Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
840
Views
0
Helpful
1
Replies

Cisco ASA IPS inline in bridge mode on a trunked interface

hancorp
Level 1
Level 1

‎05-06-2014 12:22 AM - last edited on ‎03-25-2019 05:20 PM by Community Manager

Hi,

I'm trying to figure out how to deploy a Cisco ASA 5512-X IPS inline in bridge mode on an ethernet trunked interface.

switch1--------------vlan10,20----------------ASA IPS--------------vlan10,20----------------switch2

I basically want to drop the IPS inline without changing the existing switch configuration. Its works fine on a non trunked interface but when I configure it similar to the config below I hit the issue that I cant assign 2 separate interfaces to the same VLAN. The exact error is as follows

ERROR: VLAN 10 has been assigned to another interface.

This is such a common scenario I cant imagine there isnt a solution but I cant find one.  Does anyone know ?

Thanks in advance

interface Ethernet0/2.10
vlan 10
nameif INSIDETEN
security-level 100
bridge-group 10
!
interface Ethernet0/2.20
vlan 20
nameif INSIDETWENTY
security-level 100
bridge-group 20
!
interface Ethernet0/3.10
vlan 10
nameif OUTSIDETEN
security-level 0
bridge-group 10
!
interface Ethernet0/3.20
vlan 20
nameif OUTSIDETWENTY
security-level 0
bridge-group 20
!
interface BVI10
ip address x.x.x.x y.y.y.y

interface BVI20
ip address x.x.x.x y.y.y.y

It doesn't work, I can't configure the VLANs on two different interfaces.

ASA(config-subif)# vlan 10
ERROR: VLAN 10 has been assigned to another interface

 

Labels:
0 Helpful
1 Reply 1

Ravi Singh
Level 7
Level 7

‎05-06-2014 09:46 AM

You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. but the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs. For more information you can check the following configuration guide.

http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_interfaces.html

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card