topic HI JonThank for the in Network Security

Are firewall VLAN Groups on ASASM equal to seperate interfaces I.E. DMZs???

fsebera — Tue, 12 Mar 2019 06:45:50 GMT

Looking for confirmation!!

From the Cisco document: CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1

found at URL: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_switch.html#Assigning VLANs to the ASA Services Module

You can assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an inside group and an outside group; or you can create a group for each customer.

MY QUESTION:

Are the 16 firewall VLAN groups equivalent to 16 different interfaces on the ASASM, where each interface could be a separate DMZ and where each separate DMZ could have multiple VLANs?

THANK YOU

Frank

FrankI have only used the

Jon Marshall — Fri, 16 Oct 2015 18:20:30 GMT

Frank

Firstly I have only used the FWSM but I am assuming the principle is the same for the ASASM.

So that said, in answer to your question the vlan groups are not the equivalent of the interfaces on the firewall as that would be a severe limitation.

The vlan groups are used to tell the switch which vlans are allocated to the firewall.

What determines the number of interfaces on the firewall is how many vlans you allocate to the firewall obviously subject to the per context and overall hardware limitations of the ASASM itself ie. there are limits as to how many total vlans it supports and with the FWSM there was also a limit of how many interfaces you could have per context as well.

In terms of using multiple vlan groups I don't think I ever did to be honest although we only had one FWSM per chassis and if you had multiple ASASMs per chassis you may want to use it for organisation.

Or there may just be a limit of how many vlans you can actually assign with a vlan group ie. if the vlans were not sequential it may be there is a limit to the number but then you would just use another vlan group.

That last bit is just supposition though.

But no, as far as I know based on my knowledge of the FWSM, the number of vlan groups does not define the number of interfaces (DMZs) you can have on the ASASM.

Jon

Hi Jon,I think you are saying

fsebera — Fri, 16 Oct 2015 19:13:00 GMT

Hi Jon,

I think you are saying the VLAN Group feature is used just to inform the ASASM which VLANs the ASASM should create so the ASASM and SWITCH can communicate. Once the ASASM is aware of the VLANs assigned to it, the ASASM will automatically create these VLANs. (a layer-2 sync up). I'm guessing this is sort of like the old Vlan database feature on a Cisco router.

More digging I guesssss.

Thanks

Frank

FrankAgain, based on the FWSM

Jon Marshall — Fri, 16 Oct 2015 19:26:59 GMT

Frank

Again, based on the FWSM, the module does not create the vlans.

You create vlans in the vlan database just as you would with any other vlan.

The main difference is that for your DMZ vlans you do not create a L3 SVI on the switch because you want the firewall to route traffic.

The vlan group does not tell the ASASM which vlans to create, it simply tells the module which vlans have been assigned to it.

Jon

HI JonThank for the

fsebera — Mon, 19 Oct 2015 13:06:02 GMT

HI Jon

Thank for the clarification!

Frank

HI JonThank for the

fsebera — Mon, 19 Oct 2015 13:06:29 GMT

HI Jon

Thank for the clarification!

Frank