1. Home
  2. Cisco Systems
  3. how to connect L3 switch and PIX

how to connect L3 switch and PIX

We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core layer 3 switch to route between 3 vlans (at 3 distinct locations that separately link to an ISP switch by fiber optics) and to use a trunk port to carry vlan traffic to the ISP's switch.

The following is the basic network map:

site1---------------ISP switch ------------- site 2 vlan 102 | | vlan103

192.168.1.0/24 | | 192.168.2.0/24 | | trunk (dot1q) | | | | native vlan101; | | vlan104 - 192.168.3.0/24

Site 3(Headquarter) Core L3 switch 3560G (192.168.3.1) | PIX 506E (192.168.3.2)

We also have a PIX 506E available in site 3 to control the Internet traffic.

My questions lie in the two areas:

  1. Physically where should I install the PIX? --my understanding is I should link both interfaces of the PIX to two ports of the 3560G, one interface for inbound and the other for outbound. The two ports on the switch that connect to the PIX should not be assigned to any vlan. Thus I don't need to configure anything about vlan on the PIX to allow vlan tagging traffic.
  2. Do site 1 and site 2 have to be configured vlan information on their access layer switches? Regarding the ISP engineer's opinion, we don't need configure vlan on switches on site 1 and site 2 because the ISP switch has already assigned two ports to vlans that belong to the two sites. Is this true? If not, we have to consider purchasing two layer 2 switches (such as 2960) to fulfill the task.

Thank you so much for your help on the two questions.

Reply to
szhang3
Loading thread data ...

Where is 192.168.1.1? Is VLAN 102 carried into site 3 on the trunk?

Where is 192.168.2.1? Is VLAN 103 carried into site 3 on the trunk?

Is there any equipment on 192.168.3.x on the ISP's network? If not, what is VLAN 104 used for? If so, at what IP address[es]?

Is there any equipment in VLAN 101 on the ISP's network? Any associated IP address? If not, what is VLAN 101 used for?

Is the ISP doing IP routing for you or just handing off layer 2 connectivity? Are they handing you an Internet circuit as well?

Every plausible guess that I can make as to your actual configuration can be ruled out based on the information in your drawing. It makes no sense.

Also? You mean other than the one you already showed on the drawing?

Yes, that is one way of doing it.

Yes, this is true.

Reply to
briggs

192.168.1.1 belongs to the inferface for vlan 102 on the switch 3560G on site 3.
192.168.2.1 belongs to the inferface for vlan 103 on the switch 3560G on site 3.

No. Vlan 104 is for site 3 solely. 192.168.3.1 belongs to the inferface for vlan 104 on the switch 3560G.

No equipment nor IP address for vlan 101. The ISP claimed vlan 101 as native vlan and would use it for our Internet access.

The ISP handles layer 2 connectivity on their switch. They offer us Internet connection as well. What the ISP pre-configured on their layer 2 switch were: vlan 102 for site1, vlan 103 for site 2, vlan 104 for site 3, and vlan 101 for NATIVE vlan which they claimed to let our network traffic go to the Internet.

On the ISP switch the port connecting to site 3 has been configured as a trunk port. Therefore, on our catalyst 3560G layer 3 switch, we need build a trunk port too. The 3560G will do inter-vlan routing by assigning 192.168.1.1to interface vlan 102; 192.168.2.1 to the interface vlan 103; and 192.168.3.1 to interface vlan 104.

We only have one PIX. Previously it controlled Internet traffic only. What puzzles me is where I should connect the PIX once the switch

3560G is brought in our network. I was told by the ISP that i don't need to configure vlan-related change on the PIX. Then how does the pix carry vlan tagging packets in and out?

Regarding site 1 and site2, currently we don't have cisco switches to be configured vlan information. I want to try out if the two sites can handle network traffic without L2 switches to be configured on site.

Please kindly give me your suggestion if you think my design has shortcomings or faults. Anything unclear I'll be happy to offer more informaiton.

Thanks!

Reply to
szhang3

Traffic going to the pix will not be vlan tagged unless those links are configured as trunks. The 'in' 'out' scenario you mention would have to be configured at layer-3 but then you're looking at asymetric routing of packets within the same TCP stream. You could go down the '2-link' path using an EtherChannel to the PIX (I'm not sure what pix platforms or software versions support EtherChannel) but I'd also recommend creating a seperate vlan for that logical link to remove the reliance on layer-2 stability ie. spanning-tree of vlan 104, which it has with the proposed topology.

When traversing a third party switch you are limited as to what vlan assignments are available to you. If the ISP has dsesignated vlan #'s 102 and 103 then these vlans need to be trunked between their switch and your

3560G and they would have to configure their switch ports attached to your equipment as trunks using the vlan assighned to each. Without vlans 102 and 103 being trunked to the 3560G their switch is responsible for layer-3 switching frames between them and into vlan 104. I'm unsure about the requirement for a native vlan because that's typically used for point-to-point traffic between switches at layer-2 like UDLP for example and I don't think their switch is going to be interested in seeing it. Don't use DTP. Check with the ISP about that type of traffic. We had a problem with an ISP's Cabletron switch being between two Catalyst 6500's ... 'something' was causing the cabletron switch to reset. We eventually went down the dark fibre path and haven't looked back.

BernieM

Reply to
BernieM

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.