how asa forward traffic between different vlans in transparent mode

sebastan_bach · ‎05-09-2007

hi all i am wondering how does the asa bridge between vlans in transparent mode.

i have r1 connetced to asa inside interface and they are configured in vlan 10

i have r2 connected to asa outside and they are in vlan 20.

till now i have learned for traffic between different vlans needs a routing device in between to forward traffic between them.

here when r1 in vlan 10 is sending traffic destined to vlan 20 how does the asa forward it.

cause traffic has to be forward within the same vlan. say for arp. r1 is doing a arp query for r1 which is in different vlan then how does this work.

can someone pls help me out in understanding this.

regards

sebastan

Jon Marshall · ‎05-09-2007

Hi Sebastan

the key thing to bear in mind is that even though you have 2 vlans you only use 1 ip subnet.

As you say in normal circumstances if you have 2 vlans you generally have 2 subnets one per vlan. And then yes the firewall would have to act as router between the 2 subnets. But in transparent mode you stilll have 2 vlans but you have the same IP subnet across both vlans. And the ASA bridges across the 2 vlans.

Hope this makes sense. Please come back with any other questions.

Jon

sebastan_bach · ‎05-10-2007

hi jon thanks for ur reply.

i got it and i know this works.

but can u pls tell me anyone one reason or benefit of me configuring vlans in transparent mode.

waiting for ur reply.

thanks once again.

regards

sebastan

Jon Marshall · ‎05-10-2007

Hi Sebastan

Transparent firewalls are useful for a number of things.

Firstly they require no ip address changes to any of your devices as they work at layer 2.

Secondly because they work at layer 2 they are in effect invisible as they are not acting as a layer 3 endpoint.

In addition they can allow a router on one side of the firewall to peer with a firewall on the other side of the firewall via EIGRP/OSPF etc. This can be quite useful in some designs.

HTH

Jon

sebastan_bach · ‎05-10-2007

hi jon i guess u didn;t get my question right. i know all the benefits of asa in transparent mode.

i was asking what is the need for configuring vlans when asa in transparent mode .

can u pls reply to that.

waiting for ur reply.

regards

sebastan

Jon Marshall · ‎05-10-2007

Hi Sebastan

Apologies for misreading the question. Still not 100% sure what you are asking but lets see if this gets any closer.

When a device, be it a load-balancer such as the CSM or an ASA acts in bridge mode you have to have separate vlans on either interface otherwise you are in danger of creating a layer 2 loop in the switched network. If you bridge across the same vlan then you will in effect create a loop so you use 2 vlans but the same IP subnet across both vlans.

Hope this has answered your question.

Jon

sebastan_bach · ‎05-11-2007

thanks jon.

regards

sebastan