Virtual routers or sub-vlan's on a 6500?

I'm looking to move to a new 6500-core based architecture, but there's a piece of the plan I can't figure out.

How would you architect this: I want all networks to be a VLAN on the 6500 with it acting as their gateway router. However, I want to group those VLANs into 'zones' where, to get from one zone to another, the 6500 will route it out to the PIX and then back down to the other zone.

This way I could have a PIX with, say, three inside interfaces: USERS, DMZ1, DMZ2. Then I could have a SALES, TECH, SYSADMINS, and OTHER set of "user" VLANs that are all downstream of the PIX's USERS interface. DMZ1 and DMZ2 would similarly have 3-10 VLANs behind them.

Make sense? I also want a set of VLANs that don't uplink through the PIX at all; they skip over it and go straight out to the Internet. I need this because my PIXes can't handle the full bandwidth load of our web and stream servers.

edit: I drew this diagram to help explain what I'm talking about.

http://www.mindspew.net/misc/zones.gif


Re: Virtual routers or sub-vlan's on a 6500?

Jim,

Use an FWSM module, which is basically a virtual PIX. It'll solve all your headaches.

The way it works is using contexts (i.e. virtual firewalls). You assign VLANs to a context depending on how you want to set up your routing and security.

Let's say you have three contexts with VLANs 1-5, 10, 11.

You would attach VLANs 1-5 to your primary context,

VLANs 5 and 10 to another, and 5 and 11 to yet another.

Let's say you want traffic to flow from VLAN 1 to VLAN 11. Traffic would hit the Primary_Context, go through the access-list, then get dropped onto VLAN 5, where it would then go through your Third_Context access-lists and then drop into VLAN 11.

If you have any questions about this let me know.

Patrick

Re: Virtual routers or sub-vlan's on a 6500?

Patrick,

Thanks for your help. The FWSM looks really cool, but I already have the PIXes. Plus I'd like to model my secondary site (with Cat4006s and PIXes) the same way.

What do people normally do when they have a situation like this? So far all I can think of is just to buy a separate pair of layer 3 devices for every zone and run the core switches as just layer 2.

Re: Virtual routers or sub-vlan's on a 6500?

Is this something that could be done using VRF and multiple OSPF instances?

Re: Virtual routers or sub-vlan's on a 6500?

Yes Jim, you are on to something; I was just about to suggest this.

Re: Virtual routers or sub-vlan's on a 6500?

***Make the PIX see the User VLANs***

Configure the L2 VLANs on the Switch as needed.

Set up an 802.1q trunk link from the switch to the PIX.

Configure the same VLANs on the PIX as the switch.

Now you can filter all the traffic at the PIX.

All traffic for these VLANs will use the PIX as their default gateway.

***For the Media Servers***

Also, since per your diagram you have dual ports to the gateway router...

Configure a VLAN on the switch for the media servers.

Configure a VLAN Intf with an IP Address on the switch for this VLAN.

Configure a routed Intf with an IP Address on the switch to connect to the gateway Router.

Policy Route (on the switch) so the traffic sourced from the media servers and destined to the Internet goes to the gateway router.

Policy Route (on the switch) so the traffic sourced from the media servers and destined to the User VLANs goes to the PIX.

Add a route to the PIX that says "to get to the media servers, go to the VLAN Intf IP on the switch".

Make sure that your security policies are solid, but beware not to force too many features into software (or the switch performance may suffer).

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7c.html
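As an added illustration of the media-server steps above (not the poster's own config), here is the switch and PIX side of that policy routing. All VLAN numbers and addresses are assumed: media servers on VLAN 100 (10.100.0.0/24, SVI 10.100.0.1), user VLANs summarised as 10.1.0.0/16 behind the PIX at 10.0.10.2 on transit VLAN 10, and the gateway router at 192.0.2.2 on a routed port.

```cisco
! ---- 6500 (IOS) : switch side -------------------------------------
! Match media-server traffic headed for the user VLANs first; the
! catch-all "any" entry must come AFTER it, or user-bound traffic
! would bypass the PIX and never be inspected.
ip access-list extended MEDIA-TO-USERS
 permit ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.255.255
ip access-list extended MEDIA-TO-INTERNET
 permit ip 10.100.0.0 0.0.0.255 any
!
route-map MEDIA-PBR permit 10
 match ip address MEDIA-TO-USERS
 set ip next-hop 10.0.10.2        ! PIX interface facing the switch
route-map MEDIA-PBR permit 20
 match ip address MEDIA-TO-INTERNET
 set ip next-hop 192.0.2.2        ! gateway router, bypasses the PIX
!
! SVI for the media-server VLAN; the policy is applied on the
! ingress interface, so traffic is steered as it leaves the servers.
interface Vlan100
 description Media servers (assumed VLAN)
 ip address 10.100.0.1 255.255.255.0
 ip policy route-map MEDIA-PBR
!
! Transit VLAN toward the PIX
interface Vlan10
 description Transit to PIX (assumed VLAN)
 ip address 10.0.10.1 255.255.255.0
!
! Routed (non-switchport) interface to the Internet gateway router
interface GigabitEthernet1/1
 description Routed link to gateway router (assumed port)
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! ---- PIX : return path for user VLAN -> media server traffic ------
! "inside" is the PIX interface on transit VLAN 10; replies and
! user-initiated sessions to the media servers leave via the switch SVI.
route inside 10.100.0.0 255.255.255.0 10.0.10.1 1
```

Keep the route-map to `set ip next-hop` only; options that force a software-switched path on the 6500 are exactly the "too many features into software" case the reply warns about.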
