Simple (I hope) VLAN setup

[dozier]

Hi all,

I have a PIX firewall and an underutilized Catalyst 2950. I'd like to be able to use the 2950 for two of the PIX interfaces, so that we don't have to buy any more switches. Is this something I can accomplish using VLANs? Basically I want the 2950 to behave as two separate 12 port switches. Is all I need to do define two VLANs and then add each port to the right one?

I'll provide more information as needed.

Thanks.

 

[bell1996]

dozier -

Your line of thinking is correct. You can set the 2950 with two VLAN's (VLAN 2 & VLAN 3). One for the outside interface and the other for the inside interface.

By default, the 2950, puts all puts onto VLAN 1. You may not want to use VLAN 1 for this setup (even though you could with no problems, just a preference).

Now, from a security perspective, I don't know if this is the perferred way of setting up a IN/OUT segment for a firewall. I usually, try and keep things separate. Even it it means just going with a small (very small) 5 port unmanaged switch on the outside (unless you plan on have lots of devices on the outside). A 5 port unmanaged switch is vey inexpensive. You can get some for under $25 (less than the coffee budget).

 

[baddos]

I beleive as long as you are running per vlan spanning-tree, the security issue is gone w/ VLAN jumping. I could be wrong though.