From: pfisterfarm on 27 Jan 2010 16:01

Thanks again to everyone who replied to my last post... I've got another project related to the same VMWare server...

I have a situation where I need to set up network access for a new virtual server in a vlan where most of the existing hosts are on the other side of a PIX 525 (running 7.2(2)).

The other hosts in the vlan are connected to a 4507 core switch, which is connected to an interface which is the DMZ and has the default gateway address of that vlan. Actually, the vlan, let's use the number 10, was set up at one point but is currently shut down. The connection to the PIX is an access port in the 10 vlan. The inside interface is connected to another port on the same 4507. The port the inside interface is connected to is an access port in the central site's core vlan... let's use 20 for this discussion.

The VMWare server is 2 hops away, first through an ATM connection to an 8540 (set up with IRB) to a 3560. Two other things about the configuration that might be important: (1) there is a second PIX in an active/standby configuration, and (2) the inside ports that the two PIXes are connected to are the source in a port mirror to a port that a content filter is connected to.

I'm guessing that some sort of routing needs to be set up on the PIX(es)... what is the best method of doing that? Since this is a production network, I was hoping to have to change as little as possible (obviously...)
From: Christoph Gartmann on 28 Jan 2010 03:43

In article <d3be1086-d0aa-4a93-98e8-9a559a99290d(a)d14g2000vbb.googlegroups.com>, pfisterfarm <pfisterfarm(a)gmail.com> writes:

> Thanks again to everyone who replied to my last post... I've got
> another project related to the same VMWare server...
>
> I have a situation where I need to set up network access for a new
> virtual server in a vlan where most of the existing hosts are on the
> other side of a PIX 525 (running 7.2(2)).
>
> The other hosts in the vlan are connected to a 4507 core switch, which
> is connected to an interface which is the DMZ and has the default
> gateway address of that vlan. Actually, the vlan, let's use the number
> 10, was set up at one point but is currently shut down. The connection
> to the PIX is an access port in the 10 vlan. The inside interface is
> connected to another port on the same 4507. The port the inside
> interface is connected to is an access port in the central site's core
> vlan... let's use 20 for this discussion.
>
> The VMWare server is 2 hops away, first through an ATM connection to an
> 8540 (set up with IRB) to a 3560. Two other things about the
> configuration that might be important: (1) there is a second PIX in an
> active/standby configuration, and (2) the inside ports that the two
> PIXes are connected to are the source in a port mirror to a port that a
> content filter is connected to.
>
> I'm guessing that some sort of routing needs to be set up on the PIX
> (es)... what is the best method of doing that?

I have some problems understanding your scenario. Some sort of a schematic would be helpful. In general, a Pix interface can be divided up into several virtual interfaces. Each interface may belong to a different VLAN. Could this be a solution for your scenario?
Regards,
Christoph Gartmann
--
Max-Planck-Institut fuer          Phone   : +49-761-5108-464   Fax: -80464
Immunbiologie
Postfach 1169                     Internet: gartmann(a)immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
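To make the suggestion above concrete, here is what splitting one PIX 7.x port into 802.1Q subinterfaces looks like on both ends of the link. This is an added example, not part of Christoph's post and not the original poster's configuration: the physical interface name (Ethernet1), the 4507 port (GigabitEthernet1/1), the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the security levels are all assumptions; only the VLAN numbers 10 and 20 come from the thread.

```cisco
! ===== PIX 7.2 side (added example; interface name and addresses assumed) =====
! The physical port carries the 802.1Q trunk and gets no name or address itself.
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN. Each becomes a separate firewall interface with its
! own name, security level and address, so VLAN 10 <-> VLAN 20 traffic still
! crosses the PIX and is subject to its access lists and inspection.
! Assumed: the PIX holds the VLAN 10 default gateway, as the thread describes.
interface Ethernet1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Assumed inside address on the core VLAN.
interface Ethernet1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
! ===== 4507 side (added example; port number assumed) =====
! The port facing the PIX changes from an access port to a dot1q trunk that
! carries only the VLANs the PIX is meant to see; do not leave it at the
! default of "all VLANs".
interface GigabitEthernet1/1
 description trunk to PIX Ethernet1 (assumed port)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 no shutdown
```

Two things from the original question are worth checking before applying something like this. First, with the active/standby pair, the subinterface configuration replicates to the standby unit, so the standby's switch port needs the same trunk settings or failover will fail its interface checks (`show failover` on the PIX shows the per-interface state). Second, the existing port mirror has the inside ports as its source; once that port is a trunk, the mirror will carry tagged traffic for both VLANs to the content filter, which may or may not be what that device expects.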
From: pfisterfarm on 28 Jan 2010 09:32 Yes, I should have known I really needed a diagram. I'll put something together and post it. Thanks!
From: pfisterfarm on 28 Jan 2010 10:46

On Jan 28, 9:32 am, pfisterfarm <pfisterf...(a)gmail.com> wrote:

> Yes, I should have known I really needed a diagram. I'll put something
> together and post it. Thanks!

I've got a diagram together and hopefully I've got everything on there that I need to...

http://www.pfisterfarm.com/vlan_and_pix_post.jpg

The ports on the 4507R going to the pix are both access ports in the appropriate vlan. All other ports should be trunk ports, currently. Thanks!