996, is treated as a separate interface, i.e. you can apply ACLs to each separate subinterface and you would need NAT rules for each subinterface. If you needed to create a further subinterface on ethernet2 it would be a "logical" interface, i.e. let's say you need to add vlan 997 -

interface ethernet2 vlan997 logical
nameif vlan997 <name> security50
ip address <name> <ip_address> <netmask>

Jon
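To make Jon's explanation concrete, here is an added example (it is not code from this thread or from Cisco) that models what happens on ethernet2: an 802.1Q tag is parsed off each frame arriving on the trunk, the VLAN ID selects which named PIX interface (Coventry or Darlaston, from the config pasted above) the frame belongs to, and the PIX default security-level rule decides whether a flow between two interfaces is allowed without an explicit ACL. Assumptions: both VLANs arrive tagged on the trunk, the MAC addresses and payloads are constructed sample values, and the interface names and security levels are taken from the question.

```python
"""Model of one physical firewall interface carrying two 802.1Q VLANs.

Added example: demultiplexes tagged Ethernet frames into the named PIX
interfaces from the question and applies the PIX default security-level
rule. Not PIX code; the frames below are constructed sample input.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

# Interface table reconstructed from the config in the question.
# Assumption: both VLANs reach ethernet2 tagged; the physical/logical
# keyword in the PIX config is not modelled here.
VLAN_INTERFACES = {
    998: ("Coventry", 50),
    996: ("Darlaston", 50),
}
OTHER_INTERFACES = {"outside": 0, "inside": 100}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]  # None means the frame was untagged
    ethertype: int
    payload: bytes


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Serialise an Ethernet II frame, inserting an 802.1Q tag if vlan is set."""
    hdr = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        tci = (pcp << 13) | vlan  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Parse an Ethernet II frame, peeling off a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vlan, off = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", raw[14:16])[0]
        vlan = tci & 0x0FFF
        ethertype = struct.unpack("!H", raw[16:18])[0]
        off = 18
    return Frame(dst, src, vlan, ethertype, raw[off:])


def demux_trunk(raw):
    """Map a frame arriving on ethernet2 to (interface name, security level).

    Returns None for untagged frames or VLAN IDs not configured on the
    firewall; in this model such frames are dropped (a good thing to log,
    since they usually mean the switch trunk and the firewall disagree).
    """
    f = parse_frame(raw)
    if f.vlan is None:
        return None
    return VLAN_INTERFACES.get(f.vlan)


def default_policy(src_if, dst_if):
    """PIX default: higher-to-lower security level flows; lower-to-higher
    and equal levels are denied unless an ACL (or same-security permit) says
    otherwise. This is why Coventry and Darlaston, both security50, cannot
    talk to each other through the firewall by default."""
    levels = dict(OTHER_INTERFACES)
    levels.update(VLAN_INTERFACES.values())
    return "allow" if levels[src_if] > levels[dst_if] else "deny"


if __name__ == "__main__":
    # Constructed sample MACs and payload, not captured traffic.
    sw, fw, body = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"ip..."
    for vid in (998, 996, 5, None):
        print(vid, demux_trunk(build_frame(fw, sw, 0x0800, body, vlan=vid)))
    print("inside->Coventry", default_policy("inside", "Coventry"))
    print("Coventry->Darlaston", default_policy("Coventry", "Darlaston"))
```

The `demux_trunk` result is the part to watch when a new site is added: until the new VLAN ID is both allowed on the switch trunk and given a logical interface on the PIX, its frames fall into the `None` bucket and silently disappear.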


Rex Biesty Tue, 02/16/2010 - 01:18

Brilliant answer, thanks Jon. That gives me an idea of what the ISP might be up to and at least I've got a clearer idea of what questions to ask them. Thanks again.

Collin Clark Mon, 02/15/2010 - 12:53

Hi Rex-

VLANs on PIX/ASA are common. Trunking on a physical interface saves on the physical interface usage. The setup is straightforward (much like a switch). On the switch that connects to the ASA, you'll need to add the VLAN to the trunk and add it in the PIX. Then just like a physical interface on the PIX, you need to assign a security level, nameif, IP address, etc. With MPLS you usually don't need another interface, it's added in the MPLS cloud. Sounds like your ISP will let you know for sure though.


Hope it helps.
