Security Levels and VLANs

gmcvb
Beginner

When setting up a subinterface for a VLAN...

What do you set the security level at for the actual interface?

As seen below, I've managed to do two different things. Initially I didn't know what I was doing...bet you hear that a lot.

1)  Ethernet0/1 the actual port and a subinterface on that port becomes VLAN 100.

Probably not supposed to do that, it is working.  But they both have different security levels, does one step on the other?

2)  Ethernet0/3 physical port has no security set, however VLANs 2 and 6 both have different security levels.

I have had it set that the physical port has a security level set, but I find that confusing-- wouldn't that interfere with the security levels on the subinterfaces below it?

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 66.162.230.66 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address XXX.XXX.3.254 255.255.255.0
!
interface Ethernet0/1.100
 vlan 100
 nameif VOIP
 security-level 99
 ip address XX.XX.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.2
 vlan 2
 nameif DMZ
 security-level 50
 ip address XXX.XXX.30.254 255.255.255.0
!
interface Ethernet0/3.6
 vlan 6
 nameif Public
 security-level 30
 ip address XXX.XXX.112.254 255.255.255.0

Really, what is the best way this should be set up? And do security levels on the physical interface affect the security levels on the subinterfaces?

Thank you so much!

3 Replies

Karsten Iwen
VIP Mentor

The security-level describes the trustworthiness of the attached networks. The higher the number, the more trustworthy the connected network is. If inside is your most trusted network, give it 100 (which is the default). 0 for outside. If VOIP is nearly as trusted as inside, then 99 is ok. But I still would use 90 so that you can later add an interface between VOIP and inside if you want. DMZ and Public: which is more trustworthy? That one will get the 50, the other the 30.

For your outside interface you use no subinterface. That's not considered a best practice, as you are using the native VLAN for that. On a security device you should rather tag all traffic. You should change that to a subinterface, as you have done on Ethernet0/3.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: Outside-interface

That never occurred to me then, to assign a VLAN to the Outside interface. I'll have to reconfigure...what...for traffic to flow properly.

Also, again, what about the security-level on the physical interface?  Does that interfere with the security-level of the subinterfaces below it?

Thanks

Also, again, what about the security-level on the physical interface?  Does that interfere with the security-level of the subinterfaces below it?

No, it doesn't matter if it's on the main interface or on a subinterface. The security-level is there to classify the firewall interfaces. Both (the main interface and the subinterface) are firewall interfaces.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
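As an added illustration (not code from the thread or from Cisco), the script below parses the poster's configuration excerpt, re-typed here as a constructed sample with the same masked addresses, and applies the two answers given above: every interface with a nameif is its own firewall interface with its own security level regardless of whether it is physical or a subinterface, and a named physical port carries untagged native-VLAN traffic. It also evaluates the default ASA policy between two named interfaces (higher level to lower is permitted without an ACL, lower to higher is denied, equal levels need same-security-traffic permit inter-interface) and flags adjacent levels with no gap, which is the reason for the 90-instead-of-99 suggestion. The finding codes, function names and the gap threshold of 2 are this example's own choices.

```python
"""Summarise ASA interface security levels from a config excerpt.

Added example, not from the original thread.  SAMPLE_CONFIG is a constructed
copy of the poster's excerpt (addresses masked as in the post).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 66.162.230.66 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address XXX.XXX.3.254 255.255.255.0
!
interface Ethernet0/1.100
 vlan 100
 nameif VOIP
 security-level 99
 ip address XX.XX.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.2
 vlan 2
 nameif DMZ
 security-level 50
 ip address XXX.XXX.30.254 255.255.255.0
!
interface Ethernet0/3.6
 vlan 6
 nameif Public
 security-level 30
 ip address XXX.XXX.112.254 255.255.255.0
"""


@dataclass
class Iface:
    name: str
    nameif: Optional[str] = None
    level: Optional[int] = None
    vlan: Optional[int] = None
    shutdown: bool = False

    @property
    def is_sub(self) -> bool:
        # Subinterfaces are written parent.N, e.g. Ethernet0/3.2
        return "." in self.name


def parse(text: str) -> List[Iface]:
    """Walk 'interface ...' blocks and pick out the fields that matter here."""
    ifaces: List[Iface] = []
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = Iface(m.group(1))
            ifaces.append(cur)
            continue
        if cur is None or not line or line == "!":
            continue
        words = line.split()
        if words[0] == "nameif":
            cur.nameif = words[1]
        elif words[0] == "security-level":
            cur.level = int(words[1])
        elif words[0] == "vlan":
            cur.vlan = int(words[1])
        elif words[0] == "shutdown":
            cur.shutdown = True
        # 'no nameif' / 'no security-level' start with 'no' and are ignored
    return ifaces


def firewall_interfaces(ifaces: List[Iface]) -> Dict[str, int]:
    """Only interfaces with a nameif and a level are firewall interfaces;
    physical or sub makes no difference (Ethernet0/3 itself does not appear)."""
    return {i.nameif: i.level for i in ifaces if i.nameif and i.level is not None}


def default_direction(levels: Dict[str, int], src: str, dst: str) -> str:
    """Default policy for connections initiated from src towards dst with no ACL."""
    if levels[src] > levels[dst]:
        return "permit"
    if levels[src] < levels[dst]:
        return "deny"
    return "deny unless same-security-traffic permit inter-interface"


def findings(ifaces: List[Iface]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    # A named, active physical port handles untagged native-VLAN frames.
    for i in ifaces:
        if i.nameif and not i.is_sub and not i.shutdown:
            out.append(("untagged-named-physical", i.name))
    # Adjacent levels with no room to slot another interface in between.
    ordered = sorted(firewall_interfaces(ifaces).items(), key=lambda kv: kv[1])
    for (a, la), (b, lb) in zip(ordered, ordered[1:]):
        if lb - la < 2:
            out.append(("no-level-gap", f"{a}/{b}"))
    return out


if __name__ == "__main__":
    parsed = parse(SAMPLE_CONFIG)
    for nameif, level in firewall_interfaces(parsed).items():
        print(f"{nameif:8} security-level {level}")
    for code, where in findings(parsed):
        print(f"{code}: {where}")
```

Running it lists five firewall interfaces (Outside, Inside, VOIP, DMZ, Public) and no entry for Ethernet0/3, since a parent with no nameif is just a trunk carrier, then flags Ethernet0/0 and Ethernet0/1 as named physical ports carrying untagged traffic and VOIP/Inside as levels 99 and 100 with no gap.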
