Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
339
Views
0
Helpful
5
Replies

Are firewall VLAN Groups on ASASM equal to seperate interfaces I.E. DMZs???

fsebera
Level 4
Level 4

‎10-16-2015 10:36 AM - edited ‎03-11-2019 11:45 PM

Looking for confirmation!!

 

From the Cisco documentCLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1

found at URL: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_switch.html#Assigning VLANs to the ASA Services Module

You can assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an inside group and an outside group; or you can create a group for each customer.

 

MY QUESTION:

Are the 16 firewall VLAN groups equivalent to 16 different interfaces on the ASASM, where each interface could be a separate DMZ and where each separate DMZ could have multiple VLANs?

 

THANK YOU

Frank

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎10-16-2015 11:20 AM

Frank

Firstly I have only used the FWSM but I am assuming the principle is the same for the ASASM.

So that said, in answer to your question the vlan groups are not the equivalent of the interfaces on the firewall as that would be a severe limitation.

The vlan groups are used to tell the switch which vlans are allocated to the firewall.

What determines the number of interfaces on the firewall is how many vlans you allocate to the firewall obviously subject to the per context and overall hardware limitations of the ASASM itself ie. there are limits as to how many total vlans it supports and with the FWSM there was also a limit of how many interfaces you could have per context as well.

In terms of using multiple vlan groups I don't think I ever did to be honest although we only had one FWSM per chassis and if you had multiple ASASMs per chassis you may want to use it for organisation.

Or there may just be a limit of how many vlans you can actually assign with a vlan group ie. if the vlans were not sequential it may be there is a limit to the number but then you would just use another vlan group.

That last bit is just supposition though.

But no, as far as I know based on my knowledge of the FWSM, the number of vlan groups does not define the number of interfaces (DMZs) you can have on the ASASM.

Jon

 

0 Helpful

fsebera
Level 4
Level 4
In response to Jon Marshall

‎10-16-2015 12:13 PM

Hi Jon,

I think you are saying the VLAN Group feature is used just to inform the ASASM which VLANs the ASASM should create so the ASASM and SWITCH can communicate. Once the ASASM is aware of the VLANs assigned to it, the ASASM will automatically create these VLANs. (a layer-2 sync up). I'm guessing this is sort of like the old Vlan database feature on a Cisco router.

 

More digging I guesssss.

Thanks

Frank

 

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to fsebera

‎10-16-2015 12:26 PM

Frank

Again, based on the FWSM, the module does not create the vlans.

You create vlans in the vlan database just as you would with any other vlan.

The main difference is that for your DMZ vlans you do not create a L3 SVI on the switch because you want the firewall to route traffic.

The vlan group does not tell the ASASM which vlans to create, it simply tells the module which vlans have been assigned to it.

Jon

0 Helpful

fsebera
Level 4
Level 4
In response to Jon Marshall

‎10-19-2015 06:06 AM

HI Jon

Thank for the clarification!

Frank

0 Helpful

fsebera
Level 4
Level 4
In response to Jon Marshall

‎10-19-2015 06:06 AM

HI Jon

Thank for the clarification!

Frank

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card