https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011765#M146450 <P>FTDs in ASA with Inline Sets. Acts like a bump on the wire, without having to change anything in your current addressing, only cabling.</P> <P></P> <P>Or you could do with ASA OS and Firepower in transparent mode. It's not as "invisible" as the FTD with inline mode, but it could do the trick.</P> <P></P> <P>Or you can use other products, like 8000 series, 7000 series, which you can be used inline and can do more hardware level things.</P> Thu, 16 Feb 2017 21:24:47 GMT Claudiu Cismaru 2017-02-16T21:24:47Z https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011762#M146445 <P>Hi,</P> <P>I'm not a network engineer myself, but will try and communicate this best I can.&nbsp; Please bear with me.</P> <P>I have servers on a subnet that I need to segment for security reasons.&nbsp; Currently they are all in a single VLAN.&nbsp; I'd like to complete this segmentation without readdressing.&nbsp; I would like to have a firewall between these segments.&nbsp; Everything is patched into a 4500 switch running in layer 3 mode.</P> <P>My idea;</P> <UL> <LI>Create new VLANS for the servers to be segmented off, but share the subnet.</LI> <LI>Do not allow these VLANs to access each other within the 4500</LI> <LI>Present a port on the 4500&nbsp;for each VLAN and connect this to the firewall.</LI> <LI>Run the firewall in layer2/transparent/bridging mode to connect the VLANS.</LI> <LI>Reconfigure the ports the servers are patched to reflect the VLAN I wish them to be in.</LI> <LI>Add rules on firewall the block unwanted traffic between the VLANS.</LI> </UL> <P>I hope that makes sense?</P> <P>Is what I am proposing possible?</P> <P>Any advice or suggestions welcomed.</P> <P></P> <P>Many thanks</P> <P></P> <P>Mark.</P> <P></P> Tue, 12 Mar 2019 08:56:41 GMT https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011762#M146445 md09 2019-03-12T08:56:41Z https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011763#M146446 <P>Each server in own vlan (with /30 mask as a example)</P> <P><SPAN id="result_box" class="" lang="en"><SPAN>and depending on the</SPAN> <SPAN>version of the ASA software</SPAN> <SPAN>to configure</SPAN> <SPAN>the access rights</SPAN> <SPAN class="">between them</SPAN> <SPAN>(</SPAN><SPAN>through</SPAN> <SPAN class="">access</SPAN> <SPAN class="">lists</SPAN> <SPAN>or</SPAN> <SPAN class="">NAT</SPAN><SPAN class="">)</SPAN></SPAN></P> <P></P> Thu, 16 Feb 2017 14:13:35 GMT https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011763#M146446 FrOg Lee 2017-02-16T14:13:35Z https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011764#M146448 <P>Thanks for reply FrOg.</P> <P>So essentially you are saying what I suggest will work?&nbsp; I don't want to segment individual servers, but groups of them.</P> <P>MD</P> <P></P> Thu, 16 Feb 2017 15:33:21 GMT https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011764#M146448 md09 2017-02-16T15:33:21Z https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011765#M146450 <P>FTDs in ASA with Inline Sets. Acts like a bump on the wire, without having to change anything in your current addressing, only cabling.</P> <P></P> <P>Or you could do with ASA OS and Firepower in transparent mode. It's not as "invisible" as the FTD with inline mode, but it could do the trick.</P> <P></P> <P>Or you can use other products, like 8000 series, 7000 series, which you can be used inline and can do more hardware level things.</P> Thu, 16 Feb 2017 21:24:47 GMT https://community.cisco.com/t5/network-security/adding-a-layer2-firewall-between-vlans-with-same-subnet/m-p/3011765#M146450 Claudiu Cismaru 2017-02-16T21:24:47Z