Solved

Two VLANs in a Catalyst 2950 and one PIX 501

Posted on 2006-05-19
740 Views
Last Modified: 2009-07-29
We have a small LAN with a Catalyst 2950 and a PIX 501, with the following desired config:

a) Two separate vlans that cannot see one another
b) Both vlans have access to the Internet

Tried this, but it did not work:

The Catalyst 2950 configured with two VLANS (i.e. VLAN 2 and VLAN 3)

The first 22 ports of the Catalyst 2950 were setup as follows:

switchport mode access
switchport access vlan 3

The 23rd port was setup as follows:

switchport mode access
switchport access vlan 2

The 24th port was setup as follows:

switchport mode trunk

The PIX 501 was connected to port 24.

All hosts are in the same 192.168.1.0/24 subnet.

Neither segment could see the PIX when I did this. I assumed it was a vlan tagging issue, so I changed port 23 as follows:

switchport mode trunk
switchport trunk native vlan 2

... which I figured would tag the data from that port as vlan 2. This seemed to then allow that one port to see the PIX, but vlan 3 (the prior 22 ports) still could not.

Is this just beyond the ability of the PIX to negotiate? Am I misunderstanding vlans? Suggestions?
0
Question by:skeleton_key
6 Comments
 
LVL 10

Expert Comment

by:naveedb
ID: 16719566
I am not sure you can do it with the 501. You may try the 506E, which supports VLANs; I don't see any VLAN information for the 501.

Have a look at following discussion and link for Device features for PIX 501 vs. other models.

http://www.experts-exchange.com/Networking/Q_21399915.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheets_list.html
0
 
LVL 2

Author Comment

by:skeleton_key
ID: 16719610
I know the 501 itself does not support vlans, but I'm not sure it needs to, as the switch should be doing that, no? In other words, as long as the packets from a host on port 17 are tagged as from vlan 2, then when they need to go back to that host the trunk port connected to the PIX should know which vlan to put them on, no?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16719772
What you need to do is to configure 802.1q trunking on BOTH sides of the link. Unfortunately it doesn't appear that the 501 supports that.

The reason that vlan 2 works when you set the native vlan to 2 is that native vlan frames are untagged, so the PIX sees them as normal traffic. But it can't read the tagged frames without 802.1q support. It's the opposite of what you thought :-)

In fact, best practice is to set the native vlan to something that does not have any user traffic (vlan 1 is the default).
0
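The mechanism described in the comment above (native VLAN frames leave the trunk untagged, every other VLAN's frames carry an 802.1Q tag that a non-802.1Q device cannot interpret) can be seen directly in the frame bytes. The following is an added example and is not part of the original thread or any Cisco code: a small Python model that builds Ethernet II frames with and without an 802.1Q tag and parses them two ways, once as a device with no 802.1Q support would and once tag-aware. The MAC addresses and ARP body are constructed placeholder values.

```python
"""Build and inspect Ethernet II frames with and without an 802.1Q tag.

Added example (not from the original thread). Shows why a trunk's native
VLAN traffic is readable by a device with no 802.1Q support while tagged
VLAN traffic is not: the 4-byte tag sits where the EtherType used to be,
so a legacy parser reads 0x8100 instead of IPv4/ARP and gives up.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Return an Ethernet II frame; if vlan is given, insert an 802.1Q tag.

    The tag is 4 bytes between the source MAC and the EtherType:
    TPID (0x8100) then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    A native-VLAN frame on a trunk is simply sent with vlan=None (untagged).
    """
    if vlan is None:
        header = dst + src + struct.pack("!H", ethertype)
    else:
        if not 0 < vlan < 4095:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan          # DEI bit left at 0
        header = dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return header + payload


def parse_legacy(frame):
    """Parse as a device with no 802.1Q support would: EtherType at offset 12."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def parse_8021q_aware(frame):
    """Parse recognising a single 802.1Q tag; vlan is None when untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": inner_type, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None,
            "ethertype": ethertype, "payload": frame[14:]}


def legacy_device_understands(frame):
    """True if a non-802.1Q device recognises the EtherType it reads at offset 12."""
    return parse_legacy(frame)["ethertype"] in (ETHERTYPE_IPV4, ETHERTYPE_ARP)


# Constructed sample addresses and payload (placeholder values, not real hosts).
PIX_MAC = bytes.fromhex("0200000000aa")
HOST_MAC = bytes.fromhex("02000000000b")
ARP_STUB = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20   # 28-byte ARP body


def demo():
    # Host behind the port whose traffic maps to the trunk's native VLAN:
    # the switch forwards its frames out the trunk untagged.
    native = build_frame(PIX_MAC, HOST_MAC, ETHERTYPE_ARP, ARP_STUB, vlan=None)
    # Host on an access port in VLAN 3: the switch tags it on the trunk.
    tagged = build_frame(PIX_MAC, HOST_MAC, ETHERTYPE_ARP, ARP_STUB, vlan=3)
    return {
        "native_readable": legacy_device_understands(native),
        "tagged_readable": legacy_device_understands(tagged),
        "tagged_seen_as": parse_legacy(tagged)["ethertype"],   # 0x8100, not ARP
        "tagged_vlan": parse_8021q_aware(tagged)["vlan"],
        "native_vlan_field": parse_8021q_aware(native)["vlan"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if key == "tagged_seen_as" else value)
```

Running it shows the untagged (native VLAN) frame parsing cleanly on the legacy side and the VLAN 3 frame being read as EtherType 0x8100 with the real ARP header displaced four bytes; only the tag-aware parser recovers the VLAN ID. This is also why the best practice quoted above matters: whatever VLAN is native is the one a tag-blind device on the trunk, or anyone who can inject untagged frames, ends up talking to.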
 
LVL 2

Author Comment

by:skeleton_key
ID: 16719886
So, in a nutshell we CANNOT do this with this model PIX or without an intermediate router, yes?

And by "this" I mean my original objective:

> We have a small LAN with a Catalyst 2950 and a PIX 501, with the following desired config:
>
> a) Two separate vlans that cannot see one another
> b) Both vlans have access to the Internet

Correct?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16719974
I saw something about PIX software 6.3 supporting 802.1q virtual interfaces, and it did not say that the 501 was excluded from that. What version of software do you have?
0
 
LVL 28

Accepted Solution

by:mikebernhardt (earned 500 total points)
ID: 16720068
Ok. Although 6.3 supports vlans, the 501 does not. So in answer to your last question, you are correct.
0
