
VLAN Between PIX and 6506


ErrolDC (MIS), May 26, 2004
I am trying to determine the best approach to complete a task that I have set before me. I wanted to ping this community to see what others would have to say.

I have a PIX 515E with 6 physical interfaces. One of these interfaces is responsible for firewalling/segmenting a network that is specifically reserved for building tenants of my company. The interface physically connects to a switchport on a 6506. The idea is to connect each of our tenants to a port on the 6506 and segment them through VLANs. Each tenant will be on a separate VLAN. This separates the tenants from each other and from our network; however, the PIX firewall will be their gateway, so the PIX needs to reside on the same VLAN as each tenant.

I am aware that the PIX I have only supports 10 total interfaces, which means I've only got 4 interfaces to play with for VLAN stuff. However, I don't need the VLAN information to route through the PIX. The VLAN stuff can be stripped before the packet exits the interface physically connected to the switch. What I am interested in is binding multiple VLANs to a single switch port so that all my tenant VLANs can communicate with their gateway. Is this possible to do? Or is there another way I can do what I need to do?

Thanks for your thoughts.
 
How many (tenant) VLANs do you need?

PIX 6.3 now supports up to 8 or 10 VLANs for the PIX, but that's probably not enough.

I'd think you could turn the 6506 into a VLAN routing machine, but you may have to purchase an RSM if you don't already have one. I'm not sure; I'd try the Cisco switches forum for that.

Another note: I don't think your PIX supports 10 Ethernet interfaces. I've been down that road a couple of years ago, so I would make sure before you purchase any cards.

see the following blurb from the website.

The PIX 515E "Unrestricted" (PIX 515E-UR) model extends the capabilities of the family ...two 10/100 Fast Ethernet interfaces, and support for up to four additional 10/100 Fast Ethernet interfaces.

The ports are there, but unless they changed something that I am unaware of, the box does not actually support having two 4-port PCI cards...



Jeff
 
Capabilities (max physical, max VLAN, max total interfaces):

Model         Max physical   Max VLAN   Max total
PIX 515E R         3             3          5
PIX 515E UR        6             8         10
PIX 525 R          6             4          6
PIX 525 UR         8            10         12
PIX 535 R          8             6          8
PIX 535 UR        10            22         24

As in, you can't use all the VLAN capability if you load it up with physical interfaces.

Source: CSPFA training class material, May 2004 book, page 4-31.
 
hmm.

You want to separate the users so they are unable to see each other, but all able to see the "uplink".

Private VLAN ports pop into my mind (protected port).

Could this be a solution ?

HTH
Martin Bilgrav
 
Thanks a lot! I read up on PVLANs and it seems to be exactly what I am looking for. However, it seems that they have limitations, and that in order to use them in a secure manner you should also implement ACLs on the switch. That unfortunately requires a PFC for our 6506.
Thanks again!

Errol
 
With a 500 series firewall, if you give two interfaces the same security level, they are blind to each other. So if your number of tenants is within the limitation of the PIX, carry the VLANs out to the PIX and be done with it.
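The "carry the VLANs out to the PIX" approach from the reply above, written out as an added example (this is not configuration posted by anyone in the thread): a PIX 515E on PIX OS 6.3 with 802.1Q logical interfaces on a single physical port, and the matching 6506 trunk port. The interface names, VLAN numbers and the 192.0.2.0/24 and 198.51.100.0/24 addresses are invented for illustration, the 6506 side assumes native IOS, and the `!` lines are annotations rather than commands.

```cisco
! ---- PIX 515E, PIX OS 6.3 ----
! ethernet2 is the physical port cabled to the 6506. Each tenant VLAN becomes
! a tagged logical interface on it; every logical interface counts against the
! VLAN/total limits in the CSPFA table earlier in the thread.
interface ethernet2 100full
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
!
! Give every tenant interface the SAME security level. PIX 6.x has no
! same-security forwarding, so tenant_a and tenant_b cannot reach each other
! at all, while each can still reach inside/outside subject to ACLs and NAT.
! The untagged parent gets a name too but never carries tenant traffic, because
! the trunk's native VLAN below is an unused VLAN.
nameif ethernet2 tenants_native security20
nameif vlan10 tenant_a security20
nameif vlan20 tenant_b security20
!
! Constructed example addresses: one gateway address per tenant VLAN.
ip address tenant_a 192.0.2.1 255.255.255.0
ip address tenant_b 198.51.100.1 255.255.255.0
!
! ---- Catalyst 6506 (native IOS), port facing the PIX ----
interface GigabitEthernet3/1
 description dot1q trunk to PIX ethernet2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
! One tenant access port per VLAN; tenant A shown.
interface FastEthernet5/1
 description tenant A
 switchport
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
```

Two checks worth doing after applying this: `show interface` on the PIX should list vlan10 and vlan20 as up with their own names, and `show interfaces GigabitEthernet3/1 trunk` on the 6506 should show only 10 and 20 as allowed and active, with the native VLAN set to a VLAN that has no ports in it, so no tenant ever arrives untagged at the parent interface.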
 
ErrolDC, whenever I implement PVLAN on a C3524XL I do not apply any ACL.
What would be the issue in our LAN that needs a VLAN ACL ?
 
PVLANs are only capable of providing isolation at layer 2 of the OSI model. In our environment, one could defeat our security measures by using a router connected to a promiscuous port to route traffic back to the same subnet and ports on the same PVLAN (because the router is connected to the same primary and secondary PVLAN). All of our tenants belong to the same subnet on the same network segment, and there is not any inter-tenant communication. Using VACLs allows us to make sure that this model is enforced. In addition, we can control the flow of traffic from and to promiscuous ports in dedicated hardware (at least on the 6500 series switches). This is great for dealing with DoS attacks resulting from compromised machines.
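The PVLAN-plus-VACL arrangement Errol describes, as an added example rather than any poster's configuration: one primary VLAN carrying the whole tenant subnet, an isolated secondary VLAN for the tenant ports, a promiscuous port toward the PIX, and a VACL on the primary VLAN that drops any IP packet whose source and destination both lie inside the tenant subnet, which is exactly the packet a router behind the promiscuous port would otherwise proxy between two isolated hosts. The VLAN numbers, port names and the 192.0.2.0/24 subnet (PIX gateway at 192.0.2.1) are invented; it assumes a 6506 running native IOS with a PFC, which is what makes VACLs possible, as noted above. The `!` lines are annotations.

```cisco
! Primary VLAN 200 carries the tenant subnet; isolated VLAN 201 holds the tenant
! ports. Isolated ports can reach promiscuous ports only, never each other,
! but that isolation is purely layer 2.
vlan 200
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
! Promiscuous port toward the PIX tenant interface (the tenants' default gateway).
interface GigabitEthernet3/1
 description to PIX tenant interface
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Tenant host ports: every tenant is an isolated host in the same subnet.
interface range FastEthernet5/1 - 24
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! Proxy attack: tenant A sends a frame to the gateway's MAC with tenant B's IP
! as the destination. Layer 2 lets it through (promiscuous port), and any router
! there routes it straight back into the subnet. Drop it at the switch instead.
!
! VACL semantics: an ACL "permit" means MATCH THIS CLAUSE, not "allow". So the
! subnet-to-subnet line is a permit (matched, then dropped) and the exception
! for traffic to the gateway address itself is a deny (not matched, falls
! through to the forward clause). The implicit deny at the end sends all
! other traffic to clause 20 as well.
ip access-list extended PVLAN-PROXY-MATCH
 remark deny = do not match; permit = match and hit the drop clause
 deny   ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 permit ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
!
vlan access-map TENANT-PVLAN 10
 match ip address PVLAN-PROXY-MATCH
 action drop
vlan access-map TENANT-PVLAN 20
 action forward
!
! Apply to the primary VLAN.
vlan filter TENANT-PVLAN vlan-list 200
```

Before trusting it, test it from a tenant port: a ping from one tenant to another tenant's address must fail, a ping to 192.0.2.1 and to an outside address must succeed, and `show vlan access-map` / `show vlan filter` should show TENANT-PVLAN bound to VLAN 200. If a given software release does not extend the filter to the associated secondary VLAN automatically, add 201 to the `vlan-list`; a deliberate test from an isolated port is the only reliable way to know. Note the VACL is IP only: the layer 2 isolation still has to come from the PVLAN, and non-IP traffic is not covered by this map.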


 