VLAN Configuration

Our Cisco Catalyst 3560G switch has 4 VLANs created on it.  2 of those VLANs have a port connection to the 2 available interfaces on our Cisco PIX515e FW ("Inside" & "DMZ").

Does that mean members of the other VLANs on the switch can't have Internet access since none of the ports that are members of those VLANs connect to the perimeter FW?
That will be correct.

Unless a client port has access to the VLAN that has a connection to the VLAN with a connection to the INSIDE of the PIX, there will be no Internet access.

Ken Boone (Network Consultant) commented:
So there are 2 different VLANs that have direct connections to your PIX firewall. There are 2 additional VLANs configured on the switch. You can provide Internet access to the other 2 VLANs. I am assuming that these other 2 VLANs would be considered "inside" networks. There are a few ways you can do this. Do you have a router on the inside of your firewall that these 2 other VLANs use as their default gateway? If you do, you can add a default route in the router to point to the inside IP address of the PIX. Then you would have to add a static route on the PIX to reach these two networks. In addition you would have to make sure your NAT rule on the firewall allows all networks, or else you could add these two additional networks.

If you do not have a router on the inside of your network, the 3560 switch is a layer 3 switch and is capable of routing between all the vlans.  In this case you would need to create layer 3 interfaces on the 3560, turn on IP routing, and add a default route to the inside ip address of the firewall.  

If you can provide more details as to how the networks are configured on the switch I can provide you with more details on what to configure.
dealvis (Author) commented:
Our Cisco Catalyst 3560 Switch VLANs...

VLAN 1 -  (Default Mgmt VLAN)

VLAN 2 -  Internal LAN where employee workstations are; has connection to PIX FW "Inside" interface []. Internet is accessible from any host in this VLAN. Works great; we have had it for a long time.

VLAN 3 - DMZ subnet [], connection to PIX FW "Middle" interface []; home for servers providing services to external hosts such as email, FTP, streaming media, etc. Internet is also accessible from hosts located in this VLAN. Works great; we have used it for a long time.

VLAN 4 - NEW - No connection to PIX. No router installed. Static IP assignments. Created to isolate IP-based audio & video control equipment (e.g. projectors, sound mixers, computers, etc.) within a separate broadcast domain / separate IP subnet. The Creative Director wants Internet access for his computers in VLAN 4, but I don't know how to configure the Catalyst 3560 switch to provide it.

Would it be easier to add a router or configure the Catalyst 3560 switch to perform inter-VLAN routing?
Ken Boone (Network Consultant) commented:
Configure the 3560 to route this traffic.  
Config t
ip routing
int vlan4
ip address 10.x.x.x <vlan 4 mask>    <-- make this the default gateway for vlan 4 devices (IOS needs the mask too)
no shut

int vlan2
ip address 192.168.0.x <vlan 2 mask>    <-- a free address in the vlan 2 subnet
no shut

ip route 0.0.0.0 0.0.0.0 <PIX inside IP>    <-- default route pointing at the PIX "Inside" interface address

Configure PIX:
config t
route inside 10.x.x.x <vlan 4 mask> 192.168.0.x    <-- vlan 4 network; next hop is whatever you used on the 3560 vlan2 interface

Now the pix should have a route to the vlan4

Also we need to look at your NAT statement.

It should look something like:

nat (inside) 1 0 0    <-- "0 0" is a catch-all: every inside source, including the 10.x network, gets translated

If that is what it is you are in good shape if not we will have to add entries for the 10.x network.
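To see why all three pieces (the 3560 default route, the PIX static route back to the new subnet, and a NAT rule that covers it) have to be present, here is a small Python model of the routing tables the config above produces. It is an added example, not part of the thread; the addresses (10.0.4.0/24 for VLAN 4, 192.168.0.254 for the 3560's vlan2 interface, 192.168.0.1 for the PIX inside address, the outside block and the Internet host) are constructed, since the thread only shows 10.x.x.x / 192.168.0.x placeholders.

```python
import ipaddress

# Constructed addressing; the thread itself only shows 10.x.x.x / 192.168.0.x placeholders.
VLAN2 = "192.168.0.0/24"                           # inside LAN, same segment as the PIX "Inside"
VLAN4 = "10.0.4.0/24"                              # new AV VLAN
SVI_VLAN2 = ipaddress.ip_address("192.168.0.254")  # 'int vlan2' address on the 3560
PIX_INSIDE = ipaddress.ip_address("192.168.0.1")   # next hop of the 3560's default route
INTERNET_HOST = ipaddress.ip_address("198.51.100.10")

class Router:  # minimal FIB: (prefix, next_hop or None if connected, egress interface)
    def __init__(self):
        self.routes = []
    def add(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))
    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None  # longest prefix wins

def build_switch():
    sw = Router()
    sw.add(VLAN2, None, "vlan2")                # connected via the vlan2 SVI
    sw.add(VLAN4, None, "vlan4")                # connected via the vlan4 SVI
    sw.add("0.0.0.0/0", PIX_INSIDE, "vlan2")    # ip route 0.0.0.0 0.0.0.0 <PIX inside IP>
    return sw

def build_pix(static_route_to_vlan4):
    pix = Router()
    pix.add(VLAN2, None, "inside")
    pix.add("203.0.113.0/29", None, "outside")
    pix.add("0.0.0.0/0", ipaddress.ip_address("203.0.113.1"), "outside")
    if static_route_to_vlan4:                   # route inside 10.0.4.0 255.255.255.0 192.168.0.254
        pix.add(VLAN4, SVI_VLAN2, "inside")
    return pix

def nat_covers(nat_nets, src):
    """nat (inside) 1 <net> <mask>: '0 0' means 0.0.0.0/0, i.e. every inside source."""
    return any(src in ipaddress.ip_network(n) for n in nat_nets)

def vlan4_has_internet(pix_has_route, nat_nets, src="10.0.4.20"):
    """True only if the forward path, the NAT rule and the return path all work."""
    src = ipaddress.ip_address(src)
    sw, pix = build_switch(), build_pix(pix_has_route)
    fwd = sw.lookup(INTERNET_HOST)              # 3560 must hand the packet to the PIX
    if fwd is None or fwd[1] != PIX_INSIDE:
        return False
    out = pix.lookup(INTERNET_HOST)             # PIX must send it out "outside" and translate it
    if out is None or out[2] != "outside" or not nat_covers(nat_nets, src):
        return False
    back = pix.lookup(src)                      # without the static route the reply goes out "outside"
    return back is not None and back[2] == "inside" and back[1] == SVI_VLAN2
```

Note that once `ip routing` is on, the 3560 also forwards between VLAN 2 and VLAN 4 themselves, so the isolation the new VLAN was created for now rests on whatever ACLs are applied to the SVIs.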


dealvis (Author) commented:
Clarification please related to these config commands...
int vlan2
ip address 192.168.0.X

So locate an unused IP address within the internal LAN's network & use it where you placed the X, correct?
Ken Boone (Network Consultant) commented:
That is correct.  You already have a layer 2 vlan established as vlan 2.  What we are doing now is creating the layer 3 vlan 2 interface.  Use a free vlan 2 ip address on this interface.  You should be able to ping the firewall from this address once you have it created to make sure you have the basic connectivity.
dealvis (Author) commented:
All right, I will locate a free IP address and reserve it on the DHCP server for this purpose, but I do not understand how to "ping the FW from this address". (Do you mean just make sure I can ping the PIX Inside interface [] from the Catalyst switch CLI after making these config additions?)
Ken Boone (Network Consultant) commented:
Yes that is what I mean.
dealvis (Author) commented:
Excellent, accurate information.  Application of clearly defined configuration commands Ken provided produced the desired result on first attempt. VLAN 4 members now have internet access also!

P.S. The NAT statement on our PIX FW did not need to be modified, as it was exactly as you said it should look (i.e. NAT (INSIDE) 1).
Thank you very, very much for your assistance!
