Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
0
Helpful
4
Replies

How to put PIX between a router and switch (schema with VLANs) ?

anthony.barlow
Level 1
Level 1

‎08-30-2003 10:33 AM - edited ‎03-02-2019 09:59 AM

Hello there,

It's more question of design, so I'd really appreciate any ideas. Basically we have a leased line connection, it's connected thru serial interface to 1721 router. There are 12 VLANs (subinterfaces) setup on internal router's ethernet interface and there is a HP layer2/3 switch connected to the router, which maintain all those VLANs. We have decided to put a firewall (PIX 515E) between a router and a switch - now the main question: how to implement it, and preferably, save existing VLANs. We have a small range of static IPs, but they are for serial router's interface only - the internal interface has non-routable IP range.

Is it possible to use the same IP address on both PIX's interfaces ? Or is there any other way to go ?

Thanks,

Alexander

Labels:
0 Helpful
4 Replies 4

prafuljaded
Level 3
Level 3

‎08-30-2003 12:38 PM

No,its not possible to have same IP address on PIX interfaces.One interface can be routable and another non-routable. Now since you are bringing PIX inbetween the router and switch,you need to create a new vlan for switch-PIX and have a routable IP subnet between the router and PIX. All your NAT on the router need to be moved to the PIX.

Any other suggestions to improve welcome

0 Helpful

anthony.barlow
Level 1
Level 1
In response to prafuljaded

‎09-01-2003 03:30 PM

Hi,

thanks for answer,

what would you tell me about

"ip unnumbered" for Serial0 interface ? That way, I'd move routable network behind the router and in front of the PIX.

Another question - in order to use existing VLANs - do i just need a number of different IP addresses bound to PIX's internal Ethernet interface? How many can i set up for 515E at all (maximum) ?

Cheers

0 Helpful

flitcraft33
Level 1
Level 1
In response to prafuljaded

‎10-23-2003 10:50 AM

if the NAT is on the PIX is the pix in effect routing between the VLANS? Since the NAT is moved off the router does the router route between the VLANS now? If so the inter VLAN traffic will NOT be firewalled. That may or may not matter. If your VLANs trust each other, well and good, but if you want to firewall, I am not sure this will work.

Dan Sichel

Ponderosa Telephone.

0 Helpful

mschooley
Level 1
Level 1
In response to flitcraft33

‎10-24-2003 05:08 AM

your still going to need a layer 3 device inside the firewall to route between the subnets, the pix isn't a router and you're not going to be able to extend the vlans thru the pix, therefore inorder to keep you existing infrastructure, you will need another layer 3 device to handle internal routing, something like a router with 2 ethernet interfaces, or a layer 3 switch, with the router, you would configure one interface with your 12 subinterfaces, (although this seems like a lot if your using private address spaces unless you have a med to large network, i.e more than a 1000 users) and the other interface would be another network to the pix (can be private) with a layer 3 switch you would enable routing and just create another vlan and subnet for the interface that attaches to the pix.

0 Helpful
Customers Also Viewed These Support Documents