Hi King,

The primary purpose of a transparent FW is to filter traffic within a
single VLAN (layer 2). If you have a single switch and all the nodes
are in the same VLAN, the traffic will not pass through the FW. To make
the traffic pass through the FW, you separate the nodes by putting them
in two different VLANs, and you bridge the VLANs with the FW by putting an
interface in each VLAN.

For a two-switch scenario, the nodes are already physically separated;
the VLANs don't matter here. All you need to do is plug the FW legs into the
two switches to bridge.

Regards.
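Putting Tyson's layout (quoted further down in this thread) into a complete configuration, as an added example that is not from any of the posts: the ASA system execution space, the two transparent contexts, and the matching switch ports. This uses the pre-8.4 transparent syntax (one bridged pair per context, no bridge groups) that the thread's ASA is running. The interface names, context names, config-url paths, the .1 management addresses, the switch port numbers and the ICMP rule are my assumptions for illustration, not from the thread.

```cisco
! ---- ASA system execution space (multiple context mode) ----
! One VLAN tag can be bound to only one subinterface on the ASA, which is
! the "VLAN 2 has been assigned to another interface" error in the thread.
! So each side of a bridged pair gets its own tag: 2 <-> 22 and 3 <-> 33.
firewall transparent
!
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.2
 vlan 2
interface Ethernet0/0.3
 vlan 3
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.22
 vlan 22
interface Ethernet0/1.33
 vlan 33
!
! Each transparent context bridges exactly one pair of subinterfaces,
! and a subinterface cannot be allocated to more than one context.
context TransparentFw1
 allocate-interface Ethernet0/0.2
 allocate-interface Ethernet0/1.22
 config-url disk0:/TransparentFw1.cfg
context TransparentFw2
 allocate-interface Ethernet0/0.3
 allocate-interface Ethernet0/1.33
 config-url disk0:/TransparentFw2.cfg

! ---- context TransparentFw1 (changeto context TransparentFw1) ----
! Bridges 10.20.30.0/24: VLAN 2 on switch 1 <-> VLAN 22 on switch 2.
interface Ethernet0/0.2
 nameif inside
 security-level 100
interface Ethernet0/1.22
 nameif outside
 security-level 0
! Management address of the bridge, inside the bridged subnet (assumed .1).
ip address 10.20.30.1 255.255.255.0
! Transparent mode still enforces the security-level policy, so traffic
! from the lower-security side needs an explicit permit (ICMP for the lab).
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside

! ---- context TransparentFw2: same pattern for 20.10.30.0/24 ----
interface Ethernet0/0.3
 nameif inside
 security-level 100
interface Ethernet0/1.33
 nameif outside
 security-level 0
ip address 20.10.30.1 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside

! ---- Switch 1 (IOS): routers on access ports, ASA E0/0 on a trunk ----
vlan 2
vlan 3
interface FastEthernet0/1
 description R1 10.20.30.43
 switchport mode access
 switchport access vlan 2
interface FastEthernet0/2
 description R2 20.10.30.43
 switchport mode access
 switchport access vlan 3
interface FastEthernet0/24
 description ASA Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3

! ---- Switch 2 (IOS): the peer routers, but tagged 22 and 33 ----
vlan 22
vlan 33
interface FastEthernet0/1
 description R3 10.20.30.42
 switchport mode access
 switchport access vlan 22
interface FastEthernet0/2
 description R4 20.10.30.42
 switchport mode access
 switchport access vlan 33
interface FastEthernet0/24
 description ASA Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22,33
```

The different tag numbers on the two switches do not break the transparency that Kings asks about: R1 and R3 sit on access ports, never see a tag, and keep talking to each other in 10.20.30.0/24; the tags only exist on the two trunks so that the ASA can tell its two legs apart. To check the result, `show context` in the system space should list both contexts with their two interfaces each, and inside a context `show mac-address-table` should learn R1 on inside and R3 on outside once they ping each other.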



________________________________
From: Kingsley Charles <[email protected]>
To: Tyson Scott <[email protected]>
Cc: 'Segun Daini <[email protected]>; [email protected]
Sent: Sunday, October 4, 2009 3:57:00 PM
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking


Hi Tyson 
 
Irrespective of whether the ASA is in transparent or routed mode, if I need to put
the ASA in between a trunk link between two switches, then it seems the ASA should have two
different VLANs.
 
   switch ---- trunk ---- ASA ---- trunk ---- switch

   vlan 2 - 10.20.30.0              vlan 6 - 10.20.30.0
   vlan 3 - 20.10.30.0              vlan 7 - 20.10.30.0
 
Does this not break the transparency of the network by bringing two different
VLANs for a single subnet?
 
 
With regards
Kings


On Sun, Oct 4, 2009 at 6:53 PM, Tyson Scott <[email protected]> wrote:

Actually the problem is not that you can’t do what you are trying to do.  The 
problem is that you are doing it wrong.
> 
>The VLAN should be different on each side.  You can’t bridge the same VLAN.
> 
>R1 vlan 2 - 10.20.30.0 - vlan 22 - R2
>R3 vlan 3 - 20.10.30.0 - vlan 33 - R4
> 
> 
>So the configuration would be
> 
>interface E0/0
> no shutdown
>interface E0/0.2
> vlan 2
>interface E0/0.3
> vlan 3
>interface E0/1
> no shutdown
>interface E0/1.22
> vlan 22
>interface E0/1.33
> vlan 33
> 
>context TransparentFw1
> allocate-interface E0/0.2
> allocate-interface E0/1.22
>context TransparentFw2
> allocate-interface E0/0.3
> allocate-interface E0/1.33
> 
>Then you assign the port for R1 to vlan 2 and R2 to vlan 22,
>R3 to vlan 3 and R4 to vlan 33.
> 
> 
>Regards,
> 
>Tyson Scott - CCIE #13513 R&S and Security
>Technical Instructor - IPexpert, Inc.
>
>Telephone: +1.810.326.1444 
>Cell: +1.248.504.7309
>Fax: +1.810.454.0130
>Mailto:  [email protected]
> 
>Join our free online support and peer group communities: 
>http://www.IPexpert.com/communities
> 
>IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand 
>and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE 
>Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage Lab 
>Certifications.
> 
>From: [email protected]
>[mailto:[email protected]] On Behalf Of 'Segun Daini
>Sent: Sunday, October 04, 2009 5:11 AM
>To: Kingsley Charles; [email protected]
>Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking
> 
>Hi,
>
>For a transparent firewall, you can only split a single network into two 
>separate networks bridged by the FW.
>
>The FW interfaces will need to be in unique VLANs in a single-switch scenario, 
>while for a two-switch scenario the VLAN may be the same.
>
>The FW int can carry traffic for multiple VLANs; that's why you cannot trunk it. 
>Also in multi-context, the interface can't be shared.
>
>Regards.
> 
>
________________________________
 
>From: Kingsley Charles <[email protected]>
>To: [email protected]
>Sent: Sunday, October 4, 2009 9:47:33 AM
>Subject: [OSL | CCIE_Security] Transparent firewall with trunking
>Hi all
> 
>I am trying trunking with transparent firewall with following topology:
> 
> 
>     10.20.30.43                                        10.20.30.42
>R1 (vlan2)-------|                                    |-------(vlan2) R3
>              Switch-----Trunking-----ASA-----Trunking-----Switch
>R2 (vlan3)-------|                                    |-------(vlan3) R4
>     20.10.30.43                                        20.10.30.42
> 
> 
>I have four routers. 
> 
>R1 and R2 are connected to switch 1 in vlan 2 and vlan 3 respectively.
>R3 and R4 are connected to switch 1 in vlan 2 and vlan 3 respectively.
> 
>ASA G0/1 is connected to switch 1 with trunking.
>ASA G0/0 is connected to switch 2 with trunking.
> 
> 
>vlan 2 - 10.20.30.0
>vlan 3 - 20.10.30.0
> 
> 
>Based on my investigation, it seems we can't achieve this. During the initial 
>config itself, I am facing an issue. If I associate vlan 2 to e1.2, then I am 
>not able to associate vlan 2 to e0.2 again.
> 
> 
>interface Ethernet1
> no nameif
> no security-level
>!
>interface Ethernet1.2
> vlan 2
> nameif vlan2
> security-level 100
>!
>interface Ethernet1.3
> vlan 3
> nameif vlan3
> security-level 100
> 
>pixfirewall(config-subif)# vlan2
>ERROR: VLAN 2 has been assigned to another interface
> 
>pixfirewall(config-subif)# vlan3
>ERROR: VLAN 3 has been assigned to another interface
> 
> 
> 
>I am not able to configure a transparent firewall across VLANs, but how do we do it 
>if there is a case where I need a transparent firewall across a trunk that carries many 
>VLANs? Is it possible with an ASA transparent firewall?
> 
> 
>With regards
>Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
