PIX Security Appliance Routing Capabilities
Virtual LANs

With PIX Security Appliance Software Version 6.3 and higher, the administrator can assign VLANs to physical interfaces on the PIX or configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN. VLANs connect devices on one or more physical LAN segments through software so that they can act as though they are attached to the same physical LAN. The PIX supports only 802.1Q VLANs.

The PIX Security Appliance does not currently support executable commands for LAN trunks, the physical and logical connection between two switches, because the PIX does not negotiate or participate in any bridging protocols. The PIX only displays the VLANs on the LAN trunk. The state of the LAN trunk is considered the same as the state of the physical interface by the PIX Security Appliance. If the link is up on the physical Ethernet, then the PIX considers the trunk as up as soon as a VLAN has been assigned or configured for it. Additionally, the VLAN is active as soon as a VLAN ID is assigned or configured on the physical Ethernet interface of the PIX.

Each physical interface on the PIX Security Appliance is in place at boot time and cannot be removed. Logical interfaces are many-to-one per physical interface: they are created at runtime and can be removed through software reconfiguration. A minimum of two physical interfaces is required for all PIX platforms to support VLANs.

Configuring Logical Interfaces
To create a logical subinterface, use the subinterface argument of the interface command in global configuration mode. To remove a subinterface, use the no form of this command. A physical interface cannot be removed. In subinterface configuration mode, name, VLAN, IP address, and many other settings can be configured.

Use the vlan vlan_id command in subinterface configuration mode to assign a VLAN ID to a subinterface. The vlan_id is an integer between 1 and 4094. Subinterfaces require a VLAN ID to pass traffic.

If subinterfaces are enabled, the main interface is typically not configured to pass traffic, because the main interface passes untagged packets. The main interface must be configured with the no shutdown command to let subinterfaces be enabled. Therefore, traffic cannot be prevented from passing through the main interface with the shutdown command. Instead, ensure that the main interface does not pass traffic by leaving out the nameif command. If the main interface is required to pass untagged packets, the nameif command can be configured as usual.

The syntax for the interface command is shown in Figure.

With the nameif command, the administrator defines a name for each VLAN. The interface name is used in all configuration commands on the PIX Security Appliance instead of the interface type and ID, such as fastethernet0/1, and is therefore required before traffic can pass through the interface.

To set the security level of a subinterface, use the security-level number command in subinterface configuration mode. The number can be any integer between 0 and 100.

In the example in Figure, vlan10 is named dmz1, with a security level of 10.

Use the ip address command to assign IP addresses to the VLANs. In the example in Figure, dmz1 is assigned the IP address 172.16.10.1.

The example in Figure details the configuration necessary to create multiple VLANs on a single physical interface. In the example, VLANs 10, 20, and 30 have been created on the appropriate subinterfaces of interface Ethernet3.
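The following configuration is an added example, not the figure from the original page, and shows the full sequence described above (interface subinterface, vlan, nameif, security-level, ip address) for VLANs 10, 20, and 30 on Ethernet3. Only the dmz1 name, its security level of 10, and its address 172.16.10.1 come from the text; the subnet masks, the names and security levels for VLANs 20 and 30, and the 172.16.20.0/24 and 172.16.30.0/24 address ranges are assumed values.

```text
! Added example (not from the original page): PIX 7.x-style configuration
! for three VLAN subinterfaces on Ethernet3.
! Assumed values: subnet masks, dmz2/dmz3 names and security levels,
! and the 172.16.20.0/24 and 172.16.30.0/24 ranges.
!
! Physical interface: brought up with "no shutdown" so the subinterfaces
! can pass traffic, but deliberately left without a nameif so that it
! does not itself forward untagged frames.
interface Ethernet3
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 10: the dmz1 example from the text.
interface Ethernet3.1
 vlan 10
 nameif dmz1
 security-level 10
 ip address 172.16.10.1 255.255.255.0
!
! VLAN 20 (assumed name and security level).
interface Ethernet3.2
 vlan 20
 nameif dmz2
 security-level 20
 ip address 172.16.20.1 255.255.255.0
!
! VLAN 30 (assumed name and security level).
interface Ethernet3.3
 vlan 30
 nameif dmz3
 security-level 30
 ip address 172.16.30.1 255.255.255.0
```

The subinterface number after the dot (.1, .2, .3) is only a local identifier; the vlan command is what binds each subinterface to an 802.1Q tag. Because shutdown on Ethernet3 would also disable all three subinterfaces, the control over untagged traffic is the absence of nameif on the physical interface, as the text explains: adding a nameif to Ethernet3 would make the appliance accept and route untagged frames arriving on that port.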

VLAN Support
VLANs are not supported on the PIX Security Appliance 501 and 506/506E models. The number of logical interfaces that can be configured on the other PIX models varies by platform and license type. The chart in Figure defines the maximum supported interfaces of the PIX Security Appliance family.