With PIX Security Appliance Software Version 6.3 and higher, the
administrator can assign VLANs to physical interfaces on the PIX or configure
multiple logical interfaces on a single physical interface and assign each
logical interface to a specific VLAN. VLANs connect devices on one or more
physical LAN segments through software so that they can act as though they are
attached to the same physical LAN. The PIX supports only 802.1Q VLANs.
The PIX Security Appliance does not
currently support executable commands for LAN trunks, the physical and logical
connection between two switches, because the PIX does not negotiate or
participate in any bridging protocols. The PIX only displays the VLANs on the
LAN trunk. The state of the LAN trunk is considered the same as the state of
the physical interface by the PIX Security Appliance. If the link is up on the
physical Ethernet, then the PIX considers the trunk as up as soon as a VLAN has
been assigned or configured for it. Additionally, the VLAN is active as soon as
a VLAN ID is assigned or configured on the physical Ethernet interface of the
PIX.
Physical interfaces are one per PIX Security Appliance interface, in
place at boot time and not removable. Logical interfaces can be many-to-one for
each interface, are created at runtime, and can be removed through software
reconfiguration. A minimum of two physical interfaces is required for all PIX
platforms to support VLANs.
Configuring Logical Interfaces
To create a logical subinterface, use the subinterface argument of the
interface command in global configuration mode. To remove a subinterface, use
the no form of this command. A physical interface cannot be removed. In
subinterface configuration mode, the name, VLAN, IP address, and many other
settings can be configured.
Use the vlan vlan_id command in subinterface configuration mode to assign a
VLAN ID to a subinterface. The vlan_id is an integer between 1 and 4094.
Subinterfaces require a VLAN ID to pass traffic.
If subinterfaces are enabled, the main interface is typically not configured
to pass traffic, because the main interface passes untagged packets. The main
interface must be configured with the no shutdown command to let subinterfaces
be enabled. Therefore, traffic cannot be prevented from passing through the
main interface with the shutdown command. Instead, ensure that the main
interface does not pass traffic by leaving out the nameif command. If the main
interface is required to pass untagged packets, the nameif command can be
configured as usual.
The syntax for the interface command is shown in the figure.
With the
nameif command, the administrator defines a name for each
VLAN. The interface name is used in all configuration commands on the PIX
Security Appliance instead of the interface type and ID, such as
fastethernet0/1, and is therefore required before traffic can pass through the
interface.
To set the security level of a subinterface, use the security-level number
command in subinterface configuration mode. The number can be any integer
between 0 and 100. In the example in the figure, vlan10 is named dmz1, with a
security level of 10.
Use the ip address command to assign IP addresses to the VLANs. In the example
in the figure, dmz1 is assigned the IP address 172.16.10.1.
The example in the figure details the configuration necessary to create
multiple VLANs on a single physical interface. In the example, VLANs 10, 20,
and 30 have been created on the appropriate subinterfaces of interface
Ethernet3.
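The procedure above (subinterface, vlan, nameif, security-level, ip address, and the no shutdown / no nameif rule for the main interface) as an added Python example; it is not part of the original text or of any Cisco tool. It embeds a constructed configuration written in the subinterface syntax the text describes (the "Ethernet3.1" subinterface spelling and the assumption that a physical interface stays down until no shutdown is entered are mine, not the page's), parses it, and flags the configuration errors the text warns about: a subinterface without a VLAN ID or nameif, a VLAN ID outside 1-4094, a security level outside 0-100, a main interface that was never brought up, and a main interface that still has a nameif and therefore passes untagged frames.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample, not from the page or from Cisco documentation. It uses the
# subinterface-mode commands the text names; "Ethernet3.1" is an assumed spelling.
GOOD_CONFIG = """\
interface Ethernet3
 no shutdown
interface Ethernet3.1
 vlan 10
 nameif dmz1
 security-level 10
 ip address 172.16.10.1 255.255.255.0
interface Ethernet3.2
 vlan 20
 nameif dmz2
 security-level 20
interface Ethernet3.3
 vlan 30
 nameif dmz3
 security-level 30
"""
# Constructed counter-example: nameif on the main interface, no "no shutdown",
# VLAN ID and security level out of range, and a subinterface with no VLAN ID.
BAD_CONFIG = """\
interface Ethernet3
 nameif untagged
interface Ethernet3.1
 vlan 5000
 nameif dmz1
 security-level 150
interface Ethernet3.2
 nameif dmz2
 security-level 20
"""
@dataclass
class Iface:
    name: str
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    shutdown: Optional[bool] = None  # None = not stated; a main interface is assumed down

    @property
    def is_sub(self) -> bool:
        return "." in self.name

    @property
    def physical(self) -> str:  # "Ethernet3.1" -> "Ethernet3"
        return self.name.split(".", 1)[0]

def parse_config(text: str) -> Dict[str, Iface]:
    """Collect interface blocks and the commands the audit cares about."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["interface"]:
            cur = ifaces[tok[1]] = Iface(name=tok[1])
        elif cur is None or not tok:
            continue
        elif tok[0] == "vlan":
            cur.vlan = int(tok[1])
        elif tok[0] == "nameif":
            cur.nameif = tok[1]
        elif tok[0] == "security-level":
            cur.security_level = int(tok[1])
        elif tok in (["shutdown"], ["no", "shutdown"]):
            cur.shutdown = tok[0] == "shutdown"
    return ifaces

def audit(ifaces: Dict[str, Iface]) -> List[str]:
    """One finding per rule from the text that the configuration violates."""
    out: List[str] = []
    subs: Dict[str, List[Iface]] = {}
    for i in ifaces.values():
        if i.is_sub:
            subs.setdefault(i.physical, []).append(i)
            if i.vlan is None or i.nameif is None:
                out.append(f"{i.name}: needs both a VLAN ID and a nameif to pass traffic")
        if i.vlan is not None and not 1 <= i.vlan <= 4094:
            out.append(f"{i.name}: vlan {i.vlan} outside 1-4094")
        if i.security_level is not None and not 0 <= i.security_level <= 100:
            out.append(f"{i.name}: security-level {i.security_level} outside 0-100")
    for phys, children in subs.items():
        main = ifaces.get(phys)
        if main is None or main.shutdown is not False:
            out.append(f"{phys}: needs 'no shutdown' before its subinterfaces are enabled")
        if main is not None and main.nameif is not None:
            vlans = ",".join(str(c.vlan) for c in children if c.vlan is not None)
            out.append(f"{phys}: nameif '{main.nameif}' passes untagged frames alongside "
                       f"VLANs {vlans}; omit nameif unless untagged traffic is intended")
    return out

def passes_traffic(name: str, ifaces: Dict[str, Iface]) -> bool:
    """nameif set, VLAN ID on a subinterface, and the physical interface 'no shutdown'."""
    i = ifaces[name]
    main = ifaces.get(i.physical)
    if i.nameif is None or i.shutdown is True or main is None or main.shutdown is not False:
        return False
    return not i.is_sub or i.vlan is not None
```

Running audit(parse_config(GOOD_CONFIG)) returns no findings and passes_traffic reports that dmz1, dmz2 and dmz3 forward while the bare Ethernet3 does not, which is the arrangement the text recommends; the same calls on BAD_CONFIG return five findings, one for each rule the text states. The parser ignores commands it does not audit (such as ip address), so it can be pointed at a larger running-config excerpt without changes.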
VLAN Support
VLANs are not supported on the PIX Security Appliance 501 and 506/506E models.
The number of logical interfaces that can be configured on the other PIX
models varies by platform and license type. The chart in the figure defines
the maximum supported interfaces of the PIX Security Appliance family.