ASA - Transparent Bridging and BVI

Robert Ho
Level 1

Does the BVI have to be on the same subnet as the nodes on the Inside interface?

We'd like to place the ASA between two routers with a /29 in between them and put the BVI on the same subnet.

The servers would be behind one of the routers (L3 switch) on a different subnet.

Looking through the docs, the ASA seems to be placed between the servers and their default gateway, and acts as a front end to the servers.

Servers -- Cat3750 -- ASA -- Router

3 Replies

Andrew Phirsov
Level 7

Which subnet you're going to put your BVI interface in doesn't really matter, as long as you've got a route to that subnet from the management host. That's because the BVI IP is only required for managing an ASA.

Where you're going to install your ASA (between routers or in the servers' segment) is an unrelated question and depends on what you're trying to protect with that ASA, and, if I understand your topology correctly, it doesn't matter in your case.

Looked further into the release notes, and now it leads to more confusion ...

"Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network."

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/intro_fw.html

My understanding is that the BVI does the following?

- used for management

- must be on the same subnet as the inside hosts

- acts as a front end to the hosts to respond to ARP, etc.

- used for management;

- must be on the same L3 subnet as the routers' (or other devices') interfaces between which it's installed (just because otherwise you won't be able to route to it for management). There's no logic like whether inside hosts or somewhere else. If you can connect to it from your management host then it's okay.

- it doesn't interact with ARP, but just allows them through (ARPs can be inspected if ARP inspection is enabled).
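A worked configuration for the topology in the question (Router -- ASA -- Cat3750 -- Servers), added here as an example; it is not from the original thread or from Cisco's documentation. It assumes ASA 9.0 transparent-mode syntax and documentation-range addressing: 192.0.2.0/29 is the transit link, with the upstream router at .1, the Catalyst 3750 uplink at .2 and the BVI at .3; the servers sit in 198.51.100.0/24 behind the 3750; an admin subnet 203.0.113.0/24 is assumed to be reachable via the 3750. Interface names and the hostname are placeholders. The BVI address sits in the /29 that the bridge group's member interfaces are physically attached to, which is what the quoted 9.0 guide calls "the connected network"; the server subnet is never configured on the ASA, because its traffic is bridged at layer 2 and only filtered by the access lists.

```cisco
! Added example (not from the thread): ASA 9.0 transparent mode, one bridge group.
! Assumed addressing: 192.0.2.0/29 transit link, upstream router .1,
! Cat3750 uplink .2, BVI (management IP) .3; servers in 198.51.100.0/24 behind the 3750.
firewall transparent
hostname asa-bridge
!
! Both member interfaces belong to bridge group 1; the ASA bridges frames between them.
! Interfaces are shut down by default on the ASA, hence the explicit no shutdown.
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
! The bridge group's management IP lives in the /29 the member interfaces are attached to,
! not in the server subnet. It is the source address for traffic the ASA itself originates.
interface BVI1
 ip address 192.0.2.3 255.255.255.248
!
! Routes are only used for traffic the ASA originates or terminates (syslog, SSH replies
! to hosts outside the /29). Transit traffic is bridged and never consults them.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 203.0.113.0 255.255.255.0 192.0.2.2
!
! Filtering of bridged IP traffic: only HTTPS from anywhere to the server subnet
! is admitted from the outside; everything else is dropped and logged.
object network SERVER_NET
 subnet 198.51.100.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any object SERVER_NET eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Management of the ASA itself: SSH to the BVI address from the assumed admin subnet,
! which arrives on the inside member interface. To-the-box traffic is not subject to
! the interface access lists above.
ssh 203.0.113.0 255.255.255.0 inside
ssh version 2
!
! Syslog leaves sourced from the BVI address via the static route to the admin subnet.
logging enable
logging host inside 203.0.113.10
```

Two practical points when applying this: entering `firewall transparent` on an ASA running in routed mode clears the running configuration, so switch modes before building the rest of the config, and neither the servers nor the 3750 get a default gateway pointing at the ASA; the 3750 keeps routing the server subnet and defaults to 192.0.2.1 exactly as it would without the firewall in the path. `show firewall`, `show bridge-group 1` and `show mac-address-table` confirm the mode, the bridge-group membership and that the MACs of .1 and .2 are being learned on the expected member interfaces.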
