I'm trying to set up an Internal and a Guest wireless SSID. Have our internal DHCP server handle "Internal" and use the PIX dhcpd pool to handle the Guest.
I think I have an idea of how to set this up, but I've hit a snag.
I was reading that IOS 6.3 would not support such a setup, so I've successfully updated to 7.2 (yay?). I see the possibility to use subinterfaces now (interface ethernet 0.1) and assign vlans (vlan 100). But I'm not seeing where to define the said VLANs?
I know this is possible with an ASA (another client has an ASA). I was hoping I'd be able to do the same on the 515e once I got 7.2 on there. Is this not possible?
Some pseudo code:
ip address 22.214.171.124
ip address 192.168.1.1
ip address 172.16.1.1
Does my question make sense?
The only Cisco switch I have on the network is a 2960, so I can define VLANs there, but cannot give them an IP range.
Maybe I don't need to:
I have a Cisco AP and want to have two SSIDs: "Internal" and "Guest". "Internal" has full network and http access, "Guest" only has http access.
I was under the assumption 7.0+ was needed for this. Is it possible with 7.2 on a PIX 515e connected to a 2960 switch and a Cisco 1180ag AP?
Was thinking I would allow "Internal" SSID full access to network and DHCP server, and use "dhcpd relay" for the "Guest" VLAN and have the PIX give out DHCP to them and run them through an ACL.
You don't need to have a L3 switch only a L2 one so the 2960 will be fine. You define the L2 vlans on the switch but you "route" them on the pix so it will work fine.
The IP range is allocated on the pix interfaces.
Define the ip ranges for both VLANs as subinterfaces on your PIX (the PIX is the gateway for your 2 VLANs).
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
After that, create an access-list with the rules you want and apply it on the outbound direction on interface Ethernet 1.
Hope this helps :)
Ok, this is what I have:
ip address 192.168.1.253 255.255.255.0
ip address 10.3.3.1 255.255.255.0
telnet 0.0.0.0 0.0.0.0 inside
It seems logical, but I can't seem to "telnet 192.168.1.253"
Am I missing something here?
Also, how should the config for Ethernet1 look?
no ip address
? Does this config turn it into a trunk port for the VLAN tags?
Thanks for all the input so far!
So I currently have a mock-setup at home that I've been playing with. I want to get it working at home before I implement live.
My PC is directly connected to the PIX with static IP in the same network as "inside". I wasn't for the life of me able to ping or telnet to "inside". I was thinking since we assigned VLANs, that my PC must not be carrying a VLAN tag.
So I was digging around in my NIC card properties and enabled VLAN tagging, tried pinging, Bingo! Telnet worked, also!
So the thing I'm missing at home is the 2960.
Now my question is this:
At the client, there is only one Cisco 2960 switch, then there are 3 or 4 Cisco Linksys series, and a couple D-Link switches. I'm not sure how these other switches handle VLANs.
If, on the PIX, VLAN 1 is on interface Ethernet1.1 as 192.168.1.x, does that mean that all traffic passing through the 2960 with 192.168.1.x traffic will be tagged with VLAN 1?
In other words, how will all that other switch vendor traffic get tagged with VLAN 1?
Are the D-Link switches manageable? I mean, do they allow you to telnet to them and do some configuration?
I have worked on D-Link switches once that were manageable, and had no issues with VLANs and trunking since they supported the IEEE 802.1q standard and were compatible with the Cisco ones accordingly.
In order to telnet to your PIX, you have to allow the hosts that you want to log in from by using the command below on your PIX:
PIX(config)# telnet A.B.C.D X.X.X.X interface
where A.B.C.D is the IP address you are going to connect from.
X.X.X.X is the subnet mask (usually 255.255.255.255)
interface is the interface on the PIX you are expected to connect from (usually inside)
As for Ethernet 1, I recommend making it this way:
no ip address
"Does this config turn it into a trunk port for the VLAN tags?"
The answer is yes.
Cheers mate :)
I might be misunderstanding, but you don't define VLANs on the firewall; rather they are defined on the switch that the firewall connects to, and you make the link from the firewall to the switch an 802.1q trunk.
By the way you could run logical vlan interfaces on version 6.3 of pix as well.
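Pulling the thread's pieces together (tagged-only Ethernet1, one subinterface per SSID, PIX dhcpd for Guest, an ACL limiting Guest to web, telnet allowed from inside, and the 2960 uplink as an 802.1q trunk), here is an added example configuration that is not from any poster; VLAN IDs 10/20, the subinterface names, the DNS server 203.0.113.53 and the switch port names are assumptions. The guest ACL is applied inbound on the guest subinterface rather than outbound on Ethernet1, so the deny for the internal LAN is evaluated before the any/any web permits.

```cisco
! ---- PIX 7.2 side (assumed VLAN IDs 10 and 20) ----
! Physical port carries only 802.1Q-tagged frames: no nameif or IP here.
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
! "Internal": addresses come from the existing internal DHCP server.
interface Ethernet1.1
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
! "Guest": the PIX hands out addresses and filters traffic.
interface Ethernet1.2
 vlan 20
 nameif guest
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
dhcpd address 10.3.3.100-10.3.3.200 guest
! placeholder resolver that guests are allowed to reach
dhcpd dns 203.0.113.53
dhcpd lease 3600
dhcpd enable guest
!
! Order matters: block the internal LAN before the any/any web permits,
! otherwise guests could still reach internal web servers.
access-list guest_in extended deny ip any 192.168.1.0 255.255.255.0
access-list guest_in extended permit udp any host 203.0.113.53 eq domain
access-list guest_in extended permit tcp any any eq www
access-list guest_in extended permit tcp any any eq https
access-list guest_in extended deny ip any any
access-group guest_in in interface guest
!
! Management access to the PIX from the internal VLAN only.
telnet 192.168.1.0 255.255.255.0 inside
!
! ---- 2960 side (assumed port names) ----
! VLANs are defined here; the uplink to the PIX is a dot1q trunk that
! carries only the two tagged VLANs. Avoid VLAN 1: as the native VLAN it
! is sent untagged and the PIX port above has no untagged interface.
vlan 10
 name Internal
vlan 20
 name Guest
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

Outbound NAT for the guest subnet (nat/global toward the outside interface) is still needed for Internet access and is left out here; a PC plugged directly into Ethernet1 must tag VLAN 10 itself, which is why the NIC change in the thread made telnet work.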