Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2936
Views
0
Helpful
6
Replies

Cisco ASA as VXLAN bridge?

handsy
Level 1
Level 1

‎07-23-2019 12:50 AM

I'm exploring VXLANs for the first time and have found out that my ASA5555-X firewalls do support it. They're running 9.8(3) code.

My use case is better explained using diagrams. The first one is how things look now:

vxlanbefore.png

Today, the servers are in different subnets and are routed between 2 ASA firewalls so they can chat to each other.

What I want to do is get the servers in the same subnet and I think I can use VXLAN to achieve that. Here's what I want it to look like:

vxlanafter.png

I'm not sure how to configure this. I *think* I need to create VTEP interfaces on the server ports, and both 0/0 and 1/0 on both ASA firewalls?

I'm sure this is really simple and basic but the Cisco articles don't have this as an example for me to use.

Any help appreciated :)

2 people had this problem
Labels:
0 Helpful
6 Replies 6

handsy
Level 1
Level 1

‎07-26-2019 06:55 AM

Anyone?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to handsy

‎07-26-2019 09:04 PM

Sorry. In my experience very very few customers use VXLAN on their ASAs - I've never seen one outside a lab environment. Those who do typically are working directly with Cisco Advanced Services or have significant in house engineering resources and not hanging out on the general support community.

0 Helpful

Alan Ng'ethe
Level 3
Level 3

‎07-26-2019 09:20 PM

This looks interesting. I am actually going to lab this out to see how it works.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
0 Helpful

handsy
Level 1
Level 1
In response to Alan Ng'ethe

‎07-29-2019 12:25 AM

Thanks Alan Ng'ethe, that would be super helpful.

I love the fact that the VXLAN (VTEP) interface does not have to be a dedicated physical port, i.e. it can be shared with normal firewall services! See attached below:

vxlan-vtep.png

0 Helpful

Caleb Stucki
Level 1
Level 1

‎12-02-2020 07:35 PM

Handsy, I just configured an extended L2 network via 2 Firepower 2140 ASAs similar to what you are asking. It does work.

ASA ports to the Servers can just be sub-interfaced and set for vlan traffic.

VTEP only needs to be on the ASA ports connecting to the L3 network.

It's kind of like a GRE tunnel where you just tell it is a VTEP and tell it it's VTEP peer on the other side of the L3 network. As long as those physical interfaces can ping each other, they can establish VTEP mapping.

0 Helpful

abbes
Level 1
Level 1
In response to Caleb Stucki

‎10-10-2021 02:31 AM

Can you give us configuration for this ASA

THk

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card