Can I do VLAN routing on a Pix 515E??

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
Here's our setup:
1 Cisco 4500 switch connected to a 3-interface Pix 515E firewall, which then connects to a Cisco 3600 router going to ISP.
On one of the interfaces of the Pix is our DMZ network.

4500 --- 515E --- 3600 --- ISP

We're going to implement VoIP so I will set up some VLANs on 4500.
I know how to do inter-VLAN routing on the 4500, but now my issue is how do I configure the link between the Pix and the 4500 switch so that the hosts on the 4500 can get to the DMZ network and Internet??

Should I set up a port as a routed port on the 4500, and then define a default route to the Pix?
Or will I have to rely on the Pix?
Cisco's website
indicates Pix version 6.3 and higher support VLAN, but it doesn't really give you much detail and I'm not sure how to approach the task at hand.

If anyone has any idea or suggestion, please let me know.
Thanks!
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
set up a trunk on the switch using 802.1q tagging, allow the VLANs you want the trunk to pass. all set.

the documentation on trunking with the 4500 should help.

running native or hybrid mode on the 4500?

-edit- also make sure the native vlan is the same on the pix and the 4500
 

Cooky

So the Pix will take the trunk link from 4500 w/o any additional modification, in terms of interface type (access / trunk)??
It sounds like you're suggesting router on a stick, using Pix as the router??

We'll have multiple VLANs on 4500 and I was hoping we could use 4500 to do inter-VLAN routing (unless destination is DMZ on Pix), therefore, bypass the Pix to speed things up. Is this not possible??

The 4500 is running native IOS.
 

spidey07

sure it's possible, and recommended. you don't want things moving through the pix unless they have to for security reasons.

but a lot of times you want your DMZ to be a completely separate physical network.
 

Cooky

Thanks for the reply spidey.
My question is how do I configure inter-VLAN routing on both the 4500 and Pix??
 

spidey07

to the pix it is just another virtual interface.

as far as intervlan routing, you just create the vlan interfaces (SVIs) on the 4500

int vlan 2
ip address x.x.x.x 255.255.x.x
ip helper-address <your dhcp server>
no shut

repeat for any other VLANs you need. the global command on the 4500 is "ip routing", but it's probably enabled by default.
 

Cooky

"to the pix it is just another virtual interface."
What did you mean by that??

What happens when the packets need to go outside of the VLANs on the 4500?? How do I direct those packets to the Pix, which knows how to get to the DMZ and Internet?
ip route 0.0.0.0 0.0.0.0 IP_of_Pix and set up a routed port on the 4500?
 

spidey07

try to draw a picture, even in ascii.

a vlan is a layer2 network, so no routing is needed.

It might be better to draw it out. this stuff gets complicated without a picture (from a logical layer3 perspective as well as a layer1/2 picture)

so let me get this straight - the pix has 3 interfaces? internal, public, DMZ?

what switch provides connectivity for the DMZ? normally looks like this

switch---pix---router----I
          |
         DMZ
 

Cooky

The diagram you have is exactly how they're set up:
switch---pix---router---ISP
          |
         DMZ

so, pix is the only device that knows how to get to the DMZ and Internet.

For simplicity's sake, say I have 2 VLANs on the 4500 switch. After enabling ip routing on 4500, they can communicate w/ each other. (this part is easy for me)

What do I have to do on the switch and Pix, so that the hosts from these 2 VLANs would know how to get to the DMZ or the Internet (anywhere other than their own networks)??
My understanding is that the switch only knows the routes to the 2 VLANs on itself.

I hope my questions make sense and you know what I'm trying to ask...if not, my apologies.
 

spidey07

oh, in that case it doesn't sound like you need to do any vlan stuff on the pix.

you just need a default route on the 4500 and point it to the internal IP address of the pix. no trunking or anything like that needed.

or if you like, just a route for the DMZ network on the 4500, pointing to the internal pix IP.

this way any packet (we're talking layer3 here) that the 4500 doesn't know about gets forwarded (routed) to the pix.

ip route 0.0.0.0 0.0.0.0 <next hop>
 

Cooky

Do I need to set up the port connecting to the Pix as a routed port and give it an IP?? Or just leave it as a regular access switch port??

I'm relieved to know I wasn't way off base (Please refer to my question 2 messages up).

 

spidey07

regular switchport, not a routed port.

although you could do it either way and in this case it may be better to just use a /27 IP network for the connection to the PIX.

I'd recommend however just creating another VLAN and using this network for the connection to the pix.

also, the pix will need routes to your networks on the 4500
 

Cooky

if I use a regular switchport, the Pix will attempt to communicate w/ a VLAN SVI on the switch right?? Otherwise how would they talk to each other??
 

spidey07

that's correct. you are routing at that point.

that's why the 4500 and the pix both need routes of all IP networks.
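A worked configuration for the design spidey07 lays out above (SVIs on the 4500, a small transit VLAN to the PIX inside interface, a default route on the switch and return routes on the PIX). This is an added example, not configuration posted in the thread; all VLAN numbers, addresses, the DHCP server and the switch port are assumptions, and the lines beginning with "!" are explanatory comments rather than commands to paste.

```cisco
! ---- Catalyst 4500 (native IOS) ----
ip routing
!
! User VLAN SVIs: traffic between VLAN 2 and VLAN 3 is routed here and never touches the PIX
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.2.10
 no shutdown
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.2.10
 no shutdown
!
! Transit VLAN toward the PIX, a /27 as suggested in the thread
interface Vlan99
 ip address 192.168.99.2 255.255.255.224
 no shutdown
!
! Port facing the PIX inside interface: a plain access port, not a routed port
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 99
!
! Anything the 4500 has no route for (DMZ, Internet) is handed to the PIX inside address
ip route 0.0.0.0 0.0.0.0 192.168.99.1

! ---- PIX 515E (software 6.3) ----
ip address inside 192.168.99.1 255.255.255.224
! Return routes: without these the PIX has no path back to the user VLANs and replies are dropped
route inside 192.168.2.0 255.255.255.0 192.168.99.2 1
route inside 192.168.3.0 255.255.255.0 192.168.99.2 1
! The NAT rule must cover the VLAN subnets too, or their Internet-bound traffic is dropped (assumed pool)
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
```

On the 4500, "show ip route" should list the two connected VLAN subnets plus the static default via 192.168.99.1; on the PIX, "show route" should list the two "route inside" entries, which is the check that both sides hold routes for all IP networks as spidey07's last reply requires.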