Cisco ASA IPS inline in bridge mode on a trunked interface

Hi,

I'm trying to figure out how to deploy a Cisco ASA 5512-X IPS inline in bridge mode on an ethernet trunked interface.

switch1--------------vlan10,20----------------ASA IPS--------------vlan10,20----------------switch2

I basically want to drop the IPS inline without changing the existing switch configuration. It works fine on a non-trunked interface, but when I configure it similar to the config below I hit the issue that I can't assign 2 separate interfaces to the same VLAN. The exact error is as follows:

ERROR: VLAN 10 has been assigned to another interface.

This is such a common scenario I can't imagine there isn't a solution, but I can't find one. Does anyone know?

Thanks in advance

interface Ethernet0/2.10
vlan 10
nameif INSIDETEN
security-level 100
bridge-group 10
!
interface Ethernet0/2.20
vlan 20
nameif INSIDETWENTY
security-level 100
bridge-group 20
!
interface Ethernet0/3.10
vlan 10
nameif OUTSIDETEN
security-level 0
bridge-group 10
!
interface Ethernet0/3.20
vlan 20
nameif OUTSIDETWENTY
security-level 0
bridge-group 20
!
interface BVI10
ip address x.x.x.x y.y.y.y

interface BVI20
ip address x.x.x.x y.y.y.y

It doesn't work, I can't configure the VLANs on two different interfaces.

ASA(config-subif)# vlan 10
ERROR: VLAN 10 has been assigned to another interface
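
A pre-flight check for the condition behind that error, added here as an example (not part of the original post): it parses the subinterface stanzas from the config above and reports every VLAN ID that is tagged on more than one subinterface, which is exactly what the ASA rejects when the second `vlan` command is entered. The sample config is constructed from the post, with the security-level lines omitted.

```python
import re
from collections import defaultdict

# Constructed sample: the subinterface stanzas from the post above (security-level omitted).
SAMPLE_CONFIG = """\
interface Ethernet0/2.10
 vlan 10
 nameif INSIDETEN
 bridge-group 10
!
interface Ethernet0/2.20
 vlan 20
 nameif INSIDETWENTY
 bridge-group 20
!
interface Ethernet0/3.10
 vlan 10
 nameif OUTSIDETEN
 bridge-group 10
!
interface Ethernet0/3.20
 vlan 20
 nameif OUTSIDETWENTY
 bridge-group 20
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to {keyword: value} for its indented lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and line and line != "!":
            key, _, value = line.partition(" ")
            current[key] = value  # e.g. {"vlan": "10", "bridge-group": "10"}
    return stanzas

def vlan_conflicts(config: str) -> dict:
    """Return {vlan_id: [interfaces]} for every VLAN tagged on more than one
    subinterface; the ASA rejects the second with 'VLAN <n> has been assigned to another interface'."""
    by_vlan = defaultdict(list)
    for name, attrs in parse_interfaces(config).items():
        if attrs.get("vlan", "").isdigit():
            by_vlan[int(attrs["vlan"])].append(name)
    return {v: ifs for v, ifs in by_vlan.items() if len(ifs) > 1}
```

Calling `vlan_conflicts(SAMPLE_CONFIG)` on the posted config returns `{10: ['Ethernet0/2.10', 'Ethernet0/3.10'], 20: ['Ethernet0/2.20', 'Ethernet0/3.20']}`, i.e. both VLANs would be refused on the second interface.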

You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair, but the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs. For more information you can check the following configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_interfaces.html
