How is a layer 3 device aware of what the VLANs are at layer 2? You are speaking of two different layers. If a transparent firewall needs to bridge the traffic, what is the purpose of a bridge?
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: Kingsley Charles [mailto:[email protected]]
Sent: Sunday, October 04, 2009 10:57 AM
To: Tyson Scott
Cc: 'Segun Daini; [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Hi Tyson,

Irrespective of whether the ASA is in transparent or routed mode, if I need to put the ASA in between a trunk link between two switches, then it seems the ASA should have two different VLANs.

  switch ---- trunk ------------- ASA ------ trunk ------------- switch
  vlan 2 - 10.20.30.0                          vlan 6 - 10.20.30.0
  vlan 3 - 20.10.30.0                          vlan 7 - 20.10.30.0

Does this not break the transparency of the network by bringing two different VLANs for a single subnet?

With regards,
Kings

On Sun, Oct 4, 2009 at 6:53 PM, Tyson Scott <[email protected]> wrote:

Actually the problem is not that you can't do what you are trying to do. The problem is that you are doing it wrong. The VLAN should be different on each side. You can't bridge the same VLAN.
  R1 - vlan 2 - 10.20.30.0 - vlan 22 - R2
  R3 - vlan 3 - 20.10.30.0 - vlan 33 - R4

So the configuration would be:

  interface E0/0
   no shutdown
  interface E0/0.2
   vlan 2
  interface E0/0.3
   vlan 3
  interface E0/1
   no shutdown
  interface E0/1.22
   vlan 22
  interface E0/1.33
   vlan 33
  !
  ! each context gets one subinterface from each trunk
  context TransparentFw1
   allocate-interface E0/0.2
   allocate-interface E0/1.22
  !
  context TransparentFw2
   allocate-interface E0/0.3
   allocate-interface E0/1.33

Then you assign the port for R1 to vlan 2 and R2 to vlan 22, R3 to vlan 3 and R4 to vlan 33.

Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of 'Segun Daini
Sent: Sunday, October 04, 2009 5:11 AM
To: Kingsley Charles; [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Hi,

For a transparent firewall, you can only split a single network into two separate networks bridged by the FW. The FW interfaces will need to be in a unique VLAN in a single-switch scenario, while for a two-switch scenario the VLAN may be the same. The FW interface can carry traffic for multiple VLANs, that's why you cannot trunk it. Also, in multi-context, the interface can't be shared.

Regards.
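The layout Tyson describes in his earlier message, carried through to a complete configuration. This is an added illustration, not a configuration posted by anyone in the thread. It assumes ASA 8.2-era syntax in multiple-context mode (before bridge groups were introduced, when the firewall mode was set once in the system execution space and a transparent context had exactly two interfaces), an ASA with a Management0/0 port, interface names Ethernet0/0 and Ethernet0/1, the context names and config-url paths shown, and management addresses 10.20.30.1 and 20.10.30.1 on the two bridged subnets.

```cisco
! ---- System execution space (assumed ASA 8.2 syntax, multiple-context mode) ----
mode multiple
! System-wide in 8.2: every context runs in transparent mode.
firewall transparent
!
interface Management0/0
 no shutdown
!
! Trunk to switch 1, carrying VLANs 2 and 3 (the router side of each bridge).
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.2
 vlan 2
interface Ethernet0/0.3
 vlan 3
!
! Trunk to switch 2, carrying VLANs 22 and 33 (the other side of each bridge).
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.22
 vlan 22
interface Ethernet0/1.33
 vlan 33
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! One context per bridged VLAN pair. A VLAN ID can be assigned to only one
! subinterface, so the two sides of a bridge carry different VLAN IDs for
! the same IP subnet: 2 <-> 22 for 10.20.30.0/24, 3 <-> 33 for 20.10.30.0/24.
context TransparentFw1
 allocate-interface Ethernet0/0.2
 allocate-interface Ethernet0/1.22
 config-url disk0:/TransparentFw1.cfg
!
context TransparentFw2
 allocate-interface Ethernet0/0.3
 allocate-interface Ethernet0/1.33
 config-url disk0:/TransparentFw2.cfg
!
! ---- Inside context TransparentFw1 (reached with: changeto context TransparentFw1) ----
interface Ethernet0/0.2
 nameif inside
 security-level 100
interface Ethernet0/1.22
 nameif outside
 security-level 0
!
! Management address for the context, taken from the bridged subnet (assumed value).
! In 8.2 transparent mode this is a global command, not an interface command.
ip address 10.20.30.1 255.255.255.0
!
! Transparent mode still enforces security levels: traffic initiated from the
! outside (security-level 0) side needs an access-list, exactly as in routed mode.
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
!
! ---- Inside context TransparentFw2: the same pattern with Ethernet0/0.3 as inside,
! ---- Ethernet0/1.33 as outside, and management address 20.10.30.1 255.255.255.0.
```

On the switch side, the trunk from switch 1 to Ethernet0/0 carries VLANs 2 and 3 and the trunk from switch 2 to Ethernet0/1 carries VLANs 22 and 33 (`switchport trunk allowed vlan 2,3` and `switchport trunk allowed vlan 22,33` respectively), with R1 and R3 on access ports in VLANs 2 and 22 and R2 and R4 in VLANs 3 and 33. `show context` in the system space confirms the interface allocation, and `show mac-address-table` inside a context shows the router MAC addresses learned on each side once R1 and R3 exchange traffic.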
_____
From: Kingsley Charles <[email protected]>
To: [email protected]
Sent: Sunday, October 4, 2009 9:47:33 AM
Subject: [OSL | CCIE_Security] Transparent firewall with trunking

Hi all,

I am trying trunking with a transparent firewall with the following topology:

  10.20.30.43                                                10.20.30.42
  R1 (vlan2)-----------|                      |--------------- (vlan2) R3
                    Switch -----Trunking----- ASA -----Trunking----- Switch
  R2 (vlan3)-----------|                      |--------------- (vlan3) R4
  20.10.30.43                                                20.10.30.42

I have four routers. R1 and R2 are connected to switch 1 in vlan 2 and vlan 3 respectively. R3 and R4 are connected to switch 1 in vlan 2 and vlan 3 respectively. ASA G0/1 is connected to switch 1 with trunking. ASA G0/0 is connected to switch 2 with trunking.

  vlan 2 - 10.20.30.0
  vlan 3 - 20.10.30.0

Based on my investigation, it seems we can't achieve this. During the initial config itself, I am facing an issue. If I associate vlan 2 to e1.2, then I am not able to associate vlan 2 to e0.2 again.

  interface Ethernet1
   no nameif
   no security-level
  !
  interface Ethernet1.2
   vlan 2
   nameif vlan2
   security-level 100
  !
  interface Ethernet1.3
   vlan 3
   nameif vlan3
   security-level 100

  pixfirewall(config-subif)# vlan 2
  ERROR: VLAN 2 has been assigned to another interface
  pixfirewall(config-subif)# vlan 3
  ERROR: VLAN 3 has been assigned to another interface

I am not able to configure a transparent firewall across VLANs, but how do we do it if there is a case where I need a transparent firewall across a trunk that carries many VLANs? Is it possible with an ASA transparent firewall?

With regards,
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
