July 20, 2008 02:06am pdt

1. KCTS 1,235,397
2. RobWill 1,148,632
3. Sembee 1,023,191
4. kieran_b 752,582
5. TechSoEasy 713,970
6. batry_boy 712,695
7. tigermatt 694,094
8. LeeTutor 672,659
9. and235100 622,245
10. omarfarid 588,892
11. Chris-Dent 560,376
12. ravenpl 558,830
13. lrmoore 523,726
14. rindi 515,643
15. mass2612 462,641

1. Sembee 18,341,679
2. lrmoore 9,223,320
3. TechSoEasy 5,985,705
4. RobWill 4,878,806
5. Sheharya... 4,623,521
6. LeeTutor 4,181,104
7. leew 4,026,821
8. jlevie 3,150,709
9. sirbounty 3,034,902
10. oBdA 3,029,069
11. PeteLong 2,990,118
12. stevenlewis 2,957,465
13. rindi 2,749,458
14. CrazyOne 2,731,649
15. Fatal_Ex... 2,711,971

04.23.2005 at 08:37AM PDT, ID: 21399915

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.8

Cisco 2950 and Pix : VLAN security configuration help needed.

Zones: Miscellaneous Networking, Cisco PIX Firewall, Network Operations

Tags: vlan, cisco, pix, 2950

Although I am not a Cisco guru, I understand the basic concepts and configuration commands, and I thought that I had a handle on this question, but have come into a disagreement with a fellow tech. Now, I may be entirely wrong on my assumptions, and need some clarification on using VLANs for security purposes. Here is the problem:

Devices currently used:

Cisco 2950 Switch 24 port
Cisco PIX 501
IBM AS400 Database Server
18 Nodes (PCs) connecting to Switch

The client needs to segment 6 users that access the AS400 on a separate Broadcast/Security Domain, and those users are not to have internet access. All of the other 12 users will have internet access rights, but some will also need to have AS400 rights.

My proposal was to create 2 VLANs, with the 6 users and AS400 on one VLAN, with the others on the 2nd VLAN (which will also have a port connected to the PIX).

Now, I understand that you need a router to have a trunk between the two VLANs, and I could place Access Lists to permit and deny access to the first VLAN, but the client does not want to purchase a router. So my question is this:

Can you place a port in two separate VLANs within one switch? I was told at one time that you could, but need verification on this.

Or, can you configure the PIX to allow trunking with access lists on the LAN ports?

Or, is it true what my fellow tech is telling the customer. That they have to purchase an additional Switch, which as far as I know is not a solution to the problem. I would think that if additional devices are needed, it would be a router and not a switch. I really don't know what a second switch would do for them at this point, as I do not see that it would accomplish the goals of the client.

What do you think? Any suggestions? Configuration commands are always welcome! :)

Thanks,

FE

Internet
|
PIX 501
|
2950 Switch VLAN 1 <----------> VLAN2
| |
Internet Users AS400 and Security Sensitive Group

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: Fatal_Exception

Solution Provided By: ruddg

Participating Experts: 1

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

04.23.2005 at 10:25AM PDT, ID: 13850929

Rank: Master

ruddg:

An additional switch will not help (unless it has layer 3 capabilities). The PIX is not a router, and what you need is a router that will support the VLAN tagging. You cannot talk between the VLANs unless you have a router.

Trunking VLANs is very different from routing between them. Yes, you can trunk multiple VLANs on a single switch port, but they still cannot talk to each other without a router. You could potentially use a server with two NICs to handle to your inter-VLAN routing.

04.23.2005 at 10:40AM PDT, ID: 13850975

Fatal_Exception:

Thanks rud! I thought that would be the answer. So, what I was told about placing ports in multiple VLANs was incorrect. And that I am right in that a router is a must have in this situation, and that the only way to allow interfaces to 'talk' to more than one vlan is to allow routing between them. The PIX cannot be used as a router, as that is not one of its functions.

FE

04.23.2005 at 11:29AM PDT, ID: 13851134

Rank: Master

ruddg:

Just an FYI:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

And finally, you could also use a broadband router (two ethernet interfaces) to handle the inter-VLAN routing. That might be inexpensive enough to get a buy off -- not quite a business-class solution, but it would work. (I would recommend a trade-in on the 2950 to a 3750 L3 switch as a "best" solution.)

04.23.2005 at 12:09PM PDT, ID: 13851272

Fatal_Exception:

Thanks Rud! So, just to clarify:

With the current devices, we could create 2 vlans. One with only the 'security' group as interfaces, and the other with internet use members. I assume that Vlan 1 will include the FastEthernet ports and internet users, and through that would connect to the Switch.

The other Vlan 2 would only include the Security Group connecting through the interfaces configured on it, and would have no access out of their Vlan.

Just want to make sure I advise correctly.

I will also suggest the upgrade. good idea!

FE

04.23.2005 at 03:30PM PDT, ID: 13851791

Rank: Master

ruddg:

Correct, you can use additional VLANs to create isolated subnets on the 2950 switch.

Accepted Solution

04.23.2005 at 05:21PM PDT, ID: 13852025

Fatal_Exception:

Thanks again, rud...

FE

04.24.2005 at 05:01AM PDT, ID: 13853195

Fatal_Exception:

Rud,

Was doing some surfing last night and came across this reference regarding the PIX 506 and VLans... It seems that they now support Vlan configurations on the PIX 506s and higher? Am I reading this right, and what do you think about the configuration?

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080267ccd.html#wp152524

I will open another thread if you want! :)

FE

04.24.2005 at 09:06AM PDT, ID: 13854065

Rank: Master

ruddg:

Yes, I did not push the 506E upgrade option because this is a new feature and I have not seen it in action yet, let alone in a production environment. You certainly can go that route if you prefer... I expect it will function as Cisco says it does.

04.24.2005 at 10:59AM PDT, ID: 13854423

Fatal_Exception:

Thanks, man... glad you came back in..

20080236-EE-VQP-29