This is actually a little off topic now, but it raised a question for me: how do you add subinterfaces to an ethernet interface without enabling ISL/802.1q? From my experience the router does not permit this and requires that you first enable ISL/802.1q. If you have ISL/802.1q you must have VLANs. Unless you are using secondary addresses and not subinterfaces.
Doug

-----Original Message-----
From: Ciaron Gogarty [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 11:18 AM
To: Robertson, Douglas; [EMAIL PROTECTED]
Subject: RE: PIX Design Considerations [7:48979]

Hi Richard,

The simple answer to your question is "yes, you need a separate router outside the pix". Leave your internal router alone and just add a default route pointing at the pix interface. He doesn't necessarily have to be using VLANs; as long as all the subnets it is routing for are on the same lan segment, the router just routes between ip networks on the same wire.

The router you add to the scenario would be on the outside of the pix, and would usually be connected to the internet via a serial line, or possibly another untrusted network. This router then becomes the default route for the pix itself. You need to add a route inside command on the pix to route to the other subnets hanging off your internal router.

You are correct, the pix performs some routing functions but is not a fully functional router - so you can't have things like secondary IPs on a pix interface, therefore you need a device behind the pix that can route between your internal networks.

outside router------pix------internalrouter----ip-segment
                                   |-----second-ip segment
                                   |----third-ip segment

hope this helps,
C

-----Original Message-----
From: Robertson, Douglas [mailto:[EMAIL PROTECTED]]
Sent: 17 July 2002 15:50
To: [EMAIL PROTECTED]
Subject: RE: PIX Design Considerations [7:48979]

I am not sure I would class a PIX as a router in the true sense of the word. Yes, it does route traffic from interface to interface, but would I use it as a router? NO. It only supports ONE routing protocol, RIP, and that does not constitute a good router in my eyes. Now to the question: just reading the description (I may be misunderstanding the topology a bit), it sounds like you have one router ethernet interface with subinterfaces with separate subnets going to a switch.
I do not see how the switches are not running VLANs, and the interface must have ISL or 802.1q. Or you don't have subinterfaces but secondary addresses. The PIX does not support subinterfaces or secondary addressing on any interfaces, so in this case you would require a router.

Doug

-----Original Message-----
From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 7:47 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX Design Considerations [7:48979]

Why don't people get the notion that a "Firewall" is essentially a router. PIX = Firewall = Router... Firewall = Router. It ROUTES....

>>> "Jeffrey Reed" 07/16 8:19 PM >>>
I'm still pretty green with PIX in general and was talking today about introducing a PIX into an existing network. The customer has a router (not controlled by them) that has three public class C subnets defined. They are not using VLANs, so the router has an interface and two sub-interfaces going into a switched network. We want to put the PIX in between the outside router and the LAN. I know this group has said several times the PIX is not a router. Do I need to have another router between the PIX and the LAN to perform routing between subnets? I assume the PIX will not facilitate routing between the internal subnets. Can you define multiple interfaces on the internal interface of the PIX if we didn't need to route between the internal VLANs? Any suggestions would be appreciated!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49027&t=48979
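As an added example (not configuration posted by anyone in this thread), the routing statements the outside-router / PIX / internal-router design that Ciaron and Doug describe needs on each box: a PIX 6.x `route` for every internal subnet sitting behind the internal router plus a default to the outside router, and a default route on the internal router pointing at the PIX inside address, with the router's extra subnets on 802.1q subinterfaces as Doug notes they must be. All addresses, interface names and VLAN numbers are constructed; nameif, NAT and access-list configuration are omitted.

```cisco
: --- PIX 6.x, routing only (constructed addresses) ---
: 10.1.0.0/24 is the segment shared with the internal router; 10.2.0.0/24
: and 10.3.0.0/24 live behind it, so the PIX must be told how to reach them.
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
: the outside router is the PIX's only way out
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
: one static per subnet hanging off the internal router (10.1.0.2); the PIX
: cannot hold secondary addresses or subinterfaces, and the only dynamic
: protocol it speaks is RIP, so static routes keep the path predictable
route inside 10.2.0.0 255.255.255.0 10.1.0.2 1
route inside 10.3.0.0 255.255.255.0 10.1.0.2 1

! --- internal router (IOS), constructed ---
! untagged (native) traffic on the physical interface faces the PIX
interface FastEthernet0/0
 ip address 10.1.0.2 255.255.255.0
! each extra subnet is a dot1Q subinterface; IOS will not accept a
! subinterface IP address until an encapsulation is configured
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.2.0.1 255.255.255.0
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.3.0.1 255.255.255.0
! leave the rest of the router alone; only the default changes, to the PIX
ip route 0.0.0.0 0.0.0.0 10.1.0.1
```

The internal router keeps routing between 10.1, 10.2 and 10.3 locally, so only traffic bound for the outside ever crosses the PIX, which is the split Ciaron's diagram shows.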