
VLANS on PIX do you need physical

Is there a way around this? I have to basically assign an IP/subnet just for failover for each interface I want to use as vlans.

I have 2 PIX firewalls in LAN-based failover mode.

5 physical interfaces.

state (failover)





I have 4 vlans, 2 each configured on the dmz ints.

Do you need to use the physical command on the interface given this topology? If not, why do I keep receiving messages that my IP address is not configured or failover IP is not configured? This occurs when I do not assign an IP to the physical port but do assign it to the logical and failover is enabled. Also, I do not believe these interfaces will be in failover mode unless I use the physical command when using VLANs. It seems like I have to use the physical and assign an IP for each physical int.


Re: VLANS on PIX do you need physical

There is no interface ... shutdown command in software versions prior to 5.x, so the PIX treats all interfaces as up and active. You must do one of the following for failover to work properly.

* Upgrade to a 5.x or later release where shutting an interface is an option.

* Assign an unused IP address/network to each unused interface (and its failover counterpart) and connect it to a hub or switch (each interface pair on its own VLAN).

Note: Remember that and are not valid IP addresses. Acceptable addresses can be RFC 1918 network addresses, such as 10.x.x.x, 172.16.x.x, and 192.168.x.x.

Check out the following link for more information on configuring VLANs on PIX:
