<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ASA vLAN implementation in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692633#M423432</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If the individual VLANs cannot access each other, is there something you do want them to access?  I don't believe you can turn off security levels.  You could make all the VLAN interfaces have the same security level and do not enable the "same-security-traffic permit inter-interface" command.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 21 Sep 2006 17:56:34 GMT</pubDate>
    <dc:creator>todh</dc:creator>
    <dc:date>2006-09-21T17:56:34Z</dc:date>
    <item>
      <title>ASA vLAN implementation</title>
      <link>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692632#M423429</link>
      <description>&lt;P&gt;I'm evaluating the ASA 5520 specifically for vLAN implementation.  I create several vLAN logical interfaces and associated IPs on a single physical interface representing different internal client groups.  Now if I set the Security Level to 0 for each vLAN then traffic can cross from one vLAN to another which I don't want.  Now, if I set the Security level different for each vLAN interface then vLANs with higher levels can access lower ones but not vice versa, again I don't want one vLAN to be able to access another.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To prevent this inter-vLAN communication must I create a security policy for each vLAN to stop it accessing every other vLAN? For 100 vLANs that's a lot of security policies to create!  Or can I simply just turn off Security Levels on these logical vLAN interfaces?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any help/direction appreciated.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 09:11:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692632#M423429</guid>
      <dc:creator>paulrmono</dc:creator>
      <dc:date>2020-02-21T09:11:23Z</dc:date>
    </item>
    <item>
      <title>Re: ASA vLAN implementation</title>
      <link>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692633#M423432</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If the individual VLANs cannot access each other, is there something you do want them to access?  I don't believe you can turn off security levels.  You could make all the VLAN interfaces have the same security level and do not enable the "same-security-traffic permit inter-interface" command.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 21 Sep 2006 17:56:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692633#M423432</guid>
      <dc:creator>todh</dc:creator>
      <dc:date>2006-09-21T17:56:34Z</dc:date>
    </item>
    <item>
      <title>Re: ASA vLAN implementation</title>
      <link>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692634#M423434</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would like by default to prevent all traffic between vLANs but then control what access one vLAN has to another, i.e., one vLAN hosts servers so client vLANs require access to certain ports in the server vLAN.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I set all vLANs to the same Security Level and do not enable 'same-security-traffic permit inter-interface', then I am prevented from creating security policies under ASDM (to allow traffic from one vLAN to another) with a warning informing me that "No communication is allowed between two interfaces which have the same security level".&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I enable the 'same-security-traffic permit inter-interface', then vLANs with a higher Security Level to another vLAN have full unconstrained access, unless I create Security Policies to prevent this, a lot of security policies if you're using 100 vLANs.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Sep 2006 08:58:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692634#M423434</guid>
      <dc:creator>paulrmono</dc:creator>
      <dc:date>2006-09-22T08:58:47Z</dc:date>
    </item>
    <item>
      <title>Re: ASA vLAN implementation</title>
      <link>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692635#M423436</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Paul, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I believe you need the (no nat-control) command which then does not require you to have the nat &amp;amp; global commands to pass the traffic, and it will pass the traffic based on the access-list configured, and it will nat them to the egress interface I believe...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope this helps, please rate if it does!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Sep 2006 09:57:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-vlan-implementation/m-p/692635#M423436</guid>
      <dc:creator>oabduo983</dc:creator>
      <dc:date>2006-09-22T09:57:41Z</dc:date>
    </item>
  </channel>
</rss>

