Virtual routers or sub-vlan's on a 6500?

jimbartus
Level 1

I'm looking to move to a new 6500-core based architecture, but there's a piece of the plan I can't figure out.

How would you architect this: I want all networks to be a VLAN on the 6500 with it acting as their gateway router. However, I want to group those VLANs into 'zones' where, to get from one zone to another, the 6500 will route it out to the PIX and then back down to the other zone.

This way I could have a PIX with, say, three inside interfaces: USERS, DMZ1, DMZ2. Then I could have a SALES, TECH, SYSADMINS, and OTHER set of "user" VLANs that are all downstream of the PIX's users interface. DMZ1 and DMZ2 would similarly have 3 - 10 VLANs behind them.

Make sense? I also want a set of VLANs that don't uplink through the PIX at all; they skip over it and go straight out to the internet. I need this because my PIXes can't handle the full bandwidth load of our web and stream servers.

edit: I drew this diagram to help explain what I'm talking about.

http://www.mindspew.net/misc/zones.gif

5 Replies

Patrick Laidlaw
Level 4

Jim,

Use an FWSM Module, which is basically a Virtual PIX. It'll solve all your headaches.

The way it works is using Contexts (i.e. Virtual Firewalls). You assign VLANs to a context depending on how you want to set up your routing and security.

Let's say you have three contexts with VLANs 1-5, 10, 11.

You would attach VLANs 1-5 to your primary context,

VLANs 5 and 10 to another, and 5 and 11 to yet another.

Let's say you want traffic to flow from VLAN 1 to VLAN 11. Traffic would hit the Primary_Context, go through the access-list, then get dropped onto VLAN 5, where it would then go to your Third_Context access-lists and then drop into VLAN 11.

If you have any questions about this let me know.

Patrick

Patrick,

Thanks for your help. The FWSM looks really cool, but I already have the PIXes. Plus I'd like to model my secondary site (with Cat4006s and PIXes) the same way.

What do people normally do when they have a situation like this? So far all I can think of is just to buy a separate pair of layer 3 devices for every zone and run the core switches as just layer 2.

Is this something that could be done using VRF and multiple OSPF instances?

Yes Jim, you are on to something; I was just about to suggest this.

***Make the PIX see the User VLANs***

Configure the L2 VLANs on the switch as needed.

Set up an 802.1q trunk link from the switch to the PIX.

Configure the same VLANs on the PIX as the switch.

Now you can filter all the traffic at the PIX.

All traffic for these VLANs will use the PIX as their default gateway.

***For the Media Servers***

Also, since per your diagram the switch has dual ports to the gateway router:

Configure a VLAN on the switch for the media servers.

Configure a VLAN Intf with an IP Address on the switch for this VLAN.

Configure a routed Intf with an IP Address on the switch to connect to the gateway Router.

Policy Route (on the switch) so the traffic sourced from the media servers and destined to the Internet goes to the gateway router.

Policy Route (on the switch) so the traffic sourced from the media servers and destined to the User VLANs goes to the PIX.

Add a route to the PIX that says "to get to the media server, go to the VLAN Intf IP on the switch".

Make sure that your security policies are solid, but beware not to force too many features into software (or the switch performance may suffer).

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html
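The media-server policy-routing steps above, written out as an added configuration example (not part of the original reply): IOS on the 6500 plus the matching PIX 6.x static route. VLAN 200, the interface names, and all addresses (10.200.0.0/24 media servers, 10.10.0.0/16 user VLANs, 10.1.1.2 PIX inside, 192.0.2.2 gateway router) are constructed placeholders.

```cisco
! --- 6500 (IOS) ---
vlan 200
 name MEDIA-SERVERS
!
! SVI for the media-server VLAN; PBR is applied where the traffic ENTERS the switch
interface Vlan200
 description Media server VLAN, default gateway for the servers
 ip address 10.200.0.1 255.255.255.0
 ip policy route-map MEDIA-PBR
!
! Routed (non-switchport) uplink to the Internet gateway router
interface GigabitEthernet1/1
 description Routed link to gateway router
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! Media-server traffic towards the user VLANs must pass the PIX
ip access-list extended MEDIA-TO-USERS
 permit ip 10.200.0.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! Everything else from the media servers bypasses the PIX
ip access-list extended MEDIA-TO-INTERNET
 permit ip 10.200.0.0 0.0.0.255 any
!
! Sequence order matters: the user-VLAN match must come before the catch-all
route-map MEDIA-PBR permit 10
 match ip address MEDIA-TO-USERS
 set ip next-hop 10.1.1.2
!
route-map MEDIA-PBR permit 20
 match ip address MEDIA-TO-INTERNET
 set ip next-hop 192.0.2.2
!
! --- PIX 6.x ---
! Return path: the PIX reaches the media servers via the switch's SVI address
! on the shared inside segment (10.1.1.1 assumed to be the switch side)
route inside 10.200.0.0 255.255.255.0 10.1.1.1 1
```

Verify with `show route-map MEDIA-PBR` (policy-matched packet counters) and `show ip policy`; if the counters climb but the 6500's CPU does too, the PBR is not being hardware-switched, which is the software-path caveat raised above.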
