gopher_49
asked on
VLAN trunking and/or virtual interfaces on a PIX 506e
I have VLAN trunking and/or virtual interfaces enabled on my PIX 506e. I have two logical interfaces... The first one used the default VLAN id 1 and the second one uses the VLAN id 3. I have an access point with two SSID's. SSID 1 goes to VLAN id 1 and SSID 2 goes to VLAN id 3. I want to change my default VLAN id to 2 instead of 1. By doing this do I have to specify the new VLAN id on the first logical interface? Currently there is no VLAN id listed in my syntax for its understood that it's the default VLAN of 1. Below is the syntax used on my 506e that pertains to my VLAN trunking config.
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 wireless security50
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (wireless) 1 0.0.0.0 0.0.0.0 0 0
dhcpd address 192.168.1.10-192.168.1.100
dhcpd address 192.168.13.100-192.168.13.
dhcpd dns 192.168.1.6 192.168.1.250
dhcpd enable inside
dhcpd enable wireless
What do I change in the above syntax to make the interface called 'inside' to use the VLAN id 2?
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 wireless security50
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (wireless) 1 0.0.0.0 0.0.0.0 0 0
dhcpd address 192.168.1.10-192.168.1.100
dhcpd address 192.168.13.100-192.168.13.
dhcpd dns 192.168.1.6 192.168.1.250
dhcpd enable inside
dhcpd enable wireless
What do I change in the above syntax to make the interface called 'inside' to use the VLAN id 2?
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
It is a good practice to assign data ports to dedicated vlan other than vlan 1. You are correct that as long as the AP is connected to a trunk port, then unplugging and plugging in a laptop would result in the laptop being assigned to vlan1 where there is no data or access to anything.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
Now,
I was thinking I can accomplish my goal in an easier fashion. I have three buildings that are connected by wireless LAN bridges. I have 2 x AP's in each building. In the 3rd building a data switch is in an area where people could easily plug devices into the switch. I've disabled all unused ports, however, I'm worried that someone might unplug an AP and in return plug a computer into the port. The end result would be that they would be on a VLAN that I do not want them on... So, I thought about simply changing the VLAN to all of the active ports to VLAN 2. I have nothing on VLAN 2 and at that point it won't matter if they plug into that VLAN.
I'll keep your notes for future configs though. Thanks for the accurate and quick response.