Do you need an IP address on a BVI ?

SabeelShakeel00430 · ‎10-19-2021

I am configuring an ASA in transparent mode and want it to act like a switch between two vlans. I know how to do this, but I can see that on a BVI you can add an ip address. i have read that this is for routing (i imagine it acts as SVI) - however - can Vlans switch without the need of an ip address on the BVI.

The device in front and behind the firewall will have trunk links to the firewall and the vlans will be trunked here. they will also be trunked northbound to the edge router.

Harold Ritter · ‎10-19-2021

Hi @SabeelShakeel00430 ,

Yes, you do need to configure an IP address on the BVI, as stated in the following section of the documentation:

"Each bridge group requires a BVI for which you configure an IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the connected network. For IPv4 traffic, the BVI IP address is required to pass any traffic. For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-routed-tfw.html#ID-2214-00000259

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México