06-29-2016 10:09 AM - edited 03-12-2019 12:58 AM
Hello,
I have a FW ASA 5515 and I came across this article: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2. It shows that in ASA 5505 it was possible to create VLAN interfaces, and in 5515 that doesn't seem to be possible anymore (in 5515 only VLAN subinterfaces?). So, my questions are:
1) Can I accomplish what was possible in 5505 using the command: no forward interface vlan number? I want to be able to isolate interfaces from each other, for example, interface gigabitEthernet 0/1 should never communicate with interface gigabitEthernet 0/5 regardless of whether there are ACLs, same security-levels, etc. It seems that with the no forward interface vlan command that was what I needed.
2) Has the concept of VLANs in 5515 died? I mean, those VLANs that you set in subinterfaces in 5515 are the ones set up in switches and arrive at the FW physical interface through the trunk, then they are directed to the subinterface by their IDs. Are VLANs in ASA5515 only possible (if ever) in transparent mode?
3) In fact, 1) is really important to me, so if I'm to use subinterfaces, which I will probably do, can I have configurations at the subinterface level that forbid communication between two subinterfaces or between a subinterface and another physical interface (regardless of ACLs and security-levels)?
Thank you,
06-29-2016 10:55 AM
Hello,
I hope you are fine, regarding your queries:
1) The no forward interface vlan number command is a command available in ASA appliances that have a built-in switch incorporated; the ASA 5505 has it, but the ASA 5500-X models such as the 5515 do not have this feature, for that reason the command is not available in ASA 5515.
Please refer to the following link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f2.html#pgfId-2017031
2) It is not that the VLAN concept died, because the ASA 5515 can handle VLANs, but not in the same way that ASA 5505 does since it has a built-in switch.
3) You will need to use the ACL and security levels to restrict traffic between one interface and another.
06-30-2016 12:31 PM
Hello Kornelia,
Thank you for answering. So, the way in which ASA 5515 handles VLANs is not in itself but using other devices' VLANs? For example, when I set the "vlan id" command on a subinterface, that VLAN's traffic should arrive at that subinterface, correct? That doesn't mean ASA is in fact managing that VLAN, right?
06-30-2016 02:23 PM
Hi!
Yes, you are right! When you configure a subinterface on the ASA with vlan id "A" the firewall is expecting to receive traffic of vlan A on that interface.
07-02-2016 06:18 AM
It's worth noting that you don't HAVE to use subinterfaces - if your switch ports are in access mode then you will only set the VLAN on the switch.
If however you are using an 802.1q trunked interface (with a switch that can do this) and you want to carry several VLANs to the same physical port on your 5515, this is when you use subinterfaces, to allow the correct traffic to the correct VLAN on the same interface. In this case, the VLAN is going to be managed by a switch, as the 5515 is not a switch.
As mentioned also, to ensure no two segments communicate with each other, you must ensure you have ACLs set correctly.
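The setup described in this thread, as an added configuration example (not from the original posts or from Cisco's documentation): two 802.1Q subinterfaces on one 5515 port plus a separate physical interface, all at the same security level, with inbound ACLs that explicitly deny traffic between the segments and log the attempts. Interface names, VLAN IDs and the RFC 5737 addresses are assumed values chosen for illustration.

```cisco
! Physical trunk port carries VLANs 10 and 20 from the switch; it gets no IP itself
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Subinterface for VLAN 10 (tag set on the switch side of the trunk)
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Subinterface for VLAN 20 on the same trunk
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz-db
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Separate physical interface that must never talk to the DMZ segments
interface GigabitEthernet0/5
 nameif lab
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
! Equal security levels: keep same-security inter-interface traffic disabled
no same-security-traffic permit inter-interface
!
! Inbound ACL on dmz-web: deny the other local segments first (logged), then permit the rest
access-list DMZ-WEB-IN extended deny ip any 198.51.100.0 255.255.255.0 log
access-list DMZ-WEB-IN extended deny ip any 203.0.113.0 255.255.255.0 log
access-list DMZ-WEB-IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group DMZ-WEB-IN in interface dmz-web
!
! Same pattern on lab: block both DMZ subnets, allow everything else outbound
access-list LAB-IN extended deny ip any 192.0.2.0 255.255.255.0 log
access-list LAB-IN extended deny ip any 198.51.100.0 255.255.255.0 log
access-list LAB-IN extended permit ip 203.0.113.0 255.255.255.0 any
access-group LAB-IN in interface lab
!
! Verify the policy without sending real traffic (expected result: DROP on the ACL)
! packet-tracer input dmz-web tcp 192.0.2.10 40000 198.51.100.10 1433
```

The deny lines must precede the permit line, since the ASA evaluates ACL entries top-down and an applied ACL takes precedence over the security-level defaults.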