Cisco Support Community
New Member

VLAN Tags Through a PIX?

Is it possible to pass vlan tags through either a PIX 535 or a CISCO 6503?

Scenario:

I have several switches in line with each other, all layer 2, connected to one router.

Router ----> Switch ----> Switch

I'm running a handful of different vlans from the router out to the final switch.

We have two firewalls ready to be installed, either a 6503, or a PIX 535. I need to put one or the other in between the two switches, without changing the layer two topology. In essence, I want to be able to insert the firewall without the network seeing anything different.

Is this possible?

Looking forward to any replies... I got a boss that's waiting for an answer! =)

3 REPLIES
Silver

Re: VLAN Tags Through a PIX?

Hey..

How are you?

See, you can achieve this on the PIX 535 by using the bridge group command.

Steps:

1. enable

2. configure terminal

3. interface [Ethernet | FastEthernet | GigabitEthernet] x/0

4. ip address ip-address mask

5. interface [Ethernet | FastEthernet | GigabitEthernet] x/0.vlan-id

6. encapsulation dot1q vlan-id

7. bridge group number

8. end

And on the 6503:

You need the FWSM module. You can figure it easily. For your scenario, I recommend the FWSM.

http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=VLAN+CONFIGURATION+ON+FWSM&Search+All+cisco.com=cisco.com&language=en&country=US&accessLevel=Guest

Regards,

Dharmesh Purohit

New Member

Re: VLAN Tags Through a PIX?

So, setting up a virtual interface on the PIX or 6503 (whichever I decide to use), will put the firewall within the VLAN, and will still be able to process each packet on the other VLANs with its firewall ruleset?

Dumb Question: Do I need to make a virtual interface for each VLAN that will be passing through it, and can I associate the firewall's management IP address in one of those VLANs?

I have a management VLAN that I'm passing from the router to the switches. Can I give the firewall an IP on my management VLAN and be able to communicate with it like I do with the rest of my switches?

Forgive me for the ignorant questions, as I have absolutely zero experience with the PIX or any of CISCO's firewalls.

Thank you in advance!

-Shafer

New Member

Re: VLAN Tags Through a PIX?

What about this?

Switch---1Q-->PIX-TransparentMode---1Q-->Switch

VL=2,3 VL=2,3 VL=2,3

Basically have Vlan 2 and 3 in both sides of the PIX.
