Transparent ASA 5545X with VLAN trunks

Marcus Peck
Level 1

Hello experts,

 

I have a current requirement to deploy a pair of transparent firewalls (active-standby). The active firewall sits between a core switch and an access switch. There is an EtherChannel pair (gi0/0 and gi0/1) connecting from the active firewall to the core switch (this interface is named "outside") and a pair of redundant interfaces (gi0/2 and gi0/3) connecting to the access switch (this interface is named "inside").

The core switch is the VTP master and holds all the VLANs in the environment. Is it possible to trunk the EtherChannel link and the redundant link to allow all VLANs through from the core switch to the access switch and vice versa? Thank you for your time reading this.

3 Replies

joe19366
Level 1

Actually, I just read the documentation a little deeper:

By default the ASA in transparent mode only permits ARP traffic; if you want to permit other types of Layer 2 frames you need to create an EtherType access list!

The plot thickens!

(This type of access list only appears in "firewall mode transparent".)

 

(permit STP, dot1q and VTP)

access-list myethertypes ethertype permit bpdu
access-list myethertypes ethertype permit 0x8100
access-list myethertypes ethertype permit 0x2003

 

Apply it:

access-group myethertypes in interface outside

access-group myethertypes in interface inside

 

Since the ASA requires all VLAN interfaces to be tagged, I suspect you are going to need to configure the trunk on the switch to tag the native VLAN.

You can do that on a switch with the command

 

vlan dot1q tag native

 

 

Hi Joe,

 

Thanks for the much-appreciated help on this. Let me try your suggestion on the firewall:

access-list myethertypes ethertype permit bpdu
access-list myethertypes ethertype permit 0x8100
access-list myethertypes ethertype permit 0x2003

access-group myethertypes in interface outside

access-group myethertypes in interface inside

 

And on the switches' end:

vlan dot1q tag native

-----------------------------------------------------------------------

Just a quick question: do I need to create VLANs on the firewall, or will the firewall just accept the VLAN-tagged frames from the downstream switch, after which they are filtered by firewall policy and forwarded to the upstream switch?

 

The ASA has no VLAN database, so there is no "creating VLANs" on the firewall.

 

Just tag all the interfaces and see if it works. The documentation says it should.
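To make the two replies above concrete (the EtherType access list and the `vlan dot1q tag native` advice), here is an added worked example that is not part of the thread and not Cisco code. It builds a few Layer 2 frames inline (an IEEE STP BPDU, a VTP and a CDP frame in SNAP encapsulation, a tagged IPv4 frame and an ARP frame), parses them the way a transparent bridge has to (802.1Q tag, Ethernet II EtherType vs 802.3 length plus LLC/SNAP), and runs them through the three-entry access list from the reply. The matching semantics are this toy model's assumptions, not the ASA's documented engine: `bpdu` matches LLC DSAP 0x42, a numeric entry matches the outer type field or the SNAP protocol ID, IPv4/IPv6 are handed to the extended access list, ARP passes by default as the reply states, and the list ends in an implicit deny. The MAC addresses, payload bytes and the `tag_native` helper are constructed for illustration.

```python
"""Toy model of a Layer 2 EtherType access list applied to parsed frames.

Constructed example for this thread, not Cisco code and not the ASA's real
matching engine. Assumptions: 'bpdu' matches 802.3/LLC frames with DSAP 0x42
(IEEE STP); a numeric entry matches the frame's outer type field or, for
SNAP-encapsulated frames, the SNAP protocol ID (VTP uses Cisco OUI 00000c,
PID 0x2003); IPv4/IPv6 are left to the extended access list; ARP passes by
default, as the reply above notes. Sample frames are built inline.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_8021Q, ETH_IPV4, ETH_IPV6, ETH_ARP = 0x8100, 0x0800, 0x86DD, 0x0806
LLC_DSAP_STP, SNAP_PID_VTP, SNAP_PID_CDP = 0x42, 0x2003, 0x2000
CISCO_OUI = bytes.fromhex("00000c")
DST, SRC = bytes.fromhex("0180c2000000"), bytes.fromhex("001122334455")  # constructed MACs


@dataclass
class L2Frame:
    vlan: Optional[int]        # 802.1Q VID, None when the frame is untagged
    outer_type: int            # first type/length field after the MAC addresses
    ethertype: Optional[int]   # Ethernet II EtherType (after any tag), else None
    dsap: Optional[int]        # LLC DSAP when the field is an 802.3 length
    snap_pid: Optional[int]    # SNAP protocol ID when LLC DSAP/SSAP are 0xAA


def parse_frame(raw: bytes) -> L2Frame:
    """Classify a raw frame: tagged or not, Ethernet II vs 802.3/LLC/SNAP."""
    outer = struct.unpack_from("!H", raw, 12)[0]
    etype, off, vlan = outer, 14, None
    if etype == ETH_8021Q:                       # 802.1Q tag: TCI, then the real type field
        tci, etype = struct.unpack_from("!HH", raw, 14)
        vlan, off = tci & 0x0FFF, 18
    if etype >= 0x0600:                          # Ethernet II: the field is an EtherType
        return L2Frame(vlan, outer, etype, None, None)
    dsap, ssap = raw[off], raw[off + 1]          # 802.3: the field is a length, LLC follows
    pid = None
    if dsap == ssap == 0xAA:                     # SNAP: ctrl(1) OUI(3) PID(2) after DSAP/SSAP
        pid = struct.unpack_from("!H", raw, off + 6)[0]
    return L2Frame(vlan, outer, None, dsap, pid)


def ethertype_acl_match(acl, frame: L2Frame) -> str:
    """First matching entry wins; the list ends in an implicit deny (toy semantics)."""
    for action, sel in acl:
        if sel == "any":
            return action
        if sel == "bpdu" and frame.dsap == LLC_DSAP_STP:
            return action
        if isinstance(sel, int) and sel in (frame.outer_type, frame.snap_pid):
            return action
    return "deny"


def evaluate(acl, raw: bytes) -> str:
    f = parse_frame(raw)
    if f.ethertype in (ETH_IPV4, ETH_IPV6):
        return "extended-acl"   # IP is policed by the L3 access list, not here (assumption)
    if f.ethertype == ETH_ARP:
        return "permit"         # ARP passes by default (as the reply above states)
    return ethertype_acl_match(acl, f)


# --- frame builders for the constructed samples ---------------------------
def _tag(vlan: Optional[int]) -> bytes:
    return b"" if vlan is None else struct.pack("!HH", ETH_8021Q, vlan)

def ethernet_ii(etype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    return DST + SRC + _tag(vlan) + struct.pack("!H", etype) + payload

def ieee8023(llc: bytes, vlan: Optional[int] = None) -> bytes:
    return DST + SRC + _tag(vlan) + struct.pack("!H", len(llc)) + llc

def snap(pid: int, data: bytes, vlan: Optional[int] = None) -> bytes:
    return ieee8023(bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", pid) + data, vlan)

def tag_native(raw: bytes, vid: int) -> bytes:
    """Models 'vlan dot1q tag native' on the switch: an untagged frame leaves tagged."""
    if struct.unpack_from("!H", raw, 12)[0] == ETH_8021Q:
        return raw
    return raw[:12] + _tag(vid) + raw[12:]


# The three-line access list from the reply: permit bpdu, 0x8100, 0x2003.
ACL = [("permit", "bpdu"), ("permit", ETH_8021Q), ("permit", SNAP_PID_VTP)]

SAMPLES = {   # constructed frames; payloads are placeholder bytes
    "stp_bpdu_untagged": ieee8023(bytes([0x42, 0x42, 0x03]) + b"\x00" * 35),
    "vtp_untagged": snap(SNAP_PID_VTP, b"\x01\x02"),
    "cdp_untagged": snap(SNAP_PID_CDP, b"\x02\xb4"),
    "ipv4_tagged_vlan10": ethernet_ii(ETH_IPV4, b"\x45" + b"\x00" * 19, vlan=10),
    "arp_untagged": ethernet_ii(ETH_ARP, b"\x00" * 28),
}


def run(acl=ACL, frames=SAMPLES) -> dict:
    return {name: evaluate(acl, raw) for name, raw in frames.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:22s} {verdict}")
    # CDP has no entry of its own, so it hits the implicit deny while untagged
    print("cdp after tag native  ", evaluate(ACL, tag_native(SAMPLES["cdp_untagged"], 1)))
```

The point worth taking from the model: the STP BPDU is an 802.3/LLC frame (DSAP 0x42) and VTP rides in a SNAP header with PID 0x2003, so neither has an Ethernet II EtherType at all, which is why the `bpdu` keyword and the 0x2003 entry exist as separate rules. Anything not listed, such as CDP (PID 0x2000) in this sample set, falls through to the implicit deny. In the toy, tagging the native VLAN changes the untagged CDP frame's outer field to 0x8100 and the second rule then permits it; whether the real ASA matches tagged non-IP frames on the outer tag or the inner protocol is something to confirm against the platform documentation before relying on it.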
