PIX and VLAN
Can anyone tell me whether the PIX 515 and above can do inter-VLAN the way routers can?
Thanks a lot
dangquangminh
27-09-2003, 04:10 AM
Leo:
As far as I remember, the PIX 515 supports dot1q trunking.
Regards,
Thank you, senior,
I have also found the answer myself.
Many thanks
dangquangminh
27-09-2003, 10:58 PM
Leo,
Leo also has to use version 6.3.
thanks
Hello,
Plynh is configuring trunking between a Catalyst 2950T and a PIX 515E (on the Cat2950 there are 3 VLANs: 1, 2 and 3; on the PIX, e0: outside, e1: inside linked to VLAN 2 of the switch, e2: dmz linked to VLAN 3 of the switch).
If anyone has a sample configuration, please help!
Thanks a lot!
admin
14-04-2004, 11:26 PM
plynh:
Configure it using the following procedure:
Step 1 Assign the interface speed to a physical interface by entering the following command:
interface ethernet0 auto
Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan2 physical
By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.
Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan3 logical
This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.
Step 4 Configure the logical and physical interfaces by entering the following commands:
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
The first line assigns the name outside to ethernet0 (the physical interface) and sets the security level to zero. The second line assigns the name dmz to vlan3 (the logical interface) and sets the security level to 50. The third and fourth lines assign IP addresses to both interfaces.
After this configuration is enabled, the outside interface sends packets with a VLAN identifier of 2, and the dmz interface sends packets with a VLAN identifier of 3. Both types of packets are transmitted from the same physical interface (ethernet0).
Some other operations that are useful while configuring:
Managing VLANs
To display information about the VLAN configuration, enter the following command:
show interface
To temporarily disable a logical interface, enter the following command:
interface ethernet0 vlan_id shutdown
Replace vlan_id with the VLAN ID associated with the logical interface that you want to temporarily shut down.
To change the VLAN ID of a logical interface, enter the following command:
interface change-vlan old_vlan_id new_vlan_id
Replace old_vlan_id with the existing VLAN ID and replace new_vlan_id with the new VLAN ID you want to use.
This command lets you change the VLAN ID without removing the logical interface, which is helpful if you have added a number of access-lists or firewall rules to the interface and you do not want to start over.
To disable VLAN tagging on the interface, enter the following command:
no interface ethernet0 vlan_id physical
Replace vlan_id with the VLAN ID for which you want to disable VLAN tagging.
To remove the logical interface and remove all configuration, enter the following command:
no interface ethernet0 vlan_id logical
Replace vlan_id with the VLAN ID associated with the logical interface that you want to remove.
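The switch side of the trunk that the procedure above relies on, as an added example that is not part of the original thread or of Cisco's text. It assumes the PIX ethernet0 from steps 1 to 4 is cabled to FastEthernet0/1 on the Catalyst 2950; that port number and the VLAN names are assumptions.

```cisco
! Added example: Catalyst 2950 side of the 802.1Q trunk to PIX ethernet0.
! Assumed (not from the thread): port FastEthernet0/1 and the VLAN names.
!
vlan 2
 name PIX-OUTSIDE
vlan 3
 name PIX-DMZ
!
! The Catalyst 2950 trunks with 802.1Q only, so no encapsulation
! command is needed on the port.
interface FastEthernet0/1
 description 802.1Q trunk to PIX 515E ethernet0
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 switchport nonegotiate
!
! allowed vlan 2,3 : carry only the VLANs the PIX has interfaces for,
!                    so every other VLAN stays off the firewall link.
! nonegotiate      : static trunk, no trunk negotiation (DTP) with the PIX.
! native VLAN      : left at the default (1). The PIX tags both VLAN 2 and
!                    VLAN 3, so neither may be the native (untagged) VLAN
!                    on this port.
!
! Verify on the switch that the port is trunking and only 2,3 are allowed:
!   show interfaces trunk
```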
Admin,
Is it possible to do this without creating a logical interface??
Because plynh wants Ethernet1 of the PIX to be VLAN 2 and Ethernet2 to be VLAN 3. So plynh only assigns the physical VLAN!
Is it necessary to assign IP addresses to VLAN 2 and VLAN 3 on the switch???
Thanks
Admin,
With the topology plynh described above, there is no need to create a trunk between the PIX and the layer 2 switch! (sorry, Admin)
And following Admin's instructions above works OK, and the PIX 515 allows a maximum of 3 logical interfaces!
Thanks