vlan tagging - asa

suthomas1 (Level 6)

Hi,

Is the following configuration correct on an ASA:

interface GigabitEthernet0/0
nameif apps
security-level 50
ip address 192.168.106.1 255.255.255.0
!
interface GigabitEthernet0/0.109
vlan 109
nameif test
security-level 51
ip address 192.168.109.1 255.255.255.224

Current Network ( 192.168.109.0/24 ) -> Current ASA -> Current Switch -> New ASA -> Application VLANS

Current Network is connected to the New Network ( Applications Vlans ) using a link between Current Switch & New ASA as 192.168.106.1 on current ASA and 192.168.106.2 on the New ASA. Routing for traffic from Application Vlans and Current Network is accordingly added using default and static routes.

The network 192.168.106.0/24 also has some users who will access the Application vlans.

Users in current network will use 192.168.106.1 as their gateway.

Will this configuration work? I'd appreciate it if folks could point out anything that seems incorrect, or a better way to do this.

Thanks in advance

4 Replies

Andrew Phirsov (Level 7)

The config will work, why not? You'd have to have same-security-traffic permit intra-interface on the current ASA, for traffic to be able to hairpin through the gig0/0 interface. And surely, you'd have to add all necessary ACL rules, needed for the applications you work with, on both ASAs.

Config for the subinterface on the ASA is ok. The switchport to Gig0/0 should be set up as a trunk with vlans 0 and 109 allowed.

Your config will work, but it is not the recommended way to configure it. On a security device it is not best practice to use the native VLAN. A better way to configure it would be the following:

interface GigabitEthernet0/0
  no nameif
  no security-level
  no ip address
  ! only set speed and duplex here
!
interface GigabitEthernet0/0.106
  vlan 106
  nameif apps
  security-level 50
  ip address 192.168.106.1 255.255.255.0
!
interface GigabitEthernet0/0.109
  vlan 109
  nameif test
  security-level 51
  ip address 192.168.109.1 255.255.255.224

On the switch you need to allow VLAN 106 and VLAN 109 and make sure that the network 192.168.106.0 is migrated to VLAN 106.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
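As an added example (not code from the thread, from either poster, or from Cisco): a small Python audit that parses ASA interface stanzas and flags the pattern the reply above discourages, a physical interface that is itself addressed while tagged subinterfaces hang off it, so that its frames cross the trunk untagged on the switch's native VLAN. It also flags a subinterface with no vlan tag, and checks for the global same-security-traffic permit intra-interface line that the first reply says the current ASA needs in order to hairpin through gig0/0. The two configurations are copied from the posts as constructed sample input; the stanza parser is a simplified assumption of my own (it treats a "!" or blank line as the end of a stanza and only understands the lines shown in this thread), not a general ASA config parser.

```python
from dataclasses import dataclass, field

# Constructed copies of the two ASA configurations posted in the thread.
# ORIGINAL_CFG addresses the physical port itself and tags only VLAN 109;
# RECOMMENDED_CFG leaves the port bare and tags both segments.
ORIGINAL_CFG = """\
interface GigabitEthernet0/0
 nameif apps
 security-level 50
 ip address 192.168.106.1 255.255.255.0
!
interface GigabitEthernet0/0.109
 vlan 109
 nameif test
 security-level 51
 ip address 192.168.109.1 255.255.255.224
!
"""

RECOMMENDED_CFG = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.106
 vlan 106
 nameif apps
 security-level 50
 ip address 192.168.106.1 255.255.255.0
!
interface GigabitEthernet0/0.109
 vlan 109
 nameif test
 security-level 51
 ip address 192.168.109.1 255.255.255.224
!
"""

@dataclass
class Iface:
    name: str
    lines: list = field(default_factory=list)

    def value(self, keyword):
        """Argument of the first '<keyword> ...' line; a 'no <keyword>' line does not count."""
        for line in self.lines:
            text = line.strip()
            if text == keyword or text.startswith(keyword + " "):
                return text[len(keyword):].strip()
        return None

def parse_interfaces(cfg):
    """Split a running-config into interface stanzas keyed by interface name.
    Assumption (simplified ASA syntax): a '!' or blank line ends a stanza."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = Iface(line.split(None, 1)[1].strip())
            ifaces[cur.name] = cur
        elif line.startswith("!") or not line.strip():
            cur = None
        elif cur is not None:
            cur.lines.append(line)
    return ifaces

def audit(cfg):
    """Return (interface, finding) tuples; an empty list means nothing was flagged.
    1. A physical interface that is addressed (nameif + ip address) while tagged
       subinterfaces hang off it: its frames cross the trunk untagged, on the
       switch's native VLAN, the pattern the reply above discourages.
    2. A subinterface with no 'vlan' tag, which cannot pass traffic at all."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for name, iface in ifaces.items():
        if "." in name:                                   # subinterface
            if iface.value("vlan") is None:
                findings.append((name, "subinterface has no 'vlan' tag"))
            continue
        tagged = sorted(s.value("vlan") for n, s in ifaces.items()
                        if n.startswith(name + ".") and s.value("vlan") is not None)
        if tagged and iface.value("nameif") is not None and iface.value("ip address") is not None:
            findings.append((name, "nameif '%s' is untagged (native VLAN) beside tagged VLANs %s"
                             % (iface.value("nameif"), ", ".join(tagged))))
    return findings

def hairpin_permitted(cfg):
    """True if the global command that lets traffic enter and leave the same
    interface is present (the hairpin through gig0/0 noted in the first reply)."""
    return any(line.strip() == "same-security-traffic permit intra-interface"
               for line in cfg.splitlines())

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("recommended", RECOMMENDED_CFG)):
        print(label, audit(cfg) or "clean", "| hairpin permitted:", hairpin_permitted(cfg))
```

Run as a script it reports one finding for the original configuration (GigabitEthernet0/0, nameif apps, beside tagged VLAN 109) and none for the recommended one; neither snippet contains the hairpin command, so both print False for it. The same reasoning applies on the switch side of the trunk: set the native VLAN to an otherwise unused VLAN, restrict the allowed VLAN list to 106 and 109, and turn off DTP negotiation on the port, so that no addressed ASA interface ever sends or receives untagged frames.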

Thanks for the reply.

If I just leave the interface this way for VLAN 106, what possible effects will it cause? Will the return traffic for this segment have problems?

interface GigabitEthernet0/0
nameif apps
security-level 50
ip address 192.168.106.1 255.255.255.0

No, there won't be any functional problem. Your way (native VLAN), combined with additional things like misconfiguration on the switch, can lead to security problems like VLAN hopping. That's the reason that using the native VLAN is not a best practice.
