01-28-2015 06:05 PM - edited 03-11-2019 10:24 PM
Hello experts,
I have a current requirement in which we are to deploy a pair of transparent firewalls (active/standby). The active firewall sits between a core switch and an access switch. There is an EtherChannel pair (gi0/0 and gi0/1) connecting the active firewall to the core switch (this interface is named "outside") and a pair of redundant interfaces (gi0/2 and gi0/3) connecting to the access switch (this interface is named "inside").
The core switch is the VTP master, which holds all the VLANs in the environment. Is it possible to trunk the EtherChannel link and the redundant link to allow all VLANs through from the core switch to the access switch and vice versa? Thank you for your time reading this.
01-30-2015 11:07 PM
Actually, I just read the documentation a little deeper:
By default the ASA in transparent mode only permits ARP traffic; if you want to permit other types of Layer 2 frames you need to create an EtherType access list!
The plot thickens!
(This type of access list only appears in "firewall mode transparent".)
(Permit STP, dot1q and VTP.)
access-list myethertypes ethertype permit bpdu
access-list myethertypes ethertype permit 0x8100
access-list myethertypes ethertype permit 0x2003
Apply it:
access-group myethertypes in interface outside
access-group myethertypes in interface inside
Since the ASA requires all VLAN-tagged interfaces to be tagged, I suspect you are going to need to configure the trunk on the switch to tag the native VLAN; you can do that on a switch with the command:
vlan dot1q tag native
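As an added illustration (not part of Joe's post, and not Cisco code), the Python model below builds the kinds of frames this thread is about and shows which line of the EtherType ACL above each one would hit. The frames are constructed by hand from the published encodings: Ethernet II (ARP, IPv4), 802.1Q tags (TPID 0x8100), and IEEE 802.3/LLC frames, which carry a length field instead of an EtherType (STP BPDUs with LLC SAP 0x42; CDP and VTP as SNAP with the Cisco OUI and protocol IDs 0x2000 and 0x2003). The ACL evaluation follows the thread's reasoning rather than documented ASA internals, so two things are assumptions: the `bpdu` keyword is modelled as "LLC DSAP 0x42", and a hex entry is modelled as matching the outer TPID, the EtherType, or the SNAP protocol ID. The MAC addresses and payloads are dummies.

```python
"""Added example: which Layer 2 frames hit which line of the thread's EtherType ACL.

Frames are constructed from the standard encodings. The ACL evaluation is a model of
the thread's approach, not Cisco code (see the assumptions marked below).
"""
import struct

ETH_ARP, ETH_IPV4, ETH_IPV6, TPID_8021Q = 0x0806, 0x0800, 0x86DD, 0x8100
LLC_SAP_STP, LLC_SAP_SNAP = 0x42, 0xAA
OUI_CISCO = bytes.fromhex("00000c")
PID_CDP, PID_VTP = 0x2000, 0x2003          # Cisco SNAP protocol IDs

MAC_STP = bytes.fromhex("0180c2000000")     # IEEE STP multicast
MAC_CISCO = bytes.fromhex("01000ccccccc")   # Cisco CDP/VTP multicast
SRC = bytes.fromhex("001122334455")         # constructed source MAC
DST = bytes.fromhex("66778899aabb")         # constructed unicast destination


def _tag(vlan):
    """802.1Q tag (TPID 0x8100, PCP 0, DEI 0) or nothing when vlan is None."""
    return struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) if vlan is not None else b""


def eth2_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame: a real EtherType (>= 0x0600) follows the addresses/tag."""
    return dst + src + _tag(vlan) + struct.pack("!H", ethertype) + payload


def llc_frame(dst, src, dsap, ssap, payload, vlan=None, snap=None):
    """IEEE 802.3 frame: a length field, then an LLC header and an optional SNAP header."""
    body = bytes([dsap, ssap, 0x03])                      # LLC header, UI control byte
    if snap is not None:
        oui, pid = snap
        body += oui + struct.pack("!H", pid)              # SNAP: 3-byte OUI + 2-byte protocol ID
    body += payload
    return dst + src + _tag(vlan) + struct.pack("!H", len(body)) + body


def classify(frame):
    """Decode the fields an EtherType ACL could look at: TPID, VLAN ID, EtherType, LLC SAP, SNAP PID."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"tpid": None, "vlan": None, "ethertype": None, "llc_sap": None, "snap_pid": None}
    off = 12
    typ = struct.unpack_from("!H", frame, off)[0]
    if typ == TPID_8021Q:                                   # tagged: read the TCI, then the inner type
        info["tpid"] = typ
        info["vlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        typ = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if typ >= 0x0600:                                       # Ethernet II: an EtherType
        info["ethertype"] = typ
    else:                                                   # IEEE 802.3: a length; LLC follows
        dsap, ssap = frame[off], frame[off + 1]
        info["llc_sap"] = dsap
        if dsap == LLC_SAP_SNAP and ssap == LLC_SAP_SNAP:   # SNAP: OUI at +3, protocol ID at +6
            info["snap_pid"] = struct.unpack_from("!H", frame, off + 6)[0]
    return info


def acl_verdict(frame, acl):
    """Which ACL line the frame hits, or how the model disposes of it otherwise.

    Following the thread: untagged ARP is permitted by default, and untagged IP is the
    business of the extended ACL, so neither consults the EtherType ACL. Everything else
    is matched top-down. ASSUMPTIONS of this model: 'bpdu' means LLC DSAP 0x42, and a hex
    entry matches the outer TPID, the EtherType, or the SNAP PID. No match: implicit deny.
    """
    info = classify(frame)
    if info["tpid"] is None and info["ethertype"] == ETH_ARP:
        return "arp-default-permit"
    if info["tpid"] is None and info["ethertype"] in (ETH_IPV4, ETH_IPV6):
        return "extended-acl"
    for entry in acl:
        if entry == "bpdu" and info["llc_sap"] == LLC_SAP_STP:
            return "permit bpdu"
        if isinstance(entry, int) and entry in (info["tpid"], info["ethertype"], info["snap_pid"]):
            return f"permit 0x{entry:04x}"
    return "implicit deny"


# The ACL from the thread, in order.
MYETHERTYPES = ["bpdu", 0x8100, 0x2003]

# Constructed sample frames; "native" ones are what an untagged native VLAN would carry.
FRAMES = {
    "arp untagged":        eth2_frame(DST, SRC, ETH_ARP, b"\x00" * 28),
    "ipv4 untagged native": eth2_frame(DST, SRC, ETH_IPV4, b"\x45" + b"\x00" * 19),
    "ipv4 tagged vlan 10": eth2_frame(DST, SRC, ETH_IPV4, b"\x45" + b"\x00" * 19, vlan=10),
    "stp bpdu untagged":   llc_frame(MAC_STP, SRC, LLC_SAP_STP, LLC_SAP_STP, b"\x00" * 35),
    "vtp untagged":        llc_frame(MAC_CISCO, SRC, LLC_SAP_SNAP, LLC_SAP_SNAP, b"\x01" * 8, snap=(OUI_CISCO, PID_VTP)),
    "cdp untagged native": llc_frame(MAC_CISCO, SRC, LLC_SAP_SNAP, LLC_SAP_SNAP, b"\x02" * 8, snap=(OUI_CISCO, PID_CDP)),
    "cdp tagged native":   llc_frame(MAC_CISCO, SRC, LLC_SAP_SNAP, LLC_SAP_SNAP, b"\x02" * 8, vlan=1, snap=(OUI_CISCO, PID_CDP)),
}


def run_all(acl=MYETHERTYPES):
    """Verdict for every sample frame against the given ACL."""
    return {name: acl_verdict(frame, acl) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22} -> {verdict}")
```

The two CDP frames are the point of the `vlan dot1q tag native` advice: untagged, the frame has no 0x8100 TPID and no EtherType at all (only a length field and a SNAP header with PID 0x2000, which the ACL does not list), so it falls to the implicit deny; once the switch tags the native VLAN, the same frame carries the 0x8100 TPID and matches the second line. Whether a real ASA matches a SNAP protocol ID against a hex EtherType entry is not something this thread establishes; the model simply follows the intent of the 0x2003 line.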
02-01-2015 06:59 PM
Hi Joe,
Thanks for the much appreciated help on this. Let me try your suggestion on the firewall:
access-list myethertypes ethertype permit bpdu
access-list myethertypes ethertype permit 0x8100
access-list myethertypes ethertype permit 0x2003
access-group myethertypes in interface outside
access-group myethertypes in interface inside
And on the switches' end:
vlan dot1q tag native
-----------------------------------------------------------------------
Just a quick question: do I need to create VLANs on the firewall, or will the firewall just accept the VLAN-tagged frames from the downstream switch, after which they are filtered by firewall policy and forwarded to the upstream switch?
02-01-2015 07:04 PM
The ASA has no VLAN database, so there is no "creating VLANs" on the firewall.
Just tag all the interfaces and see if it works; the documentation says it should.