Basic Cisco PIX and Catalyst VLAN question

  • Basic Cisco PIX and Catalyst VLAN question

    Hi - I am a longtime Petri.co.il visitor, but this is my first forum post.

    This will hopefully be an easy question for some of you - I have seen some good materials that have helped me on Safari and at Cisco...but I am still confused.

    Where I work, we have a PIX 506e, connected to a Catalyst 3548XL switch. We also have a Cisco router, but it is managed so I don't control it.

    My network consists of about 40 Windows XP PCs, and I have one Windows 2000 DC.

    I currently have the PIX as the DHCP server.

    Here is my problem/question: I want to split/segment the network up. (My company hosts classes in our facility, and for security reasons I want the students'/teachers' network and PCs separated from ours.) So I would like to create 3 VLANs:

    VLAN 1: Our PCs

    VLAN 2: Students' and teachers' PCs

    VLAN 3: Printers (to be shared with VLANs 1 and 2)

    I have tried to create test VLANs, but don't end up getting any connectivity, so I need major help.

    - Do I need a router for each VLAN? If not, how do I set the gateway for each VLAN?

    - What do I do about DHCP? The PIX, which I am using now for the DHCP server, looks like it is pretty limited as a DHCP server. Do I need to use my Windows 2000 Domain Controller as a DHCP server? And do I set up a DHCP relay to each VLAN? Is that how it works?

    - If none of the above is right - if anybody has any suggestions, please feel free to make them - you definitely won't hurt my feelings.

    Sorry this is such a long and drawn out question. At home I have a Cisco 871 Router/Switch, and it does VLANs, but since it is integrated it is easy to do all of this. It even lets you set up DHCP pools for each VLAN segment.

    Thanks in advance for your help.

    Mike

  • #2
    Re: Basic Cisco PIX and Catalyst VLAN question

    You are correct: a VLAN separates frames at layer 2, a router separates packets at layer 3. So, creating a number of L3 nets means you need to route between them.

    You don't need another router, though.

    What you can do is use your 506 as an 'intervlan router'.

    So yes, you could divide up your network into separate logical networks
    (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, for example)

    Then, you could set the physical interface where they all connect to the PIX
    as a number of logical interfaces, all on separate VLANs. The code depends on
    what FOS you run. Here's an example:

    http://www.cisco.com/en/US/products/...html#wp1113411

    The link to the PIX from the switch now becomes a 'trunked' interface. From there, you'll need to:

    -set up a corresponding trunk on the switch
    -configure the appropriate VLANs and ports on the switch
    -set up the right access rules for the various networks on the PIX.

    Sounds good, eh? This way, you get to really put some control between your internal nets. A big limitation is, of course, the throughput of your PIX.

    However, this could definitely work for you.

    theterranaut

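Added example (not theterranaut's text and not from the Cisco guide he links): what the three-VLAN layout Mike describes, routed by the 506E as theterranaut suggests, could look like on PIX OS 6.3, together with the matching Catalyst 3548XL side. It uses the 192.168.1/2/3.0 networks from the reply above and exactly two logical interfaces, which is the 506E limit David later quotes from the 6.3 guide; VLAN 1 stays untagged on the physical inside port (native VLAN of the trunk). The DC address 192.168.1.10, the switch port numbers and the security levels are constructed; the PIX 6.3 and 3500XL command syntax is assumed from memory, so check it against the guide for the FOS you run. DHCP is handed to the Windows 2000 DC (it needs a scope per subnet) with the PIX relaying for the two other VLANs, which answers Mike's DHCP question: the PIX cannot run dhcpd and dhcprelay at the same time, and the relay target must sit on a different interface from the clients.

```cisco
: --- PIX 506E, PIX OS 6.3 (added example, not the poster's config)
: ethernet1 carries untagged VLAN 1 (our PCs) plus 802.1Q-tagged VLANs 2 and 3.
interface ethernet1 auto
interface ethernet1 vlan2 logical
interface ethernet1 vlan3 logical
: Security levels do the first cut: a lower-security interface cannot open
: connections toward a higher one without a static and an access-list.
nameif ethernet1 inside security100
nameif vlan2 students security50
nameif vlan3 printers security10
ip address inside 192.168.1.1 255.255.255.0
ip address students 192.168.2.1 255.255.255.0
ip address printers 192.168.3.1 255.255.255.0
: Identity statics: reach the printer VLAN without address translation
static (inside,printers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (students,printers) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
: Everything else is PATed behind the outside address toward the managed router
nat (inside) 1 0.0.0.0 0.0.0.0
nat (students) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
: Classroom VLAN: DHCP, printing (raw 9100 and IPP 631) to the printer VLAN and
: Internet access only; the inside VLAN is never reachable. First match wins.
access-list students_in permit udp any any eq bootps
access-list students_in permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 9100
access-list students_in permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 631
access-list students_in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list students_in deny ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list students_in permit ip 192.168.2.0 255.255.255.0 any
access-group students_in in interface students
: DHCP: stop serving from the PIX, relay the other VLANs to the DC on inside
: (192.168.1.10 is a constructed address). setroute hands out the PIX interface
: address as the default gateway in the relayed offer.
no dhcpd enable inside
dhcprelay server 192.168.1.10 inside
dhcprelay enable students
dhcprelay enable printers
dhcprelay setroute students
dhcprelay setroute printers

! --- Catalyst 3548XL side (IOS 12.0(5) XL-era syntax assumed); ports are constructed
vlan database
 vlan 2 name students
 vlan 3 name printers
 exit
!
interface FastEthernet0/48
 description 802.1Q trunk to PIX ethernet1; native VLAN 1 = our PCs (untagged)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 4-1001
!
interface FastEthernet0/10
 description classroom PC
 switchport access vlan 2
!
interface FastEthernet0/20
 description shared printer
 switchport access vlan 3
```

The printer VLAN sits at the lowest security level on purpose: both our PCs and the classroom can open connections to it, but nothing on it can initiate toward either of the other VLANs. Inside-to-classroom traffic has no translation configured, so it fails closed; add a static only if somebody actually needs to reach a classroom PC. Every flow between VLANs now crosses the PIX, which is the throughput point theterranaut raises next.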


    • #3
      Re: Basic Cisco PIX and Catalyst VLAN question

      Thanks for your help theterranaut -

      This is exactly what I was looking for! I may have some more questions for you - I will work on this next week some time more than likely.

      The point you raised about the throughput of the PIX - this should impact the CPU of the PIX most, correct?

      I'll let you know how it works.

      Mike



      • #4
        Re: Basic Cisco PIX and Catalyst VLAN question

        Yes, mostly. Remember that in general (gross oversimplification alert):

        -L2 devices (switches) "switch": not much decision making there, so they are generally very fast
        -L3 devices (routers) "route": some more decisions need to be made, so they are generally quite fast BUT slower than switches
        -L3/4/5/6/7 devices (firewalls) need to make complex decisions, so they are slower.

        The 506 has a total of 100Mbps of TCP throughput, so if you are going to do this then design very carefully. Keep things like file servers that need to talk to each other constantly on the same LAN, for example. Think of placement and throughput and how to minimise traffic.

        theterranaut



        • #5
          Re: Basic Cisco PIX and Catalyst VLAN question

          Hi theterranaut -

          I had some other things come up at work and had to put this on the shelf for a few weeks, but now I have the time to do this.

          After reading your final post in the thread - the point about the TCP throughput of the PIX being 100Mbps really scares me - I was wondering if there might be any alternatives that you could think of.

          If there aren't any alternatives, I should point out that there will only be 1 or 2 file servers, and they will definitely be on the same VLAN (VLAN 1). The only VLAN to VLAN communication will be for the printers and DHCP.

          Thanks again for all of your help. I will let you know how it turns out....

          Mike


          Originally posted by theterranaut:
          Yes, mostly. Remember that in general (gross oversimplification alert):

          -L2 devices (switches) "switch": not much decision making there, so they are generally very fast
          -L3 devices (routers) "route": some more decisions need to be made, so they are generally quite fast BUT slower than switches
          -L3/4/5/6/7 devices (firewalls) need to make complex decisions, so they are slower.

          The 506 has a total of 100Mbps of TCP throughput, so if you are going to do this then design very carefully. Keep things like file servers that need to talk to each other constantly on the same LAN, for example. Think of placement and throughput and how to minimise traffic.

          theterranaut



          • #6
            Re: Basic Cisco PIX and Catalyst VLAN question

            Hi Mike, thanks for coming back.

            I suppose it all depends what you want to do! (Apologies for how trite that sounds.) 100Mb isn't as bad as it sounds, I think. Even a 'bog standard' router (Cisco), connected in to do intervlan routing, will probably only have a 100Mb interface which all traffic will have to share. But it all depends on clients, traffic, etc., etc. Without really detailed traffic stats it's hard to tell. My gut feeling is that you would be okay, though.

            Anyway:

            I wonder if you really need a firewall in the middle of everything, filtering traffic in detail. Could you live without it? If so, how about:

            Option 1
            -Build a box with (for example) Server 2000/2003.
            -Stick in as many NICs as you'll need for your networks. (100Mb at least.)
            -Divide up your switches into VLANs, and your network into separate logical networks/subnets.
            -Address the NICs separately with an IP address from each subnet.
            -Connect one NIC per VLAN/subnet.
            -Have the per-subnet NIC as the gateway for all clients in that subnet/network/VLAN.

            See where I'm going with this? You've just set up a very basic router that will happily route between subnets/networks out of the box. No further config needed. Depending on the speed of the server, and whether or not you could get gigabit NICs and gig ports on your switch, you might even end up with routing speeds >100 Mb per VLAN. You would need to enable DHCP relay on the server, if there's going to be a single DHCP server, but that's fairly straightforward.

            Option 2
            As for the above, but add in RRAS on Server 2000/2003. Now you can set up (if needed) packet filtering to give you some limited but effective firewalling between subnets/networks/VLANs. A bit more involved.

            Option 3
            Buy a router! Then go down the VLAN/intervlan routing line. Less complex than the above, no overhead from your OS, etc., etc.

            I realise all of these options may involve additional outlay for you. In the first instance, it might be useful to try and build up a picture of your LAN traffic to see where the heaviest usage is. You never know, 100Mb may be all you need!

            best regards,

            theterranaut



            • #7
              Re: Basic Cisco PIX and Catalyst VLAN question

              Hi Mike
              Did you get your questions answered?
              Any more questions on this topic?
              Thanks for posting!
              If you have more questions, let us know.
              Thanks,
              David
              David Davis - Petri Forums Moderator & Video Training Author
              Train Signal - The Global Leader in IT Video Training
              TrainSignalTraining.com - Free IT Training Products
              Personal Websites: HappyRouter.com & VMwareVideos.com



              • #8
                Re: Basic Cisco PIX and Catalyst VLAN question

                Theterranaut,

                I saw your reply to Mike, and as luck would have it, I have a similar issue. Actually it's the same; however, I am using IOS version 7.0(4). The commands are a bit different and resemble a router config.

                My question is this: how do I create the VLANs?

                I have created sub-interfaces and assigned them an IP address. Is this correct, or do I simply create the logical interfaces and they all use the same IP address? I am really lost on this, and cannot find any information on creating inter-VLAN routing on a PIX 506E. Any help would be appreciated.

                Thank you


                interface Ethernet0
                shutdown
                no nameif
                no security-level
                no ip address
                !
                interface Ethernet1
                nameif inside
                security-level 100
                ip address 10.10.10.1 255.255.255.0
                !
                interface Ethernet1.2
                vlan 2
                nameif vlan2
                security-level 50
                ip address 10.10.2.1 255.255.255.0


                When I try to create the third VLAN it says that I have maxed out.

                Thanks



                • #9
                  Re: Basic Cisco PIX and Catalyst VLAN question

                  Hi Mjaggi,

                  I am just reading here in the config docs for the PIX OS 6.3 and it says this:
                  With Version 6.3, you can assign VLANs to physical interfaces on the PIX Firewall, or you can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.
                  Then it says that the 506 is limited with this:
                  Table 2-6 Maximum Number of Interfaces Supported on PIX Firewall Models

                  Model          Restricted License              Unrestricted License
                                 Total   Physical   Logical      Total   Physical   Logical
                  PIX 506/506E   NA      NA         NA           4       2          2
                  It does go on to describe how to configure VLAN's in the PIX OS. Here is where I was reading this-->
                  http://www.cisco.com/en/US/products/...html#wp1113411

                  Now, I know you are using 7.x so it may be different. Here is the link to the 7.x config guide-->
                  http://www.cisco.com/univercd/cc/td/....htm#wp1044601

                  I hope that helps out.

                  Thanks,
                  David Davis - Petri Forums Moderator & Video Training Author



                  • #10
                    Re: Basic Cisco PIX and Catalyst VLAN question

                    David,

                    Thank you for this information; however, it still does not allow me to add more than one VLAN.

                    It allows only one sub-interface, and when I attempt to add another, it says "Max vlans supported by platform exceeded".

                    The firewall claims it has 2 physical interfaces as well as 2 logical.

                    I have Ethernet0, Ethernet1, and it only allows the creation of Ethernet1.100.

                    Do you, or anyone else in the cyber world, have an idea what I can try? Or am I destined to purchase a higher level firewall?

                    Thank you again for your help, and thanks in advance to anyone that has had this issue and can help.

                    Some posts below Mike and theterranaut were working on this. How can I reach them?

                    Manu. I can be reached directly at [email protected] (is this acceptable for me to post?)



                    • #11
                      Re: Basic Cisco PIX and Catalyst VLAN question

                      Hi Manu,

                      I have sent PMs to both terranaut and Mike, requesting their comments on this topic.

                      Just a thought - you can't put the vlan x command on the physical interface, can you?

                      Yes, you can post your email address, but I would be wary of spammers. That is why we try to use PM.

                      Is there anyone else out there who has any idea on how to help Manu?

                      Any comments or suggestions are appreciated.

                      Thanks
                      David
                      David Davis - Petri Forums Moderator & Video Training Author



                      • #12
                        Re: Basic Cisco PIX and Catalyst VLAN question

                        David,

                        Thanks again for your help. I cannot add vlan x to the physical interface. This may very well be a hardware issue. The 506E does not support 7.0(4), although it will run it. It is very possible that this IOS works only with certain devices. Therefore I am unable to add an additional VLAN.

                        What doesn't make sense is that with the older version 6.3(5), it allows the creation of two VLANs. Maybe I need to go back to 6.3(5).

                        Any help would be appreciated.

                        Manu



                        • #13
                          Re: Basic Cisco PIX and Catalyst VLAN question

                          David,

                          Another thought occurred to me. My objective here is to segment the network and utilize my PIX. What if I create access lists and static lists? Will this do the same as VLANs?


                          Manu



                          • #14
                            Re: Basic Cisco PIX and Catalyst VLAN question

                            ACLs will provide you security between interfaces, if that is what you are after.

                            In other words, you have 3 interfaces. These are really designed with the following in mind:

                            Inside - your LAN
                            Outside - the Internet
                            DMZ - semi-secure servers

                            You could really use these for any 3 networks (they could all be internal LANs). The ACLs would restrict traffic between these 3 interfaces.

                            If you have a number of VLANs and subnets that you want to create (say one for each floor or each department), I would recommend a Layer 3 switch like a 3550 with the enterprise IOS. Or, at least a 2950 with a 2811 to do the VLAN routing.

                            Does that help?

                            Thanks,
                            David Davis - Petri Forums Moderator & Video Training Author



                            • #15
                              Re: Basic Cisco PIX and Catalyst VLAN question

                              Hello all,

                              I have been through the wringer on this, and I realized a few things that may be helpful to the community. First and foremost, a PIX 506E will load 7.04 IOS, however it will not have full functionality. In fact you can only use a subset of the IOS.

                              Next, creating VLANs with trunking using a PIX 506E is not advisable. Although I am not a pro with PIX, I tried everything under the sun.

                              End result: I went back down to IOS 6.35 and have created a separate internal network.

                              Now folks, my problem is this: as indicated earlier I am not a pro, so I need help in creating an ACL list to use HTTPS port 443.

                              I have attached my config; however, I have changed the outside address for security. Please advise what my next step should be or if I have forgotten something.

                              My inside will go to a switch 192.168.10.2, outside to a router 65.122.48.1
                              Inside interface 192.168.10.1, outside 65.122.48.2

                              Please review and advise. Thank you


                              PIX Version 6.3(5)
                              interface ethernet0 auto shutdown
                              interface ethernet1 auto
                              nameif ethernet0 outside security0
                              nameif ethernet1 inside security100
                              enable password 8Ry2YjIyt7RRXU24 encrypted
                              passwd 2KFQnbNIdI.2KYOU encrypted
                              hostname TADPIX
                              domain-name xxxxxx
                              fixup protocol dns maximum-length 512
                              fixup protocol ftp 21
                              fixup protocol h323 h225 1720
                              fixup protocol h323 ras 1718-1719
                              fixup protocol http 80
                              fixup protocol rsh 514
                              fixup protocol rtsp 554
                              fixup protocol sip 5060
                              fixup protocol sip udp 5060
                              fixup protocol skinny 2000
                              fixup protocol smtp 25
                              fixup protocol sqlnet 1521
                              fixup protocol tftp 69
                              pager lines 24
                              mtu outside 1500
                              mtu inside 1500
                              ip address outside 65.122.48.2 255.0.0.0
                              ip address inside 192.168.10.1 255.255.255.0
                              ip audit info action alarm
                              ip audit attack action alarm
                              pdm history enable
                              arp timeout 14400
                              nat (inside) 1 0.0.0.0 0.0.0.0 0 0
                              route outside 0.0.0.0 0.0.0.0 65.122.48.1 1
                              timeout xlate 3:00:00
                              timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
                              timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
                              timeout sip-disconnect 0:02:00 sip-invite 0:03:00
                              timeout uauth 0:05:00 absolute
                              aaa-server TACACS+ protocol tacacs+
                              aaa-server TACACS+ max-failed-attempts 3
                              aaa-server TACACS+ deadtime 10
                              aaa-server RADIUS protocol radius
                              aaa-server RADIUS max-failed-attempts 3
                              aaa-server RADIUS deadtime 10
                              no snmp-server location
                              no snmp-server contact
                              snmp-server community public
                              no snmp-server enable traps
                              floodguard enable
                              telnet timeout 5
                              ssh timeout 5
                              console timeout 0
                              terminal width 80
                              Cryptochecksum:893fbdddd80b924d6bf91bc2cad0ce36
                              : end


                              THANK YOU in ADVANCE

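Added example, not Manu's posted config and not anyone else's answer in the thread: the PIX OS 6.3 lines a reviewer would add to the config above so that the inside network can reach the Internet and so that only HTTPS (TCP 443) is accepted from the outside, delivered to one inside server. The server address 192.168.10.20 is constructed; `interface` in the static publishes the service on the outside address already in the config (65.122.48.2); the community string value is a placeholder. Three things worth checking in the posted config before adding anything: `nat (inside) 1` has no matching `global`, so outbound traffic currently has nothing to translate to; the outside mask 255.0.0.0 makes the PIX treat all of 65.0.0.0/8 as directly connected (it will ARP for those addresses rather than forward them to 65.122.48.1), so it should be the mask the ISP assigned; and `snmp-server community public` is the well-known default.

```cisco
: --- PIX OS 6.3 additions (added example, not the posted config)
: Give nat (inside) 1 something to translate to: PAT behind the outside address
global (outside) 1 interface
: Publish only TCP/443 of the outside address to the inside HTTPS server
: (192.168.10.20 is a constructed address)
static (inside,outside) tcp interface https 192.168.10.20 https netmask 255.255.255.255
: Inbound from the Internet: HTTPS to that published port and nothing else.
: The implicit deny at the end of every access-list drops the rest.
access-list outside_in permit tcp any host 65.122.48.2 eq https
access-group outside_in in interface outside
: Outbound from the LAN, if you also want to limit what the inside may start:
: web and DNS only. Once applied, anything not listed here is dropped too.
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_out permit udp 192.168.10.0 255.255.255.0 any eq domain
access-group inside_out in interface inside
: Replace the default community string (placeholder value; pick your own)
no snmp-server community public
snmp-server community REPLACE-WITH-A-LONG-RANDOM-STRING
```

The `static` is a port-level translation, so the server is reachable from outside on 443 only; its other ports are never mapped, regardless of what the access-list says. If the inside access-list is applied, add lines for anything else the LAN legitimately needs (mail, NTP, remote access to the managed router) before users notice it missing; leaving it off keeps the posted default, where the inside may start anything toward the outside.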
