Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
1
Replies

Can I have multiple different vlans in one Single Mode Transparent Firewall

Mike Masalla
Level 1
Level 1

‎06-11-2014 12:42 AM - edited ‎03-11-2019 09:19 PM

Hi,

I am about configuring Data Center FW (ver 9.2) to protect multi tier Servers Farm; Web, Applications & Data Base. There is a requirement to set the FW in Transparent Mode, while the license is the base 2-contexts, only.


I wonder if One Single Transparent Context, with different bridge-groups, one for each vlan is a workable solution. I have pasted the configuration of the FW, it may help in understanding the setup.

======

firewall transparent
names
!
interface TenGigabitEthernet0/8
 description To Nx7K-1 Port-8
 channel-group 9 mode passive
 no shutdown
 no nameif
 no security-level
 
!
interface TenGigabitEthernet0/9
 description Nx7K-1 Port-9
 channel-group 9 mode passive
 no shutdown
 no nameif
 no security-level
!
interface TenGigabitEthernet1/8
 description Nx7K-2 Port-8
 channel-group 9 mode passive
 no shutdown
 no nameif
 no security-level
!
interface TenGigabitEthernet1/9
 description Nx7K-2 Port-9
 channel-group 9 mode passive
 no shutdown
 no nameif
 no security-level
!
!
interface BVI1
 desc Services Zone
 ip address x.x.41.250 255.255.255.0
!
interface BVI2
 description WEB-APPS Zone
 ip address x.x.42.250 255.255.255.0
!
interface BVI3
 desc Oracle management
ip address x.x.43.250 255.255.255.0
!
interface BVI4
 descr Oracle DB
 ip address x.x.44.250 255.255.255.0
!
interface Port-channel9
 description ECLB Trunk to NX7Ks
 duplex full
 port-channel load-balance src-dst-ip-port
 no nameif
 no security-level
switchport mode trunk
switchport trunk allowed vlan 41-44,141-144


!
interface Port-channel9.41
 vlan 41
 nameif Services-Outside
 bridge-group 1
 security-level 0
!
interface Port-channel9.141
 description Services-Inside
 vlan 141
 nameif Services-Inside
 bridge-group 1
 security-level 100
!
interface Port-channel9.42
description WEB_APPS-Outside
 vlan 42
nameif WEB_APPS-Outside
 bridge-group 2
 security-level 0
!
interface Port-channel9.142
 description WEB_APPS-Inside
 vlan 142
 nameif WEB_APPS-Inside
 bridge-group 2
 security-level 100
!

interface Port-channel9.43
desc Oracle management
 vlan 43
 nameif Oracle_Mgmt-Outside
 bridge-group 3
 security-level 0
!
interface Port-channel9.143
 description Oracle management Inside
 vlan 143
 nameif Oracle_Mgmt_Inside
 bridge-group 3
 security-level 100
!
interface Port-channel9.44
desc Oracle DB
 vlan 44
 nameif Oracle_DB_Outside
 bridge-group 3
 security-level 0
!
interface Port-channel9.144
 description Oracle DB Inside
 vlan 144
 nameif Oracle_DB_Inside
 bridge-group 4
 security-level 100
!

Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎06-11-2014 07:33 AM

it is possible but it is not scaleable.  If I remember correctly you can only have a maximum of 8 BVI interfaces...so this means you can only have 8 subnets going across the ASA.  You would also need seperate VLANs for the inside interface and the outside interface since you can not configure two interfaces to be in the same VLAN, and then assign these interfaces to the appropriate BVI group.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card