OK... we had an internal (10.1.1.1) and a DMZ (10.2.1.1) interface on our PIX firewall. Let's say those are VLANs 1 and 2...
We connected a 3560 to VLAN 2 and put its VLAN interface at 10.2.1.11... we routed all 10.2.1.0 255.255.255.0 traffic on our firewall to 10.2.1.11, and routed all less specific traffic (10.2.0.0) to the DMZ interface (10.2.1.1).
Then we connected our controllers (physical interface #2) to that 3560; you should already have interface #1 connected to the internal network.
We put a DMZ interface on the controller (10.2.1.10) with a default gateway of 10.2.1.11.
We put a VLAN 2 interface on the 3560 (10.2.1.11) and a static route 0.0.0.0 0.0.0.0 10.2.1.1.
No ports need to be opened for this configuration, although you will need some type of routing capability via a router or L3 switch...
1. Traffic from the controller is sent to the 3560 for VLAN 2
2. The 3560 sends it to the firewall on the DMZ interface
3. The firewall sends traffic to the internet and sends the return traffic back to the 3560
Note: I typed this from memory, and may have left out a detail or two, but this is the nuts and bolts of how we set it up...
Let me know if you have any questions..
Thanks,
Tony
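The setup Tony describes, written out as a config fragment. This is an added example, not Tony's own config: the hostnames, the port numbers on the 3560 (GigabitEthernet0/1 and 0/2), the PIX interface name ethernet2 with security level 50, and the 255.255.0.0 mask on the 10.2.0.0 summary route are all assumptions (the post only gives the addresses, not the masks or port numbers); the PIX lines use PIX OS 6.x syntax.

```text
! ---- 3560 (assumed hostname DMZ-SW), Cisco IOS ----
ip routing
!
vlan 2
 name DMZ
!
interface Vlan2
 description DMZ routed interface (10.2.1.11) facing the PIX and the controllers
 ip address 10.2.1.11 255.255.255.0
!
interface GigabitEthernet0/1
 description uplink to PIX dmz interface 10.2.1.1 (port number assumed)
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet0/2
 description controller physical interface #2, 10.2.1.10 (port number assumed)
 switchport mode access
 switchport access vlan 2
!
! default route from the post: everything not local goes to the PIX DMZ interface
ip route 0.0.0.0 0.0.0.0 10.2.1.1

! ---- PIX firewall, PIX OS 6.x syntax (interface name and security level assumed) ----
nameif ethernet2 dmz security50
ip address dmz 10.2.1.1 255.255.255.0
! the /24 goes to the 3560, as in the post
route dmz 10.2.1.0 255.255.255.0 10.2.1.11 1
! the "less specific" 10.2.0.0 route out the dmz interface; /16 mask is an assumption
route dmz 10.2.0.0 255.255.0.0 10.2.1.1 1

! ---- controller, interface #2 (settings from the post) ----
! IP 10.2.1.10, mask 255.255.255.0, default gateway 10.2.1.11
```

To check it, `show ip route` on the 3560 should list `S* 0.0.0.0/0 [1/0] via 10.2.1.1` plus the connected 10.2.1.0/24, `show route` on the PIX should list the two dmz routes, and a traceroute from the controller to an internet address should show 10.2.1.11 as the first hop and 10.2.1.1 as the second. No inbound ports are needed because the controller starts the connections: on a PIX, traffic from a higher-security interface (dmz) to a lower one (outside) is permitted by default once NAT is configured, and the replies in step 3 are matched against the firewall's connection table rather than needing a rule of their own. One thing the post does not cover is that the controller is dual-homed (interface #1 on internal, interface #2 on the DMZ), so the host itself is a path between the two zones; check that IP forwarding is off on it and that its host firewall only allows what the controller role needs.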