VLANs on Cisco PIX 506e

Good morning

We currently have a Cisco PIX 506e connected to a couple of managed 3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and users can VPN to the network using the VPN client on their Windows XP laptops.

I'd like to implement VLANs on our network.

We're going to upgrade to 6.3(4) to facilitate this.

However, quoting from the document:

"When 506 and 506E are used as VPN hardware clients, logical interfaces on the 506/506E cannot be used to initiate a VPN tunnel."

Does this mean that we would be unable to carry on with our PIX-PIX VPN to HQ, or is there a way around this?

Many thanks in advance.

dilan.weerasinghe

No, upgrade to 6.3(5)112 --


The line is saying that you would be able to start a VPN tunnel from an interface which is not a VLAN.

Tunnels to remote location are always connected to a lower security interface, usually the outside interface. If you were planning on configuring your switches so that the lower security interface was connected to the switch -only- through the tagged VLAN (e.g., you would not configure an IP address on ethernet0, only on the VLAN that you have overlaying ethernet0), then Don't Do That ;-)

Configure an IP address on ethernet0 (the "outside" interface) and connect it to the 3COM switch. If that is the only broadcast domain (vlan) configured on that wire, then configure that port on the 3COM as an access port -- a non-tagged interface, which you can make a part of any necessary VLAN at the 3COM level. For inbound traffic, the 3COM would strip the VLAN tag off before sending it to the PIX outside interface and the PIX doesn't need to have any idea that further out in your infrastructure that there is VLANing going on.

If there are multiple broadcast domains (vlans) configured on the wire that connects the PIX outside interface to the 3COM, then configure that port on the 3COM as a trunk port, but take the VLAN number that is carrying the inbound internet traffic and configure that on the 3COM as the "native" VLAN for that trunk port.

802.1Q -requires- that the VLAN tag be stripped off of the "native" VLAN for any port; this gets you back to the situation above, except allowing you to add one or more VLANs onto ethernet0 at the PIX level and that the tags for those would *not* be stripped off (because they wouldn't be the native vlan number for the trunk.)

Keep in mind, by the way, that the PIX 506 and 506E only support 2 VLANs in addition to the 2 physical interfaces.

Walter Roberson


I read it as meaning that I couldn't start a VPN tunnel on an interface that was on a VLAN? I know this is similar to what you're saying, but am I thinking along the right lines?

I'm hoping to set up 2 VLANs on the inside (i.e. LAN) interface of the PIX. One VLAN will be for the general network and one VLAN for our wireless network. Seeing as I'm setting up the VLANs on the inside interface (VPN tunnels are configured for the outside interface), I'm assuming that this will be OK in relation to our VPN tunnel to Africa and the Cisco quote does not apply here?

Thanks, Dilan

dilan.weerasinghe

Correct.

The effect is this:

Any crypto map policy you attach to a vlanXXX interface must not have a 'set peer' statement. But you could attach a crypto map policy with a 'set peer' to the underlying ethernet interface.

Walter Roberson

If you implement internal VLANs, do you have a way to route between each VLAN if you need to? Can the PIX do this with static route statements? It's my understanding the PIX cannot send traffic out an interface from which it was received, but I have no experience with PIX VLAN/logical interfaces so I don't know if this rule applies. Just something to also consider.

If you are only using a 506e, do you have enough inside hosts to require separate VLANs, or is this mainly a change mandated through policy?

john smith

Yes.

It will automatically add the static route.

It does not apply in this case. It might be easier to think of the rule as being the one that prohibits transmission between interfaces of the same security level: an interface going to exactly the same interface would be an attempt to go to the same security level, but going from an interface to a VLAN overlaying the interface would be changing security levels.

Walter Roberson

I just think of the VLAN interfaces simply as interfaces, like the physical ones. They are required to have a security level (different from any other security level already configured), so traffic will be flowing among interfaces with different security levels.

Alex.

AM
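To put Walter's crypto map point and Alex's security-level point side by side, here is an added PIX 6.3 configuration sketch; it is not from the thread or from Cisco documentation, and the interface names, VLAN IDs, addresses, access-list and peer address are assumed values (203.0.113.1 is a placeholder for the HQ peer). ISAKMP policy details and NAT exemption for the tunnel are left out to keep the focus on where the 'set peer' map is bound.

```text
! Added example, not from the thread. All names, VLAN IDs and addresses are assumed.
! Physical interfaces: ethernet0 faces the Internet, ethernet1 faces the 3Com switch.
interface ethernet0 auto
interface ethernet1 100full
! Two logical VLAN interfaces overlay ethernet1 (the 506E supports at most two).
! Their frames arrive tagged on the 3Com trunk port; ethernet1 itself stays untagged (native VLAN).
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
! Every interface, physical or logical, needs its own unique security level,
! so traffic between inside, general and wireless crosses security levels and is policed by ACLs.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 general security90
nameif vlan20 wireless security40
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address general 192.168.10.1 255.255.255.0
ip address wireless 192.168.20.1 255.255.255.0
! Site-to-site tunnel to HQ. The crypto map that carries 'set peer' is bound to the
! physical outside interface, never to a vlanXX logical interface.
access-list hq permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
crypto ipsec transform-set hq-set esp-3des esp-sha-hmac
crypto map hq-map 10 ipsec-isakmp
crypto map hq-map 10 match address hq
crypto map hq-map 10 set peer 203.0.113.1
crypto map hq-map 10 set transform-set hq-set
crypto map hq-map interface outside
isakmp enable outside
```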
