
Router > VLAN > Need a PIX ?? somewhere


ndog4ever (MIS), Feb 6, 2002
I currently have a Cisco 2620 and I am trunking to an HP ProCurve switch doing inter-VLAN routing. I want to implement a PIX firewall in the mix, but I am unsure of the best way to do this with VLAN routing. As you know, the 2620 only has one 100 Mb Ethernet port. Will the PIX trunk between the two?? Thanks for any suggestions; I am drawing a blank here.

 
Hi!
With version 6.3, you can assign VLANs to physical interfaces on the PIX Firewall, or you can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.
It supports multiple virtual interfaces on a single physical interface through VLAN trunking (802.1Q) and multiple VLAN trunks per Cisco PIX Firewall.
Max VLANs:
8 VLANs on Cisco PIX 515 and 515E
10 VLANs on Cisco PIX 520 and 525
24 VLANs on Cisco PIX 535

Numbers are lower for a restricted licence.

This decision depends on the size and design of your network, the throughput it must support and the features you want to implement on the PIX (i.e. DMZ support).
The PIX 515 can support up to 188 Mbps of firewall throughput with the ability to handle over 130,000 simultaneous sessions, as well as integrated hardware VPN acceleration delivering up to 140 Mbps of 3DES VPN throughput.
If you need only a few VPNs, I'd update the IOS on the 2620 to a version with the Firewall Feature Set and configure it with CBAC and VPNs/VPDNs. And if you have a T1 connection, it makes no sense to go with the PIX. I've seen a 515E on a fully saturated T3 with over a thousand active 3DES VPN tunnels, and CPU usage was below 40%.
In my opinion a Cisco router properly configured as a FW is as good as a PIX, if not better. The only constraint is 3DES throughput and support for more interfaces.
There may be some issues at layer 8: your boss may feel more secure seeing a dedicated device acting as a FW. You may have a hard time convincing him that your router will do the same job.
Of course, adding a PIX won't hurt :)
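The PIX 6.3 logical-interface feature described in the reply above, shown as an added configuration example (this is not the poster's own config). It puts the PIX on the 802.1Q trunk from the ProCurve: untagged frames on ethernet1 are the inside network, and tagged VLAN 10 and VLAN 20 become logical interfaces with their own security levels and ACLs. The VLAN IDs, interface names, addresses and the file-server host are all assumptions for the example.

```cisco
! PIX 6.3: ethernet0 faces the ISP, ethernet1 carries the 802.1Q trunk
! from the ProCurve. Untagged frames on ethernet1 are "inside"; tagged
! VLAN 10 and VLAN 20 become logical interfaces. VLAN IDs, names and
! addresses are assumptions for this example.
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical

! Every interface, physical or logical, needs a name and a security level.
! Higher-to-lower traffic is permitted by default; lower-to-higher is not.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 dmz security50
nameif vlan20 users security80

ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 10.0.10.1 255.255.255.0
ip address users 10.0.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! PIX 6.x needs a translation for every interface pair. Exempt the private
! ranges from NAT when they talk to each other (nat 0 with an ACL is
! bidirectional) and PAT everything else behind the outside address.
access-list no_nat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list no_nat
nat (users) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (users) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! DMZ hosts may reach the Internet but must not initiate anything toward
! the inside or user VLANs; the deny is explicit so that it is logged.
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! Users (security80) reach only the file server on inside (security100);
! the nat 0 exemption above supplies the translation that lets this
! lower-to-higher flow through once the ACL permits it.
access-list users_in permit tcp 10.0.20.0 255.255.255.0 host 10.0.1.10 eq 445
access-list users_in deny ip 10.0.20.0 255.255.255.0 10.0.1.0 255.255.255.0 log
access-list users_in permit ip 10.0.20.0 255.255.255.0 any
access-group users_in in interface users
```

On the ProCurve side the port toward the PIX carries the inside VLAN untagged and VLANs 10 and 20 tagged. If the switch tags the inside VLAN too, bind that VLAN ID to the physical port with `interface ethernet1 vlan<id> physical` so the PIX tags inside traffic as well. With the PIX holding one interface per VLAN, the 2620 no longer has to be the inter-VLAN router; it can route only between the outside and the PIX, and all VLAN-to-VLAN policy lives in the PIX ACLs. Keep the VLAN count under the per-model limits quoted in the reply.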



 
Thanks, I had no idea that the higher-end PIXes did VLAN trunking. Yeah, I am pretty sure he is going to want a firewall even though I have some access lists in place now. Do you know of a good reference site that has some tricks of the trade for hardening Cisco routers with access lists? Thanks for the input and help!!
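The router-based alternative suggested earlier in the thread (IOS Firewall Feature Set with CBAC) together with the access-list hardening asked about here, as an added example that is not from either poster. It assumes a 12.x IOS image with the Firewall Feature Set, a T1 on Serial0/0, the 802.1Q trunk on FastEthernet0/0 with one subinterface per VLAN, and the addresses, VLAN IDs and file-server host shown; all of those are assumptions.

```cisco
! IOS Firewall Feature Set on the 2620 (assumed 12.x image with CBAC).
! S0/0 is the T1, Fa0/0 is the 802.1Q trunk to the ProCurve.
! Addresses, VLAN IDs and hosts are assumptions for this example.

! Turn off services a perimeter router should not offer.
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
no cdp run

! CBAC: inspect sessions leaving on the T1 and open the return path
! dynamically, so the inbound ACL can deny everything unsolicited.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect audit-trail
ip inspect tcp synwait-time 15

! Inbound filter on the T1: drop spoofed sources (our own private and
! outside ranges, loopback), allow only the ICMP needed for replies and
! path-MTU discovery, then deny and log the rest. CBAC inserts the
! per-session permits above this ACL for established outbound sessions.
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 203.0.113.0 0.0.0.3 any log
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny   ip any any log

! Inter-VLAN policy stays on the router: VLAN 20 reaches only the file
! server in VLAN 10; any other VLAN 20 -> VLAN 10 traffic is dropped
! and logged, everything else from VLAN 20 is allowed out.
access-list 120 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.10 eq 445
access-list 120 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
access-list 120 permit ip 10.0.20.0 0.0.0.255 any

interface Serial0/0
 description T1 to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group 110 in
 ip inspect OUTBOUND out
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast

interface FastEthernet0/0
 description 802.1Q trunk to ProCurve
 no ip address

interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp

interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group 120 in
 no ip redirects
 no ip proxy-arp
```

Two checks worth running after loading this: `show ip inspect sessions` while a host browses, to confirm CBAC is tracking the outbound connections, and `show access-lists 110` to confirm the final deny's hit counter is climbing rather than one of the permits. The `log` keyword on the deny lines is what makes the router useful as a detection point, so send logging to a syslog host with `logging <host>` rather than leaving it in the buffer.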
 