Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3274
Views
5
Helpful
3
Replies

Cisco ASA 55XX Transparent mode VLAN traversing

Go to solution
fuhrersk8
Level 3
Level 3

‎08-01-2014 08:52 AM - edited ‎03-11-2019 09:34 PM

Hello Cisco Forum Team!

    In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from other VLANs different than the native VLAN the management IP of the firewall resides?

The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN ttraffic from inside to outside and vice-versa using filters on the switches (switchport trunk allowed vlan). 

Thanks in advanced for your support and comments!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎08-02-2014 12:09 PM

Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 

To clarify this, lets say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error. 

So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...lets say...5, 6, and 7.  you would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎08-02-2014 12:09 PM

Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 

To clarify this, lets say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error. 

So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...lets say...5, 6, and 7.  you would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Go to solution
fuhrersk8
Level 3
Level 3
In response to Marius Gunnerud

‎08-04-2014 11:01 AM

   Excellent. Thanks a lot for the great information!

   In my case, since I have same VLAN ID's already configured on the switches (inside and outside), this approach would not work. 

 

Thanks again for your great support!

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to fuhrersk8

‎08-04-2014 11:27 PM

Thank you for the rating :)

In my case, since I have same VLAN ID's already configured on the switches (inside and outside), this approach would not work.

This would really depend on how the rest of your network is set up and how dependent you are on those VLANs in the setup.  If you are going to implement a transparent firewall for multiple VLANs it would require some careful planning and preparation.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card