318...

Static Routes

Static Routes
Static routes are manually configured routes that do not frequently change. They essentially
direct your Security Appliance to send traffic destined for a specific network to a specific
router that has connectivity to the destination network. Static routes are perhaps best
explained by using a network example. Figure 11-1 illustrates a simple network
configuration with hosts on both the 10.10.10.0 and 10.10.20.0 networks.

IP Routing

IP Routing
At the IP layer, your Cisco Security Appliance routes traffic based on the IP addresses in the
network traffic. It does not provide all the functionality of a router, but it does enable you to
define the following two types of routes:
■ Static routes
■ Dynamic routes

Managing VLANs

Managing VLANs
After you create your logical interfaces, you also need to assign the following parameters to
each logical interface:
■ Interface name
■ Security level
■ IP address
Table 11-6 interface Command Parameters
Parameter Description
hardware-id Specifies the network interface on which the command will be applied (such
as Ethernet0).
subinterface-num The subinterface identifier that will be assigned for this logical interface,
which can be between 1 and 4,294,967,293.
mapped-name In multiple-context mode, enter the mapped name if it was assigned using the
allocate-interface command.
shutdown Keyword indicating that the interface should be administratively shut down.
NOTE You do not need to assign a VLAN to the physical interface to assign logical
interfaces to an interface.
IP Routing 277
Using the nameif interface command, you can assign an interface name to a logical interface.
The syntax for the nameif command is as follows:
nameif interface-name
The interface-name parameter for the nameif command is the name to be assigned to the
specified interface.
Using the security-level interface command, you can assign a security level to a logical
interface. The syntax for the security-level command is as follows:
security-level security-level
The security-level parameter is the security level for the specified interface in the range from
0 to 100, with 0 being the least trusted interface and 100 being the most trusted interface.
Finally, you need to complete your logical interface configuration by assigning an IP address
to the logical interface. To assign an IP address to an interface, you use the ip address
command. The syntax for this command is as follows:
ip address ip-address

Maximum Interfaces for Unrestricted License

Maximum Interfaces for Unrestricted License
Cisco Secure PIX Model Total Interfaces Physical Interfaces Logical Interfaces
501 2 2 Not supported
506E 2 2 Not supported
515E 10 6 25
525 12 8 100
535 24 10 150
Table 11-4 Maximum Interfaces for ASA Security Appliances Base License
Cisco ASA Security Model Physical Interfaces Logical Interfaces
5510 5 0
5520 5 25
5540 5 100
Table 11-5 Maximum Interfaces for ASA Security Appliances Security Plus
Cisco ASA Security Model Physical Interfaces Logical Interfaces
5510 5 10
5520 5 25
5540 5 100
NOTE The maximum number of logical interfaces that you can use is equal to the total
number of interfaces available minus the total number of physical interfaces that you
currently have configured on your PIX Firewall.

Maximum Interfaces for Restricted License

Maximum Interfaces for Restricted License
Cisco Secure PIX Model Total Interfaces Physical Interfaces Logical Interfaces
515E 5 3 10
525 8 6 25
535 10 8 50
NOTE VLANs are not supported on the PIX 501. The PIX 506/506E support 802.1q
trunking with the introduction of PIX OS 6.3.4

Understanding Logical Interfaces

Your Security Appliance has a limited number of physical interfaces. This limits the number
of Layer 3 networks to which the Security Appliance can be directly connected. If you use
VLANs to segment your network into smaller broadcast domains, each of these VLANs
represents a different Layer 3 network. By using logical interfaces, you can accommodate
multiple VLANs by using trunk lines on your switch ports and configuring multiple logical
interfaces on a single physical interface on your Security Appliance. Logical interfaces
overcome the physical interface limitation by enabling a single physical interface to handle
multiple logical interfaces.
Table 11-2 shows the maximum number of interfaces allowed using a PIX Firewall restricted
license, while Table 11-3 shows the maximum number of interfaces allowed for a PIX
Firewall unrestricted license.
Table 11-4 shows the maximum number of interfaces allowed using an ASA Security
Appliance base license, while Table 11-5 shows the maximum number of interfaces allowed
for an ASA Security Appliance Security Plus license.

Understanding Trunk Ports

Understanding Trunk Ports
Usually, you configure a switch as a member of a specific VLAN. This automatically
associates all of the regular Ethernet traffic received on that port with that VLAN.
Sometimes, however, you may want a single port to receive traffic from multiple VLANs.
A switch port that accepts traffic from multiple VLANs is known as a trunk port.
To differentiate between the different VLANs, each packet is tagged with a specific VLAN
identifier. This identifier informs the switch to which VLAN the traffic needs to be forwarded.
By using trunk lines on your switch, your Security Appliance can send and receive traffic
from multiple VLANs using only a single physical interface.