VLAN Between PIX and 6506

[ErrolDC]

I am trying to determine the best approach complete a task that I have set before me. I wanted to ping this community see what others would have to say.

I have a PIX 515E with 6 physical interfaces. One of these interfaces is responsible for firewalling/segmenting a network that is specifically reserved for building tenants of my company. The interface physically connects to a swithport on a 6506. The idea is to connect each of our tenants to a port the 6506 and segment them through vlans. Each tenant will be on a separate vlan. This seperates the tenants from each other and from our network, however, the PIX firewall will be their gateway so the PIX needs to reside on the same vlan as each tenant.

I am aware that the PIX I have only supports 10 total interfaces, which means got only got 4 interfaces to play with for VLAN stuff. However, I don't need the vlan information to route through the PIX. The vlan stuff can be stripped before the packet exits the interface physically connected to the switch. What I am interested is binding multiple VLANS to a single switch port so that all my tenant vlans can communicate with their gateway. Is this possible to do? Or is there another way I can do what I need to do?

Thanks for your thoughts.

 

[criticalUpdate]

how many (tenants) vlans do you need.?

PIX 6.3 now supports up to 8 or 10 vlans for the pix but that's probably not enough.

I'd think you could turn the 6506 into a vlan routing machine but you may have to purchase a RSM if you don't already have I'm not sure I'd try the cisco switches forum for that.

another note: I don't think your pix supports 10 ethernet I've been down that road a couple of years ago so I would make sure before you purchase any cards.

see the following blurb from the website.

The PIX 515E "Unrestricted" (PIX 515E-UR) model extends the capabilities of the family ...two 10/100 Fast Ethernet interfaces, and support for up to four additional 10/100 Fast Ethernet interfaces.

the ports are there but unless they changed something that I am unaware of the box does not actually support having 2 4port pci cards...



Jeff

 

[308win]

Capabilities:

pix 515E UR
max physical 6
max VLAN 8
max 10

As in you can't use all the VLAN capability if you load it up with physical interfces

The 515E R model is 3,3,5 (physical,vlan,total)

525R 6,4,6
525UR 8,10,12

535R 8,6,8
535UR 10,22,24

Source, CSPFA training class material, May 2004 book, page 4-31.

 

[mbilgrav]

hmm.

you want to seperate the users to be unable to see each others but all able to see "uplink".

Private VLAN ports pops in my mind (port protected)

Could this be a solution ?

HTH
Martin Bilgrav

 

[ErrolDC]

Thanks alot! I read up on PVLANs and it seems to be excactly what I am looking for. However, it seems that they have limitations and that in order to use them in a secure manner you should also implement ACLS on the switch. That unfortunately requires a PFC for our 6506.
Thanks again!

Errol

 

[308win]

With a 500 series firewall if you give two interfaces the same security level, they are blind to each other. So if your number of tennants is within the limitation of the pix, carry the VLANs out to the PIX and be done with it.

 

[mbilgrav]

ErrolDC, Whenever I implement PVLAN on C3524XL I do not apply any ACL.
What would be the issue in our LAN that needs a VLAN ACL ?

 

[ErrolDC]

PVLANs are only capable of providing isolation at layer 2 of the osi model. In our environment, one could defeat our security measures by using a router connected to a promiscuous port to route traffic back to the same subnet and ports on the same pvlan (because the router is connected to the same primary and secondary pvlan). All of our tenants belong to the same subnet on the same network segment and there is not any inter-tenant communication. Using VACL's allows us to make sure that this model is enforced. In addition, we can control the flow of traffic from and to promiscuous in hardware dedicated hardware (at least on the 6500 series switches). This is great for dealing with DOS attacks resulting from compromised machines.