The reason for using two Vlans, I think, is a matter of design that is used to
avoid bypassing the Firewall.
Because usually in real life you have the Vlans spanned across all the switches,
so if somebody messed up the cabling and, for example, connected
the two switches together with a cable, in this case if the INSIDE and OUTSIDE
are in the same vlan, the user will be able to communicate with the outside
without any restriction (bypassing the Firewall). But if they are in
different vlans they will not be able to communicate unless through the
Firewall, because it is bridging between those two vlans.
That is my opinion, correct me if I am wrong.

Scenario with Same Vlans on both Sides

 switch ---- trunk-------------ASA ------trunk-------------switch
   |                                                          |
    ----------------------------------------------------------
                        Wrong Cabled Trunk Link

 vlan 2 - 10.20.30.0                            vlan 2 - 10.20.30.0
 vlan 3 - 20.10.30.0                            vlan 3 - 20.10.30.0

Best Regards
Nabil
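
The design point above (the ASA bridging VLAN 2 on one switch to a differently numbered VLAN on the other, so a stray switch-to-switch trunk cannot bypass it) as a worked configuration. This is an added example, not configuration from any poster in this thread; it assumes the VLAN numbers from the topology discussed (2/3 on switch A, 6/7 on switch B), ASA 8.4+ bridge-group syntax, and constructed interface names and management addresses.

```cisco
! ---- ASA in transparent mode (assumed ASA 8.4+ bridge-group syntax) ----
firewall transparent
!
! Trunk towards SwitchA: the two subnets arrive as VLAN 2 and VLAN 3
interface GigabitEthernet0/0
 description trunk to SwitchA
 no shutdown
interface GigabitEthernet0/0.2
 vlan 2
 bridge-group 1
 nameif inside-net1
 security-level 100
interface GigabitEthernet0/0.3
 vlan 3
 bridge-group 2
 nameif inside-net2
 security-level 100
!
! Trunk towards SwitchB: the SAME two subnets leave as VLAN 6 and VLAN 7
interface GigabitEthernet0/1
 description trunk to SwitchB
 no shutdown
interface GigabitEthernet0/1.6
 vlan 6
 bridge-group 1
 nameif outside-net1
 security-level 0
interface GigabitEthernet0/1.7
 vlan 7
 bridge-group 2
 nameif outside-net2
 security-level 0
!
! One management address per bridged subnet (constructed values)
interface BVI1
 ip address 10.20.30.254 255.255.255.0
interface BVI2
 ip address 20.10.30.254 255.255.255.0
!
! ---- SwitchA: hosts of both subnets stay in VLANs 2 and 3 ----
interface GigabitEthernet1/0/24
 description trunk to ASA Gi0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
!
! ---- SwitchB: the same subnets are renumbered to VLANs 6 and 7;
! ---- VLANs 2 and 3 are deliberately NOT defined on this switch
vlan 6
 name net1-10.20.30.0
vlan 7
 name net2-20.10.30.0
interface GigabitEthernet1/0/24
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 6,7
```

Hosts on SwitchB are moved from VLAN 2/3 access ports to VLAN 6/7; they keep their 10.20.30.0 and 20.10.30.0 addresses because each bridge group is one Layer 2 domain. The protective effect is visible in the last block: if an extra trunk is ever cabled directly between SwitchA and SwitchB, VLANs 2/3 on that trunk find no hosts on SwitchB and VLANs 6/7 find none on SwitchA, so the only path between the two halves of each subnet still runs through the bridge group. On the ASA, `show bridge-group` and `show mac-address-table` confirm which VLAN each learned host MAC sits behind, which is a quick way to spot a host that has been patched into the wrong side.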


Date: Mon, 5 Oct 2009 16:50:22 +0530
From: [email protected]
To: [email protected]; [email protected]; [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking

Thanks to all for your inputs.
 
I just wanted to do some investigation in my lab before replying.

 
  
Various cases

IPS (inline) is transparent and doesn't disturb the setup

 switch ---- trunk-------------IPS ------trunk-------------switch

 vlan 2 - 10.20.30.0                            vlan 2 - 10.20.30.0
 vlan 3 - 20.10.30.0                            vlan 3 - 20.10.30.0


Switch is transparent and doesn't disturb the setup

 switch ---- trunk-------------switch ------trunk-------------switch

 vlan 2 - 10.20.30.0                            vlan 2 - 10.20.30.0
 vlan 3 - 20.10.30.0                            vlan 3 - 20.10.30.0


Transparent firewall ASA requires four vlans

 switch ---- trunk-------------ASA ------trunk-------------switch

 vlan 2 - 10.20.30.0                            vlan 6 - 10.20.30.0
 vlan 3 - 20.10.30.0                            vlan 7 - 20.10.30.0

 
 
 
I was about to talk about the trunking inspection done by the IPS sensor.

With the IPS sensor, if you need to monitor the traffic on a trunk link, you
need to just configure an inline pair interface and insert the two trunk links
from the two switches into the two interfaces of the sensor that have been paired.
Here I need not disturb the switch setup. It is very transparent. If you want,
you can use vlan groups and put each sub-interface in a different virtual sensor.

 
But when it comes to the ASA for the above topology where the IPS sensor was placed,
we need to bridge between different vlans.

I am actually aware that we need different vlans when we put the ASA in between
a trunk.

But I am actually searching for a reason from anyone of why Cisco implemented
it this way, requiring two vlans and thereby forcing one of the switches to change its
vlans for inserting the ASA in between.

With the IPS sensor, the job was easy. With the ASA, I need to reconfigure the vlans on
the switches.

With an IOS router or ASA in routing mode, it is inter-vlan routing, so there we
definitely need different vlans to route between vlans.

But with a transparent firewall, why do we need different vlans for bridging a
subnet? Transparent means plug and play, right?

I just wanted others' thoughts on this Cisco way of implementation to be sure
that I remove the misunderstanding from my mind.

So I have posted this mail here.
With regards
Kings
 


 
On Mon, Oct 5, 2009 at 12:06 AM, Paul Stewart <[email protected]> wrote:

In my opinion, the best example of transparent firewalling in the way described 
is vlan pairs on the IPS appliance.  The concept of using transparent Firewall 
to bridge two VLANs is exactly the same as using a VLAN pair on an IPS to 
bridge two vlans.  In both cases, both of the vlans exist in the same layer 3 
subnet.  However, for devices in vlan x to talk to devices in vlan y, they must 
go through the transparent firewall, just like they would have to go through 
the IPS.  The IPS simply has a less strictly defined role than that of a 
firewall.


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com