Two L3 networks on one L2 Vlan

jimmiejoe
Level 1

A couple of years ago, I set up a small 30 host network on a switch behind a Pix firewall. Now the network has almost outgrown its boundaries, and is still expanding. Because adjoining networks are already used, I cannot go from a /27 network to a /26 or /25 network.

The question is this - can I set up two separate L3 networks on two separate interfaces on a PIX firewall, and connect them to a single L2 Vlan on a switch, then have hosts in both Vlans access their own gateways?

Here's an example. If 192.168.1.0/27 is on one interface of a PIX connected to a 3550 switch, which has all of its ports on Vlan 1, and I add another interface to the PIX, address it as 192.168.2.0/25 and plug it into the same switch, will any host devices plugged into the 3550 switch be able to access their own gateway if they are in different networks? The long term plan is to put a new network on the existing switch, and gradually migrate the old addresses to a new range, while still being able to add new devices. It would be kind of like secondary addresses on a router.

I hope I'm asking this question right. I think it can be done, but want to see if anyone else has done it.

Thanks, Jim

2 Replies

ryan.bachman
Level 1

Jim -

If I understand your question correctly...

You want to have your 3550 as part of a flat L2 network. All ports are going to be on vlan 1 (the default vlan) and you want to create 2 separate L3 network address ranges for hosts residing on the switch?

If this is the case, this will work. When a host tries to ARP its configured gateway, only the correct PIX interface will reply with its MAC, which gets stored in the ARP table on the 3550, and switches traffic as it would any other packet.

The only issue I can see with this design is obviously it doesn't allow you to truly segment the two networks. While two machines on the separate L3 networks can't talk directly to one another, viruses, multicast and broadcast traffic can still be seen by all. So stuff like NETBios can't be segmented between the 2 L3 networks. Also, I don't know what version of PIX you are using; anything prior to 7.0 does not allow two interfaces to be the same security level, meaning you will obviously have to make sure you write Access-lists for the inside interface.

HTH

Ryan
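The behaviour Ryan describes, as an added example that is not part of the original thread: a small Python model of one VLAN carrying two PIX interfaces (constructed addresses 192.168.1.1/27 and 192.168.2.1/25) and a host from each subnet. It shows that a host's ARP for its own gateway is answered only by the interface that owns that IP, that a host picks the gateway by its own mask, and that a broadcast still reaches every node on the VLAN whatever its subnet.

```python
from ipaddress import ip_address, ip_interface

class Node:
    """A host or a PIX interface attached to the VLAN (constructed topology)."""
    def __init__(self, name, addr, gateway=None):
        self.name = name
        self.iface = ip_interface(addr)            # e.g. "192.168.1.10/27"
        self.gateway = ip_address(gateway) if gateway else None

class Segment:
    """One L2 VLAN, i.e. a single broadcast domain."""
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def arp(self, requester, target_ip):
        """ARP who-has is flooded to every port; only the IP's owner replies."""
        target_ip = ip_address(target_ip)
        return [n.name for n in self.nodes.values()
                if n.name != requester and n.iface.ip == target_ip]

    def broadcast_reach(self, sender):
        """A broadcast frame reaches every node on the VLAN, regardless of subnet."""
        return sorted(n.name for n in self.nodes.values() if n.name != sender)

    def subnets_sharing_domain(self):
        """Distinct IP networks on the VLAN; more than one means no real segmentation."""
        return sorted({str(n.iface.network) for n in self.nodes.values()})

def next_hop(host, dest_ip):
    """A host uses its own mask: on-link peers are ARPed directly, others go via the gateway."""
    dest_ip = ip_address(dest_ip)
    return dest_ip if dest_ip in host.iface.network else host.gateway

# Constructed topology: the old /27 and the new /25 on one VLAN.
vlan1 = Segment([
    Node("pix-old", "192.168.1.1/27"),
    Node("pix-new", "192.168.2.1/25"),
    Node("nas-a", "192.168.1.10/27", gateway="192.168.1.1"),
    Node("nas-b", "192.168.2.10/25", gateway="192.168.2.1"),
])

if __name__ == "__main__":
    a = vlan1.nodes["nas-a"]
    print("nas-a ARP for its gateway answered by:", vlan1.arp("nas-a", a.gateway))
    print("nas-a -> 192.168.2.10 next hop:", next_hop(a, "192.168.2.10"))
    print("nas-a broadcast seen by:", vlan1.broadcast_reach("nas-a"))
    print("subnets in one broadcast domain:", vlan1.subnets_sharing_domain())
```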

Ryan,

Thanks for the reply. The devices hanging off the back of this PIX will be storage devices and non-Windows devices. The whole purpose of this is to allow expansion of a small 30 host network to half of a Class C without having to do any more work other than re-IP'ing the hosts. Once everything is migrated to the new network, we'll turn down the old interface (old network) and disconnect it from the switch.

Jim