How does the ASA forward traffic between different VLANs in transparent mode?

May 9th, 2007

Hi all, I am wondering how the ASA bridges between VLANs in transparent mode.


I have R1 connected to the ASA inside interface, and they are configured in VLAN 10.


I have R2 connected to the ASA outside interface, and they are in VLAN 20.


Till now I have learned that traffic between different VLANs needs a routing device in between to forward it.


Here, when R1 in VLAN 10 is sending traffic destined to VLAN 20, how does the ASA forward it?


Because traffic has to be forwarded within the same VLAN. Say for ARP: R1 is doing an ARP query for R2, which is in a different VLAN, so how does this work?


Can someone please help me out in understanding this?


Regards,


Sebastan

Jon Marshall Wed, 05/09/2007 - 22:56

Hi Sebastan,


The key thing to bear in mind is that even though you have two VLANs, you only use one IP subnet.


As you say, in normal circumstances if you have two VLANs you generally have two subnets, one per VLAN, and then yes, the firewall would have to act as a router between the two subnets. But in transparent mode you still have two VLANs, yet you have the same IP subnet across both VLANs, and the ASA bridges across the two VLANs.


Hope this makes sense. Please come back with any other questions.


Jon

sebastan_bach Thu, 05/10/2007 - 04:21

Hi Jon, thanks for your reply.


I got it, and I know this works.


But can you please tell me one reason or benefit of configuring VLANs in transparent mode?


Waiting for your reply.


Thanks once again.


Regards,


Sebastan


Jon Marshall Thu, 05/10/2007 - 04:43

Hi Sebastan,


Transparent firewalls are useful for a number of things.

Firstly, they require no IP address changes to any of your devices, as they work at layer 2.

Secondly, because they work at layer 2 they are in effect invisible, as they are not acting as a layer 3 endpoint.


In addition, they can allow a router on one side of the firewall to peer with a router on the other side of the firewall via EIGRP/OSPF etc. This can be quite useful in some designs.


HTH


Jon

sebastan_bach Thu, 05/10/2007 - 07:38

Hi Jon, I guess you didn't get my question right. I know all the benefits of the ASA in transparent mode.


I was asking what the need is for configuring VLANs when the ASA is in transparent mode.


Can you please reply to that?


Waiting for your reply.


Regards,


Sebastan

Jon Marshall Thu, 05/10/2007 - 10:38

Hi Sebastan,


Apologies for misreading the question. Still not 100% sure what you are asking, but let's see if this gets any closer.


When a device, be it a load-balancer such as the CSM or an ASA, acts in bridge mode, you have to have separate VLANs on either interface; otherwise you are in danger of creating a layer 2 loop in the switched network. If you bridge across the same VLAN you will in effect create a loop, so you use two VLANs but the same IP subnet across both VLANs.


Hope this has answered your question.


Jon
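
The two points Jon makes in this thread, that the transparent ASA repeats frames between two VLANs that share one IP subnet (his first reply) and that putting both interfaces in the same VLAN creates a layer 2 loop (his last reply), can be walked through in a small model. The Python below is an added example and is not code from the thread or from Cisco: the `Switch`, `Host` and `TransparentFirewall` classes, the router names r1 and r2, the switch ports Gi0/1 to Gi0/4, the MAC addresses and the 10.1.1.0/24 subnet are all constructed for the illustration.

```python
"""
Toy model of a transparent (layer 2) firewall between two routers.
Added illustration, not Cisco or ASA code: device names (r1, r2), switch
ports (Gi0/1..Gi0/4), MACs and the 10.1.1.0/24 subnet are constructed.
The firewall never routes; it repeats a frame from one interface out of the
other, so both VLANs carry one IP subnet, and the two interfaces must be in
different VLANs or the flooded frames come straight back in.
"""
from collections import deque
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str          # "ARP" or "IP"; a label, no real encoding
    payload: Dict[str, str]

class Host:
    """A router interface: keeps what it receives, answers ARP for its own IP."""
    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.received: List[Frame] = []

    def handle(self, port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        if frame.dst_mac not in (BROADCAST, self.mac):
            return []                                # not ours, the NIC drops it
        self.received.append(frame)
        if frame.ethertype == "ARP" and frame.payload.get("op") == "request" \
                and frame.payload.get("tpa") == self.ip:
            reply = Frame(self.mac, frame.src_mac, "ARP",
                          {"op": "reply", "spa": self.ip, "sha": self.mac})
            return [(port, reply)]                   # unicast back to the asker
        return []

class TransparentFirewall:
    """Two-port bridge with no IP on the forwarding path: a frame entering
    'inside' leaves 'outside' and vice versa, MACs and IPs untouched.
    (The real ASA also applies access lists here; omitted in the model.)"""
    def __init__(self):
        self.forwarded = 0

    def handle(self, port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        self.forwarded += 1
        return [("outside" if port == "inside" else "inside", frame)]

class Switch:
    """Access-port switch: a frame entering a port is flooded to every other
    port in the same VLAN. MAC learning is omitted; for the frames used here
    it would not change which ports they reach."""
    def __init__(self):
        self.ports: Dict[str, Tuple[int, Any, str]] = {}  # port -> (vlan, device, dev port)
        self.uplink: Dict[Tuple[int, str], str] = {}     # (id(device), dev port) -> port

    def connect(self, sw_port: str, vlan: int, device: Any, dev_port: str) -> None:
        self.ports[sw_port] = (vlan, device, dev_port)
        self.uplink[(id(device), dev_port)] = sw_port

    def run(self, ingress: str, frame: Frame, budget: int = 100) -> Tuple[int, bool]:
        """Propagate one frame until nothing is left to forward. Returns
        (forwarding events, looped); looped means the budget ran out because
        frames keep circulating."""
        queue, events = deque([(ingress, frame)]), 0
        while queue:
            if events >= budget:
                return events, True
            port, fr = queue.popleft()
            events += 1
            vlan = self.ports[port][0]
            for out_port, (out_vlan, device, dev_port) in self.ports.items():
                if out_port == port or out_vlan != vlan:
                    continue
                for egress, new_frame in device.handle(dev_port, fr):
                    queue.append((self.uplink[(id(device), egress)], new_frame))
        return events, False

def arp_across_firewall(inside_vlan: int, outside_vlan: int) -> Dict[str, Any]:
    """r1 (in inside_vlan) ARPs for r2 (in outside_vlan); both are in
    10.1.1.0/24 with the firewall bridging the two VLANs. Report who saw what."""
    sw, fw = Switch(), TransparentFirewall()
    r1 = Host("00:00:00:00:00:01", "10.1.1.1")
    r2 = Host("00:00:00:00:00:02", "10.1.1.2")
    sw.connect("Gi0/1", inside_vlan, r1, "eth0")
    sw.connect("Gi0/2", inside_vlan, fw, "inside")
    sw.connect("Gi0/3", outside_vlan, fw, "outside")
    sw.connect("Gi0/4", outside_vlan, r2, "eth0")
    request = Frame(r1.mac, BROADCAST, "ARP", {"op": "request", "spa": r1.ip, "tpa": r2.ip})
    events, looped = sw.run("Gi0/1", request)
    return {"looped": looped, "events": events, "fw_forwarded": fw.forwarded,
            "r2_requests": sum(f.payload.get("op") == "request" for f in r2.received),
            "r1_replies": sum(f.payload.get("op") == "reply" for f in r1.received)}

if __name__ == "__main__":
    print("VLAN 10 / VLAN 20:", arp_across_firewall(10, 20))
    print("VLAN 10 / VLAN 10:", arp_across_firewall(10, 10))
```

With VLAN 10 on the inside and VLAN 20 on the outside, R1's broadcast ARP request is flooded only to the firewall's inside port, the firewall repeats it out of the outside port into VLAN 20, R2 answers, and the unicast reply takes the same path back: four forwarding events, the firewall touching the frame twice, and no IP address on the firewall involved at any point, which is why one subnet spans both VLANs. With both firewall interfaces in VLAN 10 the same broadcast also reaches the outside port directly, is repeated back into VLAN 10, and keeps circulating until the event budget stops the model; on a real switch that is the layer 2 loop Jon describes. Two simplifications to keep in mind when reading the model: the switch does no MAC learning, and the firewall applies no policy. On the real ASA in transparent mode, ARP crosses by default, but IP traffic from the lower-security interface still needs an access list, so a successful ARP resolution across the box does not mean the policy is open.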
