08-15-2015 04:34 PM - edited 03-11-2019 11:26 PM
Hi Everyone,
I came across a client network where they have an ASA 5505 with two VLANs whose names are different but whose subnet address and subnet mask are the same.
Is this design OK to have?
The ASA is using two different physical interfaces, one for each VLAN.
The setup is:
switch ----vlan 10 ----192.168.50.0/25-------ASA----Vlan 11--------------192.168.50.0/24-----------Switch
I know that on a router we cannot have two physical interfaces in the same subnet.
Regards
Mahesh
08-16-2015 02:49 AM
Hi,
This is not good practice, as the network 192.168.50.0-.127 would be overlapping.
The only reason you were probably able to configure this was because of the different masks.
Thanks and Regards,
Vibhor Amrodia
08-16-2015 12:20 PM
Sorry, I put wrong info earlier.
The IP addresses of the two VLANs were 10.31.102.17/28 and 10.31.102.33/28.
This ASA is not in transparent mode.
When I calculated their address ranges, they are not on the same network.
I was confused by only looking at the same subnet mask, not calculating their address ranges.
Many thanks to everyone who replied to the post.
Regards
Mahesh
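The mistake Mahesh describes (judging overlap by the mask instead of by the address range) is easy to script. This is an added example of mine, not code from the thread or from Cisco; it resolves each interface address to its network and reports which pairs actually overlap. The interface names are assumptions, and the original post's subnets are used as interface addresses since no host addresses were given.

```python
from ipaddress import ip_interface

def interface_networks(addresses):
    """Resolve each interface's address/prefix to the network it belongs to.

    Accepts a host address ("10.31.102.17/28") or a network address
    ("192.168.50.0/25"); the prefix length decides the network either way.
    """
    return {name: ip_interface(addr).network for name, addr in addresses.items()}

def overlapping_pairs(addresses):
    """Return every pair of interface names whose networks overlap.

    Two networks overlap when one contains any address of the other, which is
    what a router or routed-mode ASA rejects on directly connected interfaces.
    The same mask alone is not an overlap; the same address space is.
    """
    nets = interface_networks(addresses)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def describe(addresses):
    """Human-readable usable host range per interface, e.g. for a change review."""
    lines = []
    for name, net in interface_networks(addresses).items():
        # /31 and /32 have no separate network/broadcast addresses
        first, last = (net[1], net[-2]) if net.num_addresses >= 4 else (net[0], net[-1])
        lines.append(f"{name}: {net} hosts {first}-{last}")
    return lines

# Constructed samples mirroring the thread; interface names are assumptions.
ORIGINAL_POST = {"vlan10": "192.168.50.0/25", "vlan11": "192.168.50.0/24"}
CORRECTED_POST = {"vlan_a": "10.31.102.17/28", "vlan_b": "10.31.102.33/28"}

if __name__ == "__main__":
    for label, sample in (("original post", ORIGINAL_POST),
                          ("corrected post", CORRECTED_POST)):
        print(label)
        for line in describe(sample):
            print("  " + line)
        print("  overlapping:", overlapping_pairs(sample) or "none")
```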
08-16-2015 02:57 AM
This is not nice, no it isn't...
If you can convince your customer to redesign,
give it a shot with a transparent firewall:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html
Regds, MiKa
PS: Routers also support bridging and transparent firewall (IRB).
08-16-2015 03:19 AM
Hi
It is not a good design. Try to convince the customer and explain the challenges.
Ask them to give different subnets for the VLANs, so that you can terminate each VLAN on a dedicated interface.
i.e. VLAN 10 - 192.168.50.0/24 - ASA interface eth 1
VLAN 20 - 192.168.60.0/24 - ASA interface eth 2
Rgds
Shan
08-16-2015 03:33 AM
I'm not sure why everyone is saying this is not a good design, because it just looks like a transparent firewall setup to me, i.e. two VLANs using one IP subnet.
Admittedly the subnets have different masks, which is not ideal, although Mahesh says the subnet mask is the same in his description, so it might be a typo.
The reason for two VLANs is to avoid an STP loop, i.e. the ASA has joined two VLANs together using the same IP subnet, so it is in transparent mode.
Jon
08-16-2015 03:52 AM
Hi Jon,
I thought there was IP subnet overlap. But as you said, it could be a typo as well. Also not sure about the mode (transparent or routed).
If transparent mode, then no issues; only a BVI interface, which we create for Mgmt access through a data port.
Rgds
Shan
08-16-2015 04:01 AM
Hi Shan
There is IP subnet overlap. In fact the IP subnet should be the same, i.e. the same mask as well, for transparent mode.
I agree we don't know whether it is routed or transparent, but I am assuming the latter simply because I don't believe the ASA would let you configure two interfaces from the same IP subnet when there is an overlap in the addressing.
Jon
08-16-2015 04:11 AM
Hi Jon,
As I know, there is no need to configure IPs for the VLANs on the ASA. We only have to configure one for Mgmt, right Jon?
I have not worked with transparent mode solutions, so I don't have much of an idea from a solution point of view and of the challenges.
But your post has good info. Can you share any links for transparent deployment?
Shan
08-16-2015 04:22 AM
Correct, you don't configure the IP addresses on the actual interfaces.
By deployment, do you mean how to configure it or where you would use it?
Jon
08-16-2015 04:32 AM
That's why I had a doubt about Mahesh's post. Because we won't configure the IP on the ASA other than for mgmt purposes.
In transparent mode we only do L2-level segmentation.
No, I know the configuration perspective. I got the requirement now.
Thanks Jon.