Cisco Support Community

New Member

4006 routes between VLANS - how does PIX cut in?

I'm implementing a PIX525 into a test network with a Cat4006 as the core switch and 3550s as edge switches; there are 3 VLANs as well as the default. Traffic is currently being routed across all VLANs within the 4006; how do I block cross-VLAN traffic at the switch and force all VLANs to the PIX interfaces for routing (via the access-lists)?

This is known as the "PIX on a stick" setup, I hear - where traffic enters the 4006, goes to the PIX, then back to the 4006 on a different interface (and VLAN) and out. I'd like to understand how the 4006 does NOT bypass this process by simply routing between VLANs by itself, leaving the PIX useless.


Re: 4006 routes between VLANS - how does PIX cut in?


I assume I am missing something here because the solution I would suggest seems rather simplistic. But I will go ahead and throw it out there if for no other reason than to get the conversation started.

I assume you are using separate subnets within each VLAN and are using the VLAN interfaces on the 4006 as the default gateway for each VLAN/subnet. If this is the case, why not remove the VLAN interfaces on the 4006 and apply the addresses to the logical interfaces you create for each VLAN on the PIX? This way, the default gateway for the hosts on each subnet is the PIX rather than the 4006. In this scenario, you are stripping away the L3 functionality on the 4006 and allowing it to focus on L2 only. In this scenario, the 4006 would not be routing the packets between the various VLANs. This task would now be sent to the PIX where the packets would need to pass through various security parameters before being routed.

Does this help?
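A constructed configuration sketch of the change this reply describes (an added illustration, not part of the thread and not taken from Cisco documentation). It assumes the 4006 runs an IOS-based Supervisor that is currently routing via SVIs, that the PIX 525 runs 6.3 software with one physical interface per VLAN as the original poster describes, and that all VLAN numbers, port numbers and addresses are placeholders.

```text
! --- Catalyst 4006 (assumed IOS-based Supervisor) ---
! Remove the L3 VLAN interfaces so the switch can no longer route
! between VLANs; with no SVI and no router, each VLAN is just an
! isolated broadcast domain and the only way out is the PIX port.
no interface Vlan10
no interface Vlan20
no interface Vlan30
no ip routing
!
! Access ports toward the three PIX interfaces, one per VLAN
interface FastEthernet2/1
 description PIX outside
 switchport access vlan 10
 switchport mode access
interface FastEthernet2/2
 description PIX inside
 switchport access vlan 20
 switchport mode access
interface FastEthernet2/3
 description PIX dmz
 switchport access vlan 30
 switchport mode access
!
! Check: no VLAN interfaces should be listed and the routing
! table should be empty.
!   show ip interface brief
!   show ip route

! --- PIX 525 (assumed 6.3) ---
! The PIX interface addresses become the default gateway for each
! subnet, so every inter-VLAN packet has to cross the firewall.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.20.1 255.255.255.0
ip address dmz 10.1.30.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! PIX 6.x needs a NAT or static entry before it forwards between
! interfaces; this identity static keeps inside addresses unchanged
! toward the DMZ.
static (inside,dmz) 10.1.20.0 10.1.20.0 netmask 255.255.255.0 0 0
!
! Inter-VLAN traffic is now subject to the interface ACLs, e.g.
! inside hosts may reach only the DMZ web server on TCP/80.
access-list inside_in permit tcp 10.1.20.0 255.255.255.0 host 10.1.30.10 eq www
access-list inside_in deny ip any any
access-group inside_in in interface inside
```

The switch-side check matters more than the PIX side: as long as any SVI with an IP address survives on the 4006, hosts that point at it (or that learn it via proxy ARP) can still be routed around the firewall.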


New Member

Re: 4006 routes between VLANS - how does PIX cut in?

I'm sure the solution is simple, but with less than a year of experience built on my CCNA I'm sure I missed it :-P

Yes, there are different subnets for each VLAN; the default gateway for each host is the respective 3500 edge switch they connect to (I replaced the 3550s to remove the L3 routing as a factor). The 3500s have trunk links to the 4006 and each of the 3 PIX interfaces connect to the 4006 via a 10/100 port designated to the corresponding VLAN (inside/outside/dmz).

[This setup imitates our production setup that uses 3500XL edge switches that trunk to the pair of 6509s; these have a pair of PIXs connected in the same manner, except via GB links.]

Yes, my question DID have to do with removing the core switch from L3 routing, and yes, directly connecting each interface through the PIX instead of the 4006 would separate each VLAN physically and logically... but the setup I described can work because that's what we currently have running in production!

I'm trying to duplicate the setup in a single rack and I'm obviously missing some part of the configuration that isolates the VLANs from each other within the 4006, before the access-lists are applied in the PIX.
