3201 Views, 0 Helpful, 5 Replies

Using same vlan on multiple contexts with different IP's -- cisco asa

stillmags
Level 1

So I set up 3 different contexts. I am wanting to configure the same VLAN ID on each of these contexts. An error comes up displaying that this VLAN is already used on port such and such. If each context is its own firewall, why does it give this error? Can anyone assist with a design configuration for this? Thanks

5 Replies

Hi,

For transparent mode this is expected.

"Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface."

-If I helped you somehow, please, rate it as useful.-

Hi,

Thanks for your response. My firewall is not in transparent mode, it is in routed. I am using 6 interfaces, which I have turned into 3 port channels. Each port channel is going to a different network. So technically, each ingress traffic from each network should have a unique interface. Yet, the contexts are still looking at the same VLAN database.

Although it is not clear, we can see this information in some Cisco material:

"You cannot assign the same VLAN to multiple subinterfaces. You cannot assign a VLAN to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.html

Also we can see some discussions around this:

https://supportforums.cisco.com/t5/firewalling/asa-5585-same-vlan-id-on-different-physical-interfaces/td-p/3023826

-If I helped you somehow, please, rate it as useful.-

So is it safe to say that each context has its own .cfg but they all share the same VLAN database? I was thinking about it like you are a service provider who has multiple clients accessing your FW. What if company A and company B have the same VLAN ID? Do they make them change the VLAN ID? Doesn't make sense that the ASA will allow you to create virtual firewalls within, but share the same VLAN database?
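As an added example (not part of any reply in this thread, and not Cisco's own documentation), here is the layout that the quoted restriction forces on an ASA in routed, multiple-context mode: subinterfaces and their VLAN IDs are configured once, in the system execution space, every VLAN ID is used by exactly one subinterface across the whole box, and each context is handed its subinterface under a mapped name so the context's own configuration never depends on the system-wide VLAN number. The context names, port-channel numbers, VLAN IDs, file names and addresses below are made up for illustration.

```cisco
! System execution space (ASA already in multiple-context mode, i.e. "mode multiple").
! One subinterface per port-channel; each VLAN ID appears on exactly one subinterface.
! VLAN numbers, context names and paths are constructed for this example.
interface Port-channel1
 no shutdown
interface Port-channel1.101
 vlan 101
!
interface Port-channel2
 no shutdown
interface Port-channel2.102
 vlan 102
!
interface Port-channel3
 no shutdown
interface Port-channel3.103
 vlan 103
!
! Allocate each subinterface to one context under a mapped name ("inside").
! The context only ever sees the mapped name, not the VLAN ID.
context CompanyA
 allocate-interface Port-channel1.101 inside
 config-url disk0:/companyA.cfg
!
context CompanyB
 allocate-interface Port-channel2.102 inside
 config-url disk0:/companyB.cfg
!
context CompanyC
 allocate-interface Port-channel3.103 inside
 config-url disk0:/companyC.cfg
!
! Only matters if one subinterface were allocated to more than one context:
! it gives each context its own MAC on the shared interface so the classifier
! described in the first reply can tell the contexts apart.
mac-address auto
!
! ---- Inside context CompanyA (after "changeto context CompanyA") ----
! The interface is referenced by its mapped name; the address is constructed.
interface inside
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
```

Because the contexts refer to "inside" rather than to a VLAN number, each tenant's context config looks identical regardless of which system-wide VLAN ID the ASA side of its link carries; the uniqueness requirement is satisfied once, in the system space, and the error from the original post does not occur.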

Dear family,
There will be some solution on the subject: Using same vlan on multiple contexts with different IP's -- cisco asa.

Best Regards,

Victor Alvarado
