Why do we need different VLANs with the same subnet on a Cisco ASA firewall? Can't we have the same VLAN on all interfaces, with different IP addresses from the same subnet on it?
No interfaces have IPs in transparent mode. They're like ports on a Layer 2 switch. The firewall needs one IP for management traffic, but it's not assigned to a specific interface. – Paul Dec 01 '15 at 18:55
Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. – Ron Maupin Aug 08 '17 at 20:44
1 Answer
The ASA uses bridge groups for transparent firewall configurations. Bridge groups require distinct interfaces, which includes the vlan tag.
If you don't want multiple firewall contexts to share the same physical interface on the ASA, you can simply put two physical interfaces (using their untagged native vlan) in the same bridge group.
If you need dot1q trunks on the firewall with multiple transparent firewall contexts sharing the same physical interface, then you're stuck with bridging two different vlans. The good news is that many Cisco switches have vlan translation capabilities (also called vlan mapping); see the question I linked for one example of how I worked around the problem by retranslating one of the dot1q trunks with vlan mapping.

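As an added illustration of the two layouts the answer describes (example configuration written for this page, not taken from the original post or from Cisco documentation; interface names, VLAN numbers, addresses, the ASA 8.4+ bridge-group syntax and the switch's support for `switchport vlan mapping` are all assumptions):

```cisco
! ---- ASA in transparent mode (assumed: ASA 8.4 or later bridge-group syntax) ----
firewall transparent
!
! Layout 1: two physical ports, untagged, in one bridge group.
! Each port is already a distinct interface, so no VLAN tag is needed on the ASA
! and both sides of the firewall can carry the same subnet.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
! Management address for the bridge group lives on the BVI, not on either
! member port (example address from the documentation range).
interface BVI1
 ip address 192.0.2.254 255.255.255.0
!
! Layout 2: one trunked physical port shared by both members of a bridge group.
! The members must be distinct subinterfaces, and two subinterfaces on the same
! physical port cannot carry the same 802.1Q tag, so inside and outside get
! different tags (10 and 20 here) even though they bridge a single subnet.
interface GigabitEthernet0/2
 no nameif
 no shutdown
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif inside2
 security-level 100
 bridge-group 2
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif outside2
 security-level 0
 bridge-group 2
!
interface BVI2
 ip address 192.0.2.253 255.255.255.0
!
! ---- Switch side of Layout 2 (assumed: a Catalyst platform that supports
! "switchport vlan mapping"; syntax and availability vary by model) ----
! VLAN 10 holds the inside hosts. VLAN 20 is only the segment between the
! ASA's outside member and the trunk to an upstream router that expects
! everything on VLAN 10. The translation is applied on that router-facing
! trunk, so the switch keeps two distinct VLANs (no loop through the ASA)
! while the router still sees its usual tag.
vlan 10
 name inside-hosts
vlan 20
 name outside-segment
!
interface GigabitEthernet1/0/24
 description trunk to ASA Gi0/2 (carries tags 10 and 20, no translation)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/1
 description trunk to upstream router, which expects tag 10
 switchport mode trunk
 switchport trunk allowed vlan 20
 switchport vlan mapping 10 20
```

The resulting path is: inside host (VLAN 10) → ASA inside2 (tag 10) → bridge-group 2 → ASA outside2 (tag 20) → switch VLAN 20 → router-facing trunk, where VLAN 20 frames leave tagged 10 and frames arriving tagged 10 are placed in VLAN 20. On the ASA, `show bridge-group` lists the members of each group and confirms both subinterfaces landed in the same one; whether the trunk's allowed-VLAN list must name the original or the translated VLAN after mapping is platform-specific and should be checked against the switch's own documentation.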