Here are 3 questions:
1) Does anyone have a link to some VLAN samples?
2) Doesn't the fact of having logical interfaces make the solution less secure than having physical interfaces?
3) What is the difference between a physical VLAN and a logical VLAN?
Thanks and regards,
1) PIX:
  interface ethernet1 100full
  interface ethernet1 vlan10 physical
  interface ethernet1 vlan20 logical
  interface ethernet1 vlan30 logical
  nameif ethernet1 DMZ security10
  nameif vlan20 MailSvrs security15
  nameif vlan30 WWWsvrs security20
  ip address DMZ 192.168.0.1 255.255.255.0
  ip address MailSvrs 192.168.1.1 255.255.255.0
  ip address WWWsvrs 192.168.2.1 255.255.255.0
Catalyst (port that PIX ethernet1 is connected to; <mod/port> is the switch port):
  set port channel <mod/port> mode off
  set spantree portfast <mod/port> enable
  clear trunk <mod/port> 1-1005
  set trunk <mod/port> on dot1q 1,10,20,30
  set port speed <mod/port> 100
  set port duplex <mod/port> full
2) From a security perspective, Cisco claims that using vlans is actually more secure. With no vlans configured, the PIX sends untagged packets to any connected switch port. If the switch port is trunking, the switch forwards the packet on the native vlan - vlan1 - making the switch vulnerable to a hacker injecting packets into another vlan from the native vlan. As a rule, I never use the default vlan anyway. Assign physical interfaces on the PIX to any vlan other than vlan1. Actually, assign the physical interface to any vlan that is NOT the native vlan for the switch port and you should be good.
3) Logical and physical interfaces are both software objects - but the actual physical object is the NIC. Physical interfaces operate at both layer-2 and layer-3; logical interfaces only operate at layer-3. With that in mind, you can't configure 'failover link' or 'failover lan' on logical interfaces because they don't operate at layer-2.
Hope this helps,
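As an added check (example code written here, not from the poster or from Cisco), this Python script audits a PIX 6.3 interface block against the CatOS trunk port it plugs into and flags the case described in answer 2): a physical interface with no VLAN assignment, whose untagged frames fall onto the trunk's native VLAN, plus a physical VLAN that collides with the native VLAN and any PIX VLAN the trunk does not allow. The sample configs are constructed, and the CatOS native VLAN is assumed to be the port's access VLAN from "set vlan", defaulting to 1.

```python
import re

# Constructed sample configs (not from the post). The PIX physical interface has
# no VLAN assignment, so its frames leave untagged and land on the native VLAN.
PIX_CFG = "interface ethernet1 100full\ninterface ethernet1 vlan20 logical\ninterface ethernet1 vlan30 logical\n"
CATOS_CFG = "set vlan 1 2/1\nclear trunk 2/1 1-1005\nset trunk 2/1 on dot1q 1,20,30\n"

def parse_pix(cfg):
    # {ethernetN: {"physical": vlan or None, "logical": {vlans}}} from PIX 6.3 lines
    ifaces = {}
    for m in re.finditer(r"^interface (ethernet\d+)(?: vlan(\d+) (physical|logical))?", cfg, re.M):
        eth, vlan, kind = m.groups()
        entry = ifaces.setdefault(eth, {"physical": None, "logical": set()})
        if kind == "physical":
            entry["physical"] = int(vlan)
        elif kind == "logical":
            entry["logical"].add(int(vlan))
    return ifaces

def expand_vlans(spec):
    # "1,10-12,20" -> {1, 10, 11, 12, 20}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_catos_trunk(cfg, port):
    # Assumption: the port's access VLAN ("set vlan") is its dot1q native VLAN; default is 1
    native = 1
    m = re.search(rf"^set vlan (\d+) {re.escape(port)}$", cfg, re.M)
    if m:
        native = int(m.group(1))
    allowed = set()
    for m in re.finditer(rf"^set trunk {re.escape(port)} \S+ dot1q ([\d,-]+)", cfg, re.M):
        allowed |= expand_vlans(m.group(1))
    return native, allowed

def audit(pix_cfg, catos_cfg, eth, port):
    # Returns a list of findings; an empty list means the PIX/trunk pairing is clean
    native, allowed = parse_catos_trunk(catos_cfg, port)
    iface = parse_pix(pix_cfg).get(eth, {"physical": None, "logical": set()})
    phys = iface["physical"]
    findings = []
    if phys is None:
        findings.append(f"{eth}: no physical VLAN, untagged frames land on native VLAN {native}")
    elif phys == native:
        findings.append(f"{eth}: physical VLAN {phys} equals trunk native VLAN")
    used = iface["logical"] | ({phys} if phys is not None else set())
    findings += [f"{eth}: VLAN {v} not allowed on trunk {port}" for v in sorted(used - allowed)]
    return findings
```

Run audit(PIX_CFG, CATOS_CFG, "ethernet1", "2/1") to see the untagged-frame finding; adding "interface ethernet1 vlan10 physical" and allowing VLAN 10 on the trunk clears it.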